Improve handling of multiple vendors in package parsers #2798
Comments
For anyone wanting to work on this, the issue in the Java parser is raised by this line: cve-bin-tool/cve_bin_tool/parsers/java.py Line 30 in 6e139d3
Indeed, if there are multiple pairs in To fix this issue in the Python parser, I removed the cve-bin-tool/cve_bin_tool/parsers/java.py Line 73 in 6e139d3
but this is basically a noop as find_vendor will always return a single element.
I'm not sure that the other parsers are affected.
I'll try it out
@terriko @metabiswadeep I think all of the language parsers will have this issue and so will the sbom manager (#2685 and #1504 are relevant). I think we need to develop a generic get_vendor routine (probably within a separate class?) which returns the set of candidate vendors for a product. If we refactor cve-bin-tool to have a single routine throughout we can then incrementally enhance it with more heuristic vendor matching, e.g. we may need to also give the function a hint if we know that we are looking for a Python module, which may then reduce the potential vendors which are returned. Products such as openssl exist in many different forms and we may be able to reduce some false positive reporting.
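As an added illustration of the generic get_vendor idea above (example code, not cve-bin-tool's own implementation), the following shows a single-match find_vendor next to a routine that returns the full set of candidate vendors and narrows it with an ecosystem hint; the vendor table and all vendor names except "openssl" are constructed for the example.

```python
from typing import Optional

# Constructed stand-in for the vendor/product table cve-bin-tool derives from
# the NVD. Entries are (vendor, product, ecosystems): the set of package types
# the pairing is known to apply to, or None for "any". Vendor names other than
# "openssl" are made up for this example.
VENDOR_TABLE = [
    ("openssl", "openssl", None),
    ("pyopenssl_project", "openssl", {"python"}),   # constructed
    ("embedded_corp", "openssl", {"native"}),        # constructed
    ("jsonlib_org", "json", {"java"}),               # constructed
    ("json_project", "json", {"python"}),            # constructed
]


def find_vendor_legacy(product: str) -> Optional[str]:
    """Single-match behaviour: only the first vendor is returned, the rest are lost,
    so CVEs filed under the other vendors are never checked."""
    for vendor, prod, _ in VENDOR_TABLE:
        if prod == product:
            return vendor
    return None


def get_vendors(product: str, ecosystem: Optional[str] = None) -> set[str]:
    """Generic routine: every candidate vendor for a product.
    An ecosystem hint ("python", "java", ...) keeps pairings that apply to that
    ecosystem or to any ecosystem, trimming vendors that cannot be relevant."""
    candidates = set()
    for vendor, prod, ecosystems in VENDOR_TABLE:
        if prod != product:
            continue
        if ecosystem is None or ecosystems is None or ecosystem in ecosystems:
            candidates.add(vendor)
    return candidates


def parse_requirement(line: str, ecosystem: str) -> list[tuple[str, str, str]]:
    """Turn one 'name==version' requirement line into (vendor, product, version)
    triples, one per candidate vendor, so the scanner checks every pairing."""
    name, _, version = line.strip().partition("==")
    product = name.lower()
    return sorted((v, product, version) for v in get_vendors(product, ecosystem))


if __name__ == "__main__":
    for line in ["openssl==1.1.1", "json==2.0"]:  # constructed requirement lines
        print(line, "legacy:", find_vendor_legacy(line.split("==")[0]))
        print(line, "python:", parse_requirement(line, "python"))
```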
I have a fix for the SBOM manager which I will provide with the SBOM generation task.
Reopening this: we've fixed it for python and java, but no one's looked at the other parsers yet I don't think.
I'm pretty sure this was effectively solved as part of the PURL integration, so I'm going to close it now.
In #2796 @ffontaine has improved the python package parser to potentially match multiple vendors against a single product. I think we have a lot of other work to do in there with the metadata to handle better mapping than just searching a product name (see #2633) but for now I think just having the ability to find and use multiple vendors is an upgrade. @ffontaine mentioned that the Java parser in particular probably has the same problem as python did, it's likely that the others do as well.
This isn't quite a good first issue but it's likely a good second issue given that you can re-use the fix from #2796 (and maybe generalize?) for those of you who want something a bit bigger to work on.