Retain empty group for npm to perform strict search (#80)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "5.5.6"
+version = "5.5.7"
 description = "AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},

vdb/lib/db.py

@@ -205,12 +205,19 @@ def bulk_index_search(pkg_list):
         version = None
         # This key could be either a vendor|name or name
         vendor_idx_key = None
+        pkg_type = None
         if pkg.get("purl"):
             purl_obj = parse_purl(pkg.get("purl"))
+            # Retain empty group names
             vendor = purl_obj.get("namespace")
-            # Fallback to using type as the vendor
+            pkg_type = purl_obj.get("type")
             if not vendor:
-                vendor = purl_obj.get("type")
+                if pkg_type in ("npm",):
+                    # Search for empty vendor in the key
+                    vendor = ""
+                else:
+                    # Fallback to using type as the vendor
+                    vendor = pkg_type
             name = purl_obj.get("name")
             version = purl_obj.get("version")
         else:
@@ -222,7 +229,8 @@ def bulk_index_search(pkg_list):
         )
         version_list = None
         # If there is vendor information use it to perform strict search
-        if vendor:
+        # For ecosystem such as npm, always perform such a strict search to reduce false positives
+        if vendor or (pkg_type and pkg_type in ("npm",)):
             version_list = vendor_index_data.get(vendor_idx_key, [])
             store_pos_cve = pos_index_data.get(vendor_idx_key)
         else: