fix: PURL to CPE conversion results in "UNKOWN" vendor when CPE is given

[weichslgartner]

Description

I have an SPDX SBOM which contains PURL and CPE data:

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: modules-deps
Creator: Tool: Zephyr SPDX builder
Created: 2025-01-15T16:30:07Z

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-mbedtls-deps

##### Package: mbedtls-deps

PackageName: mbedtls-deps
SPDXID: SPDXRef-mbedtls-deps
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:github/Mbed-TLS/[email protected]
FilesAnalyzed: false
PackageComment: Utility target; no files

if I scan this with cve-bin-tool 3.4 I get:

╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
└────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor  ┃ Product      ┃ Version ┃
┡━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━┩
│ UNKNOWN │ mbedtls-deps │ V3.6.0  │
└─────────┴──────────────┴─────────┘

So it seems that the PURL to CPE conversion failed to identify a vendor and overwrote a valid CPE which was present.
If I delete the PURL, it works as expected

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: modules-deps
Creator: Tool: Zephyr SPDX builder
Created: 2025-01-15T16:30:07Z

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-mbedtls-deps

##### Package: mbedtls-deps

PackageName: mbedtls-deps
SPDXID: SPDXRef-mbedtls-deps
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:*
FilesAnalyzed: false
PackageComment: Utility target; no files

Output:

┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ UNKNOWN (offline mode)         │ 1                   │ 0               │ 1                 │ 0              │ 0                  │ 2                │
└────────┴──────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭─────────────────╮
│  NewFound CVEs  │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ CVE Number     ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45157 │ NVD    │ MEDIUM   │ 5.1 (v3)             │
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45159 │ NVD    │ CRITICAL │ 9.8 (v3)             │
└────────┴──────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │      │          │
└────────┴──────────┴─────────┴──────┴──────────┘

With Version 3.3 it also works as expected (I assume there was something changed in the PURL to CPE Logic).

To reproduce

Steps to reproduce the behaviour:

1. Scan an SBOM which contains CPE and PURL for an component (e.g. cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:* and pkg:github/Mbed-TLS/[email protected]) with e.g. cve-bin-tool --sbom spdx --sbom-file modules-deps.spdx
2. Vendor will be identified as "UNKNOWN"
3. No CVEs will be identified

Expected behaviour: CVEs should be matched if CPEs are given in the SBOM
Actual behaviour: PURL to CPE fail to identify the correct vendor and still have a higher priority than the given CPE

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 3.4
Installed from pypi or github? Pypi
Operating system: Linux Ubuntu (Linux 5.4.0-204-generic #224-Ubuntu SMP)
Python version (e.g. python3 --version): Python 3.11.10
Running in any particular CI environment we should know about? no

Anything else?

Feel free to add any other context here.

[terriko]

Ugh, that is spectacularly not the behaviour we want. I think the correct behaviour here would be to provide both (and collapse appropriately if they yield the same thing so you don't get duplicate CVEs). Not sure when we'll get a fix in since I'm currently having some problems with cache updates that need fixing before any PRs will merge cleanly, but thank you for the report and hopefully we'll get to it soon!

[AryanBakliwal]

@terriko I was trying to reproduce this and found something strange in parse.py
The order of preference is:

1. CPE 2.3 Identifiers
2. CPE 2.2
3. Package URLs (purl)
4. Name and Version from the SBOM (Vendor will be unspecified)

But at parse.py#L382, purl is checked before CPE 2.3 and CPE 2.2
It should be like this

# No ext-ref matches, return none
if decoded.get("cpe23Type") is not None:
    LOGGER.debug("Found CPE23")
    return decoded.get("cpe23Type")
elif decoded.get("cpe22Type") is not None:
    LOGGER.debug("Found CPE22")
    return decoded.get("cpe22Type")
elif decoded.get("purl") is not None:
    LOGGER.debug("Found PURL")
    return decoded.get("purl")
else:
    LOGGER.debug("Nothing found")
    return [None, None, None]

With this change, I get the correct output

╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┓
┃        ┃          ┃         ┃ Latest         ┃                ┃                ┃                ┃                ┃                ┃               ┃
┃        ┃          ┃         ┃ Upstream       ┃ CRITICAL CVEs  ┃ HIGH CVEs      ┃ MEDIUM CVEs    ┃                ┃ UNKNOWN CVEs   ┃ TOTAL CVEs    ┃
┃ Vendor ┃ Product  ┃ Version ┃ Stable Version ┃ Count          ┃ Count          ┃ Count          ┃ LOW CVEs Count ┃ Count          ┃ Count         ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ 3.6.2          │ 1              │ 0              │ 1              │ 0              │ 0              │ 2             │
└────────┴──────────┴─────────┴────────────────┴────────────────┴────────────────┴────────────────┴────────────────┴────────────────┴───────────────┘
╭─────────────────╮
│  NewFound CVEs  │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ CVE Number     ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45157 │ NVD    │ MEDIUM   │ 5.1 (v3)             │
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45159 │ NVD    │ CRITICAL │ 9.8 (v3)             │
└────────┴──────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │      │          │
└────────┴──────────┴─────────┴──────┴──────────┘
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━┩
└────────┴─────────┴─────────┘

[anthonyharrison]

@AryanBakliwal @terriko The emerging industry standard is to use PURLs over CPEs as CPE data is inconsistent and buggy. The order of evaluation should therefore be if there is a PURL to use this identifier in preference to a CPE. However, PURLs do not have a vendor associated with them so a vendor of UNKNOWN could be expected. If there is both PURL and CPE, the vendor from the CPE could be used.

Using CPEs in preference to PURLs will lead to many more vulnerabilities being missed, particularly for open source components.