
SBOM CPE mismatch for Qt5 causes Grype to miss CVE matches #4036

@AndreasS-dot

Description:
When generating an SBOM with Syft, Qt libraries (e.g., Qt5Core.dll v5.15.17) are catalogued under the CPE cpe:2.3:a:qt:Qt5:<version>.... However, the NIST CPE dictionary only includes entries under cpe:2.3:a:qt:qt:<version>. As a result, Grype (which relies on the official CPE naming) fails to detect any CVEs for Qt 5.15.17, even though this version is within the affected range of CVE-2024-39936 and CVE-2025-30348.

Reproduction Steps:

  1. Build an SBOM with Syft for a project including Qt 5.15.17 binaries:
   syft packages dir:/path/to/bin -o sbom.json
  2. Scan the SBOM with Grype:
   grype sbom:sbom.json
  3. Observe that CVEs for Qt are not reported.
  4. Manually edit sbom.json, rename all cpe:qt:Qt5 to cpe:qt:qt, then re-scan:
   sed -i 's/qt:Qt5:/qt:qt:/g' sbom.json
   grype sbom:sbom.json

Vulnerabilities appear as expected.

Proposed Fix:

  • Syft: Normalize CPE product to qt instead of Qt5.
  • Or Grype: Support alias mapping, treating Qt5 as equivalent to qt.

References:
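As an added example (not Syft's or Grype's code, and not part of the issue above): a small Python script that applies the proposed alias mapping to a Syft JSON SBOM by parsing each CPE 2.3 string into its 13 fields instead of running sed over the whole file, so only the vendor and product fields are rewritten and escaped colons elsewhere in a CPE survive. The `CPE_PRODUCT_ALIASES` table, the `normalize_sbom` helper and `SAMPLE_SBOM` are constructed for illustration; the script assumes the Syft JSON layout of an `artifacts` array whose entries carry a `cpes` list, in either the plain-string form or the `{"cpe": ..., "source": ...}` object form, and treats anything else as unknown and leaves it untouched.

```python
"""Rewrite mismatched CPE product names in a Syft JSON SBOM before scanning with Grype.

Added example, not Syft/Grype code. Usage:
    python fix_cpes.py sbom.json > sbom.fixed.json
"""
from __future__ import annotations

import copy
import json
import sys

# Hypothetical alias table: (vendor, product as emitted by the SBOM tool) -> product
# name used in the NVD CPE dictionary. Keys are lower-case because the lookup
# lower-cases vendor and product first.
CPE_PRODUCT_ALIASES: dict[tuple[str, str], str] = {
    ("qt", "qt5"): "qt",
}


def split_cpe(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string on unescaped ':' only.

    CPE 2.3 escapes a literal colon inside a value as '\\:', so a naive
    str.split(':') would miscount fields for such entries.
    """
    parts: list[str] = []
    cur: list[str] = []
    escaped = False
    for ch in cpe:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_cpe(cpe: str) -> str:
    """Return the CPE with vendor/product lower-cased and aliases applied.

    A string that is not a well-formed 13-field 'cpe:2.3:...' value is
    returned unchanged rather than guessed at.
    """
    parts = split_cpe(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        return cpe
    vendor = parts[3].lower()
    product = parts[4].lower()
    parts[3] = vendor
    parts[4] = CPE_PRODUCT_ALIASES.get((vendor, product), product)
    return ":".join(parts)


def normalize_sbom(sbom: dict) -> tuple[dict, int]:
    """Return a copy of the SBOM with every artifact CPE normalized, plus the change count."""
    out = copy.deepcopy(sbom)
    changed = 0
    for artifact in out.get("artifacts", []):
        new_cpes = []
        for entry in artifact.get("cpes", []):
            if isinstance(entry, dict):  # newer Syft schema: {"cpe": ..., "source": ...}
                original = entry.get("cpe", "")
                fixed = normalize_cpe(original)
                new_cpes.append({**entry, "cpe": fixed})
            elif isinstance(entry, str):  # older Syft schema: bare strings
                original = entry
                fixed = normalize_cpe(original)
                new_cpes.append(fixed)
            else:  # unknown shape: keep as-is
                new_cpes.append(entry)
                continue
            if fixed != original:
                changed += 1
        artifact["cpes"] = new_cpes
    return out, changed


# Constructed sample SBOM (assumption: minimal Syft-like layout, both cpes forms).
SAMPLE_SBOM: dict = {
    "artifacts": [
        {"name": "Qt5Core.dll", "version": "5.15.17",
         "cpes": ["cpe:2.3:a:qt:Qt5:5.15.17:*:*:*:*:*:*:*"]},
        {"name": "zlib1.dll", "version": "1.2.13",
         "cpes": [{"cpe": "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*",
                   "source": "syft-generated"}]},
    ]
}


if __name__ == "__main__":
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    fixed_sbom, count = normalize_sbom(source)
    print(json.dumps(fixed_sbom, indent=2))
    print(f"rewrote {count} CPE(s)", file=sys.stderr)
```

Feed the output to `grype sbom:sbom.fixed.json`; the change count on stderr tells you whether the alias table actually fired, which a blanket sed does not. Extending `CPE_PRODUCT_ALIASES` is the same work a Grype-side alias map would do, so the table doubles as a list of what such a map would need to contain.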

Labels: bug, good-first-issue

Status: Done