From 7dfa436314d85bacf56e7dd41257741ada3c83a2 Mon Sep 17 00:00:00 2001
From: Eiji Ito
Date: Sat, 17 Aug 2024 04:13:06 +0900
Subject: [PATCH] Add "Alpine Linux" to IDMapping; handle no CPEs error in findApkPackage. (#2040)
* Add "Alpine Linux" to IDMapping; handle no CPEs error in findApkPackage.
Signed-off-by: Eiji Ito
* Remove unused errNoCPEs and update error handling in findApkPackage function.
Signed-off-by: Eiji Ito
* test: prove test fails without fix
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* fix: revert contributed fix
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: Eiji Ito
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Eiji Ito
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---
 grype/distro/type.go | 1 +
 grype/matcher/apk/matcher.go | 3 +-
 grype/matcher/apk/matcher_test.go | 80 +++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+), 1 deletion(-)
diff --git a/grype/distro/type.go b/grype/distro/type.go
index f079b6ea..587bc316 100644
--- a/grype/distro/type.go
+++ b/grype/distro/type.go
@@ -64,6 +64,7 @@ var IDMapping = map[string]Type{
 "centos": CentOS,
 "fedora": Fedora,
 "alpine": Alpine,
+ "Alpine Linux": Alpine,
 "busybox": Busybox,
 "amzn": AmazonLinux,
 "ol": OracleLinux,
diff --git a/grype/matcher/apk/matcher.go b/grype/matcher/apk/matcher.go
index b74aa1bb..f3bf4b40 100644
--- a/grype/matcher/apk/matcher.go
+++ b/grype/matcher/apk/matcher.go
@@ -146,8 +146,9 @@ func (m *Matcher) findApkPackage(store vulnerability.Provider, d *distro.Distro,
 return nil, err
 }
 
+ // TODO: are there other errors that we should handle here that causes this to short circuit
 cpeMatches, err := m.cpeMatchesWithoutSecDBFixes(store, d, p)
- if err != nil {
+ if err != nil && !errors.Is(err, search.ErrEmptyCPEMatch) {
 return nil, err
 }
 
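Review bot: The new key `"Alpine Linux"` is the only entry in this map that is not a lowercase os-release-style ID, so whether it is ever hit depends on what the caller passes: if the lookup normalizes the identifier (for example lowercases it) before indexing IDMapping this entry is unreachable, and if it does not, the entry silently relies on the exact casing of whichever source emits that display name. The commit does not record where the string comes from, so a short comment on the added line would save the next reader from guessing, e.g. `"Alpine Linux": Alpine, // distro name some sources report instead of the os-release ID "alpine"`. A test that resolves "Alpine Linux" through the same path the matchers use would pin this, since a key that never matches presumably leaves an Alpine image classified as an unknown distro and its secdb matches unreported.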
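Review bot: When `cpeMatchesWithoutSecDBFixes` returns `search.ErrEmptyCPEMatch`, the new condition falls through and the function keeps using whatever `cpeMatches` came back alongside the error; by Go convention that value is unspecified on a non-nil error, so the tolerated path should reset it explicitly rather than trust the callee. Tolerating exactly one sentinel via `errors.Is` is the right shape — a broader catch would turn real lookup failures into silent false negatives in a vulnerability scanner — so the added TODO would serve better as a statement of that intent, along the lines of `// an empty CPE set is expected for many apk packages and must not suppress secdb matches; any other error is a real lookup failure`. The rest of findApkPackage, including the later use of cpeMatches, lies outside the hunk, and the diffstat shows no import change, so `errors` and `search` are presumably already imported. Assuming cpeMatches is a slice, the restructured block below does the reset and keeps the sentinel check narrow.
```go
	cpeMatches, err := m.cpeMatchesWithoutSecDBFixes(store, d, p)
	if err != nil {
		if !errors.Is(err, search.ErrEmptyCPEMatch) {
			return nil, err
		}
		// no CPEs to search by: treat as zero CPE matches and keep the secdb matches
		cpeMatches = nil
	}
	// … unchanged: combination of secdb and CPE matches …
```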
diff --git a/grype/matcher/apk/matcher_test.go b/grype/matcher/apk/matcher_test.go
index 20767eb6..6b046024 100644
--- a/grype/matcher/apk/matcher_test.go
+++ b/grype/matcher/apk/matcher_test.go
@@ -635,6 +635,86 @@ func TestDistroMatchBySourceIndirection(t *testing.T) {
 assertMatches(t, expected, actual)
 }
 
+func TestSecDBMatchesStillCountedWithCpeErrors(t *testing.T) {
+ // this should match the test package
+ // the test package will have no CPE causing an error,
+ // but the error should not cause the secDB matches to fail
+ secDbVuln := grypeDB.Vulnerability{
+ ID: "CVE-2020-2",
+ VersionConstraint: "<= 1.3.3-r0",
+ VersionFormat: "apk",
+ Namespace: "secdb:distro:alpine:3.12",
+ }
+
+ store := mockStore{
+ backend: map[string]map[string][]grypeDB.Vulnerability{
+ "secdb:distro:alpine:3.12": {
+ "musl": []grypeDB.Vulnerability{secDbVuln},
+ },
+ },
+ }
+
+ provider, err := db.NewVulnerabilityProvider(&store)
+ require.NoError(t, err)
+
+ m := Matcher{}
+ d, err := distro.New(distro.Alpine, "3.12.0", "")
+ if err != nil {
+ t.Fatalf("failed to create a new distro: %+v", err)
+ }
+
+ p := pkg.Package{
+ ID: pkg.ID(uuid.NewString()),
+ Name: "musl-utils",
+ Version: "1.3.2-r0",
+ Type: syftPkg.ApkPkg,
+ Upstreams: []pkg.UpstreamPackage{
+ {
+ Name: "musl",
+ },
+ },
+ CPEs: []cpe.CPE{},
+ }
+
+ vulnFound, err := vulnerability.NewVulnerability(secDbVuln)
+ assert.NoError(t, err)
+
+ expected := []match.Match{
+ {
+
+ Vulnerability: *vulnFound,
+ Package: p,
+ Details: []match.Detail{
+ {
+ Type: match.ExactIndirectMatch,
+ Confidence: 1.0,
+ SearchedBy: map[string]interface{}{
+ "distro": map[string]string{
+ "type": d.Type.String(),
+ "version": d.RawVersion,
+ },
+ "package": map[string]string{
+ "name": "musl",
+ "version": p.Version,
+ },
+ "namespace": "secdb:distro:alpine:3.12",
+ },
+ Found: map[string]interface{}{
+ "versionConstraint": vulnFound.Constraint.String(),
+ "vulnerabilityID": "CVE-2020-2",
+ },
+ Matcher: match.ApkMatcher,
+ },
+ },
+ },
+ }
+
+ actual, err := m.Match(provider, d, p)
+ assert.NoError(t, err)
+
+ assertMatches(t, expected, actual)
+}
+
 func TestNVDMatchBySourceIndirection(t *testing.T) {
 nvdVuln := grypeDB.Vulnerability{
ID: "CVE-2020-1",
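Review bot: `vulnFound` is dereferenced as `*vulnFound` a few lines after `assert.NoError(t, err)`, so if `vulnerability.NewVulnerability` fails the test dies with a nil-pointer panic instead of the assertion message; the same applies after `m.Match`, where `assert.NoError` lets `assertMatches` run on a nil `actual`. Use `require.NoError(t, err)` at both sites, and for consistency replace the `t.Fatalf` after `distro.New` with `require.NoError(t, err)` as the `db.NewVulnerabilityProvider` line already does. The test's premise — that an empty `CPEs` list makes the CPE lookup return `search.ErrEmptyCPEMatch` — is only stated in the comment; a direct assertion that `m.cpeMatchesWithoutSecDBFixes(provider, d, p)` returns that sentinel for `p` would keep the test meaningful if that behaviour changes. There is also a stray blank line after the opening `{` of the `match.Match` literal.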