Status: Closed
Labels: changelog-ignore (Don't include this issue in the release changelog), enhancement (New feature or request)
Description
What would you like to be added:
Cyclonedx report with CPE
Why is this needed:
The cyclone schema supports CPE and it will give a more precise output.
Some tools rely on CPE and do not consider pURL.
Additional context:
While the SPDX export includes CPE, it is not included in the cyclonedx export.
Proof:

```
$ docker run anchore/syft centos:8 --output spdx-json | grep cpe | wc -l
1904
$ docker run anchore/syft centos:8 --output cyclonedx-json | grep cpe | wc -l
0
```
An issue might be that there are multiple CPEs for one component:

```
PackageName: python3-dnf
SPDXID: SPDXRef-Package-rpm-python3-dnf
PackageVersion: 4.4.2-11.el8
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NONE
PackageLicenseDeclared: NONE
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:python3-dnf:python3-dnf:4.4.2-11.el8:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:python3-dnf:python3_dnf:4.4.2-11.el8:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:python3_dnf:python3-dnf:4.4.2-11.el8:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:python3_dnf:python3_dnf:4.4.2-11.el8:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:python3:python3-dnf:4.4.2-11.el8:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:python3:python3_dnf:4.4.2-11.el8:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:centos:python3-dnf:4.4.2-11.el8:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:centos:python3_dnf:4.4.2-11.el8:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:rpm/centos/python3-dnf@4.4.2-11.el8?arch=noarch
```
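Until the CycloneDX export carries CPEs, a consumer can check a CycloneDX SBOM for components lacking `cpe` and backfill them from the SPDX-JSON export of the same image, joining on purl. This is an added example, not syft's own code: the sample documents are constructed from the python3-dnf entry above, and because a CycloneDX component holds a single `cpe` string, the remaining CPEs are kept under an assumed property name (`x-cpe23`), which is not a CycloneDX or syft convention.

```python
import copy

# Assumed property name for CPEs beyond the first; not a CycloneDX or syft convention.
EXTRA_CPE_PROPERTY = "x-cpe23"

# Constructed sample inputs trimmed to the fields read below. CPE and purl values are the
# python3-dnf ones from the issue; field names follow the SPDX 2.2 / CycloneDX 1.4 JSON schemas.
SPDX_DOC = {"packages": [{
    "name": "python3-dnf", "versionInfo": "4.4.2-11.el8",
    "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:python3-dnf:python3-dnf:4.4.2-11.el8:*:*:*:*:*:*:*"},
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:centos:python3-dnf:4.4.2-11.el8:*:*:*:*:*:*:*"},
        {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:rpm/centos/python3-dnf@4.4.2-11.el8?arch=noarch"}]}]}
CDX_DOC = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "python3-dnf", "version": "4.4.2-11.el8",
     "purl": "pkg:rpm/centos/python3-dnf@4.4.2-11.el8?arch=noarch"}]}


def spdx_cpes_by_purl(spdx):
    """Map each SPDX package's purl to its list of CPE 2.3 identifiers (order preserved)."""
    result = {}
    for pkg in spdx.get("packages", []):
        refs = pkg.get("externalRefs", [])
        purls = [r["referenceLocator"] for r in refs if r.get("referenceType") == "purl"]
        cpes = [r["referenceLocator"] for r in refs if r.get("referenceType") == "cpe23Type"]
        if purls and cpes:
            result[purls[0]] = cpes
    return result


def components_missing_cpe(cdx):
    """Return the purl (or name) of every CycloneDX component without a `cpe` field."""
    return [c.get("purl") or c.get("name") for c in cdx.get("components", []) if not c.get("cpe")]


def backfill_cpes(cdx, spdx):
    """Return a copy of the CycloneDX doc with CPEs filled in from the SPDX export."""
    by_purl = spdx_cpes_by_purl(spdx)
    out = copy.deepcopy(cdx)  # never mutate the caller's SBOM
    for comp in out.get("components", []):
        cpes = by_purl.get(comp.get("purl"))
        if not cpes or comp.get("cpe"):
            continue  # no SPDX match for this purl, or the component already has a CPE
        comp["cpe"] = cpes[0]  # CycloneDX allows exactly one `cpe` string per component
        comp.setdefault("properties", []).extend(
            {"name": EXTRA_CPE_PROPERTY, "value": c} for c in cpes[1:])
    return out
```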