anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Adds support for vuln scanning binary and go content types with grype #1259

Closed. zhill closed this 3 years ago.

zhill commented 3 years ago

Adds CPE generation where needed in the SBOM generation step prior to handoff to Grype.

Also updates to the latest Grype release, which supports go-module vuln scans and a default matcher that will handle 'binary' types.

Signed-off-by: Zach Hill zach@anchore.com

zhill commented 3 years ago

The CPE generation code is lifted from the policy engine loader. I moved it and cleaned it up a bit to ensure there are no weird import dependencies, and since the call parameters were different. The only generator with any real complexity is the Java generator, which I only very mildly refactored (moved the tokenizer phase to its own function).
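To illustrate the CPE-generation step this PR describes, the following is an added example (not anchore-engine's own generator code): it binds SBOM artifact fields into CPE 2.3 formatted strings with the escaping the binding requires, and emits one candidate per vendor guess so the downstream matcher can try each. The artifact dict shape, the type-to-target_sw map and the Go module-path heuristic are assumptions made here for the example.

```python
import re
from typing import Dict, List

# Characters the CPE 2.3 formatted-string binding (NISTIR 7695, 6.2.2)
# passes through unescaped: alphanumerics, underscore, hyphen, period.
_PLAIN = re.compile(r"[A-Za-z0-9_.\-]")


def fs_escape(value: str) -> str:
    """Escape one attribute value for a CPE 2.3 formatted string.

    Any other printable character gets a backslash, so a literal '*' or
    '?' in a package name is not read as a wildcard by the matcher and
    a ':' cannot shift the remaining fields.
    """
    return "".join(c if _PLAIN.match(c) else "\\" + c for c in value)


def _attr(value: str) -> str:
    # "*" is the ANY wildcard and must stay unescaped.
    return "*" if value == "*" else fs_escape(value)


def cpe23(vendor: str, product: str, version: str, target_sw: str = "*") -> str:
    """Bind the 13 CPE 2.3 components; unused ones are ANY ("*")."""
    fields = ["cpe", "2.3", "a", _attr(vendor), _attr(product), _attr(version),
              "*", "*", "*", "*", _attr(target_sw), "*", "*"]
    return ":".join(fields)


def cpes_for_artifact(artifact: Dict[str, str]) -> List[str]:
    """Candidate CPEs for one SBOM artifact ({"name", "version", "type"}).

    Ecosystem packages rarely carry a vendor, so one CPE per vendor
    candidate is emitted. The type map and the Go module-path heuristic
    are this example's assumptions, not anchore-engine's generator rules.
    """
    name, version, atype = artifact["name"], artifact["version"], artifact["type"]
    target_sw = {"go-module": "golang", "python": "python"}.get(atype, "*")
    product, vendors = name, [name]
    if atype == "go-module" and "/" in name:
        parts = name.split("/")  # e.g. github.com/gorilla/websocket
        product = parts[-1]
        vendors = [product] + ([parts[1]] if len(parts) >= 3 else [])
    out: List[str] = []
    for vendor in vendors:
        cpe = cpe23(vendor, product, version, target_sw)
        if cpe not in out:
            out.append(cpe)
    return out
```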