fix: correct APK CPE version comparison logic

grype/matcher/apk/matcher.go

@@ -2,6 +2,7 @@ package apk
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/anchore/grype/grype/distro"
 	"github.com/anchore/grype/grype/match"
@@ -45,7 +46,8 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa
 
 func (m *Matcher) cpeMatchesWithoutSecDBFixes(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
 	// find CPE-indexed vulnerability matches specific to the given package name and version
-	cpeMatches, err := search.ByPackageCPE(store, p, m.Type())
+	cpePackage := cpeComparablePackage(p)
+	cpeMatches, err := search.ByPackageCPE(store, cpePackage, m.Type())
 	if err != nil {
 		return nil, err
 	}
@@ -101,6 +103,37 @@ cveLoop:
 	return finalCpeMatches, nil
 }
 
+func cpeComparablePackage(p pkg.Package) pkg.Package {
+	// clean the alpine package version so that it compares correctly with the CPE version comparison logic
+	// alpine versions are suffixed with -r{buildindex}; however, if left intact CPE comparison logic will
+	// incorrectly treat these as a pre-release.  In actuality, we just want to treat 1.2.3-r21 as equivalent to
+	// 1.2.3 for purposes of CPE-based matching since the alpine fix should filter out any cases where a later
+	// build fixes something that was vulnerable in 1.2.3
+	components := strings.Split(p.Version, "-r")
+	cpeComparableVersion := p.Version
+
+	if len(components) == 2 {
+		cpeComparableVersion = components[0]
+	}
+
+	if cpeComparableVersion == p.Version {
+		return p
+	}
+
+	t := p
+	t.CPEs = nil
+	t.CPEs = append(t.CPEs, p.CPEs...)
+
+	for index, cpe := range t.CPEs {
+		if cpe.Version == p.Version {
+			cpe.Version = cpeComparableVersion
+			t.CPEs[index] = cpe
+		}
+	}
+
+	return t
+}
+
 func deduplicateMatches(secDBMatches, cpeMatches []match.Match) (matches []match.Match) {
 	// add additional unique matches from CPE source that is unique from the SecDB matches
 	secDBMatchesByID := matchesByID(secDBMatches)

grype/matcher/apk/matcher_test.go

@@ -368,6 +368,81 @@ func TestNvdOnlyMatches(t *testing.T) {
 	assertMatches(t, expected, actual)
 }
 
+func TestNvdMatchesProperVersionFiltering(t *testing.T) {
+	nvdVulnMatch := grypeDB.Vulnerability{
+		ID:                "CVE-2020-1",
+		VersionConstraint: "<= 0.9.11",
+		VersionFormat:     "unknown",
+		CPEs:              []string{`cpe:2.3:a:lib_vnc_project-\(server\):libvncserver:*:*:*:*:*:*:*:*`},
+		Namespace:         "nvd:cpe",
+	}
+	nvdVulnNoMatch := grypeDB.Vulnerability{
+		ID:                "CVE-2020-2",
+		VersionConstraint: "< 0.9.11",
+		VersionFormat:     "unknown",
+		CPEs:              []string{`cpe:2.3:a:lib_vnc_project-\(server\):libvncserver:*:*:*:*:*:*:*:*`},
+		Namespace:         "nvd:cpe",
+	}
+	store := mockStore{
+		backend: map[string]map[string][]grypeDB.Vulnerability{
+			"nvd:cpe": {
+				"libvncserver": []grypeDB.Vulnerability{nvdVulnMatch, nvdVulnNoMatch},
+			},
+		},
+	}
+
+	provider, err := db.NewVulnerabilityProvider(&store)
+	require.NoError(t, err)
+
+	m := Matcher{}
+	d, err := distro.New(distro.Alpine, "3.12.0", "")
+	if err != nil {
+		t.Fatalf("failed to create a new distro: %+v", err)
+	}
+	p := pkg.Package{
+		ID:      pkg.ID(uuid.NewString()),
+		Name:    "libvncserver",
+		Version: "0.9.11-r10",
+		Type:    syftPkg.ApkPkg,
+		CPEs: []cpe.CPE{
+			cpe.Must("cpe:2.3:a:*:libvncserver:0.9.11:*:*:*:*:*:*:*"),
+		},
+	}
+
+	vulnFound, err := vulnerability.NewVulnerability(nvdVulnMatch)
+	assert.NoError(t, err)
+	vulnFound.CPEs = []cpe.CPE{cpe.Must(nvdVulnMatch.CPEs[0])}
+
+	expected := []match.Match{
+		{
+
+			Vulnerability: *vulnFound,
+			Package:       p,
+			Details: []match.Detail{
+				{
+					Type:       match.CPEMatch,
+					Confidence: 0.9,
+					SearchedBy: search.CPEParameters{
+						CPEs:      []string{"cpe:2.3:a:*:libvncserver:0.9.11:*:*:*:*:*:*:*"},
+						Namespace: "nvd:cpe",
+					},
+					Found: search.CPEResult{
+						CPEs:              []string{vulnFound.CPEs[0].BindToFmtString()},
+						VersionConstraint: vulnFound.Constraint.String(),
+						VulnerabilityID:   "CVE-2020-1",
+					},
+					Matcher: match.ApkMatcher,
+				},
+			},
+		},
+	}
+
+	actual, err := m.Match(provider, d, p)
+	assert.NoError(t, err)
+
+	assertMatches(t, expected, actual)
+}
+
 func TestNvdMatchesWithSecDBFix(t *testing.T) {
 	nvdVuln := grypeDB.Vulnerability{
 		ID:                "CVE-2020-1",