Description
We recently had a case (see link above) where someone scanning their own SBOM with cve-bin-tool didn't get the scan results they were hoping for because their tool used a name that was basically `vendor-product`, and we treat the SBOM "name" as synonymous with product.
I already opened up a couple of issues about adding CPE and PURL support as a way to differentiate:
But I think there's also a certain amount of clever we could do with heuristics for vendor lookups if searching for "name" without changes doesn't work.
- try splitting on `-` and searching for the pieces (as seen in bug: libraries ignored by cve-bin-tool ? #2846, which was using an SBOM related to github repos)
- look at common patterns used in distro naming and remove prefixes that follow those patterns:
  - for example, looking at https://release-monitoring.org/project/3779 we can see that python-based projects might have `python-`, `python2-` or `py3-` as potential prefixes (probably `python3-` too for older installs?)
  - presumably there would be similar conventions for prefixes of packages in other environments such as rust or nodejs.
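As an added illustration of the fallback described above (this is example code, not cve-bin-tool's own implementation), the following generates the candidate lookups in the order they would be tried: the name as given, the name with a language prefix stripped, then the `vendor-product` split and the individual pieces. The prefix list and the `known` set used by `find_product` are constructed for the example.

```python
from typing import List, Optional, Set, Tuple

# Illustrative prefix list built from the python conventions noted above;
# other ecosystems (rust, nodejs) would need their own entries.
LANGUAGE_PREFIXES = ("python-", "python2-", "python3-", "py3-")

Candidate = Tuple[Optional[str], str]  # (vendor or None, product)


def strip_language_prefix(name: str) -> str:
    """Remove a known distro/language prefix, if one is present."""
    lowered = name.lower()
    for prefix in LANGUAGE_PREFIXES:
        if lowered.startswith(prefix) and len(lowered) > len(prefix):
            return lowered[len(prefix):]
    return lowered


def candidate_lookups(name: str) -> List[Candidate]:
    """Return (vendor, product) guesses in the order they should be tried.
    A vendor of None means 'search by product name only'."""
    candidates: List[Candidate] = []

    def add(vendor: Optional[str], product: str) -> None:
        if product and (vendor, product) not in candidates:
            candidates.append((vendor, product))

    lowered = name.lower()
    add(None, lowered)                      # 1. the SBOM name unchanged
    stripped = strip_language_prefix(lowered)
    add(None, stripped)                     # 2. with language prefix removed
    parts = [p for p in stripped.split("-") if p]
    if len(parts) >= 2:
        add(parts[0], "-".join(parts[1:]))  # 3. treat as vendor-product
        add(None, parts[-1])                # 4. last piece on its own
        add(None, parts[0])                 # 5. first piece on its own
    return candidates


def find_product(name: str, known: Set[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Try each candidate against `known`, a constructed stand-in for the
    (vendor, product) pairs the CVE database actually contains."""
    for vendor, product in candidate_lookups(name):
        for known_vendor, known_product in known:
            if known_product == product and vendor in (None, known_vendor):
                return (known_vendor, known_product)
    return None
```

A real lookup would also need to guard against over-matching: a short piece such as `parts[0]` on its own can match unrelated products, so those later candidates deserve a lower confidence than an exact name hit.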
I think this is going to be most important for SBOMs, but it's possible similar techniques would be useful in some of the language parsers. For the binary checkers we already have the `vendor, product` pair(s) explicitly set, so they wouldn't need changes.