From 661e279d3d7f3f9d6643167d1cbde3a3eb7f8f3b Mon Sep 17 00:00:00 2001 From: Bar Nuri Date: Thu, 12 Dec 2024 09:57:48 +0200 Subject: [PATCH 1/3] fix upstream match for linux-.*-headers-.* Signed-off-by: Bar Nuri --- cmd/grype/cli/commands/root.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/grype/cli/commands/root.go b/cmd/grype/cli/commands/root.go index 255b33ac30d..2026bf38d4e 100644 --- a/cmd/grype/cli/commands/root.go +++ b/cmd/grype/cli/commands/root.go @@ -104,7 +104,7 @@ var ignoreVEXFixedNotAffected = []match.IgnoreRule{ var ignoreLinuxKernelHeaders = []match.IgnoreRule{ {Package: match.IgnoreRulePackage{Name: "kernel-headers", UpstreamName: "kernel", Type: string(syftPkg.RpmPkg)}, MatchType: match.ExactIndirectMatch}, - {Package: match.IgnoreRulePackage{Name: "linux-.*-headers-.*", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch}, + {Package: match.IgnoreRulePackage{Name: "linux-.*-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch}, {Package: match.IgnoreRulePackage{Name: "linux-libc-dev", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch}, } From 5761275167e044a3f4b371e16d5a9acba56472bd Mon Sep 17 00:00:00 2001 From: github-actions Date: Sun, 5 Jan 2025 15:56:59 +0200 Subject: [PATCH 2/3] add new ignore and make upstream regex Signed-off-by: github-actions --- cmd/grype/cli/commands/root.go | 2 +- grype/match/ignore.go | 6 +++- grype/match/ignore_test.go | 66 +++++++++++++++++++++++++++++++++- 3 files changed, 71 insertions(+), 3 deletions(-) diff --git a/cmd/grype/cli/commands/root.go b/cmd/grype/cli/commands/root.go index 074e5308de6..9d03e6b7aa2 100644 --- a/cmd/grype/cli/commands/root.go +++ b/cmd/grype/cli/commands/root.go 
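Review bot: On its own this commit turns the Debian headers rule into a no-op rather than widening it: at this point in the series `ifUpstreamPackageNameApplies` in grype/match/ignore.go still does `name == upstream.Name` (the line PATCH 2 removes), and no package has an upstream literally named `linux.*`, so the matches that the old `UpstreamName: "linux"` rule suppressed are no longer suppressed until the regex change lands. A bisect landing here would see a built-in ignore rule that silently does nothing. Reorder the series so the ignore.go change precedes this one, or squash both into a single commit, and say in the message that `UpstreamName` is now interpreted as a pattern. Because these rules suppress vulnerability findings, the intended breadth should also be stated beside the rule, e.g. `// UpstreamName is a pattern: Ubuntu flavour kernels report linux-<flavour> (linux-azure, linux-gcp, ...) as their upstream`.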
@@ -104,7 +104,7 @@ var ignoreVEXFixedNotAffected = []match.IgnoreRule{ var ignoreLinuxKernelHeaders = []match.IgnoreRule{ {Package: match.IgnoreRulePackage{Name: "kernel-headers", UpstreamName: "kernel", Type: string(syftPkg.RpmPkg)}, MatchType: match.ExactIndirectMatch}, - {Package: match.IgnoreRulePackage{Name: "linux-.*-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch}, + {Package: match.IgnoreRulePackage{Name: "linux(-.*)?-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch}, {Package: match.IgnoreRulePackage{Name: "linux-libc-dev", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch}, } diff --git a/grype/match/ignore.go b/grype/match/ignore.go index c0644551dd6..3f21d5c4644 100644 --- a/grype/match/ignore.go +++ b/grype/match/ignore.go @@ -215,7 +215,11 @@ func ifPackageLocationApplies(location string) ignoreCondition { func ifUpstreamPackageNameApplies(name string) ignoreCondition { return func(match Match) bool { for _, upstream := range match.Package.Upstreams { - if name == upstream.Name { + pattern, err := packageNameRegex(name) + if err != nil { + continue + } + if pattern.MatchString(upstream.Name) { return true } } diff --git a/grype/match/ignore_test.go b/grype/match/ignore_test.go index 5b2365999ce..e0d84f807ac 100644 --- a/grype/match/ignore_test.go +++ b/grype/match/ignore_test.go 
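Review bot: The widened `linux(-.*)?-headers-.*` rule carries no explanation of which package shapes it is meant to cover, and since every built-in entry in `ignoreLinuxKernelHeaders` silently drops vulnerability findings, the next reader needs to be able to check the breadth at a glance. The optional group presumably exists for the unflavoured Debian `linux-headers-<version>` name, which the previous `linux-.*-headers-.*` could not match because it required a `-` directly after `linux-`; that reasoning should be on the line. Suggested comment above the entry: `// Debian: linux-headers-<ver>; Ubuntu cloud kernels: linux-<flavour>-headers-<ver>, whose upstream is linux-<flavour> rather than linux`. Note also that the third entry keeps an exact-looking `UpstreamName: "linux"` while the field is now pattern-matched by ignore.go, so its effective breadth depends on whether `packageNameRegex` anchors the expression (not visible in this diff).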
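Review bot: `UpstreamName` silently changes from an exact comparison to a pattern here, and every existing user-supplied ignore rule inherits that change: if `packageNameRegex` does not anchor the expression (it is not shown in this diff, so confirm), a rule written as `UpstreamName: "kernel"` now also suppresses matches whose upstream is `kernel-rt` or anything else containing `kernel`, i.e. findings the user never intended to hide. Anchoring in `packageNameRegex`, or at least documenting the pattern semantics on the `IgnoreRulePackage.UpstreamName` field and in the release notes, keeps this from being a silent widening of suppression. Separately, the pattern is recompiled inside the loop for every upstream of every match, and a compile error is swallowed by `continue`, so a typo in a user rule produces a rule that never matches with no diagnostic; compile once when the condition is built and make the failure visible. The `return false` and closing braces of this function lie outside the hunk.
```go
func ifUpstreamPackageNameApplies(name string) ignoreCondition {
	// compile once per rule, not once per upstream of every match
	pattern, err := packageNameRegex(name)
	if err != nil {
		// NOTE(review): report this (validation error or log) instead of letting a
		// mistyped UpstreamName silently become a rule that never matches anything
		return func(Match) bool { return false }
	}
	return func(match Match) bool {
		for _, upstream := range match.Package.Upstreams {
			if pattern.MatchString(upstream.Name) {
				return true
			}
		}
		// … unchanged: return false and closing braces …
```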
@@ -225,6 +225,30 @@ var ( }, }, }, + // linux-like match, similar to what we see from debian\ubuntu + { + Vulnerability: vulnerability.Vulnerability{ + ID: "CVE-3", + Namespace: "fake-linux-vulns", + Fix: vulnerability.Fix{ + State: vulnerability.FixStateUnknown, + }, + }, + Package: pkg.Package{ + ID: pkg.ID(uuid.NewString()), + Name: "linux-azure-headers-generic", + Version: "5.2.1", + Type: syftPkg.DebPkg, + Upstreams: []pkg.UpstreamPackage{ + {Name: "linux-azure"}, + }, + }, + Details: []Detail{ + { + Type: ExactIndirectMatch, + }, + }, + }, } // For testing the match-type and upstream ignore rules @@ -540,6 +564,11 @@ func TestApplyIgnoreRules(t *testing.T) { UpstreamName: "kernel", }, }, + { + Package: IgnoreRulePackage{ + UpstreamName: "linux-.*", + }, + }, }, expectedRemainingMatches: []Match{ kernelHeadersMatches[1], @@ -555,6 +584,16 @@ func TestApplyIgnoreRules(t *testing.T) { }, }, }, + { + Match: kernelHeadersMatches[2], + AppliedIgnoreRules: []IgnoreRule{ + { + Package: IgnoreRulePackage{ + UpstreamName: "linux-.*", + }, + }, + }, + }, }, }, { @@ -595,6 +634,14 @@ func TestApplyIgnoreRules(t *testing.T) { }, MatchType: ExactIndirectMatch, }, + { + Package: IgnoreRulePackage{ + Name: "linux-.*-headers-.*", + UpstreamName: "linux.*", + Type: string(syftPkg.DebPkg), + }, + MatchType: ExactIndirectMatch, + }, }, expectedRemainingMatches: []Match{ kernelHeadersMatches[1], @@ -613,6 +660,19 @@ func TestApplyIgnoreRules(t *testing.T) { }, }, }, + { + Match: kernelHeadersMatches[2], + AppliedIgnoreRules: []IgnoreRule{ + { + Package: IgnoreRulePackage{ + Name: "linux-.*-headers-.*", + UpstreamName: "linux.*", + Type: string(syftPkg.DebPkg), + }, + MatchType: ExactIndirectMatch, + }, + }, + }, }, }, { @@ -627,6 +687,7 @@ func TestApplyIgnoreRules(t *testing.T) { }, expectedRemainingMatches: []Match{ kernelHeadersMatches[1], + kernelHeadersMatches[2], }, expectedIgnoredMatches: []IgnoredMatch{ { 
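Review bot: The rule checked in the `TestApplyIgnoreRules` case at `@@ -595,6 +634,14 @@` is `Name: "linux-.*-headers-.*"`, not the `linux(-.*)?-headers-.*` that root.go ships in this same commit, and the only Debian fixture added at `@@ -225,6 +225,30 @@` is `linux-azure-headers-generic` with upstream `linux-azure`; the unflavoured `linux-headers-<version>` name that the optional group was added for is therefore never exercised, and the two pattern literals can drift apart unnoticed. Use the same literal as root.go in the test (or reference the built-in rule list directly) and add a fixture such as `Name: "linux-headers-5.15.0-generic"` with `Upstreams: []pkg.UpstreamPackage{{Name: "linux"}}`, asserting it is ignored by the built-in rule. It would also be worth a fixture whose upstream merely contains `linux` (for example `linux-firmware`) with an assertion on whether the `"linux.*"` rule is expected to catch it, so the intended breadth of the pattern is pinned by a test rather than left to `packageNameRegex`.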
@@ -677,7 +738,10 @@ func TestApplyIgnoreRules(t *testing.T) { }, }, }, - expectedRemainingMatches: []Match{kernelHeadersMatches[1]}, + expectedRemainingMatches: []Match{ + kernelHeadersMatches[1], + kernelHeadersMatches[2], + }, expectedIgnoredMatches: []IgnoredMatch{ { Match: kernelHeadersMatches[0], From 144f4181a127be3eb8963d70e2e6df7ca1a98d15 Mon Sep 17 00:00:00 2001 From: tomersein Date: Sun, 5 Jan 2025 16:44:48 +0200 Subject: [PATCH 3/3] add new ignore and make upstream regex Signed-off-by: tomersein --- grype/match/ignore_test.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/grype/match/ignore_test.go b/grype/match/ignore_test.go index e0d84f807ac..414f60751e0 100644 --- a/grype/match/ignore_test.go +++ b/grype/match/ignore_test.go @@ -228,8 +228,10 @@ var ( // linux-like match, similar to what we see from debian\ubuntu { Vulnerability: vulnerability.Vulnerability{ - ID: "CVE-3", - Namespace: "fake-linux-vulns", + Reference: vulnerability.Reference{ + ID: "CVE-3", + Namespace: "fake-linux-vulns", + }, Fix: vulnerability.Fix{ State: vulnerability.FixStateUnknown, },
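Review bot: PATCH 3 should be squashed into PATCH 2 rather than carried as a separate commit with the identical subject line: the only change is moving `ID`/`Namespace` under `vulnerability.Reference`, which suggests the fixture as written in PATCH 2 does not compile against the current `vulnerability.Vulnerability` (inferred from the fixup, not visible here), leaving an intermediate commit where `go test ./grype/match` is broken. While squashing, the `Signed-off-by: github-actions` trailer on PATCH 2 should be replaced by a real contributor's sign-off, since a bot identity cannot certify the DCO for code it did not write. The corrected fixture itself is fine.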