**Related issue:** Resolves#41644
There are two cases that exist in the cpe database where this generic
logic could not be applied.
django from python_packages:
gofiber:django
djangoproject:django
npm from npm_packages:
microsoft:npm
npmjs:npm
These will require individual cve overrides that is outside the scope of
this task.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced CPE (Common Platform Enumeration) matching to reduce
non-deterministic vendor selection when multiple vendors exist for the
same software product. The algorithm now incorporates software ecosystem
information to ensure more accurate and consistent vulnerability
resolution across package types.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39899
This fix fixes the determinism issue by ordering the results, however,
it does not necessarily fix the correctness issue. Another bug opened
for that: https://github.com/fleetdm/fleet/issues/41644
That's why you see changes in `cpe_test.go` that may seem incorrect in
some cases. In reality the previous behavior was purely by coincidence
(based on insert order).
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed nondeterministic CPE matching when multiple candidates share the
same product name. CPE selection is now deterministic and prioritizes
matches based on vendor alignment with the software being analyzed.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
