fix(scan): CPE matching for OpenJDK packages

Signed-off-by: Dan Luhring <[email protected]>
wolfi-dev · Jan 29, 2024 · 482ec68 · 482ec68
1 parent c4184e9
commit 482ec68
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/pkg/sbom/sbom.go b/pkg/sbom/sbom.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path"
+	"strings"
 
 	"github.com/anchore/syft/syft"
 	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
@@ -157,6 +158,23 @@ func generateCPEs(p pkg.Package) []cpe.CPE {
 		return []cpe.CPE{dictionaryCPE}
 	}
 
+	// TODO: This is a workaround for Syft not coming up with this CPE for OpenJDK
+	// 	packages. Some thought would be needed on the "right" way to implement this
+	// 	upstream, but it's more obvious how we can address this in wolfictl for our
+	// 	purposes.
+	//
+	//  Potentially related: https://github.com/anchore/syft/issues/2422
+	if strings.HasPrefix(p.Name, "openjdk-") {
+		return []cpe.CPE{
+			{
+				Part:    "a",
+				Vendor:  "oracle",
+				Product: "jdk",
+				Version: p.Version,
+			},
+		}
+	}
+
 	return cpegen.Generate(p)
 }