anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

grype builds cpe string with incorrect vendor for local packages #1490

Open richardkhardy opened 1 year ago

richardkhardy commented 1 year ago

What happened:

grype sets the cpe string for our locally developed mariadb package to cpe:2.3:a:mariadb:mariadb:0.3.0-SNAPSHOT:*:*:*:*:*:*:* and this causes false positives. It can be solved with an ignore rule, but I was wondering if this can be handled in a better way, maybe the pom groupId could be considered when forming the cpe string.

```json
   "artifact": {
    "id": "8578091f3f57029d",
    "name": "mariadb",
    "version": "0.3.0-SNAPSHOT",
    "type": "java-archive",
    "locations": [
     {
      "path": "/opt/edge/app.jar",
      "layerID": "sha256:4756f71f0dc2028af6981c3408cb68e358a3c13233f336b97d18570f6a5593e0"
     }
    ],
    "language": "java",
    "licenses": [],
    "cpes": [
     "cpe:2.3:a:mariadb:mariadb:0.3.0-SNAPSHOT:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:maven/nz.co.solnet.labs.rhine/mariadb@0.3.0-SNAPSHOT",
    "upstreams": [],
    "metadataType": "JavaMetadata",
    "metadata": {
     "virtualPath": "/opt/edge/app.jar:nz.co.solnet.labs.rhine:mariadb",
     "pomArtifactID": "mariadb",
     "pomGroupID": "nz.co.solnet.labs.rhine",
     "manifestName": "",
     "archiveDigests": null
    }
   }
```

What you expected to happen:

Ideally it should set the vendor to something different so that vulnerabilities are not matched against it, like this one.

```json
     "found": {
      "vulnerabilityID": "CVE-2022-27449",
      "versionConstraint": "< 10.3.35 || >= 10.4.0, < 10.4.25 || >= 10.5.0, < 10.5.16 || >= 10.6.0, < 10.6.8 || >= 10.7.0, < 10.7.4 (unknown)",
      "cpes": [
       "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*"
      ]
     }
```

How to reproduce it (as minimally and precisely as possible):

Create a local artifact with the same name as a downloaded one with an independent version.

Anything else we need to know?:

Environment:

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8" REDHAT_BUGZILLA_PRODUCT_VERSION=8.8 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="8.8"

tgerla commented 1 year ago

Thanks for the report, @richardkhardy. We are working on some improvements to the matching mechanisms that will help eliminate some of these false positives. Please stay tuned for this PR to be merged and released: https://github.com/anchore/grype/pull/1412

Developer note: we should also re-evaluate our list of accepted top level domain strings: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/common/cpe/java.go#L16 -- need to look at Syft, too.
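The following is an added example, not grype's or Syft's own code, illustrating both the problem in the report and the developer note above: it builds CPE 2.3 strings for a Java archive once with the artifact name as vendor (the behaviour reported) and once with a vendor derived from the POM groupId, then runs a coarse field-by-field CPE match against the vulnerability CPE from the report. The `genericGroupPrefixes` set is a hypothetical stand-in for the "accepted top level domain strings" list mentioned in the note; the function names and the package data are constructed for this example, and version-range evaluation is deliberately left out.

```go
package main

import (
	"fmt"
	"strings"
)

// genericGroupPrefixes is a hypothetical set of leading groupId segments that
// carry no vendor information (an assumption for this example, not Syft's list).
var genericGroupPrefixes = map[string]bool{
	"com": true, "org": true, "net": true, "io": true,
	"nz": true, "co": true, "uk": true, "de": true,
}

// vendorFromGroupID returns the first groupId segment that is not a generic
// prefix, e.g. "nz.co.solnet.labs.rhine" -> "solnet", "org.mariadb.jdbc" -> "mariadb".
func vendorFromGroupID(groupID string) string {
	for _, seg := range strings.Split(strings.ToLower(groupID), ".") {
		if seg == "" || genericGroupPrefixes[seg] {
			continue
		}
		return seg
	}
	return ""
}

// buildCPE formats a CPE 2.3 application string with the remaining fields wildcarded.
func buildCPE(vendor, product, version string) string {
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", vendor, product, version)
}

// candidateCPEs produces the CPE for a Java archive. With useGroupID=false the
// artifact name doubles as vendor (the behaviour in the report); with
// useGroupID=true the vendor is derived from the POM groupId instead.
func candidateCPEs(groupID, artifactID, version string, useGroupID bool) []string {
	vendor := artifactID
	if useGroupID {
		if v := vendorFromGroupID(groupID); v != "" {
			vendor = v
		}
	}
	return []string{buildCPE(vendor, artifactID, version)}
}

// cpeMatches compares two CPE 2.3 strings field by field; "*" on either side
// matches anything. This is the coarse first-stage match only: the
// versionConstraint shown in the report is not evaluated here.
func cpeMatches(pkgCPE, vulnCPE string) bool {
	a := strings.Split(pkgCPE, ":")
	b := strings.Split(vulnCPE, ":")
	if len(a) != 13 || len(b) != 13 { // cpe, 2.3, part + 10 attributes
		return false
	}
	for i := range a {
		if a[i] == "*" || b[i] == "*" {
			continue
		}
		if !strings.EqualFold(a[i], b[i]) {
			return false
		}
	}
	return true
}

// flagged reports whether any candidate CPE for the package matches vulnCPE.
func flagged(groupID, artifactID, version, vulnCPE string, useGroupID bool) bool {
	for _, c := range candidateCPEs(groupID, artifactID, version, useGroupID) {
		if cpeMatches(c, vulnCPE) {
			return true
		}
	}
	return false
}

func main() {
	// Package data taken from the report; the vulnerability CPE is the one shown there.
	const groupID, artifactID, version = "nz.co.solnet.labs.rhine", "mariadb", "0.3.0-SNAPSHOT"
	const vulnCPE = "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*"
	for _, useGroupID := range []bool{false, true} {
		cpes := candidateCPEs(groupID, artifactID, version, useGroupID)
		fmt.Printf("useGroupID=%v cpe=%s flagged=%v\n",
			useGroupID, cpes[0], flagged(groupID, artifactID, version, vulnCPE, useGroupID))
	}
}
```

With the artifact name as vendor the local package matches the wildcard vulnerability CPE; with the groupId-derived vendor `solnet` it does not, while a genuine `org.mariadb.jdbc` artifact still resolves to vendor `mariadb` and keeps matching. The prefix list is the part that needs care: any segment treated as generic is discarded, so a too-broad list collapses distinct vendors and a too-narrow one leaves a TLD as the vendor.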