
grype builds cpe string with incorrect vendor for local packages #1490

Open
richardkhardy opened this issue Sep 13, 2023 · 1 comment
Labels
bug Something isn't working

Comments

richardkhardy commented Sep 13, 2023

What happened:

grype sets the cpe string for our locally developed mariadb package to cpe:2.3:a:mariadb:mariadb:0.3.0-SNAPSHOT:*:*:*:*:*:*:*
and this causes false positives. It can be solved with an ignore rule, but I was wondering if this can be handled in a better way; maybe the pom groupId could be considered when forming the cpe string.

   "artifact": {
    "id": "8578091f3f57029d",
    "name": "mariadb",
    "version": "0.3.0-SNAPSHOT",
    "type": "java-archive",
    "locations": [
     {
      "path": "/opt/edge/app.jar",
      "layerID": "sha256:4756f71f0dc2028af6981c3408cb68e358a3c13233f336b97d18570f6a5593e0"
     }
    ],
    "language": "java",
    "licenses": [],
    "cpes": [
     "cpe:2.3:a:mariadb:mariadb:0.3.0-SNAPSHOT:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:maven/nz.co.solnet.labs.rhine/mariadb@0.3.0-SNAPSHOT",
    "upstreams": [],
    "metadataType": "JavaMetadata",
    "metadata": {
     "virtualPath": "/opt/edge/app.jar:nz.co.solnet.labs.rhine:mariadb",
     "pomArtifactID": "mariadb",
     "pomGroupID": "nz.co.solnet.labs.rhine",
     "manifestName": "",
     "archiveDigests": null
    }
   }

What you expected to happen:

Ideally it should set the vendor to something different so that vulnerabilities are not matched against it, like this one.

     "found": {
      "vulnerabilityID": "CVE-2022-27449",
      "versionConstraint": "< 10.3.35 || >= 10.4.0, < 10.4.25 || >= 10.5.0, < 10.5.16 || >= 10.6.0, < 10.6.8 || >= 10.7.0, < 10.7.4 (unknown)",
      "cpes": [
       "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*"
      ]
     }

How to reproduce it (as minimally and precisely as possible):

Create a local artifact with the same name as a downloaded one with an independent version

Anything else we need to know?:

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.67.0
    Syft Version: v0.89.0
    BuildDate: 2023-09-11T18:07:08Z
    GitCommit: 1772f25
    GitDescription: v0.67.0
    Platform: linux/amd64
    GoVersion: go1.21.1
    Compiler: gc
    Supported DB Schema: 5

  • OS (e.g: cat /etc/os-release or similar):
    NAME="Red Hat Enterprise Linux"
    VERSION="8.8 (Ootpa)"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="8.8"
    PLATFORM_ID="platform:el8"
    PRETTY_NAME="Red Hat Enterprise Linux 8.8 (Ootpa)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
    HOME_URL="https://www.redhat.com/"
    DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
    BUG_REPORT_URL="https://bugzilla.redhat.com/"

    REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
    REDHAT_BUGZILLA_PRODUCT_VERSION=8.8
    REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION="8.8"
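The ignore rule mentioned above as the workaround, written out as an added example (it is not part of the issue and not the project's own documentation). It assumes the rule lives in a `.grype.yaml` in the directory grype is run from, that `vulnerability` and `package.name`/`package.version`/`package.type` are the ignore-rule keys grype reads, and that pinning all three package fields is what keeps the rule from also hiding CVE-2022-27449 for a real MariaDB jar elsewhere in the same image:

```yaml
# .grype.yaml (added example, not from the issue): suppress the CPE-driven
# match for the locally built artifact only. All three package fields are
# pinned so a genuine MariaDB jar elsewhere in the image is still reported.
ignore:
  - vulnerability: CVE-2022-27449
    package:
      name: mariadb
      version: 0.3.0-SNAPSHOT
      type: java-archive
```

The rule covers this one CVE; any other vulnerability grype matches through cpe:2.3:a:mariadb:mariadb needs its own entry. Dropping the `vulnerability` key ignores everything reported for that package and version, which is broader and would also hide a real finding in the local code. Suppressed matches still appear in the JSON output under `ignoredMatches`, so the suppression remains auditable.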

@richardkhardy richardkhardy added the bug Something isn't working label Sep 13, 2023
@tgerla tgerla added false-positive:cpe This issue is a report of a false positive caused by CPE matching and removed false-positive:cpe This issue is a report of a false positive caused by CPE matching labels Sep 14, 2023
tgerla (Contributor) commented Sep 14, 2023

Thanks for the report, @richardkhardy. We are working on some improvements to the matching mechanisms that will help eliminate some of these false positives. Please stay tuned for this PR to be merged and released: #1412

Developer note: we should also re-evaluate our list of accepted top level domain strings: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/common/cpe/java.go#L16 -- need to look at Syft, too.
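The two vendor choices under discussion, the reporter's "consider the pom groupId" suggestion and the developer note about the accepted top-level-domain list, sketched as an added example in Go. This is not Syft's or Grype's code: the purl and the vulnerability CPE are copied from the issue, but the purl parser, the small set of reversed-domain labels that get stripped (`nz`, `co`, `com`, `org`, ...), the names `vendorFromGroupID`, `buildCPE`, `cpeMatches` and `evaluate`, and the simplified wildcard CPE comparison are assumptions of this example, and the real TLD list in syft's java.go is not reproduced. It shows that the name-based vendor collides with `cpe:2.3:a:mariadb:mariadb` while a groupId-derived vendor does not; version-range matching is left out because the collision happens at the vendor/product level.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Syft or Grype code: the vendor taken from the artifact name
// (what the issue shows) beside one derived from the pom groupId, each checked
// against the vulnerability CPE quoted in the issue.
// Inputs copied from the issue's SBOM entry and match record.
const (
	issuePurl = "pkg:maven/nz.co.solnet.labs.rhine/mariadb@0.3.0-SNAPSHOT"
	vulnCPE   = "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*"
)

// domainLabels is an assumed, deliberately small set of reversed-domain labels
// stripped from the front of a groupId; it is not the TLD list from the thread.
var domainLabels = map[string]bool{
	"com": true, "org": true, "net": true, "io": true, "edu": true,
	"nz": true, "co": true, "uk": true, "de": true, "au": true,
}

type MavenCoords struct{ GroupID, ArtifactID, Version string }

// parseMavenPurl accepts only "pkg:maven/<groupId>/<artifactId>@<version>";
// qualifiers and subpaths are rejected rather than guessed at.
func parseMavenPurl(purl string) (MavenCoords, error) {
	rest := strings.TrimPrefix(purl, "pkg:maven/")
	if rest == purl || strings.ContainsAny(rest, "?#") {
		return MavenCoords{}, fmt.Errorf("unsupported purl: %q", purl)
	}
	path, version, ok := strings.Cut(rest, "@")
	i := strings.LastIndex(path, "/")
	if !ok || version == "" || i <= 0 || i == len(path)-1 {
		return MavenCoords{}, fmt.Errorf("malformed maven purl: %q", purl)
	}
	return MavenCoords{path[:i], path[i+1:], version}, nil
}

// vendorFromGroupID drops leading reversed-domain labels ("nz", "co") and
// returns the next label ("solnet"), or "" when every label was a domain label.
func vendorFromGroupID(groupID string) string {
	labels := append(strings.Split(groupID, "."), "") // "" sentinel stops the loop
	for domainLabels[labels[0]] {
		labels = labels[1:]
	}
	return labels[0]
}

// buildCPE renders an application CPE 2.3 string with ANY in the trailing fields.
func buildCPE(vendor, product, version string) string {
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", vendor, product, version)
}

// cpeMatches is a simplified CPE comparison: an attribute matches when either
// side is "*" or both are equal ignoring case. Escaped colons are not handled
// (assumption: none in the inputs); version ranges are out of scope.
func cpeMatches(pkgCPE, vulnerabilityCPE string) (bool, error) {
	var attrs [2][]string
	for i, s := range []string{pkgCPE, vulnerabilityCPE} {
		f := strings.Split(s, ":")
		if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
			return false, fmt.Errorf("malformed cpe 2.3 string: %q", s)
		}
		attrs[i] = f[2:] // the 11 attributes after "cpe:2.3"
	}
	p, v := attrs[0], attrs[1]
	for i := range v {
		if v[i] != "*" && p[i] != "*" && !strings.EqualFold(v[i], p[i]) {
			return false, nil
		}
	}
	return true, nil
}

// evaluate maps each candidate CPE for the purl (name-based, then groupId-based
// when a vendor could be derived) to whether the vulnerability CPE matches it.
func evaluate(purl, vulnerabilityCPE string) (map[string]bool, error) {
	c, err := parseMavenPurl(purl)
	if err != nil {
		return nil, err
	}
	cpes := []string{buildCPE(c.ArtifactID, c.ArtifactID, c.Version)} // as in the issue
	if v := vendorFromGroupID(c.GroupID); v != "" {
		cpes = append(cpes, buildCPE(v, c.ArtifactID, c.Version)) // reporter's suggestion
	}
	out := map[string]bool{}
	for _, cpe := range cpes {
		if out[cpe], err = cpeMatches(cpe, vulnerabilityCPE); err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	out, err := evaluate(issuePurl, vulnCPE)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Running it prints the name-based CPE mapped to true (the false positive from the issue) and the groupId-based one mapped to false. The caveat a groupId-derived vendor carries is the converse risk: a genuine upstream artifact whose groupId does not reduce to the NVD vendor string (for example a groupId whose organisation label is spelled differently from the CPE vendor) would stop matching, which is why the stripping list and any vendor aliases need care rather than a one-line rule.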

@tgerla tgerla moved this to Backlog in OSS Sep 14, 2023