fix: handling of product versions and vendor name guessing

[rhythmrx9]

removed use of ECOSYSTEM versions, and corrected vendor name guessing from package name.

fixes #3200
partial work on #3201

[terriko]

Looks like this breaks one test:

=========================== short test summary info ============================
FAILED test/test_source_osv.py::TestSourceOSV::test_format_data[cve_entries0] - AssertionError: assert [{'cve_id': '...n': '*', ...}] == [{'cve_id': '...n': '*', ...}]
  At index 0 diff: {'cve_id': 'CVE-2014-5461', 'vendor': 'unknown', 'product': 'lua5.1', 'version': '*', 'versionStartIncluding': '5.1.4-5', 'versionStartExcluding': '', 'versionEndIncluding': '5.1.4-5', 'versionEndExcluding': ''} != {'cve_id': 'CVE-2014-5461', 'vendor': 'unknown', 'product': 'lua5.1', 'version': '*', 'versionStartIncluding': '0', 'versionStartExcluding': '', 'versionEndIncluding': '', 'versionEndExcluding': '5.1.4-5+deb6u1'}
  Full diff:
    [
     {'cve_id': 'CVE-2014-5461',
      'product': 'lua5.1',
      'vendor': 'unknown',
      'version': '*',
  -   'versionEndExcluding': '5.1.4-5+deb6u1',
  -   'versionEndIncluding': '',
  ?              ^^
  +   'versionEndExcluding': '',
  ?              ^^
  +   'versionEndIncluding': '5.1.4-5',
      'versionStartExcluding': '',
  -   'versionStartIncluding': '0'},
  ?                             ^
  +   'versionStartIncluding': '5.1.4-5'},
  ?                             ^^^^^^^
    ]
FAILED test/test_source_osv.py::TestSourceOSV::test_format_data[cve_entries1] - AssertionError: assert [{'cve_id': '...n': '*', ...}] == []
  Left contains one more item: {'cve_id': 'CVE-2018-20133', 'product': 'ymlref', 'vendor': 'unknown', 'version': '*', ...}
  Full diff:
    [
  -  ,
  +  {'cve_id': 'CVE-2018-20133',
  +   'product': 'ymlref',
  +   'vendor': 'unknown',
  +   'version': '*',
  +   'versionEndExcluding': '',
  +   'versionEndIncluding': '0.1.1',
  +   'versionStartExcluding': '',
  +   'versionStartIncluding': '0.1.0'},
    ]
===== 2 failed, 1751 passed, 28 skipped, 25 warnings in 1374.70s (0:22:54) =====

I'm guessing it just needs an update but I admit I didn't dig into the numbers to see if the new ones made sense.

[gluesmith2021]

removed use of ECOSYSTEM versions, and corrected vendor name guessing from package name.

fixes #3200 fixes (#)3201

@rhythmrx9 @terriko Current code change does fix #3200, but not 3201 (that could be for another PR). Should the link to 3201 be removed from the description to avoid confusion?

[rhythmrx9]

@rhythmrx9 @terriko Current code change does fix #3200, but not 3201 (that could be for another PR). Should the link to 3201 be removed from the description to avoid confusion?

@gluesmith2021 removing ECOSYSTEM versions fixes a part of #3201, the other part is duplicated ranges which is now fixed by 4c59c11.

[codecov-commenter]

Codecov Report

Merging #3225 (4c59c11) into main (338e0cf) will decrease coverage by 5.31%.
Report is 14 commits behind head on main.
The diff coverage is 40.00%.

@@            Coverage Diff             @@
##             main    #3225      +/-   ##
==========================================
- Coverage   80.82%   75.51%   -5.31%     
==========================================
  Files         716      722       +6     
  Lines       11163    11211      +48     
  Branches     1497     1502       +5     
==========================================
- Hits         9022     8466     -556     
- Misses       1738     2415     +677     
+ Partials      403      330      -73     

Flag	Coverage Δ
longtests	75.51% <40.00%> (+0.02%)	⬆️
win-longtests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
test/test_source_osv.py	66.66% <ø> (ø)
cve_bin_tool/data_sources/osv_source.py	30.41% <40.00%> (-32.38%)	⬇️

... and 33 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[terriko]

Failing CVE scan test seems to be unrelated, so this looks good to go.

I've removed the thing for #3201 so it shouldn't auto-close (we'll have to do that manually later)