Conversation

@EternalDreamer01

Attempt to fix issue #5405

@ffontaine
Contributor

Adding r"(3\.\d+\.\d+)" for sqlite will raise many false positives (e.g. any file containing 3.0.0 will be detected as sqlite)

@ffontaine
Contributor

Same issue with libxml2 and "GITv([0-9]+\.[0-9]+\.[0-9]+)" which could raise false positives.
I would advocate making a regex with XML_ENTITY_REF_NODE.

@EternalDreamer01
Author

EternalDreamer01 commented Dec 4, 2025

I see, I wasn't sure of how it worked.
XML_ENTITY_REF_NODE is on the line below, and I don't know how it could be managed in your project.

@ffontaine
Contributor

You can manage it by adding a multi-line pattern which contains \r\n such as ([0-9]+\.[0-9]+\.[0-9]+)[a-z0-9>\-\r\n]*XML_ENTITY_REF_NODE.
I would also recommend splitting your PR into two different PRs: one for libxml2 and another for sqlite, as libxml2 is probably easier to handle.
You must also update /test/test_data/xml2.py instead of adding libraries in the lib directory.
Finally, dummy_vex_output and test.sbom must be removed as those files are unrelated to the PR.
You'll find useful information here:

@EternalDreamer01
Author

Alright I'm going to split my PR, first for libxml2.
However, there's no precompiled libxml2 to my knowledge, it has to be compiled from source, or pulled from an Android device/emulator.
So how can we proceed?
Thank you!

@ffontaine
Contributor

If no package can be downloaded, you can just copy/paste the pattern you want to detect in a new entry under mapping_test_data:

mapping_test_data = [
    ...
    {
        "product": "libxml2",
        "version": "2.9.9",
        "version_strings": ["20909-GITv2.9.9-rc2-2-g7c4949afa\n-->\nXML_ENTITY_REF_NODE"],
    }
]
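The two regex styles discussed in this thread side by side, as an added Python example that is not the project's own code: the broad version-only patterns fire on unrelated strings, while the multi-line pattern anchored on XML_ENTITY_REF_NODE only fires on the libxml2 sample from the mapping_test_data entry above. The sample strings and the find_versions/check_mapping helpers are constructed for this example.

```python
import re

# Constructed string dumps (not real binaries): one libxml2-like, one unrelated.
LIBXML2_STRINGS = "20909-GITv2.9.9-rc2-2-g7c4949afa\n-->\nXML_ENTITY_REF_NODE"
UNRELATED_STRINGS = "Copyright (c) 2020\nlibfoo version 3.0.0\nGITv1.2.3 build"

# The broad patterns the thread warns about: a bare version number
# or a git-describe prefix is not specific to sqlite or libxml2.
BROAD_SQLITE = re.compile(r"(3\.\d+\.\d+)")
BROAD_LIBXML2 = re.compile(r"GITv([0-9]+\.[0-9]+\.[0-9]+)")

# The suggested multi-line pattern: the version must be followed, across a run
# of characters that may include \r\n, by the libxml2-specific symbol name.
ANCHORED_LIBXML2 = re.compile(
    r"([0-9]+\.[0-9]+\.[0-9]+)[a-z0-9>\-\r\n]*XML_ENTITY_REF_NODE"
)

# Constructed entry in the shape of the mapping_test_data list shown above.
MAPPING_TEST_DATA = [
    {
        "product": "libxml2",
        "version": "2.9.9",
        "version_strings": ["20909-GITv2.9.9-rc2-2-g7c4949afa\n-->\nXML_ENTITY_REF_NODE"],
    }
]


def find_versions(pattern: re.Pattern, text: str) -> list[str]:
    """Return every version (capture group 1) that `pattern` finds in `text`."""
    return [m.group(1) for m in pattern.finditer(text)]


def check_mapping(entries: list[dict], pattern: re.Pattern) -> dict[str, bool]:
    """Per product: True if every version_string yields exactly the expected version."""
    return {
        e["product"]: all(
            find_versions(pattern, s) == [e["version"]] for s in e["version_strings"]
        )
        for e in entries
    }


if __name__ == "__main__":
    # The broad patterns produce false positives on the unrelated dump ...
    print(find_versions(BROAD_SQLITE, UNRELATED_STRINGS))     # ['3.0.0']
    print(find_versions(BROAD_LIBXML2, UNRELATED_STRINGS))    # ['1.2.3']
    # ... while the anchored pattern stays silent there and still finds libxml2.
    print(find_versions(ANCHORED_LIBXML2, UNRELATED_STRINGS)) # []
    print(check_mapping(MAPPING_TEST_DATA, ANCHORED_LIBXML2)) # {'libxml2': True}
```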
