intel · ffontaine · Feb 24, 2025
diff --git a/cve_bin_tool/cvedb.py b/cve_bin_tool/cvedb.py
@@ -763,6 +763,34 @@ def update_vendors(self, cve_data):
 
         return updated_severity, updated_affected
 
+    def guess_purl(self, vendor, product, version):
+        query = """
+        SELECT
+            distinct purl
+        FROM purl2cpe
+        WHERE cpe like ?
+        """
+        cursor = self.db_open_and_get_cursor()
+        cursor.execute(query, ["%:" + vendor + ":" + product + ":%"])
+
+        # Prefer upstream purl (e.g., github, gitlab, sourceforge)
+        # over distribution specific purl (e.g. debian, ubuntu, fedora)
+        purl_entries = [x[0] for x in cursor.fetchall()]
+        preferred_upstream = [
+            vendor,
+            f"github/{vendor}",
+            f"gitlab/{vendor}",
+            f"sourceforge/{vendor}",
+            "github",
+            "gitlab",
+            "sourceforge",
+            "",
+        ]
+        for subs in preferred_upstream:
+            res = [i for i in purl_entries if f"pkg:{subs}" in i]
+            if res:
+                return res[0] + "@" + version
+
     def db_open_and_get_cursor(self) -> sqlite3.Cursor:
         """Opens connection to sqlite database, returns cursor object."""
 

diff --git a/cve_bin_tool/sbom_manager/generate.py b/cve_bin_tool/sbom_manager/generate.py
@@ -107,6 +107,8 @@ def generate_sbom(self) -> None:
                         else:
                             evidence = path
                         my_package.set_evidence(evidence)
+                if product_data.purl:
+                    my_package.set_purl(product_data.purl)
                 self.sbom_packages[
                     (
                         my_package.get_name(),

diff --git a/cve_bin_tool/version_scanner.py b/cve_bin_tool/version_scanner.py
@@ -269,8 +269,9 @@ def run_checkers(self, filename: str, lines: str) -> Iterator[ScanInfo]:
                             f"{file_path} matched {dummy_checker_name} {version} ({version_results.matched_filename=}, {version_results.matched_contains=})"
                         )
                         for vendor, product in checker.VENDOR_PRODUCT:
+                            purl = self.cve_db.guess_purl(vendor, product, version)
                             yield ScanInfo(
-                                ProductInfo(vendor, product, version),
+                                ProductInfo(vendor, product, version, purl),
                                 file_path,
                             )