sbom: work around grype matching unrelated packages with CPEs only

Starting with 0.91.1 grype will match a CVE if the component name matches
the ecosystem package, even if the CPE is unrelated.

Work around by setting "syft:package:type" for those components, which
for some reason makes it stop doing that.

Author: lazka

msys2_devtools/sbom.py

@@ -65,7 +65,9 @@ def generate_components(value) -> list[Component]:
     for cpe in cpes:
         name, version = parse_cpe(cpe)[2:4]
         assert isinstance(version, str) and isinstance(name, str)
-        component = Component(name=name, version=version, cpe=cpe, properties=properties)
+        # https://github.com/anchore/grype/issues/2618
+        cpe_properties = properties + [Property(name="syft:package:type", value="binary")]
+        component = Component(name=name, version=version, cpe=cpe, properties=cpe_properties)
         components.append(component)
 
     for purl in purls:

tests/test_sbom.py

@@ -58,3 +58,24 @@ def test_generate_components():
     assert components[0].version == "1.2.3"
     assert components[0].purl is None
     assert components[0].cpe == "cpe:/a:djangoproject:django:1.2.3"
+
+
+def test_grype_workaround():
+    # https://github.com/anchore/grype/issues/2618
+    srcinfo = {"mingw32": "pkgbase = foo\npkgver = 42"}
+    components = generate_components({"srcinfo": srcinfo, "extra": {"references": [
+        "cpe: cpe:/a:djangoproject:django:1.2.3"
+    ]}})
+    for property in components[0].properties:
+        if property.name == "syft:package:type":
+            assert property.value == "binary"
+            break
+    else:
+        assert False, "syft:package:type property not found"
+
+    components = generate_components({"srcinfo": srcinfo, "extra": {"references": [
+        "purl: pkg:pypi/django"
+    ]}})
+    assert all(
+        property.name != "syft:package:type" for property in components[0].properties
+    ), "syft:package:type property should not be present"