From 096d2b7bffbf725df4e8fec05ab235899dd77300 Mon Sep 17 00:00:00 2001
From: Weston Steimel
Date: Tue, 7 Mar 2023 15:18:44 +0000
Subject: [PATCH] fix: suppress some known incorrect vendor candidates for npm CPEs (#1659)

Signed-off-by: Weston Steimel
---
 .../common/cpe/candidate_by_package_type.go | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go b/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
index edc9a0af451..82e7ce78478 100644
--- a/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
@@ -350,6 +350,27 @@ var defaultCandidateRemovals = buildCandidateRemovalLookup(
 candidateKey{PkgName: "redis"},
 candidateRemovals{VendorsToRemove: []string{"redis"}},
 },
+ // NPM packages
+ {
+ pkg.NpmPkg,
+ candidateKey{PkgName: "redis"},
+ candidateRemovals{VendorsToRemove: []string{"redis"}},
+ },
+ {
+ pkg.NpmPkg,
+ candidateKey{PkgName: "php"},
+ candidateRemovals{VendorsToRemove: []string{"php"}},
+ },
+ {
+ pkg.NpmPkg,
+ candidateKey{PkgName: "delegate"},
+ candidateRemovals{VendorsToRemove: []string{"delegate"}},
+ },
+ {
+ pkg.NpmPkg,
+ candidateKey{PkgName: "docker"},
+ candidateRemovals{VendorsToRemove: []string{"docker"}},
+ },
 })

 // buildCandidateLookup is a convenience function for creating the defaultCandidateAdditions set
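Review bot: The four npm removals are added without any note on why each vendor is wrong and, going by the diffstat (one file changed), without a test case pinning them. Each entry drops the vendor for every npm package with that exact name, so a wrong or stale entry could silently hide a legitimate CPE match downstream; the rationale is worth recording, for example by replacing `// NPM packages` with `// NPM packages whose name matches the vendor of an unrelated product in the CPE dictionary; keeping that vendor yields false-positive matches`. A table-driven test asserting that an npm package named `redis`, `php`, `delegate` or `docker` no longer yields the same-named vendor candidate would keep the list from regressing. The new `redis` entry also repeats the key and removal of the entry just above it, whose package type lies outside the hunk, so a helper that takes several package types for one key could remove the duplication.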