False positive for libskba/gnupg with CVE-2022-3515

[geofffranks]

What happened:

The following sbom file results in gnupg 2.2.41-1 being flagged for CVE-2022-3515:

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "release/release.tgz#",
  "documentNamespace": "https://anchore.com/syft/dir/release/release.tgz--2b95c299-4508-4a8e-844b-c3ad866bcdc3",
  "creationInfo": {
    "licenseListVersion": "3.20",
    "creators": [
      "Organization: Anchore, Inc",
      "Tool: syft-0.82.0"
    ],
    "created": "2023-06-06T14:01:20Z"
  },
  "packages": [
    {
      "name": "gnupg",
      "SPDXID": "SPDXRef-Package-alpm-gnupg-b8eba40bdb51930f",
      "versionInfo": "2.2.41-1",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "acquired package info from ALPM DB: packages/msys2.tgz#/msys2/msys2-base-x86_64-20230526.tar.xz#/msys64/var/lib/pacman/local/gnupg-2.2.41-1/desc",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "LicenseRef-GPL",
      "copyrightText": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:gnupg:gnupg:2.2.41-1:*:*:*:*:*:*:*"
        }
      ]
    }
  ]
}

What you expected to happen:

This should not have been flagged. Per NIST, v2.2.41 is not affected.

How to reproduce it (as minimally and precisely as possible):

Take the above sbom, and run a grype sbom:my-sbom.json.

Anything else we need to know?:

Possibly related to #1158?
To generate the original sbom, we ran syft against msys2-base--x86_64-20230526

Environment:

grype version
Application:          grype
Version:              0.62.2
Syft Version:         v0.82.0
BuildDate:            2023-05-26T17:47:10Z
GitCommit:            77eb4bb53fa6a3c7fb9ae37aa35da456159dab57
GitDescription:       v0.62.2
Platform:             linux/amd64
GoVersion:            go1.19.9
Compiler:             gc
Supported DB Schema:  5

cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

[geofffranks]

Note: if we modify the "referenceLocator": "cpe:2.3:a:gnupg:gnupg:2.2.41-1:*:*:*:*:*:*:*" field in the SBOM to show 2.2.41, rather than 2.2.41-1, this is not flagged for CVE-2022-3515.

[kzantow]

Developer notes:

• We have currently disabled Arch distro search in distro: Disable support for Arch Linux #1152
• The SemVer matcher is treating the -1 at the end as a pre-release, so we probably want to do is add an ALPM version object (similar to Alpine, which has things like -r1) which understands how to compare without this being treated as a pre-release. See: https://github.com/anchore/grype/blob/main/grype/version/apk_constraint.go
• see the pacman release docs "When a new package version is first released, the release count starts at 1" https://wiki.archlinux.org/title/Talk:Arch_package_guidelines