Fix vulndb fuzzy constraint matching (#415)

Grype DB Builder was changed to use single quotes instead of double quotes for version constraints. This change broke constraint matching for vulndb records. This change fixes that by adding support for single quotes to the parseUnit function in grype/version/constraint_unit.go.

* Update constraint unit parser to remove single quotes as well as double quotes from a constraint unit. This will allow vulndb constraints to match again.
* Add unit test for quoted fuzzy constraints.

Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
Vijay Pillai 2021-09-13 17:55:01 -04:00 committed by GitHub
parent f3e3e832a8
commit c272d8019e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 1 deletions


@ -28,7 +28,7 @@ func parseUnit(phrase string) (*constraintUnit, error) {
version = strings.Trim(version, " ")
// version may have quotes, attempt to unquote it (ignore errors)
unquoted, err := strconv.Unquote(version)
unquoted, err := trimQuotes(version)
if err == nil {
version = unquoted
}
@ -43,6 +43,21 @@ func parseUnit(phrase string) (*constraintUnit, error) {
}, nil
}
// TrimQuotes will attempt to remove double quotes.
// If removing double quotes is unsuccessful, it will attempt to remove single quotes.
// If neither operation is successful, it will return an error.
func trimQuotes(s string) (string, error) {
unquoted, err := strconv.Unquote(s)
switch {
case err == nil:
return unquoted, nil
case strings.HasPrefix(s, "'") && strings.HasSuffix(s, "'"):
return strings.Trim(s, "'"), nil
default:
return s, fmt.Errorf("string %s is not single or double quoted", s)
}
}
func (c *constraintUnit) Satisfied(comparison int) bool {
switch c.rangeOperator {
case EQ:
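Review bot: The single-quote branch of trimQuotes uses `strings.Trim(s, "'")`, which strips every leading and trailing apostrophe, so `''4.5.1''` becomes `4.5.1` and the lone string `'` becomes `""` with a nil error, whereas the double-quote branch through `strconv.Unquote` removes exactly one matching pair. Replacing the case with `case len(s) >= 2 && s[0] == '\'' && s[len(s)-1] == '\'':` and `return s[1 : len(s)-1], nil` keeps both branches symmetric and rejects a bare apostrophe. The doc comment names the function `TrimQuotes` while it is declared as `trimQuotes`; `// trimQuotes returns s with one matching pair of double or single quotes removed, or an error when s is not quoted.` would follow the Go doc convention. The error path returns the input string alongside the error, which parseUnit ignores in the first hunk, so it is harmless, but `%q` in the message would make an empty or whitespace-only input visible. Satisfied begins at the end of this hunk and continues outside it.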


@ -225,6 +225,18 @@ func TestFuzzyConstraintSatisfaction(t *testing.T) {
constraint: "<= 1.3.3-r0",
expected: true,
},
{
name: "vulndb fuzzy constraint single quoted",
version: "4.5.2",
constraint: "'4.5.1' || '4.5.2'",
expected: true,
},
{
name: "vulndb fuzzy constraint double quoted",
version: "4.5.2",
constraint: "\"4.5.1\" || \"4.5.2\"",
expected: true,
},
}
for _, test := range tests {
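Review bot: Both new cases assert only a positive match, so they do not show that the unquoted values are actually compared rather than the fuzzy matcher accepting a quoted constraint for any version; a negative case would pin that, e.g. `{name: "vulndb fuzzy constraint single quoted no match", version: "4.5.3", constraint: "'4.5.1' || '4.5.2'", expected: false},`. A mixed constraint such as `"'4.5.1' || \"4.5.2\""` would also exercise both branches of the new trimQuotes helper in one table entry. TestFuzzyConstraintSatisfaction starts and ends outside this hunk.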