fix: totals for vulnerability matches (#1359)

Signed-off-by: Keith Zantow <[email protected]>
anchore · Jun 26, 2023 · ab0a31a · ab0a31a
1 parent 5c5fb0e
commit ab0a31a
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 18 deletions.
diff --git a/grype/match/explicit_ignores.go b/grype/match/explicit_ignores.go
@@ -69,7 +69,7 @@ func init() {
 }
 
 // ApplyExplicitIgnoreRules Filters out matches meeting the criteria defined above and those within the grype database
-func ApplyExplicitIgnoreRules(provider ExclusionProvider, matches Matches) Matches {
+func ApplyExplicitIgnoreRules(provider ExclusionProvider, matches Matches) (Matches, []IgnoredMatch) {
 	var ignoreRules []IgnoreRule
 	ignoreRules = append(ignoreRules, explicitIgnoreRules...)
 
@@ -84,18 +84,5 @@ func ApplyExplicitIgnoreRules(provider ExclusionProvider, matches Matches) Match
 		ignoreRules = append(ignoreRules, r...)
 	}
 
-	matches, ignored := ApplyIgnoreRules(matches, ignoreRules)
-
-	if len(ignored) > 0 {
-		log.Debugf("Removed %d explicit vulnerability matches:", len(ignored))
-		for idx, i := range ignored {
-			branch := "├──"
-			if idx == len(ignored)-1 {
-				branch = "└──"
-			}
-			log.Debugf("  %s %s : %s", branch, i.Match.Vulnerability.ID, i.Package.PURL)
-		}
-	}
-
-	return matches
+	return ApplyIgnoreRules(matches, ignoreRules)
 }
diff --git a/grype/match/explicit_ignores_test.go b/grype/match/explicit_ignores_test.go
@@ -39,6 +39,7 @@ func Test_ApplyExplicitIgnoreRules(t *testing.T) {
 		typ      syftPkg.Type
 		matches  []cvePkg
 		expected []string
+		ignored  []string
 	}{
 		// some explicit log4j-related data:
 		// "CVE-2021-44228", "CVE-2021-45046", "GHSA-jfh8-c2jp-5v3q", "GHSA-7rjr-3q55-vv33",
@@ -69,6 +70,7 @@ func Test_ApplyExplicitIgnoreRules(t *testing.T) {
 				{"CVE-2021-44228", "log4j-core"},
 			},
 			expected: []string{"log4j-core"},
+			ignored:  []string{"log4j-api"},
 		},
 		{
 			name: "filters all matching CVEs and packages",
@@ -78,6 +80,7 @@ func Test_ApplyExplicitIgnoreRules(t *testing.T) {
 				{"GHSA-jfh8-c2jp-5v3q", "log4j-slf4j-impl"},
 			},
 			expected: []string{},
+			ignored:  []string{"log4j-api", "log4j-slf4j-impl"},
 		},
 		{
 			name: "filters invalid CVEs for protobuf Go module",
@@ -87,6 +90,7 @@ func Test_ApplyExplicitIgnoreRules(t *testing.T) {
 				{"CVE-2021-22570", "google.golang.org/protobuf"},
 			},
 			expected: []string{},
+			ignored:  []string{"google.golang.org/protobuf", "google.golang.org/protobuf"},
 		},
 		{
 			name: "keeps valid CVEs for protobuf Go module",
@@ -118,14 +122,24 @@ func Test_ApplyExplicitIgnoreRules(t *testing.T) {
 				})
 			}
 
-			filtered := ApplyExplicitIgnoreRules(p, matches)
+			filtered, ignores := ApplyExplicitIgnoreRules(p, matches)
 
 			var found []string
 			for match := range filtered.Enumerate() {
 				found = append(found, match.Package.Name)
 
 			}
 			assert.ElementsMatch(t, test.expected, found)
+
+			if len(test.ignored) > 0 {
+				var ignored []string
+				for _, i := range ignores {
+					ignored = append(ignored, i.Package.Name)
+				}
+				assert.ElementsMatch(t, test.ignored, ignored)
+			} else {
+				assert.Empty(t, ignores)
+			}
 		})
 	}
 }
diff --git a/grype/matcher/matchers.go b/grype/matcher/matchers.go
@@ -147,6 +147,8 @@ func FindMatches(store interface {
 	res := match.NewMatches()
 	matcherIndex, defaultMatcher := newMatcherIndex(matchers)
 
+	var ignored []match.IgnoredMatch
+
 	var d *distro.Distro
 	if release != nil {
 		d, err = distro.NewFromRelease(*release)
@@ -177,6 +179,10 @@ func FindMatches(store interface {
 			if err != nil {
 				log.Warnf("matcher failed for pkg=%s: %+v", p, err)
 			} else {
+				// Filter out matches based on records in the database exclusion table and hard-coded rules
+				filtered, ignores := match.ApplyExplicitIgnoreRules(store, match.NewMatches(matches...))
+				ignored = append(ignored, ignores...)
+				matches := filtered.Sorted()
 				logMatches(p, matches)
 				res.Add(matches...)
 				progressMonitor.VulnerabilitiesDiscovered.Add(int64(len(matches)))
@@ -189,8 +195,7 @@ func FindMatches(store interface {
 
 	logListSummary(progressMonitor)
 
-	// Filter out matches based off of the records in the exclusion table in the database or from the old hard-coded rules
-	res = match.ApplyExplicitIgnoreRules(store, res)
+	logIgnoredMatches(ignored)
 
 	return res
 }
@@ -216,6 +221,19 @@ func logListSummary(vl *monitor) {
 	}
 }
 
+func logIgnoredMatches(ignored []match.IgnoredMatch) {
+	if len(ignored) > 0 {
+		log.Debugf("Removed %d explicit vulnerability matches:", len(ignored))
+		for idx, i := range ignored {
+			branch := "├──"
+			if idx == len(ignored)-1 {
+				branch = "└──"
+			}
+			log.Debugf("  %s %s : %s", branch, i.Match.Vulnerability.ID, i.Package.PURL)
+		}
+	}
+}
+
 func updateVulnerabilityList(list *monitor, matches []match.Match, metadataProvider vulnerability.MetadataProvider) {
 	for _, m := range matches {
 		metadata, err := metadataProvider.GetMetadata(m.Vulnerability.ID, m.Vulnerability.Namespace)