feat: consider well-known false-positive generating CPE target SW components in match filtering logic (#961)

Enhances the CPE target software component match filtering logic to consider ecosystems which aren't currently supported by syft cataloging but are well-known sources of false-positives. This currently adds support for filtering various permutations of `wordpress`, `joomla`, and `drupal` Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2024-11-10 06:34:13 +00:00 · 2022-11-02 20:21:14 +00:00 · 2022-11-02 20:21:14 +00:00 · e33b1203a1
commit e33b1203a1
parent a2ab617cef
3 changed files with 51 additions and 2 deletions
--- a/grype/search/only_vulnerable_targets.go
+++ b/grype/search/only_vulnerable_targets.go
@ -8,6 +8,29 @@ import (
 	syftPkg "github.com/anchore/syft/syft/pkg"
 )

+func isUnknownTarget(targetSW string) bool {
+	if syftPkg.LanguageByName(targetSW) != syftPkg.UnknownLanguage {
+		return false
+	}
+
+	// There are some common target software CPE components which are not currently
+	// supported by syft but are signifcant sources of false positives and should be
+	// considered known for the purposes of filtering here
+	known := map[string]bool{
+		"wordpress":  true,
+		"wordpress_": true,
+		"joomla":     true,
+		"joomla\\!":  true,
+		"drupal":     true,
+	}
+
+	if _, ok := known[targetSW]; ok {
+		return false
+	}
+
+	return true
+}
+
 // Determines if a vulnerability is an accurate match using the vulnerability's cpes' target software
 func onlyVulnerableTargets(p pkg.Package, allVulns []vulnerability.Vulnerability) []vulnerability.Vulnerability {
 	var vulns []vulnerability.Vulnerability
@ -24,7 +47,7 @@ func onlyVulnerableTargets(p pkg.Package, allVulns []vulnerability.Vulnerability
 		isPackageVulnerable := len(vuln.CPEs) == 0
 		for _, cpe := range vuln.CPEs {
 			targetSW := cpe.TargetSW
-			mismatchWithUnknownLanguage := targetSW != string(p.Language) && syftPkg.LanguageByName(targetSW) == syftPkg.UnknownLanguage
+			mismatchWithUnknownLanguage := targetSW != string(p.Language) && isUnknownTarget(targetSW)
 			if targetSW == wfn.Any || targetSW == wfn.NA || targetSW == string(p.Language) || mismatchWithUnknownLanguage {
 				isPackageVulnerable = true
 			}
--- a/grype/search/only_vulnerable_targets_test.go
+++ b/grype/search/only_vulnerable_targets_test.go
@ -0,0 +1,26 @@
+package search
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_isUnknownTarget(t *testing.T) {
+	tests := []struct {
+		name     string
+		targetSW string
+		expected bool
+	}{
+		{name: "supported syft language", targetSW: "python", expected: false},
+		{name: "supported non-syft language CPE component", targetSW: "wordpress", expected: false},
+		{name: "unknown component", targetSW: "abc", expected: true},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			u := isUnknownTarget(test.targetSW)
+			assert.Equal(t, test.expected, u)
+		})
+	}
+}
--- a/test/quality/vulnerability-match-labels
+++ b/test/quality/vulnerability-match-labels
@ -1 +1 @@
-Subproject commit 785a654e2e8c9466914189a3bc8ded2f95b6c307
+Subproject commit 6ca252c622bc67e7670fe5333464400ceafbe64d