From 2566a7c772c2c79ea8f66d763d6853a377808c3b Mon Sep 17 00:00:00 2001
From: Weston Steimel
Date: Wed, 1 Mar 2023 13:55:40 +0000
Subject: [PATCH] fix: improved CPE-generation for several more APK packages (#1631)
* fix: correct vendor for musl
Signed-off-by: Weston Steimel
* fix: correct vendor for firefox and thunderbird
Signed-off-by: Weston Steimel
* fix: correct vendor/product for chromium
Signed-off-by: Weston Steimel
* fix: correct product for apache http server
Signed-off-by: Weston Steimel
* fix: correct product for tiff
Signed-off-by: Weston Steimel
* fix: correct vendor for ghostscript
Signed-off-by: Weston Steimel
* fix: correct vendor for openjpeg
Signed-off-by: Weston Steimel
* fix: correct vendor/product for xorg-server
Signed-off-by: Weston Steimel
* fix: correct vendor for podofo
Signed-off-by: Weston Steimel
* fix: correct vendor for wpa_supplicant
Signed-off-by: Weston Steimel
---------
Signed-off-by: Weston Steimel
---
 .../common/cpe/candidate_by_package_type.go | 60 +++++++++++++++++++
 .../cataloger/common/cpe/vendors_from_url.go | 4 ++
 2 files changed, 64 insertions(+)
diff --git a/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go b/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
index 7a5db9ccebe..edc9a0af451 100644
--- a/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
@@ -273,6 +273,66 @@ var defaultCandidateAdditions = buildCandidateLookup(
 candidateKey{PkgName: "libxpm"},
 candidateAddition{AdditionalVendors: []string{"libxpm_project"}},
 },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "musl"},
+ candidateAddition{AdditionalVendors: []string{"musl-libc"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "firefox"},
+ candidateAddition{AdditionalVendors: []string{"mozilla"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "firefox-esr"},
+ candidateAddition{AdditionalVendors: []string{"mozilla"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "thunderbird"},
+ candidateAddition{AdditionalVendors: []string{"mozilla"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "chromium"},
+ candidateAddition{AdditionalVendors: []string{"google"}, AdditionalProducts: []string{"chrome"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "apache"},
+ candidateAddition{AdditionalProducts: []string{"http_server"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "tiff"},
+ candidateAddition{AdditionalProducts: []string{"libtiff"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "ghostscript"},
+ candidateAddition{AdditionalVendors: []string{"artifex"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "openjpeg"},
+ candidateAddition{AdditionalVendors: []string{"uclouvain"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "xorg-server"},
+ candidateAddition{AdditionalVendors: []string{"x.org"}, AdditionalProducts: []string{"x_server"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "podofo"},
+ candidateAddition{AdditionalVendors: []string{"podofo_project"}},
+ },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "wpa_supplicant"},
+ candidateAddition{AdditionalVendors: []string{"w1.fi"}},
+ },
 //
 // Binary packages
 {
diff --git a/syft/pkg/cataloger/common/cpe/vendors_from_url.go b/syft/pkg/cataloger/common/cpe/vendors_from_url.go
index 93267827487..9a981914248 100644
--- a/syft/pkg/cataloger/common/cpe/vendors_from_url.go
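Review bot: The twelve APK entries added to `defaultCandidateAdditions` in candidate_by_package_type.go come without a test: the diffstat lists only this file and vendors_from_url.go, so a later typo in a vendor such as `musl-libc` or `w1.fi` would silently change the generated CPEs and, with them, which vulnerability records a scanner can match. A table-driven case per package name that asserts the expected vendor and product candidates would pin them. The `chromium` and `xorg-server` entries set both a vendor and a product, and because the fields are named `Additional…` the name-derived candidates presumably stay in the set, so a one-line comment naming the intended pair, e.g. `// target CPE: google:chrome`, would tell the next reader which combination is the real one. The `buildCandidateLookup(` call begins and ends outside the hunk.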
+++ b/syft/pkg/cataloger/common/cpe/vendors_from_url.go
@@ -14,6 +14,10 @@ var (
 "https://www.ruby-lang.org/": {"ruby-lang"},
 "https://llvm.org/": {"llvm"},
 "https://www.isc.org/": {"isc"},
+ "https://musl.libc.org/": {"musl-libc"},
+ "https://www.mozilla.org/": {"mozilla"},
+ "https://www.x.org/": {"x.org"},
+ "https://w1.fi/": {"w1.fi"},
 }
 vendorExtractionPatterns = []*regexp.Regexp{
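Review bot: The four new keys only cover the exact `https://` spelling of each site, so a package whose metadata URL uses `http://` or omits `www.` (for example `https://mozilla.org/`) would get no vendor from this table; the lookup code is outside the hunk, so confirm whether it normalizes scheme and host before comparing. If the keys are compared as prefixes, the trailing `/` on each one is what stops a longer hostname from matching, and that is worth stating once above the map, e.g. `// keys are URL prefixes and must end in "/"`. The `var (` block begins and ends outside the hunk.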