cyclonedx: use the github organisation as software vendor

the case of snappy from the test was a real problem where
false positive vulnerabilities for cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*
were reported, like for example CVE-2023-41330

nxdbom/__init__.py

@@ -613,7 +613,11 @@ def fmt_bom_cyclonedx_json(bom, software_path):
         elif pkginfo.kind == 'gem':
             purl_type = 'gem'
         else:
-            cpe = f'cpe:2.3:*:*:{pkginfo.name}:{pkginfo.version}:*:*:*:*:*:*:*'
+            cpe_vendor = '*'
+            parsed_url = urlparse(pkginfo.url)
+            if parsed_url.hostname == 'github.com':
+              cpe_vendor = parsed_url.path.split('/')[1]
+            cpe = f'cpe:2.3:*:{cpe_vendor}:{pkginfo.name}:{pkginfo.version}:*:*:*:*:*:*:*'
         purl = f'pkg:{purl_type}/{pkginfo.name}@{pkginfo.version}'
         component = {
             'name': pkginfo.name,

nxdbom/nxdbom_test.py

@@ -767,6 +767,10 @@ recipe = slapos.recipe.build:gitclone
 repository = https://lab.nexedi.com/nexedi/erp5
 revision = 1234abcd
 
+[snappy]
+recipe = slapos.recipe.cmmi
+url = https://github.com/google/snappy/archive/1.1.8.tar.gz
+
 [eggs]
 recipe = zc.recipe.egg
 _d = /ROOT/develop-eggs
@@ -827,7 +831,20 @@ eggs =
              'type': 'library',
              'version': '1.6.37',
          },
-    ]
+         {
+             'name': 'snappy',
+             'purl': 'pkg:generic/snappy@1.1.8',
+             'type': 'library',
+             'version': '1.1.8',
+             'cpe': 'cpe:2.3:*:google:snappy:1.1.8:*:*:*:*:*:*:*',
+             'externalReferences': [
+                 {
+                     'url': 'https://github.com/google/snappy/archive/1.1.8.tar.gz',
+                     'type': 'distribution',
+                 }
+             ],
+         },
+     ]
 
 
 # loading non-existing .installed.cfg -> error