add new ignore and make upstream regex

Signed-off-by: github-actions <[email protected]>

cmd/grype/cli/commands/root.go

@@ -104,7 +104,7 @@ var ignoreVEXFixedNotAffected = []match.IgnoreRule{
 
 var ignoreLinuxKernelHeaders = []match.IgnoreRule{
 	{Package: match.IgnoreRulePackage{Name: "kernel-headers", UpstreamName: "kernel", Type: string(syftPkg.RpmPkg)}, MatchType: match.ExactIndirectMatch},
-	{Package: match.IgnoreRulePackage{Name: "linux-.*-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
+	{Package: match.IgnoreRulePackage{Name: "linux(-.*)?-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
 	{Package: match.IgnoreRulePackage{Name: "linux-libc-dev", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
 }
 

grype/match/ignore.go

@@ -215,7 +215,11 @@ func ifPackageLocationApplies(location string) ignoreCondition {
 func ifUpstreamPackageNameApplies(name string) ignoreCondition {
 	return func(match Match) bool {
 		for _, upstream := range match.Package.Upstreams {
-			if name == upstream.Name {
+			pattern, err := packageNameRegex(name)
+			if err != nil {
+				continue
+			}
+			if pattern.MatchString(upstream.Name) {
 				return true
 			}
 		}

grype/match/ignore_test.go

@@ -225,6 +225,30 @@ var (
 				},
 			},
 		},
+		// linux-like match, similar to what we see from debian\ubuntu
+		{
+			Vulnerability: vulnerability.Vulnerability{
+				ID:        "CVE-3",
+				Namespace: "fake-linux-vulns",
+				Fix: vulnerability.Fix{
+					State: vulnerability.FixStateUnknown,
+				},
+			},
+			Package: pkg.Package{
+				ID:      pkg.ID(uuid.NewString()),
+				Name:    "linux-azure-headers-generic",
+				Version: "5.2.1",
+				Type:    syftPkg.DebPkg,
+				Upstreams: []pkg.UpstreamPackage{
+					{Name: "linux-azure"},
+				},
+			},
+			Details: []Detail{
+				{
+					Type: ExactIndirectMatch,
+				},
+			},
+		},
 	}
 
 	// For testing the match-type and upstream ignore rules
@@ -540,6 +564,11 @@ func TestApplyIgnoreRules(t *testing.T) {
 						UpstreamName: "kernel",
 					},
 				},
+				{
+					Package: IgnoreRulePackage{
+						UpstreamName: "linux-.*",
+					},
+				},
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
@@ -555,6 +584,16 @@ func TestApplyIgnoreRules(t *testing.T) {
 						},
 					},
 				},
+				{
+					Match: kernelHeadersMatches[2],
+					AppliedIgnoreRules: []IgnoreRule{
+						{
+							Package: IgnoreRulePackage{
+								UpstreamName: "linux-.*",
+							},
+						},
+					},
+				},
 			},
 		},
 		{
@@ -595,6 +634,14 @@ func TestApplyIgnoreRules(t *testing.T) {
 					},
 					MatchType: ExactIndirectMatch,
 				},
+				{
+					Package: IgnoreRulePackage{
+						Name:         "linux-.*-headers-.*",
+						UpstreamName: "linux.*",
+						Type:         string(syftPkg.DebPkg),
+					},
+					MatchType: ExactIndirectMatch,
+				},
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
@@ -613,6 +660,19 @@ func TestApplyIgnoreRules(t *testing.T) {
 						},
 					},
 				},
+				{
+					Match: kernelHeadersMatches[2],
+					AppliedIgnoreRules: []IgnoreRule{
+						{
+							Package: IgnoreRulePackage{
+								Name:         "linux-.*-headers-.*",
+								UpstreamName: "linux.*",
+								Type:         string(syftPkg.DebPkg),
+							},
+							MatchType: ExactIndirectMatch,
+						},
+					},
+				},
 			},
 		},
 		{
@@ -627,6 +687,7 @@ func TestApplyIgnoreRules(t *testing.T) {
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
+				kernelHeadersMatches[2],
 			},
 			expectedIgnoredMatches: []IgnoredMatch{
 				{
@@ -677,7 +738,10 @@ func TestApplyIgnoreRules(t *testing.T) {
 					},
 				},
 			},
-			expectedRemainingMatches: []Match{kernelHeadersMatches[1]},
+			expectedRemainingMatches: []Match{
+				kernelHeadersMatches[1],
+				kernelHeadersMatches[2],
+			},
 			expectedIgnoredMatches: []IgnoredMatch{
 				{
 					Match: kernelHeadersMatches[0],