feat: consider well-known false-positive generating CPE target SW components in match filtering logic (#961)

Enhances the CPE target software component match filtering logic to consider ecosystems which aren't currently supported by
syft cataloging but are well-known sources of false-positives. This currently adds support for filtering various
permutations of `wordpress`, `joomla`, and `drupal`

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Weston Steimel 2022-11-02 20:21:14 +00:00 committed by GitHub
parent a2ab617cef
commit e33b1203a1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 51 additions and 2 deletions


@ -8,6 +8,29 @@ import (
syftPkg "github.com/anchore/syft/syft/pkg"
)
func isUnknownTarget(targetSW string) bool {
if syftPkg.LanguageByName(targetSW) != syftPkg.UnknownLanguage {
return false
}
// There are some common target software CPE components which are not currently
// supported by syft but are signifcant sources of false positives and should be
// considered known for the purposes of filtering here
known := map[string]bool{
"wordpress": true,
"wordpress_": true,
"joomla": true,
"joomla\\!": true,
"drupal": true,
}
if _, ok := known[targetSW]; ok {
return false
}
return true
}
// Determines if a vulnerability is an accurate match using the vulnerability's cpes' target software
func onlyVulnerableTargets(p pkg.Package, allVulns []vulnerability.Vulnerability) []vulnerability.Vulnerability {
var vulns []vulnerability.Vulnerability
@ -24,7 +47,7 @@ func onlyVulnerableTargets(p pkg.Package, allVulns []vulnerability.Vulnerability
isPackageVulnerable := len(vuln.CPEs) == 0
for _, cpe := range vuln.CPEs {
targetSW := cpe.TargetSW
mismatchWithUnknownLanguage := targetSW != string(p.Language) && syftPkg.LanguageByName(targetSW) == syftPkg.UnknownLanguage
mismatchWithUnknownLanguage := targetSW != string(p.Language) && isUnknownTarget(targetSW)
if targetSW == wfn.Any || targetSW == wfn.NA || targetSW == string(p.Language) || mismatchWithUnknownLanguage {
isPackageVulnerable = true
}
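Review bot: The `known` table in `isUnknownTarget` is a map literal rebuilt on every call, and the call sits inside the per-CPE loop of `onlyVulnerableTargets` (the `mismatchWithUnknownLanguage` line), so each vulnerability CPE pays a map allocation for a five-entry membership test; a `switch` on the string, or a package-level set, removes that cost and reads just as clearly. The escaped entries `wordpress_` and `joomla\!` also need a comment saying they are the WFN-escaped permutations seen in CPE data, or a reader will take them for typos (the comment above the table misspells "significant" as well). Worth stating in that comment, since it is the security-relevant consequence visible here: returning false from `isUnknownTarget` only ever removes the path that sets `isPackageVulnerable`, so every ecosystem added to this list suppresses matches for any package whose language differs, and the list should stay limited to ecosystems syft never catalogs. `onlyVulnerableTargets` continues past the end of this hunk.
```go
func isUnknownTarget(targetSW string) bool {
	// … unchanged: syftPkg.LanguageByName check …
	// Target software values syft does not catalog as a language but which
	// appear in many CPEs and are significant sources of false positives.
	// "wordpress_" and "joomla\!" are the escaped WFN permutations seen in
	// vulnerability data. Treating a value as known here only ever suppresses
	// matches for packages whose language differs, so keep this list to
	// ecosystems syft never catalogs.
	switch targetSW {
	case "wordpress", "wordpress_", "joomla", "joomla\\!", "drupal":
		return false
	}
	return true
}
```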


@ -0,0 +1,26 @@
package search
import (
"testing"
"github.com/stretchr/testify/assert"
)
func Test_isUnknownTarget(t *testing.T) {
tests := []struct {
name string
targetSW string
expected bool
}{
{name: "supported syft language", targetSW: "python", expected: false},
{name: "supported non-syft language CPE component", targetSW: "wordpress", expected: false},
{name: "unknown component", targetSW: "abc", expected: true},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
u := isUnknownTarget(test.targetSW)
assert.Equal(t, test.expected, u)
})
}
}
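Review bot: Test_isUnknownTarget exercises only `wordpress` of the five new entries, leaving the escaped permutations `wordpress_` and `joomla\!` — the ones most likely to regress, since the Go literal `"joomla\\!"` must equal the escaped form the CPE parser emits — without coverage. Add table rows such as `{name: "escaped wordpress permutation", targetSW: "wordpress_", expected: false},` and `{name: "escaped joomla permutation", targetSW: "joomla\\!", expected: false},`, plus one for `drupal`, so each entry in the filter list is pinned. A row with an empty `targetSW` expecting `true` would also document the behavior for CPEs whose target_sw component is missing, assuming `LanguageByName("")` reports the unknown language — confirm against syft before adding it.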

@ -1 +1 @@
Subproject commit 785a654e2e8c9466914189a3bc8ded2f95b6c307
Subproject commit 6ca252c622bc67e7670fe5333464400ceafbe64d