Update grype-db dependency, add some SLES tests (#413)

* Update grype-db dependency, add some SLES tests

Signed-off-by: Dan Palmer <dan.palmer@anchore.com>

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/adrg/xdg v0.2.1
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
-	github.com/anchore/grype-db v0.0.0-20210809130557-72ff1b90af67
+	github.com/anchore/grype-db v0.0.0-20210913215030-fe28197b36f1
 	github.com/anchore/stereoscope v0.0.0-20210817160504-0f4abc2a5a5a
 	github.com/anchore/syft v0.23.0
 	github.com/docker/docker v17.12.0-ce-rc1.0.20200309214505-aa6a9891b09c+incompatible

go.sum

@@ -125,8 +125,8 @@ github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/grype v0.14.1-0.20210702143224-05ade7bbbf70/go.mod h1:yPh9WHflzInB/INwPrDs2wLKmRsa8owAuojmv4K8H6I=
 github.com/anchore/grype-db v0.0.0-20210527140125-6f881b00e927/go.mod h1:XSlPf1awNrMpah+rHbWrzgUvnmWLgn/KkdicxERVClg=
-github.com/anchore/grype-db v0.0.0-20210809130557-72ff1b90af67 h1:JyK6DKtAWQ11jzzrvSe91gY07BW4I//IJQVdj5JKeIk=
-github.com/anchore/grype-db v0.0.0-20210809130557-72ff1b90af67/go.mod h1:Hx1keM12D75ZDD3kYVcSqBSg1NRSPtsF0bfWOdXa4E0=
+github.com/anchore/grype-db v0.0.0-20210913215030-fe28197b36f1 h1:Jr7IuHtpd2mIktOzhcr014boySty6AzVwp+pJF6Iet0=
+github.com/anchore/grype-db v0.0.0-20210913215030-fe28197b36f1/go.mod h1:GniMuMokZ2iAX67Qrd5fJW7BstX8a+4U48LyypGC2g0=
 github.com/anchore/stereoscope v0.0.0-20210524175238-3b7662f3a66f/go.mod h1:vhh1M99rfWx5ejMvz1lkQiFZUrC5wu32V12R4JXH+ZI=
 github.com/anchore/stereoscope v0.0.0-20210524175238-3b7662f3a66f/go.mod h1:vhh1M99rfWx5ejMvz1lkQiFZUrC5wu32V12R4JXH+ZI=
 github.com/anchore/stereoscope v0.0.0-20210817160504-0f4abc2a5a5a h1:RQb+Gft1MKxjDfJCnHP/f1mwfy0Jz50Kp9QGgSWKQiY=

grype/matcher/common/distro_matchers_test.go

@@ -35,21 +35,14 @@ func (pr *mockDistroProvider) stub() {
 				Namespace:  "debian:8",
 			},
 		},
-		// indirect...
-		"neutron-devel": {
-			// expected...
+	}
+	pr.data["sles:12.5"] = map[string][]vulnerability.Vulnerability{
+		// direct...
+		"sles_test_package": {
 			{
-				Constraint: version.MustGetConstraint("< 2014.1.4-5", version.DebFormat),
-				ID:         "CVE-2014-fake-2",
-			},
-			{
-				Constraint: version.MustGetConstraint("< 2015.0.0-1", version.DebFormat),
-				ID:         "CVE-2013-fake-3",
-			},
-			// unexpected...
-			{
-				Constraint: version.MustGetConstraint("< 2014.0.4-1", version.DebFormat),
-				ID:         "CVE-2013-fake-BAD",
+				Constraint: version.MustGetConstraint("< 2014.1.5-6", version.RpmFormat),
+				ID:         "CVE-2014-fake-4",
+				Namespace:  "sles:12.5",
 			},
 		},
 	}
@@ -109,3 +102,54 @@ func TestFindMatchesByPackageDistro(t *testing.T) {
 	assert.NoError(t, err)
 	assertMatchesUsingIDsForVulnerabilities(t, expected, actual)
 }
+
+func TestFindMatchesByPackageDistroSles(t *testing.T) {
+	p := pkg.Package{
+		Name:    "sles_test_package",
+		Version: "2014.1.3-6",
+		Type:    syftPkg.RpmPkg,
+		Metadata: pkg.DpkgMetadata{
+			Source: "sles_test_package",
+		},
+	}
+
+	d, err := distro.NewDistro(distro.SLES, "12.5", "")
+	if err != nil {
+		t.Fatal("could not create distro: ", err)
+	}
+
+	expected := []match.Match{
+		{
+			Type: match.ExactDirectMatch,
+			Vulnerability: vulnerability.Vulnerability{
+				ID: "CVE-2014-fake-4",
+			},
+			Package: p,
+			MatchDetails: []match.Details{
+				{
+					Confidence: 1,
+					SearchedBy: map[string]interface{}{
+						"distro": map[string]string{
+							"type":    "sles",
+							"version": "12.5",
+						},
+						"package": map[string]string{
+							"name":    "sles_test_package",
+							"version": "2014.1.3-6",
+						},
+						"namespace": "sles:12.5",
+					},
+					Found: map[string]interface{}{
+						"versionConstraint": "< 2014.1.5-6 (rpm)",
+					},
+					Matcher: match.PythonMatcher,
+				},
+			},
+		},
+	}
+
+	store := newMockProviderByDistro()
+	actual, err := FindMatchesByPackageDistro(store, &d, p, match.PythonMatcher)
+	assert.NoError(t, err)
+	assertMatchesUsingIDsForVulnerabilities(t, expected, actual)
+}

