fix: PURL to CPE conversion results in "UNKOWN" vendor when CPE is given

[weichslgartner]

Description

I have an SPDX SBOM which contains PURL and CPE data:

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: modules-deps
Creator: Tool: Zephyr SPDX builder
Created: 2025-01-15T16:30:07Z

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-mbedtls-deps

##### Package: mbedtls-deps

PackageName: mbedtls-deps
SPDXID: SPDXRef-mbedtls-deps
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:github/Mbed-TLS/[email protected]
FilesAnalyzed: false
PackageComment: Utility target; no files

if I scan this with cve-bin-tool 3.4 I get:

╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
└────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor  ┃ Product      ┃ Version ┃
┡━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━┩
│ UNKNOWN │ mbedtls-deps │ V3.6.0  │
└─────────┴──────────────┴─────────┘

So it seems that the PURL to CPE conversion failed to identify a vendor and overwrote a valid CPE which was present.
If I delete the PURL, it works as expected

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: modules-deps
Creator: Tool: Zephyr SPDX builder
Created: 2025-01-15T16:30:07Z

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-mbedtls-deps

##### Package: mbedtls-deps

PackageName: mbedtls-deps
SPDXID: SPDXRef-mbedtls-deps
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:*
FilesAnalyzed: false
PackageComment: Utility target; no files

Output:

┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ UNKNOWN (offline mode)         │ 1                   │ 0               │ 1                 │ 0              │ 0                  │ 2                │
└────────┴──────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭─────────────────╮
│  NewFound CVEs  │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ CVE Number     ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45157 │ NVD    │ MEDIUM   │ 5.1 (v3)             │
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45159 │ NVD    │ CRITICAL │ 9.8 (v3)             │
└────────┴──────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │      │          │
└────────┴──────────┴─────────┴──────┴──────────┘

With Version 3.3 it also works as expected (I assume there was something changed in the PURL to CPE Logic).

To reproduce

Steps to reproduce the behaviour:

1. Scan an SBOM which contains CPE and PURL for an component (e.g. cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:* and pkg:github/Mbed-TLS/[email protected]) with e.g. cve-bin-tool --sbom spdx --sbom-file modules-deps.spdx
2. Vendor will be identified as "UNKNOWN"
3. No CVEs will be identified

Expected behaviour: CVEs should be matched if CPEs are given in the SBOM
Actual behaviour: PURL to CPE fail to identify the correct vendor and still have a higher priority than the given CPE

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 3.4
Installed from pypi or github? Pypi
Operating system: Linux Ubuntu (Linux 5.4.0-204-generic #224-Ubuntu SMP)
Python version (e.g. python3 --version): Python 3.11.10
Running in any particular CI environment we should know about? no

Anything else?

Feel free to add any other context here.

[terriko]

Ugh, that is spectacularly not the behaviour we want. I think the correct behaviour here would be to provide both (and collapse appropriately if they yield the same thing so you don't get duplicate CVEs). Not sure when we'll get a fix in since I'm currently having some problems with cache updates that need fixing before any PRs will merge cleanly, but thank you for the report and hopefully we'll get to it soon!