Map product/vendor for homebrew "pass" package, skip "jira" python package as it has no CVEs (#25626)

For #25597. Needs to be QA'd pre-merge /cc @jmwatts 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality

changes/25597-false-positives

@@ -0,0 +1 @@
+* Resolved false-positives for the `pass` Homebrew package and `jira` Python package via a vulnerability feed update available to all Fleet versions on 2025-01-22

server/vulnerabilities/nvd/cpe_test.go

@@ -1314,6 +1314,14 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 				Version: "6.0.1",
 			}, cpe: "",
 		},
+		// 2025-01-20: there are no entries for the jira python package at the NVD dataset.
+		{
+			software: fleet.Software{
+				Name:    "jira",
+				Source:  "python_packages",
+				Version: "3.8.0",
+			}, cpe: "",
+		},
 		{ // checks vendor/product matching based on bundle name, including EAPs
 			software: fleet.Software{
 				Name:             "GoLand EAP.app",
@@ -1691,6 +1699,15 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 				BundleIdentifier: "",
 			}, cpe: "cpe:2.3:a:github:cli:2.61.0:*:*:*:*:macos:*:*",
 		},
+		{
+			software: fleet.Software{
+				Name:             "pass",
+				Source:           "homebrew_packages",
+				Version:          "1.7.4",
+				Vendor:           "",
+				BundleIdentifier: "",
+			}, cpe: "cpe:2.3:a:simple_password_store_project:simple_password_store:1.7.4:*:*:*:*:macos:*:*",
+		},
 	}
 
 	// NVD_TEST_CPEDB_PATH can be used to speed up development (sync cpe.sqlite only once).

server/vulnerabilities/nvd/cpe_translations.json

@@ -10,6 +10,16 @@
       "target_sw": ["macos", "mac_os"]
     }
   },
+  {
+    "software": {
+      "name": ["pass"],
+      "source": ["homebrew_packages"]
+    },
+    "filter": {
+      "product": ["simple_password_store"],
+      "vendor": ["simple_password_store_project"]
+    }
+  },
   {
     "software": {
       "name": ["/^ruby(@.*)?$/"],
@@ -92,6 +102,15 @@
       "vendor": ["docker"]
     }
   },
+  {
+    "software": {
+      "name": ["jira"],
+      "source": ["python_packages"]
+    },
+    "filter": {
+      "skip": true
+    }
+  },
   {
     "software": {
       "name": ["docker"],

server/vulnerabilities/nvd/cve_test.go

@@ -378,6 +378,9 @@ func TestTranslateCPEToCVE(t *testing.T) {
 		"cpe:2.3:a:iterm2:iterm2:3.5.2:*:*:*:*:*:*:*": {
 			includedCVEs: []cve{{ID: "CVE-2024-38395", resolvedInVersion: ""}},
 		},
+		"cpe:2.3:a:simple_password_store_project:simple_password_store:1.7.0:*:*:*:*:macos:*:*": {
+			includedCVEs: []cve{{ID: "CVE-2018-12356", resolvedInVersion: "1.7.2"}},
+		},
 	}
 
 	cveOSTests := []struct {