test/integration/db_mock_test.go

@@ -96,6 +96,15 @@ func newMockDbStore() *mockStore {
 					},
 				},
 			},
+			"sles:12.5": {
+				"dive": []grypeDB.Vulnerability{
+					{
+						ID:                "CVE-rpmdb-dive",
+						VersionConstraint: "<= 1.0.42",
+						VersionFormat:     "rpm",
+					},
+				},
+			},
 		},
 	}
 }

test/integration/match_by_image_test.go

@@ -253,6 +253,40 @@ func addRhelMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Cata
 	})
 }
 
+func addSlesMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Catalog, theStore *mockStore, theResult *match.Matches) {
+	packages := catalog.PackagesByPath("/var/lib/rpm/Packages")
+	if len(packages) != 1 {
+		t.Logf("Sles Packages: %+v", packages)
+		t.Fatalf("problem with upstream syft cataloger (RPMDB)")
+	}
+	thePkg := pkg.New(packages[0])
+	theVuln := theStore.backend["rhel:8"][thePkg.Name][0]
+	vulnObj, err := vulnerability.NewVulnerability(theVuln)
+	if err != nil {
+		t.Fatalf("failed to create vuln obj: %+v", err)
+	}
+	theResult.Add(thePkg, match.Match{
+		Type:          match.ExactDirectMatch,
+		Vulnerability: *vulnObj,
+		Package:       thePkg,
+		MatchDetails: []match.Details{
+			{
+				Confidence: 1.0,
+				SearchedBy: map[string]interface{}{
+					"distro": map[string]string{
+						"type":    "sles",
+						"version": "12.5",
+					},
+				},
+				Found: map[string]interface{}{
+					"constraint": "<= 1.0.42 (rpm)",
+				},
+				Matcher: match.RpmDBMatcher,
+			},
+		},
+	})
+}
+
 func TestMatchByImage(t *testing.T) {
 
 	observedMatchers := internal.NewStringSet()
@@ -293,6 +327,14 @@ func TestMatchByImage(t *testing.T) {
 				return expectedMatches
 			},
 		},
+		{
+			fixtureImage: "image-sles-match-coverage",
+			expectedFn: func(theSource source.Source, catalog *syftPkg.Catalog, theStore *mockStore) match.Matches {
+				expectedMatches := match.NewMatches()
+				addSlesMatches(t, theSource, catalog, theStore, &expectedMatches)
+				return expectedMatches
+			},
+		},
 	}
 
 	for _, test := range tests {

test/integration/test-fixtures/image-sles-match-coverage/Dockerfile

@@ -0,0 +1,2 @@
+FROM scratch
+COPY . .

test/integration/test-fixtures/image-sles-match-coverage/etc/os-release

@@ -0,0 +1,9 @@
+NAME="SLES"
+VERSION="12-SP5"
+VERSION_ID="12.5"
+PRETTY_NAME="SUSE Linux Enterprise Server 12 SP5"
+ID="sles"
+ID_LIKE="suse"
+ANSI_COLOR="0;32"
+CPE_NAME="cpe:/o:suse:sles:12:sp5"
+DOCUMENTATION_URL="https://documentation.suse.com/"

test/integration/test-fixtures/image-sles-match-coverage/var/lib/rpm/generate-fixture.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -eux
+
+docker create --name generate-rpmdb-fixture sles12sp5:latest sh -c 'tail -f /dev/null'
+
+function cleanup {
+  docker kill generate-rpmdb-fixture
+  docker rm generate-rpmdb-fixture
+}
+trap cleanup EXIT
+
+docker start generate-rpmdb-fixture
+docker exec -i --tty=false generate-rpmdb-fixture bash <<-EOF
+  mkdir -p /scratch
+  cd /scratch
+  rpm --initdb --dbpath /scratch
+  curl -sSLO https://github.com/wagoodman/dive/releases/download/v0.9.2/dive_0.9.2_linux_amd64.rpm
+  rpm --dbpath /scratch -ivh dive_0.9.2_linux_amd64.rpm
+  rm dive_0.9.2_linux_amd64.rpm
+  rpm --dbpath /scratch -qa
+EOF
+
+docker cp generate-rpmdb-fixture:/scratch/Packages .