Filter CPE matches by target SW to reduce FPs #390

Closed
wagoodman opened this issue Aug 19, 2021 · 2 comments · Fixed by #810
Labels
enhancement New feature or request false-positive

Comments

@wagoodman
Contributor

If a CPE search results in a match against a CPE that has target SW specified, then check the package type and/or language against the value to see if it has any known incompatibilities (e.g. python package language matching against a vulnerability with a CPE that has a target SW of nodejs is probably wrong, so the match should be filtered out).

It cannot be assumed that target SW is specified; if not specified this filtering should be skipped.

Also, there are some odd permutations that may indeed be valid, for example, a java package wrapping a javascript package. It may be entirely valid for the vulnerability to have a CPE for nodejs even if the package is a java type. This needs to be explored more --is this contrived? or is this case prevalent?

@wagoodman wagoodman added enhancement New feature or request false-positive labels Aug 19, 2021
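As an added illustration of the filter proposed above (example code written for this page, not grype's own implementation): it pulls the target_sw attribute out of a CPE 2.3 formatted string, treats an unspecified value ("*" or "-") as "skip filtering", and only drops a match when the package language has a known-compatibility list that does not contain that target_sw. The `compatible` table, the function names and the sample CPEs are assumptions; odd-but-valid permutations such as a Java package wrapping a JavaScript one would be expressed as extra entries in that table.

```go
package main

import "strings"

// splitCPE23 splits a CPE 2.3 formatted string on unescaped colons; a literal
// colon inside a value is written "\:" and is kept with its escape.
func splitCPE23(cpe string) []string {
	var fields []string
	start := 0
	for i := 0; i < len(cpe); i++ {
		switch cpe[i] {
		case '\\':
			i++ // skip the escaped byte so an escaped ':' does not split
		case ':':
			fields = append(fields, cpe[start:i])
			start = i + 1
		}
	}
	return append(fields, cpe[start:])
}

// TargetSW returns the lowercased target_sw attribute (field index 10) of a
// CPE 2.3 string, or "" when it is malformed or target_sw is "*" (ANY) or "-" (NA).
func TargetSW(cpe string) string {
	f := splitCPE23(cpe)
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" || f[10] == "*" || f[10] == "-" {
		return ""
	}
	return strings.ToLower(f[10])
}

// compatible lists, per package language, the target_sw values that are not a
// mismatch. Constructed for this example; grype's real mapping may differ.
var compatible = map[string]map[string]bool{
	"python":     {"python": true},
	"javascript": {"node.js": true, "nodejs": true, "npm": true},
	"java":       {"java": true, "maven": true},
}

// ShouldFilter reports whether a CPE match should be dropped as a likely false
// positive: target_sw is specified and the package language is known not to
// match it. Unspecified target_sw or an unknown language never filters.
func ShouldFilter(pkgLanguage, cpe string) bool {
	tsw := TargetSW(cpe)
	known, ok := compatible[strings.ToLower(pkgLanguage)]
	if tsw == "" || !ok {
		return false
	}
	return !known[tsw]
}
```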
@westonsteimel
Contributor

I think this makes a lot of sense. There is at least an example of that scenario happening at #445 (comment)

I guess you could make it configurable?

@westonsteimel
Contributor

Another thing which might potentially be useful (and should probably be configurable on individual ecosystem matcher level) could be if we find an NVD match and that CVE has a GHSA for another ecosystem (and the ecosystem we're matching for is supported by GitHub) we filter it out. Hopefully that makes sense but if not I can try and explain it better.
