Fixing false negative vulnerabilities on macOS Homebrew python packages. (#17722)

#17061

Already merged into main: #17709

# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

Author: getvictor

changes/17061-homebrew-python

@@ -0,0 +1 @@
+Fixing false negative vulnerabilities on macOS Homebrew python packages.

server/vulnerabilities/nvd/cpe_test.go

@@ -1367,6 +1367,15 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 			// DO NOT MATCH with Cisco Umbrella
 			cpe: "",
 		},
+		{
+			software: fleet.Software{
+				Name:    "[email protected]",
+				Source:  "homebrew_packages",
+				Version: "3.9.18_2",
+				Vendor:  "",
+			},
+			cpe: `cpe:2.3:a:python:python:3.9.18_2:*:*:*:*:*:*:*`,
+		},
 	}
 
 	tempDir := t.TempDir()

server/vulnerabilities/nvd/sanitize.go

@@ -81,11 +81,13 @@ var langCodes = map[string]bool{
 // - Removing any extra spaces
 // - Lowercasing the name
 // - Removing parts from the bundle identifier
+// - Removing version contained in homebrew_packages name
 func sanitizeSoftwareName(s *fleet.Software) string {
 	archs := regexp.MustCompile(` \(?x64\)?|\(?64-bit\)?|\(?64bit\)?|\(?amd64\)? `)
 	ver := regexp.MustCompile(` \.?\(?(\d+\.)?(\d+\.)?(\*|\d+)\)?\s?`)
 	gen := regexp.MustCompile(` \(\w+\)\s?`)
 	comments := regexp.MustCompile(` (-|:)\s?.+`)
+	versions := regexp.MustCompile(`@\d+($|(\.\d+($|\..+)))`) // @3 or @3.9 or @3.9.18 or @3.9.18_2
 
 	r := strings.ToLower(s.Name)
 	r = strings.TrimSuffix(r, ".app")
@@ -119,6 +121,11 @@ func sanitizeSoftwareName(s *fleet.Software) string {
 	r = strings.Replace(r, ")", " ", -1)
 	r = strings.Join(strings.Fields(r), " ")
 
+	// Remove @<version> from homebrew names
+	if s.Source == "homebrew_packages" {
+		r = versions.ReplaceAllString(r, "")
+	}
+
 	return r
 }