feat: Use purl2cpe also for the sbom manager

[jloehel]

Description

It would be cool to identify the vendor based on the package url for SBOM inputs:

cve-bin-tool/cve_bin_tool/sbom_manager/parse.py

Lines 407 to 414 in 7cbac8f

	vendor = None # Because the vendor and product identifiers in the purl don't always align
	product = None # with the CVE DB, only the version is parsed.
	version = None
	# Process purl identifier
	purl_info = PackageURL.from_string(purl).to_dict()
	version = purl_info.get("version")
	return [vendor or None, product or None, version or None]

Right now this works only for checkers/parsers. Maybe moving find_vendor_from_purl to the CVEDB where it's accessible for the Parser and the SBOM manager.

Why?

To avoid false-positives in case there is no CPE available, just a package url.

Environment context (optional)

• I am using cve-bin-tool version 3.4 from pypi with python3.11 on linux
• I am using the cvedb and cvescan with custom sources and with a modified scanner which adds the results automatically to the input sbom (cyclonedx) with some extra information.

Anything else?

Something like that:

   46     async def decode_purl(self, string) -> (str | None, str | None, str | None):           
   47         purl = PackageURL.from_string(string)                                                  
   48         vendor = await self._cvedb.find_vendor_from_purl(purl)                                 
   49         return [vendor, None, purl.version or None]

  145     async def cpe2vendors(self, string):                                                   
  146         cpe = CPE(string)                                                                  
  147         for vendor in cpe.get_vendor():                                                    
  148             yield vendor                                                                   
  149                                                                                            
  150     async def find_vendor_from_purl(self, purl):                                           
  151         param1 = f"pkg:{purl.type}/{purl.name}"                                            
  152         param2 = f"pkg:{purl.type}/%/{purl.name}"                                          
  153                                                                                            
  154         query = """                                                                        
  155             SELECT cpe from purl2cpe WHERE purl LIKE ?                                     
  156             UNION                                                                          
  157             SELECT cpe from purl2cpe WHERE purl LIKE ?                                     
  158         """                                                                                
  159         try:                                                                               
  160             vendors = set()                                                                
  161             async with self.get_db() as db:                                                
  162                 async with db.execute(query, (param1, param2)) as cursor:                  
  163                     for row in await cursor.fetchall():                                    
  164                         async for vendor in self.cpe2vendors(row["cpe"]):                  
  165                             vendors.add(vendor)                                            
  166             return vendors                                                                 
  167         except Exception as err:                                                           
  168             logger.opt(exception=err).debug("Unable to access purl2cpe database.")         
  169             return None