Annotate where each CPE on a package is sourced from

[wagoodman]

Today we have a list of CPEs on a package, which classically have always been generated with logic tailored for each ecosystem:

"cpes": [
  "cpe:2.3:a:ansi-regex:ansi-regex:5.0.1:*:*:*:*:*:*:*",
  "cpe:2.3:a:ansi-regex:ansi_regex:5.0.1:*:*:*:*:*:*:*",
  "cpe:2.3:a:ansi_regex:ansi-regex:5.0.1:*:*:*:*:*:*:*",
  "cpe:2.3:a:ansi_regex:ansi_regex:5.0.1:*:*:*:*:*:*:*",
  "cpe:2.3:a:ansi:ansi-regex:5.0.1:*:*:*:*:*:*:*",
  "cpe:2.3:a:ansi:ansi_regex:5.0.1:*:*:*:*:*:*:*"
]

Since then a CPE index sourced from the NVD data has been added, which means that there is more than one way for a CPE to make it onto a package. Or, more specifically, if there is a single CPE on a package, it's unclear if that CPE was generated or if it was from the new index.

Also, there may be more places that we source this CPE information, say lifting from packaging metadata, other 3rd party indexes, etc. Ideally the SBOM should be able to represent where the information was sourced from without the consumer needing to guess this.

We could make a change to annotate CPEs with this information:

"cpes": [ 
  {
   "value": "cpe:2.3:a:ansi-regex:ansi-regex:5.0.1:*:*:*:*:*:*:*",
   "source": "auto-generated"
  },
  {
   "value": "cpe:2.3:a:ansi:ansi-regex:5.0.1:*:*:*:*:*:*:*",
   "source": "nvd-cpe-index"
  }
]

This proposal would necessarily be a breaking change, however, open to other ways to introduce this in a non-breaking way!

[willmurphyscode]

Or, more specifically, if there is a single CPE on a package, it's unclear if that CPE was generated or if it was from the new index.

@wagoodman I don't understand why the case where there is a single CPE is special. It looks like we append, even in cases where there is an exact match in the dictionary:

syft/internal/task/package_task_factory.go

Lines 112 to 117 in b0ab75f

	// generate CPEs (note: this is excluded from package ID, so is safe to mutate)
	// we might have binary classified CPE already with the package so we want to append here
	dictionaryCPE, ok := cpe.DictionaryFind(p)
	if ok {
	log.Tracef("used CPE dictionary to find CPE for %s package %q: %s", p.Type, p.Name, dictionaryCPE.BindToFmtString())
	p.CPEs = append(p.CPEs, dictionaryCPE)

So I think even if there are multiple CPEs on a package, it's unclear whether they were generated or whether one of them was found in the NVD CPE dictionary.

[willmurphyscode]

Note that this issue is connected #2529 - changing how Syft represents CPEs is probably also a good time to decouple the representation from an external library as well.