anthonyharrison / lib4sbom

Library to ingest and generate SBOMs
Apache License 2.0

CPE for operating systems is not identified correctly #22

Closed rhaley-starfish closed 7 months ago

rhaley-starfish commented 8 months ago

Hi Anthony,

I am generating an SBOM for neutrino RTOS. I noted that the CPE for older versions of that OS is:

cpe:2.3:o:blackberry:qnx_neutrino_rtos:6.5.0:sp1:*:*:*:*:*:*

The CPE generated by lib4sbom is:

cpe:/a:BlackBerry:qnx_neutrino_rtos:7.1

which converts to CPE 2.3: cpe:2.3:a:BlackBerry:qnx_neutrino_rtos:7.1:*:*:*:*:*:*:*

Note the "a" (I assume for application) instead of "o" (for operating system?)

The output component correctly identifies as an operating system:

```json
{
  "type": "operating-system",
  "bom-ref": "blackberry:qnx_neutrino_rtos@7.1",
  "name": "qnx_neutrino_rtos",
  "version": "7.1",
  "supplier": {
    "name": "BlackBerry"
  },
  "cpe": "cpe:/a:BlackBerry:qnx_neutrino_rtos:7.1",
  "externalReferences": [
    {
      "url": "https://blackberry.qnx.com/en/products/foundation-software/qnx-rtos",
      "type": "website",
      "comment": "Home page for project"
    }
  ]
}
```

anthonyharrison commented 7 months ago

Thanks @rhaley-starfish.

EDITED

The cpe value is 'generated' if the supplier is specified (which it is in your example). It always generates 'cpe:/a' regardless of the component type. I will change it to generate 'cpe:/o' if the component type is set to operating-system.
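The behaviour described in this thread, as an added example that is not lib4sbom's own code: a generator that picks the CPE part from the component type instead of always emitting `cpe:/a`, a CPE 2.2 URI to 2.3 formatted-string conversion of the kind shown in the report, and a check that flags an existing SBOM component whose CPE part disagrees with its type. The `PART_FOR_TYPE` mapping, the lower-casing of vendor/product (the NVD entry in the report is lower-case, lib4sbom's output is not), the helper names and the sample component are assumptions made for this illustration; the sample is constructed from the JSON posted above.

```python
"""Build and sanity-check CPE identifiers for CycloneDX-style components.

Added example, not lib4sbom code. The type-to-part mapping, the helper
names and the sample component are assumptions for illustration.
"""
import re
from typing import Optional

# CPE part values from the CPE 2.3 naming specification:
# a = application, o = operating system, h = hardware.
# Which CycloneDX component types map to which part is an assumption here.
PART_FOR_TYPE = {
    "operating-system": "o",
    "device": "h",
}
DEFAULT_PART = "a"

# Assumption: restrict components to characters that need no backslash
# escaping in either the 2.2 URI or the 2.3 formatted string.
SAFE_COMPONENT = re.compile(r"^[a-z0-9_.-]+$")


def normalise(value: str) -> str:
    """Lower-case and replace spaces, e.g. 'QNX Neutrino RTOS' -> 'qnx_neutrino_rtos'."""
    value = value.strip().lower().replace(" ", "_")
    if not SAFE_COMPONENT.match(value):
        raise ValueError(f"unsupported characters in CPE component: {value!r}")
    return value


def cpe22_for_component(component: dict) -> str:
    """Return a CPE 2.2 URI, choosing the part from component['type']
    rather than always using 'a' (the bug reported in this issue)."""
    part = PART_FOR_TYPE.get(component.get("type"), DEFAULT_PART)
    vendor = normalise(component["supplier"]["name"])
    product = normalise(component["name"])
    version = normalise(component["version"])
    return f"cpe:/{part}:{vendor}:{product}:{version}"


def cpe22_to_cpe23(uri: str) -> str:
    """Convert 'cpe:/part:vendor:product[:version[:update[:edition[:lang]]]]'
    to the CPE 2.3 formatted string (11 attributes), padding absent or empty
    attributes with '*'. Does not unpack packed '~' editions; values are
    assumed to need no escaping."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if not 3 <= len(fields) <= 7:
        raise ValueError("CPE 2.2 URI must have between 3 and 7 attributes")
    fields = [f if f else "*" for f in fields]
    fields += ["*"] * (11 - len(fields))
    return "cpe:2.3:" + ":".join(fields)


def cpe_part_mismatch(component: dict) -> Optional[str]:
    """Return a finding when the component's CPE part (2.2 or 2.3 syntax)
    does not match the part expected for its component type, else None."""
    cpe = component.get("cpe")
    if not cpe:
        return None
    if cpe.startswith("cpe:2.3:"):
        part = cpe.split(":")[2]
    elif cpe.startswith("cpe:/"):
        part = cpe[len("cpe:/"):].split(":")[0]
    else:
        return f"{component.get('bom-ref')}: unrecognised CPE syntax {cpe!r}"
    expected = PART_FOR_TYPE.get(component.get("type"), DEFAULT_PART)
    if part != expected:
        return (f"{component.get('bom-ref')}: CPE part '{part}' but component "
                f"type '{component.get('type')}' expects part '{expected}'")
    return None


# Constructed sample: the component posted in the issue report.
SAMPLE_COMPONENT = {
    "type": "operating-system",
    "bom-ref": "blackberry:qnx_neutrino_rtos@7.1",
    "name": "qnx_neutrino_rtos",
    "version": "7.1",
    "supplier": {"name": "BlackBerry"},
    "cpe": "cpe:/a:BlackBerry:qnx_neutrino_rtos:7.1",
}

if __name__ == "__main__":
    print(cpe_part_mismatch(SAMPLE_COMPONENT))
    fixed = cpe22_for_component(SAMPLE_COMPONENT)
    print(fixed, "->", cpe22_to_cpe23(fixed))
```

Run the check over every component of a generated SBOM before publishing it: a CPE with the wrong part will not match NVD's `cpe:2.3:o:...` entries, so vulnerability matching against the OS silently returns nothing.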