Seeing "WARN some package(s) are missing CPEs" but it's not clear why

[luhring]

How to reproduce it (as minimally and precisely as possible):

$ grype cgr.dev/chainguard/go
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                                                                   sha256:8e217ba6d74dae0f00439c99cb6947ade1d900a599b13c3936b0b7687eb27b68
 ✔ Cataloged packages              [146 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
[0011]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
No vulnerabilities found

What you expected to happen:

Not to see the WARN message. It's not clear why this is showing up. If this method of scanning is subpar, I would've assumed Grype would try a better approach by default. I was also confused to see a reference to relying on CPEs, given Grype's awesome progress not to rely on CPEs!

Anything else we need to know?:

Environment:

• Output of grype version:
• OS (e.g: cat /etc/os-release or similar):

[willmurphyscode]

It looks like the packages with missing CPEs are being generated for golang executables?

syft -q -o json cgr.dev/chainguard/go | jq -rc '.artifacts[] | select(.cpes | type == "array" and length == 0) | { purl: .purl, language: .language, name: .name }'
{"purl":"pkg:golang/cmd/addr2line@(devel)","language":"go","name":"cmd/addr2line"}
{"purl":"pkg:golang/cmd/asm@(devel)","language":"go","name":"cmd/asm"}
{"purl":"pkg:golang/cmd/buildid@(devel)","language":"go","name":"cmd/buildid"}
{"purl":"pkg:golang/cmd/cgo@(devel)","language":"go","name":"cmd/cgo"}
{"purl":"pkg:golang/cmd/compile@(devel)","language":"go","name":"cmd/compile"}
{"purl":"pkg:golang/cmd/covdata@(devel)","language":"go","name":"cmd/covdata"}
{"purl":"pkg:golang/cmd/cover@(devel)","language":"go","name":"cmd/cover"}
{"purl":"pkg:golang/cmd/dist@(devel)","language":"go","name":"cmd/dist"}
{"purl":"pkg:golang/cmd/distpack@(devel)","language":"go","name":"cmd/distpack"}
{"purl":"pkg:golang/cmd/doc@(devel)","language":"go","name":"cmd/doc"}
{"purl":"pkg:golang/cmd/fix@(devel)","language":"go","name":"cmd/fix"}
{"purl":"pkg:golang/cmd/go@(devel)","language":"go","name":"cmd/go"}
{"purl":"pkg:golang/cmd/gofmt@(devel)","language":"go","name":"cmd/gofmt"}
{"purl":"pkg:golang/cmd/link@(devel)","language":"go","name":"cmd/link"}
{"purl":"pkg:golang/cmd/nm@(devel)","language":"go","name":"cmd/nm"}
{"purl":"pkg:golang/cmd/objdump@(devel)","language":"go","name":"cmd/objdump"}
{"purl":"pkg:golang/cmd/pack@(devel)","language":"go","name":"cmd/pack"}
{"purl":"pkg:golang/cmd/pprof@(devel)","language":"go","name":"cmd/pprof"}
{"purl":"pkg:golang/cmd/test2json@(devel)","language":"go","name":"cmd/test2json"}
{"purl":"pkg:golang/cmd/trace@(devel)","language":"go","name":"cmd/trace"}
{"purl":"pkg:golang/cmd/vet@(devel)","language":"go","name":"cmd/vet"}

@anchore/tools since CPE matching is off by default now for the Go ecosystem, except for stdlib, do you think we should try to make this warning conditional on the package type being from an ecosystem that's going to want CPEs? Or maybe turn this warning off?

Default golang matcher config is here:

grype/cmd/grype/cli/options/match.go

Lines 24 to 31 in a820759

	func defaultGolangConfig() golangConfig {
	return golangConfig{
	matcherConfig: matcherConfig{
	UseCPEs: false,
	},
	AlwaysUseCPEForStdlib: true,
	}
	}

Warning is raised here: https://github.com/anchore/grype/blob/a820759495f373180d3758fd2e95a823d5d5b28d/grype/pkg/package.go#L92C1-L94