Incorrect CPE for React

[Chormon]

What happened:
The project's SBOM was uploaded to DependencyTrack but was not matched with the related CVE. We double checked the CPE, and it was different from the CPE provided by NVD.

The generated CPE by Syft:
cpe:2.3:a:react:react:18.3.1:*:*:*:*:*:*:*

Provided CPE by NVD:
cpe:2.3:a:facebook:react:18.3.1:*:*:*:*:*:*:*

What you expected to happen:

Correct CPEs matching with NVD format.

Steps to reproduce the issue:

Scan a project's package-lock.yaml containing React version 18.3.1 with Syft version 1.42.1.

[kzantow]

Hey @Chormon this seems like a pretty important package to get right. We have a mechanism to add CPEs when Syft isn't able to extract the right one from contents. I think this would be a simple addition here