From 5761275167e044a3f4b371e16d5a9acba56472bd Mon Sep 17 00:00:00 2001
From: github-actions
Date: Sun, 5 Jan 2025 15:56:59 +0200
Subject: [PATCH] add new ignore and make upstream regex

Signed-off-by: github-actions
---
 cmd/grype/cli/commands/root.go | 2 +-
 grype/match/ignore.go | 6 +++-
 grype/match/ignore_test.go | 66 +++++++++++++++++++++++++++++++++-
 3 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/cmd/grype/cli/commands/root.go b/cmd/grype/cli/commands/root.go
index 074e5308de6..9d03e6b7aa2 100644
--- a/cmd/grype/cli/commands/root.go
+++ b/cmd/grype/cli/commands/root.go
@@ -104,7 +104,7 @@ var ignoreVEXFixedNotAffected = []match.IgnoreRule{
 
 var ignoreLinuxKernelHeaders = []match.IgnoreRule{
 	{Package: match.IgnoreRulePackage{Name: "kernel-headers", UpstreamName: "kernel", Type: string(syftPkg.RpmPkg)}, MatchType: match.ExactIndirectMatch},
-	{Package: match.IgnoreRulePackage{Name: "linux-.*-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
+	{Package: match.IgnoreRulePackage{Name: "linux(-.*)?-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
 	{Package: match.IgnoreRulePackage{Name: "linux-libc-dev", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
 }
 
diff --git a/grype/match/ignore.go b/grype/match/ignore.go
index c0644551dd6..3f21d5c4644 100644
--- a/grype/match/ignore.go
+++ b/grype/match/ignore.go
@@ -215,7 +215,11 @@ func ifPackageLocationApplies(location string) ignoreCondition {
 func ifUpstreamPackageNameApplies(name string) ignoreCondition {
 	return func(match Match) bool {
 		for _, upstream := range match.Package.Upstreams {
-			if name == upstream.Name {
+			pattern, err := packageNameRegex(name)
+			if err != nil {
+				continue
+			}
+			if pattern.MatchString(upstream.Name) {
 				return true
 			}
 		}
diff --git a/grype/match/ignore_test.go b/grype/match/ignore_test.go
index 5b2365999ce..e0d84f807ac 100644
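Review bot: The `UpstreamName: "linux.*"` on the changed rule is now evaluated as a regular expression instead of being compared exactly (the ignore.go hunk in this commit makes that switch), and whether `linux.*` is anchored depends on `packageNameRegex`, which is not visible here. Because `ignoreLinuxKernelHeaders` is a built-in rule that silently suppresses findings, its intent and the matching semantics should be recorded on the declaration: `// Debian/Ubuntu kernel header packages (linux-headers-*, linux-<flavor>-headers-*) built from the linux source package; Name and UpstreamName are regexes, see packageNameRegex for anchoring.`. The whole `ignoreLinuxKernelHeaders` declaration is inside the hunk.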
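Review bot: A `name` that does not compile as a regex is swallowed by `continue` on every iteration, so a user-supplied upstream-name rule containing regex metacharacters (existing configs were written for exact comparison, and the change note says nothing about migration) now silently never ignores anything, and the compile is repeated for every upstream of every match. Compile once when the condition is built and make the failure visible — a condition that never matches plus a log line, or validation where ignore rules are loaded — rather than hiding it inside the loop. Whether `packageNameRegex` anchors the pattern is not visible here; if it does not, an upstream-name of `kernel` now also matches `kernel-rt`, which widens what gets suppressed and deserves a sentence in this function's doc comment. The closing `return false` of ifUpstreamPackageNameApplies lies outside the hunk.
```go
func ifUpstreamPackageNameApplies(name string) ignoreCondition {
	// compile once per rule, not once per upstream of every match
	pattern, err := packageNameRegex(name)
	return func(match Match) bool {
		if err != nil {
			// TODO(review): surface err (log here or reject when rules are loaded);
			// an invalid pattern must never match, but it should not fail silently
			return false
		}
		for _, upstream := range match.Package.Upstreams {
			if pattern.MatchString(upstream.Name) {
				return true
			}
		}
		// … unchanged: return false and closing braces …
```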
--- a/grype/match/ignore_test.go
+++ b/grype/match/ignore_test.go
@@ -225,6 +225,30 @@ var (
 				},
 			},
 		},
+		// linux-like match, similar to what we see from debian\ubuntu
+		{
+			Vulnerability: vulnerability.Vulnerability{
+				ID: "CVE-3",
+				Namespace: "fake-linux-vulns",
+				Fix: vulnerability.Fix{
+					State: vulnerability.FixStateUnknown,
+				},
+			},
+			Package: pkg.Package{
+				ID: pkg.ID(uuid.NewString()),
+				Name: "linux-azure-headers-generic",
+				Version: "5.2.1",
+				Type: syftPkg.DebPkg,
+				Upstreams: []pkg.UpstreamPackage{
+					{Name: "linux-azure"},
+				},
+			},
+			Details: []Detail{
+				{
+					Type: ExactIndirectMatch,
+				},
+			},
+		},
 	}
 
 	// For testing the match-type and upstream ignore rules
@@ -540,6 +564,11 @@ func TestApplyIgnoreRules(t *testing.T) {
 						UpstreamName: "kernel",
 					},
 				},
+				{
+					Package: IgnoreRulePackage{
+						UpstreamName: "linux-.*",
+					},
+				},
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
@@ -555,6 +584,16 @@ func TestApplyIgnoreRules(t *testing.T) {
 						},
 					},
 				},
+				{
+					Match: kernelHeadersMatches[2],
+					AppliedIgnoreRules: []IgnoreRule{
+						{
+							Package: IgnoreRulePackage{
+								UpstreamName: "linux-.*",
+							},
+						},
+					},
+				},
 			},
 		},
 		{
@@ -595,6 +634,14 @@ func TestApplyIgnoreRules(t *testing.T) {
 					},
 					MatchType: ExactIndirectMatch,
 				},
+				{
+					Package: IgnoreRulePackage{
+						Name: "linux-.*-headers-.*",
+						UpstreamName: "linux.*",
+						Type: string(syftPkg.DebPkg),
+					},
+					MatchType: ExactIndirectMatch,
+				},
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
@@ -613,6 +660,19 @@ func TestApplyIgnoreRules(t *testing.T) {
 						},
 					},
 				},
+				{
+					Match: kernelHeadersMatches[2],
+					AppliedIgnoreRules: []IgnoreRule{
+						{
+							Package: IgnoreRulePackage{
+								Name: "linux-.*-headers-.*",
+								UpstreamName: "linux.*",
+								Type: string(syftPkg.DebPkg),
+							},
+							MatchType: ExactIndirectMatch,
+						},
+					},
+				},
 			},
 		},
 		{
@@ -627,6 +687,7 @@ func TestApplyIgnoreRules(t *testing.T) {
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
+				kernelHeadersMatches[2],
 			},
 			expectedIgnoredMatches: []IgnoredMatch{
 				{
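Review bot: The ignore rules copied into the `-595` and `-613` hunks still use the old pattern `linux-.*-headers-.*`, while root.go in this same commit changes the built-in rule to `linux(-.*)?-headers-.*`, so the test no longer exercises the rule that ships; the new fixture `linux-azure-headers-generic` matches both patterns, which means the case the change was made for (a package whose name has no flavor segment before `-headers-`) has no coverage at all. Update both copies to `Name: "linux(-.*)?-headers-.*",` and add a fixture whose Name is of the constructed form `linux-headers-<version>` with upstream `linux`, or better, reference the shared rule slice so the test cannot drift from the default again. The enclosing `TestApplyIgnoreRules` starts and ends outside these hunks.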
@@ -677,7 +738,10 @@ func TestApplyIgnoreRules(t *testing.T) {
 					},
 				},
 			},
-			expectedRemainingMatches: []Match{kernelHeadersMatches[1]},
+			expectedRemainingMatches: []Match{
+				kernelHeadersMatches[1],
+				kernelHeadersMatches[2],
+			},
 			expectedIgnoredMatches: []IgnoredMatch{
 				{
 					Match: kernelHeadersMatches[0],