fix: correct APK CPE version comparison logic #1165
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
An example illustrating this is CVE-2023-22795 is fixed for ruby 3.2.0 and therefore shouldn't show up, but since the -r6 is causing it to be treated as a pre-release, it currently gets pulled in Thanks to @luhring for the example! |
westonsteimel
force-pushed
the
fix-apk-matcher-cpe-version-comparison
branch
from
de25eb9 to
5af75a9
Compare
Previously, the -r{buildindex} suffix of APK package versions were
treated as pre-release versions per the fuzzy matcher logic; however,
these should be treated as equivalent to the release version for the
purposes of collecting CPE-based matches for APK packages.
We may want to make a similar change in syft to generate cleaner CPE
versions for APK packages, but making the change in grype corrects
behaviour for previously-generated SBOMs as well.
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel
force-pushed
the
fix-apk-matcher-cpe-version-comparison
branch
2 times, most recently
from
fbd914f to
94e8087
Compare
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel
force-pushed
the
fix-apk-matcher-cpe-version-comparison
branch
from
94e8087 to
8e7bdec
Compare
wagoodman
reviewed
Mar 8, 2023
grype/matcher/apk/matcher.go
Outdated
| @@ -45,7 +46,8 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa | |||
|
|
|||
| func (m *Matcher) cpeMatchesWithoutSecDBFixes(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) { | |||
| // find CPE-indexed vulnerability matches specific to the given package name and version | |||
| cpeMatches, err := search.ByPackageCPE(store, p, m.Type()) | |||
| cpePackage := cpeComparablePackage(p) | |||
| cpeMatches, err := search.ByPackageCPE(store, cpePackage, m.Type()) | |||
There was a problem hiding this comment.
we should be surfacing matches with the original package, the match details should have the necessary (mutated) details. This way we surface the vuln, the original package [from the SBOM as we understand it], and the match details showing what values were used in the search.
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel
force-pushed
the
fix-apk-matcher-cpe-version-comparison
branch
from
e85d572 to
98eca0f
Compare
wagoodman
approved these changes
Mar 8, 2023
This was referenced Mar 9, 2023
This was referenced Mar 28, 2023
This was referenced Apr 5, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, the -r{buildindex} suffix of APK package versions were treated as pre-release versions per the fuzzy matcher logic; however, these should be treated as equivalent to the release version for the purposes of collecting CPE-based matches for APK packages.
We may want to make a similar change in syft to generate cleaner CPE versions for APK packages, but making the change in grype corrects behaviour for previously-generated SBOMs as well.