fix: upstream match for linux-.*-headers-.* (#2320)

Signed-off-by: Bar Nuri <[email protected]> Signed-off-by: tomersein <[email protected]> Co-authored-by: GGMU <[email protected]> Co-authored-by: tomersein <[email protected]>
anchore · Jan 15, 2025 · 5812bb8 · 5812bb8
1 parent 500f3b1
commit 5812bb8
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 3 deletions.
diff --git a/cmd/grype/cli/commands/root.go b/cmd/grype/cli/commands/root.go
@@ -104,7 +104,7 @@ var ignoreVEXFixedNotAffected = []match.IgnoreRule{
 
 var ignoreLinuxKernelHeaders = []match.IgnoreRule{
 	{Package: match.IgnoreRulePackage{Name: "kernel-headers", UpstreamName: "kernel", Type: string(syftPkg.RpmPkg)}, MatchType: match.ExactIndirectMatch},
-	{Package: match.IgnoreRulePackage{Name: "linux-.*-headers-.*", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
+	{Package: match.IgnoreRulePackage{Name: "linux(-.*)?-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
 	{Package: match.IgnoreRulePackage{Name: "linux-libc-dev", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
 }
 

diff --git a/grype/match/ignore.go b/grype/match/ignore.go
@@ -3,6 +3,7 @@ package match
 import (
 	"regexp"
 
+	"github.com/anchore/grype/internal/log"
 	"github.com/bmatcuk/doublestar/v2"
 )
 
@@ -213,9 +214,14 @@ func ifPackageLocationApplies(location string) ignoreCondition {
 }
 
 func ifUpstreamPackageNameApplies(name string) ignoreCondition {
+	pattern, err := packageNameRegex(name)
+	if err != nil {
+		log.WithFields("name", name, "error", err).Debug("unable to parse name expression")
+		return func(Match) bool { return false }
+	}
 	return func(match Match) bool {
 		for _, upstream := range match.Package.Upstreams {
-			if name == upstream.Name {
+			if pattern.MatchString(upstream.Name) {
 				return true
 			}
 		}

diff --git a/grype/match/ignore_test.go b/grype/match/ignore_test.go
@@ -225,6 +225,32 @@ var (
 				},
 			},
 		},
+		// linux-like match, similar to what we see from debian\ubuntu
+		{
+			Vulnerability: vulnerability.Vulnerability{
+				Reference: vulnerability.Reference{
+					ID:        "CVE-3",
+					Namespace: "fake-linux-vulns",
+				},
+				Fix: vulnerability.Fix{
+					State: vulnerability.FixStateUnknown,
+				},
+			},
+			Package: pkg.Package{
+				ID:      pkg.ID(uuid.NewString()),
+				Name:    "linux-azure-headers-generic",
+				Version: "5.2.1",
+				Type:    syftPkg.DebPkg,
+				Upstreams: []pkg.UpstreamPackage{
+					{Name: "linux-azure"},
+				},
+			},
+			Details: []Detail{
+				{
+					Type: ExactIndirectMatch,
+				},
+			},
+		},
 	}
 
 	// For testing the match-type and upstream ignore rules
@@ -540,6 +566,11 @@ func TestApplyIgnoreRules(t *testing.T) {
 						UpstreamName: "kernel",
 					},
 				},
+				{
+					Package: IgnoreRulePackage{
+						UpstreamName: "linux-.*",
+					},
+				},
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
@@ -555,6 +586,16 @@ func TestApplyIgnoreRules(t *testing.T) {
 						},
 					},
 				},
+				{
+					Match: kernelHeadersMatches[2],
+					AppliedIgnoreRules: []IgnoreRule{
+						{
+							Package: IgnoreRulePackage{
+								UpstreamName: "linux-.*",
+							},
+						},
+					},
+				},
 			},
 		},
 		{
@@ -595,6 +636,14 @@ func TestApplyIgnoreRules(t *testing.T) {
 					},
 					MatchType: ExactIndirectMatch,
 				},
+				{
+					Package: IgnoreRulePackage{
+						Name:         "linux-.*-headers-.*",
+						UpstreamName: "linux.*",
+						Type:         string(syftPkg.DebPkg),
+					},
+					MatchType: ExactIndirectMatch,
+				},
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
@@ -613,6 +662,19 @@ func TestApplyIgnoreRules(t *testing.T) {
 						},
 					},
 				},
+				{
+					Match: kernelHeadersMatches[2],
+					AppliedIgnoreRules: []IgnoreRule{
+						{
+							Package: IgnoreRulePackage{
+								Name:         "linux-.*-headers-.*",
+								UpstreamName: "linux.*",
+								Type:         string(syftPkg.DebPkg),
+							},
+							MatchType: ExactIndirectMatch,
+						},
+					},
+				},
 			},
 		},
 		{
@@ -627,6 +689,7 @@ func TestApplyIgnoreRules(t *testing.T) {
 			},
 			expectedRemainingMatches: []Match{
 				kernelHeadersMatches[1],
+				kernelHeadersMatches[2],
 			},
 			expectedIgnoredMatches: []IgnoredMatch{
 				{
@@ -677,7 +740,10 @@ func TestApplyIgnoreRules(t *testing.T) {
 					},
 				},
 			},
-			expectedRemainingMatches: []Match{kernelHeadersMatches[1]},
+			expectedRemainingMatches: []Match{
+				kernelHeadersMatches[1],
+				kernelHeadersMatches[2],
+			},
 			expectedIgnoredMatches: []IgnoredMatch{
 				{
 					Match: kernelHeadersMatches[0],