Syft can get CPEs from several sources, including generating them based on package data, finding them in the NVD CPE dictionary, or finding them declared in a manifest or existing SBOM. Record where Syft got CPEs so that consumers of SBOMs can reason about how trustworthy they are. Signed-off-by: Will Murphy <will.murphy@anchore.com>
package cpe
import (
"fmt"
"sort"
)
// Merge returns the unique CPEs found in a or b, sorted with
// BySourceThenSpecificity.
//
// Two CPEs count as the same entry only when both their Source and the
// formatted-string binding of their Attributes match. Because the source is
// part of the identity, the same attributes reported by two different sources
// are kept as two entries, so the provenance of each CPE is preserved for
// consumers that weigh sources differently.
//
// When a and b both hold an entry with the same identity, the one from b is
// the value that ends up in the result. The result is nil when both inputs
// are empty.
func Merge(a, b []CPE) []CPE {
	// identity builds the de-duplication key: "<source>:<formatted string binding>".
	identity := func(c CPE) string {
		return fmt.Sprintf("%s:%s", c.Source.String(), c.Attributes.BindToFmtString())
	}

	// Walk a first and b second so that entries from b overwrite equal-keyed
	// entries from a.
	unique := make(map[string]CPE)
	for _, group := range [][]CPE{a, b} {
		for _, c := range group {
			unique[identity(c)] = c
		}
	}

	var merged []CPE
	for _, c := range unique {
		merged = append(merged, c)
	}

	// NOTE(review): map iteration order is unspecified and sort.Sort is not
	// stable, so the output order is reproducible only if
	// BySourceThenSpecificity (defined elsewhere) never treats two distinct
	// entries as equal — confirm against its Less implementation.
	sort.Sort(BySourceThenSpecificity(merged))
	return merged
}