fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

Cache CPE to PURL mappings #74

Closed elanzini closed 3 years ago

elanzini commented 3 years ago

We use the CPE dictionary from NVD to build a mapping between the CPE and the repository where we can find it hosted, and later map it to its package coordinate, thanks to the crawling of each ecosystem's metadata for each package.

Currently, we are not enriching this mapping with PURL information from advisories. The `PurlMapper` should also take this into account when `inferPurl` is called and cache the mapping cpe --> purl for later use.

The precision of this will need to be evaluated.
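As an added illustration of the behaviour the issue asks for (this is not the vulnerability-producer project's code, and the class and function names, the sample CPE strings, the sample PURLs and the repository-derived mappings are all constructed for this example), the sketch below parses CPE 2.3 strings and PURLs, lets advisory-provided PURLs take precedence over mappings derived from crawled repository metadata, and caches each resolved cpe --> purl mapping together with its source so that a later precision evaluation can tell the two kinds of mapping apart. The cache is keyed on vendor and product only; the version is carried over from the CPE on each call.

```python
"""Constructed example of a CPE -> PURL inference cache; not project code."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Package coordinates as (purl type, namespace or "", name); the version comes from the CPE.
Coords = Tuple[str, str, str]


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str


# Leading fields of a CPE 2.3 formatted string (escaped colons are not handled, for brevity).
_CPE23 = re.compile(r"^cpe:2\.3:([aho]):([^:]+):([^:]+):([^:]+):")
# pkg:type/[namespace/]name[@version]; qualifiers and subpath are ignored here.
_PURL = re.compile(r"^pkg:([^/]+)/(?:(.+)/)?([^/@?#]+)(?:@([^?#]+))?")


def parse_cpe23(cpe: str) -> Cpe:
    m = _CPE23.match(cpe)
    if not m:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return Cpe(*m.groups())


def parse_purl(purl: str) -> Tuple[str, str, str, Optional[str]]:
    m = _PURL.match(purl)
    if not m:
        raise ValueError(f"not a PURL: {purl!r}")
    ptype, ns, name, version = m.groups()
    ns = "/".join(unquote(s) for s in ns.split("/")) if ns else ""
    return ptype, ns, unquote(name), (unquote(version) if version else None)


def build_purl(ptype: str, ns: str, name: str, version: Optional[str]) -> str:
    # Each namespace segment and the name are percent-encoded separately.
    ns_part = "/".join(quote(s, safe="") for s in ns.split("/")) + "/" if ns else ""
    purl = f"pkg:{ptype}/{ns_part}{quote(name, safe='')}"
    return purl + f"@{quote(version, safe='')}" if version else purl


@dataclass
class PurlMapper:
    # Mappings obtained from crawled repository metadata: (vendor, product) -> coords.
    repo_map: Dict[Tuple[str, str], Coords]
    # Mappings taken from advisories that name both a CPE and a PURL; preferred over repo_map.
    advisory_map: Dict[Tuple[str, str], Coords] = field(default_factory=dict)
    # Resolved (vendor, product) -> (coords, source); later calls skip the lookups.
    cache: Dict[Tuple[str, str], Tuple[Coords, str]] = field(default_factory=dict)
    stats: Dict[str, int] = field(default_factory=lambda: {"hits": 0, "misses": 0, "unresolved": 0})

    def learn_from_advisory(self, cpe: str, purl: str) -> None:
        c = parse_cpe23(cpe)
        ptype, ns, name, _version = parse_purl(purl)
        key = (c.vendor, c.product)
        self.advisory_map[key] = (ptype, ns, name)
        # Drop any cached crawl-based guess so the advisory mapping wins from now on.
        self.cache.pop(key, None)

    def infer_purl(self, cpe: str) -> Optional[str]:
        c = parse_cpe23(cpe)
        key = (c.vendor, c.product)
        entry = self.cache.get(key)
        if entry is not None:
            self.stats["hits"] += 1
        else:
            self.stats["misses"] += 1
            if key in self.advisory_map:
                entry = (self.advisory_map[key], "advisory")
            elif key in self.repo_map:
                entry = (self.repo_map[key], "repository")
            else:
                self.stats["unresolved"] += 1
                return None  # deliberately not cached: a later advisory may still resolve it
            self.cache[key] = entry
        (ptype, ns, name), _source = entry
        version = None if c.version in ("*", "-") else c.version
        return build_purl(ptype, ns, name, version)

    def source_of(self, cpe: str) -> Optional[str]:
        """Which source produced the cached mapping; handy when evaluating precision."""
        c = parse_cpe23(cpe)
        entry = self.cache.get((c.vendor, c.product))
        return entry[1] if entry else None


def demo() -> Dict[str, object]:
    # All mappings and CPE strings below are constructed sample data.
    mapper = PurlMapper(repo_map={
        ("fasterxml", "jackson-databind"): ("maven", "com.fasterxml.jackson.core", "jackson-databind"),
    })
    mapper.learn_from_advisory("cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*",
                               "pkg:maven/commons-collections/commons-collections@3.2.1")
    return {
        "collections": mapper.infer_purl("cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*"),
        "jackson": mapper.infer_purl("cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*"),
        "jackson_again": mapper.infer_purl("cpe:2.3:a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:*"),
        "unknown": mapper.infer_purl("cpe:2.3:a:example:nowhere:1.0:*:*:*:*:*:*:*"),
        "jackson_source": mapper.source_of("cpe:2.3:a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:*"),
        "hits": mapper.stats["hits"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Unresolved CPEs are intentionally left out of the cache, since a negative entry would otherwise hide a mapping that a later advisory supplies; keeping the source tag on each cached entry is what lets the precision of advisory-derived and crawl-derived mappings be measured separately.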