diff --git a/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go b/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
index 82e7ce784781..5481108f852a 100644
--- a/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
@@ -32,6 +32,12 @@ var defaultCandidateAdditions = buildCandidateLookup(
candidateKey{PkgName: "spring-core"},
candidateAddition{AdditionalProducts: []string{"spring_framework", "springsource_spring_framework"}, AdditionalVendors: []string{"pivotal_software", "springsource", "vmware"}},
},
+ {
+ // example image: docker.io/jenkins/jenkins:latest
+ pkg.JavaPkg,
+ candidateKey{PkgName: "spring-security-core"},
+ candidateAddition{AdditionalProducts: []string{"spring_security"}, AdditionalVendors: []string{"vmware"}},
+ },
{
// example image: docker.io/nuxeo:latest
pkg.JavaPkg,
diff --git a/syft/pkg/cataloger/common/cpe/generate_test.go b/syft/pkg/cataloger/common/cpe/generate_test.go
index e12ac50b65bc..4c8e4a3b4df2 100644
--- a/syft/pkg/cataloger/common/cpe/generate_test.go
+++ b/syft/pkg/cataloger/common/cpe/generate_test.go
@@ -768,6 +768,14 @@ func TestCandidateProducts(t *testing.T) {
},
expected: []string{"spring_framework", "springsource_spring_framework" /* <-- known good names | default guess --> */, "springframework"},
},
+ {
+ name: "spring-security-core",
+ p: pkg.Package{
+ Name: "spring-security-core",
+ Type: pkg.JavaPkg,
+ },
+ expected: []string{"spring-security-core", "spring_security", "spring_security_core"},
+ },
{
name: "java",
p: pkg.Package{
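Review bot: The new `spring-security-core` entry adds only the `vmware` vendor, while the `spring-core` entry directly above it also carries `pivotal_software` and `springsource`; if Spring Security's vendor history in the CPE dictionary mirrors the framework's (older advisories filed under pivotal_software, as far as I recall), the narrower list will miss those CPEs and the downstream matcher will report false negatives for exactly the package this mapping is meant to cover. After checking the dictionary, consider `candidateAddition{AdditionalProducts: []string{"spring_security"}, AdditionalVendors: []string{"pivotal_software", "vmware"}},` and mirror any vendor added here in the TestCandidateVendor expectation. The key is an exact PkgName match, so sibling artifacts such as spring-security-web or spring-security-config, which ship at the same version and are presumably also present in the jenkins image, get no mapping; adding keys for them would close the same gap. The defaultCandidateAdditions literal starts and ends outside the hunk.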
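Review bot: The expected list in the new `spring-security-core` case omits the `/* <-- known good names | default guess --> */` marker that every neighbouring case uses to separate the curated product from the heuristic guesses, so a reader cannot tell which of the three strings comes from the mapping and which from the default generator. Writing it as `expected: []string{"spring_security" /* <-- known good names | default guess --> */, "spring-security-core", "spring_security_core"},` keeps the convention; I assume the comparison is order-insensitive, since the sibling cases are not sorted either. TestCandidateProducts starts and ends outside the hunk.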
@@ -857,6 +865,14 @@ func TestCandidateVendor(t *testing.T) {
},
expected: []string{"elastic" /* <-- known good names | default guess --> */, "elasticsearch"},
},
+ {
+ name: "spring-security",
+ p: pkg.Package{
+ Name: "spring-security-core",
+ Type: pkg.JavaPkg,
+ },
+ expected: []string{"vmware" /* <-- known good names | default guess --> */, "spring", "spring-security", "spring-security-core", "spring_security_core", "spring_security"},
+ },
{
name: "log4j",
p: pkg.Package{
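Review bot: The new vendor case is named `"spring-security"` while the matching product case in TestCandidateProducts is named `"spring-security-core"`, although both exercise the same package; `name: "spring-security-core",` keeps the two aligned so a failure in one is easy to correlate with the other. The expected list also pins `vmware` as the only curated vendor, so any vendor later added to the candidate_by_package_type.go mapping (the neighbouring spring-core entry carries pivotal_software and springsource as well) must be reflected here or this test goes red. TestCandidateVendor starts and ends outside the hunk.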