syft
Debian packages CPE
What happened: Running the command:
syft packages redis:6.2.6-bullseye -o cyclonedx > redis-sbom.xml
the CPEs of the packages are generated with the pattern cpe:2.3:a:PACKAGE_NAME:PACKAGE_NAME:VERSION:*:*:*:*:*:*:*
like this
<cpe>cpe:2.3:a:dpkg:dpkg:1.20.9:*:*:*:*:*:*:*</cpe>
<purl>pkg:deb/debian/dpkg@1.20.9?arch=arm64&distro=debian-11</purl>
In this way, software like Dependency-Track is not able to detect the vulnerability. For example, this vulnerability is not detected.
What you expected to happen:
The CPEs of the packages are generated with the pattern cpe:2.3:a:VENDOR:PACKAGE_NAME:VERSION:*:*:*:*:*:*:*
like this
<cpe>cpe:2.3:a:debian:dpkg:1.20.9:*:*:*:*:*:*:*</cpe>
<purl>pkg:deb/debian/dpkg@1.20.9?arch=arm64&distro=debian-11</purl>
When the SBOM file is imported into Dependency-Track, the vulnerability will be detected. I tried patching the VENDOR token with debian (instead of dpkg) and everything seems to work well.
How to reproduce it (as minimally and precisely as possible): Simply run the command
syft packages redis:6.2.6-bullseye -o cyclonedx > redis-sbom.xml
and check the value of generated CPE.
Environment:
- syft 0.53.4
- macOS 12.4 Monterey
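The workaround the report describes (rewriting the VENDOR field of each Debian package's CPE to debian before importing the SBOM) can be applied as a post-processing step on the CycloneDX XML that syft emits. The script below is an added example, not code from syft or from the reporter; it assumes the SBOM is CycloneDX XML in any schema version (the namespace is detected from the root element), that the vendor to use is the distro namespace of the component's pkg:deb purl (debian here; other namespaces are mapped the same way, which is an assumption rather than something the report confirms), and that CPE 2.3 fields are separated by unescaped colons. The embedded sample BOM is constructed to mirror the dpkg entry from the report plus one non-Debian component that must be left untouched.

```python
import re
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample fragment of a CycloneDX SBOM (not real syft output):
# the dpkg component mirrors the report, the pypi component is a control.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>dpkg</name>
      <version>1.20.9</version>
      <cpe>cpe:2.3:a:dpkg:dpkg:1.20.9:*:*:*:*:*:*:*</cpe>
      <purl>pkg:deb/debian/dpkg@1.20.9?arch=arm64&amp;distro=debian-11</purl>
    </component>
    <component type="library">
      <name>requests</name>
      <version>2.25.1</version>
      <cpe>cpe:2.3:a:requests:requests:2.25.1:*:*:*:*:*:*:*</cpe>
      <purl>pkg:pypi/requests@2.25.1</purl>
    </component>
  </components>
</bom>
"""

# cpe, 2.3, part, vendor, product, version, update, edition, language,
# sw_edition, target_sw, target_hw, other
CPE23_FIELD_COUNT = 13
VENDOR_INDEX = 3


def split_cpe23(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string on unescaped colons and validate its shape."""
    fields = re.split(r"(?<!\\):", cpe.strip())
    if len(fields) != CPE23_FIELD_COUNT or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields


def rewrite_vendor(cpe: str, vendor: str) -> str:
    """Return the CPE with its vendor field replaced, all other fields untouched."""
    fields = split_cpe23(cpe)
    fields[VENDOR_INDEX] = vendor
    return ":".join(fields)


def purl_vendor(purl: str) -> Optional[str]:
    """For a pkg:deb purl return its namespace (e.g. 'debian'); None for other types.

    Assumption: the purl namespace is an acceptable CPE vendor for deb packages,
    which is what the report observed for debian.
    """
    m = re.match(r"^pkg:deb/([^/@?#]+)/", purl.strip())
    return m.group(1) if m else None


def fix_deb_cpes(bom_xml: str) -> Tuple[str, int]:
    """Rewrite the vendor of every CPE whose component carries a pkg:deb purl.

    Returns the serialised SBOM and the number of CPEs that were changed.
    """
    root = ET.fromstring(bom_xml)
    # Keep the document's default namespace on output instead of an ns0: prefix.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])

    changed = 0
    # {*} matches the element in any namespace (CycloneDX 1.2, 1.3, 1.4, ...).
    for comp in root.findall(".//{*}component"):
        purl_el = comp.find("{*}purl")
        cpe_el = comp.find("{*}cpe")
        if purl_el is None or cpe_el is None or not purl_el.text or not cpe_el.text:
            continue
        vendor = purl_vendor(purl_el.text)
        if vendor is None:
            continue  # not a Debian package: leave the CPE as syft produced it
        new_cpe = rewrite_vendor(cpe_el.text, vendor)
        if new_cpe != cpe_el.text:
            cpe_el.text = new_cpe
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Usage: python fix_deb_cpes.py redis-sbom.xml > redis-sbom-fixed.xml
    with open(sys.argv[1], encoding="utf-8") as fh:
        fixed, count = fix_deb_cpes(fh.read())
    sys.stdout.write(fixed)
    print(f"rewrote {count} CPE(s)", file=sys.stderr)
```

Only components whose purl is of type deb are touched, so the CPEs of language-ecosystem packages in the same image are unaffected, and a CPE that does not parse as a 13-field CPE 2.3 string raises rather than being silently mangled. The XML declaration is dropped by ElementTree's string serialisation; add it back if the consumer requires one.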
Hi @xpicio, sorry for the delay responding, and thank you for this report. I have reproduced it on my side. We will take a look as soon as we can, and get back to you if we need any more info. Thanks again!
Moved this over to our backlog for us to pick up when we have cycles - grype currently has a way where it does not use CPE for matching on debian packages (we use their official feed), but we recognize that this CPE is incorrect. When this gets picked up we'll try to find a better way to generate this CPE.
All PRs from the community are also welcome - tag me and I can help with the review if you want to take a stab at this =)