stop generating wildcard vendors

Add logic for parsing javascript and ruby package vendor candidates from url and author fields and stop generating wildcard vendor candidates Signed-off-by: Weston Steimel <[email protected]>
anchore · Mar 3, 2023 · 52cebc2 · 52cebc2
1 parent 47b5bb9
commit 52cebc2
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 7 deletions.
diff --git a/syft/pkg/cataloger/common/cpe/generate.go b/syft/pkg/cataloger/common/cpe/generate.go
@@ -93,13 +93,6 @@ func candidateVendors(p pkg.Package) []string {
 		}
 	}
 
-	// some ecosystems do not have enough metadata to determine the vendor accurately, in which case we selectively
-	// allow * as a candidate. Note: do NOT allow Java packages to have * vendors.
-	switch p.Language {
-	case pkg.Ruby, pkg.JavaScript:
-		vendors.addValue(wfn.Any)
-	}
-
 	switch p.MetadataType {
 	case pkg.RpmMetadataType:
 		vendors.union(candidateVendorsForRPM(p))
@@ -111,8 +104,15 @@ func candidateVendors(p pkg.Package) []string {
 		vendors.union(candidateVendorsForJava(p))
 	case pkg.ApkMetadataType:
 		vendors.union(candidateVendorsForAPK(p))
+	case pkg.NpmPackageJSONMetadataType:
+		vendors.union(candidateVendorsForJavascript(p))
 	}
 
+	// We should no longer be generating vendor candidates with these values ["" and "*"]
+	// (since CPEs will match any other value)
+	vendors.removeByValue("")
+	vendors.removeByValue("*")
+
 	// try swapping hyphens for underscores, vice versa, and removing separators altogether
 	addDelimiterVariations(vendors)
 

diff --git a/syft/pkg/cataloger/common/cpe/javascript.go b/syft/pkg/cataloger/common/cpe/javascript.go
@@ -0,0 +1,32 @@
+package cpe
+
+import "github.com/anchore/syft/syft/pkg"
+
+func candidateVendorsForJavascript(p pkg.Package) fieldCandidateSet {
+	if p.MetadataType != pkg.NpmPackageJSONMetadataType {
+		return nil
+	}
+
+	vendors := newFieldCandidateSet()
+	metadata, ok := p.Metadata.(pkg.NpmPackageJSONMetadata)
+	if !ok {
+		return nil
+	}
+
+	if metadata.Author != "" {
+		vendors.add(fieldCandidate{
+			value:                 normalizePersonName(stripEmailSuffix(metadata.Author)),
+			disallowSubSelections: true,
+		})
+	}
+
+	if metadata.URL != "" {
+		vendors.union(candidateVendorsFromURL(metadata.URL))
+	}
+
+	if metadata.Homepage != "" {
+		vendors.union(candidateVendorsFromURL(metadata.Homepage))
+	}
+
+	return vendors
+}
diff --git a/syft/pkg/cataloger/common/cpe/ruby.go b/syft/pkg/cataloger/common/cpe/ruby.go
@@ -17,5 +17,10 @@ func candidateVendorsForRuby(p pkg.Package) fieldCandidateSet {
 			disallowSubSelections: true,
 		})
 	}
+
+	if metadata.Homepage != "" {
+		vendors.union(candidateVendorsFromURL(metadata.Homepage))
+	}
+
 	return vendors
 }