From d9d6e354daa9b5c566e41b9865318827c3aeb8e7 Mon Sep 17 00:00:00 2001
From: prabhu
Date: Fri, 22 Dec 2023 09:44:25 +0000
Subject: [PATCH] Retain empty group for npm to perform strict search (#80)
Signed-off-by: Prabhu Subramanian
---
 pyproject.toml | 2 +-
 vdb/lib/db.py | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 4b89267..238a76f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "5.5.6"
+version = "5.5.7"
 description = "AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
 {name = "Team AppThreat", email = "cloud@appthreat.com"},
diff --git a/vdb/lib/db.py b/vdb/lib/db.py
index 32a2eee..fd9c859 100644
--- a/vdb/lib/db.py
+++ b/vdb/lib/db.py
@@ -205,12 +205,19 @@ def bulk_index_search(pkg_list):
 version = None
 # This key could be either a vendor|name or name
 vendor_idx_key = None
+pkg_type = None
 if pkg.get("purl"):
 purl_obj = parse_purl(pkg.get("purl"))
+# Retain empty group names
 vendor = purl_obj.get("namespace")
-# Fallback to using type as the vendor
+pkg_type = purl_obj.get("type")
 if not vendor:
-vendor = purl_obj.get("type")
+if pkg_type in ("npm",):
+# Search for empty vendor in the key
+vendor = ""
+else:
+# Fallback to using type as the vendor
+vendor = pkg_type
 name = purl_obj.get("name")
 version = purl_obj.get("version")
 else:
@@ -222,7 +229,8 @@ def bulk_index_search(pkg_list):
 )
 version_list = None
 # If there is vendor information use it to perform strict search
-if vendor:
+# For ecosystem such as npm, always perform such a strict search to reduce false positives
+if vendor or (pkg_type and pkg_type in ("npm",)):
 version_list = vendor_index_data.get(vendor_idx_key, [])
 store_pos_cve = pos_index_data.get(vendor_idx_key)
 else:
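Review bot: The one-element tuple `("npm",)` in `if pkg_type in ("npm",):` is the list of ecosystems that switch on strict (vendor-keyed) search, and the same literal is repeated in the second hunk of vdb/lib/db.py; hoisting it to a module-level constant such as `STRICT_GROUP_TYPES = ("npm",)` would keep the two branches from drifting apart when another ecosystem is added. The comment `# Retain empty group names` is placed above the `namespace` lookup, but the empty group is actually assigned in the `if not vendor:` branch below, so it reads better attached to `vendor = ""`. How `vendor_idx_key` is derived from an empty `vendor` is outside this hunk, so it is worth confirming that the index stored npm packages without a scope under the same empty-group key; if it did not, the strict path returns no matches for those packages rather than fewer false positives. bulk_index_search starts and ends outside the hunk.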
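Review bot: The new guard `pkg_type and pkg_type in ("npm",)` is redundant, because `None in ("npm",)` is already False; `if vendor or pkg_type in ("npm",):` expresses the same condition without the extra operand. The reason the second operand exists is that the first hunk sets `vendor = ""` for npm, which makes `if vendor` false on its own, and the added comment does not say so; a comment such as `# npm packages may carry an empty group, so key on the type to keep the strict lookup` would make the coupling to the earlier branch explicit. The loose-search `else:` branch and the rest of bulk_index_search continue outside the hunk.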