fix: spdx sbom cpe bug

AryanBakliwal · AryanBakliwal · commit 4f87d884160f · 2025-03-17T06:54:48.000Z
Signed-off-by: Aryan Bakliwal &lt;aryanbakliwal12345@gmail.com&gt;
diff --git a/cve_bin_tool/sbom_manager/parse.py b/cve_bin_tool/sbom_manager/parse.py
@@ -262,24 +262,25 @@ def parse_cyclonedx_spdx(self) -> [(str, str, str)]:
             # If Package URL or CPE record found, use this data in preference to package data
             ext_ref = package.get("externalreference")
             if ext_ref is not None:
-                vendor, package_name, version = self.parse_ext_ref(ext_ref=ext_ref)
-
-            # For any data not found in CPE or the Package URL get from package data
-            if not vendor:
-                pass  # Because no vendor was detected then all vendors with this named package
-                # will be included in the output.
-
-            if not package_name:
-                package_name = package["name"]
-
-            if (not version) and (package.get("version") is not None):
-                version = package["version"]
-            elif version is None:
-                LOGGER.debug(f"No version found in {package}")
-
-            if version:
-                # Found at least package and version, save the results
-                modules.append([vendor, package_name, version])
+                external_references = self.parse_ext_ref(ext_ref=ext_ref)
+                # Store the data for each external reference
+                for vendor, package_name, version in external_references:
+                    # For any data not found in CPE or the Package URL get from package data
+                    if not vendor:
+                        pass  # Because no vendor was detected then all vendors with this named package
+                        # will be included in the output.
+
+                    if not package_name:
+                        package_name = package["name"]
+
+                    if (not version) and (package.get("version") is not None):
+                        version = package["version"]
+                    elif version is None:
+                        LOGGER.debug(f"No version found in {package}")
+
+                    if version:
+                        # Found at least package and version, save the results
+                        modules.append([vendor, package_name, version])
 
         LOGGER.debug(f"Parsed SBOM {self.filename} {modules}")
         return modules
@@ -320,7 +321,7 @@ def extract(self, swid: str) -> list[str]:
         # As some version numbers have leading 'v', it is removed
         return [item[0].strip(" "), item[1], item[2].upper().replace("V", "")]
 
-    def parse_ext_ref(self, ext_ref) -> (str | None, str | None, str | None):
+    def parse_ext_ref(self, ext_ref) -> list[tuple[str | None, str | None, str | None]]:
         """
         Parse external references in an SBOM to extract module information.
 
@@ -337,34 +338,40 @@ def parse_ext_ref(self, ext_ref) -> (str | None, str | None, str | None):
 
         """
         decoded = {}
+        results = []
         for ref in ext_ref:
             ref_type = ref[1]
             ref_string = ref[2]
+            if ref_type == "purl":
+                # Validation of purl is performed implicitly within the decode_purl function
+                decoded["purl"] = self.decode_purl(ref_string)
+
             if ref_type == "cpe23Type" and self.is_valid_string("cpe23", ref_string):
                 decoded["cpe23Type"] = decode_cpe23(ref_string)
 
-            elif ref_type == "cpe22Type" and self.is_valid_string("cpe22", ref_string):
+            if ref_type == "cpe22Type" and self.is_valid_string("cpe22", ref_string):
                 decoded["cpe22Type"] = decode_cpe22(ref_string)
 
-            elif ref_type == "purl":
-                # Validation of purl is performed implicitly within the decode_purl function
-                decoded["purl"] = self.decode_purl(ref_string)
-
         # No ext-ref matches, return none
         if decoded.get("purl") is not None:
             LOGGER.debug("Found PURL")
-            return decoded.get("purl")
-        elif decoded.get("cpe23Type") is not None:
+            results.append(decoded.get("purl"))
+
+        if decoded.get("cpe23Type") is not None:
             LOGGER.debug("Found CPE23")
-            return decoded.get("cpe23Type")
-        elif decoded.get("cpe22Type") is not None:
+            results.append(decoded.get("cpe23Type"))
+
+        if decoded.get("cpe22Type") is not None:
             LOGGER.debug("Found CPE22")
-            return decoded.get("cpe22Type")
-        else:
+            results.append(decoded.get("cpe22Type"))
+
+        if results == []:
             LOGGER.debug("Nothing found")
-            return [None, None, None]
+            results.append([None, None, None])
+
+        return results
 
-    def decode_purl(self, purl) -> (str | None, str | None, str | None):
+    def decode_purl(self, purl) -> tuple[str | None, str | None, str | None]:
         """
         Decode a Package URL (purl) to extract version information.
 
