Django package CPE is not correct

[AndrewR777]

What happened:
Running the command:

syft --scope all-layers arenadata/adcm:latest -o cyclonedx-xml
the CPE of the Django packages is generated like this:
<cpe>cpe:2.3:a:django_software_foundation:python-Django:3.2.15:*:*:*:*:*:*:*</cpe>

In this way software like Dependency Track are not able to detect the vulnerability in NVD, based on the CPE. For example this vulnerability is not detected.

What you expected to happen:
The CPE of the Django package is generated like this
<cpe>cpe:2.3:a:djangoproject:django:3.2.15:*:*:*:*:*:*:*</cpe>

When the SBOM file will be imported into Dependency Track the vulnerability will be detected.

How to reproduce it:
Simply run the command
syft --scope all-layers arenadata/adcm:latest -o cyclonedx-xml

and check the value of generated CPE.

Environment:
syft 0.59.0

=================
And another related question: is there an internal file in syft, which I could edit to fix issues like this by myself?

[kzantow]

Thanks @AndrewR777 -- we are currently investigating some ways to improve CPE generation. This is a hard problem because CPEs are not especially consistent from NVD and often don't actually match information we've found. We'll keep you posted as this improves.

[tgerla]

@anchore/tools we may be able to solve this by adding the appropriate entry to https://github.com/anchore/syft/blob/v0.79.0/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go