feat(sbom): generate CPE for PM specific components#151
Merged
Conversation
Add github.com/facebookincubator/nvdtools (wfn subpackage) to build and validate CPE 2.3 identifiers for pm-managed components. wfn provides the Well-Formed CPE Name binding (BindToFmtString) and parser (UnbindFmtString) used by the new pkg/sbom/cpe package, which ports the vendor/product heuristics from Anchore syft without depending on the full syft module. Pulling all of syft was rejected because its dependency tree bumps docker/buildah to versions incompatible with werf's pinned forks. Net effect is a single new direct dependency. Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Add pkg/sbom/cpe, which infers CPE 2.3 identifiers for pm-managed components using vendor/product heuristics ported from Anchore syft on top of nvdtools/wfn: - URL-to-vendor extraction (github/gitlab owner, curated host prefixes) - curated vendor/product overrides (curl->haxx, brotli->google, ...) - upstream name normalization (strip -devel/-libs/-dev, stream version) - hyphen<->underscore delimiter variations and separator sub-selections - trailing-digit variations and known-vendor (apache) preference - specificity-based ordering Package binaries built by pm are typed pkg:generic in the SBOM; vulnerability scanners match those C/C++ components through CPE rather than purl, so without a CPE they get no CVE matches. The delimiter and sub-selection variations widen recall to the forms NVD actually records. os_pm attaches the most specific CPE to component.cpe and the remaining candidates as evidence.identity. pm components keep flowing through the external-reference resolver (which understands the containerFactoryVersion purl qualifier) — the CPE is additive and does not change that path. Copied heuristics carry Apache-2.0 attribution to syft; see NOTICE. Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
e84b4ba to
7eec323
Compare
nervgh
approved these changes
Jul 6, 2026
| return vendor | ||
| } | ||
|
|
||
| func uniqueStrings(values ...string) []string { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.