Update MSRC matching to include product ID in the suffix (#373)

* use squashed grype-db branch Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add more tests around the msrc matcher Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * incorporate the grype-db updates for msrc Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2024-11-10 14:44:12 +00:00 · 2021-08-12 08:35:30 -04:00 · 2021-08-12 08:35:30 -04:00 · fbc6bdfd8d
commit fbc6bdfd8d
parent 729aec24a6
3 changed files with 74 additions and 28 deletions
--- a/go.mod
+++ b/go.mod
@ -7,7 +7,7 @@ require (
 	github.com/adrg/xdg v0.2.1
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20200810141238-330bef18dbca
-	github.com/anchore/grype-db v0.0.0-20210715172505-e527bcf6bc40
+	github.com/anchore/grype-db v0.0.0-20210809130557-72ff1b90af67
 	github.com/anchore/stereoscope v0.0.0-20210524175238-3b7662f3a66f
 	github.com/anchore/syft v0.19.2-0.20210809195219-98d4749f86ce
 	github.com/docker/docker v17.12.0-ce-rc1.0.20200309214505-aa6a9891b09c+incompatible
--- a/go.sum
+++ b/go.sum
@ -124,8 +124,8 @@ github.com/anchore/go-version v1.2.2-0.20200810141238-330bef18dbca h1:rLyc7Rih76
 github.com/anchore/go-version v1.2.2-0.20200810141238-330bef18dbca/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/grype v0.14.1-0.20210702143224-05ade7bbbf70/go.mod h1:yPh9WHflzInB/INwPrDs2wLKmRsa8owAuojmv4K8H6I=
 github.com/anchore/grype-db v0.0.0-20210527140125-6f881b00e927/go.mod h1:XSlPf1awNrMpah+rHbWrzgUvnmWLgn/KkdicxERVClg=
-github.com/anchore/grype-db v0.0.0-20210715172505-e527bcf6bc40 h1:83qJtrq9tSQyD768rHIseF0z7fhG4c+32NpW98kx0YI=
-github.com/anchore/grype-db v0.0.0-20210715172505-e527bcf6bc40/go.mod h1:Hx1keM12D75ZDD3kYVcSqBSg1NRSPtsF0bfWOdXa4E0=
+github.com/anchore/grype-db v0.0.0-20210809130557-72ff1b90af67 h1:JyK6DKtAWQ11jzzrvSe91gY07BW4I//IJQVdj5JKeIk=
+github.com/anchore/grype-db v0.0.0-20210809130557-72ff1b90af67/go.mod h1:Hx1keM12D75ZDD3kYVcSqBSg1NRSPtsF0bfWOdXa4E0=
 github.com/anchore/stereoscope v0.0.0-20210524175238-3b7662f3a66f h1:bFadyOLOkzME3BrZFZ5m8cf/b2hsn3aMSS9s+SKubRk=
 github.com/anchore/stereoscope v0.0.0-20210524175238-3b7662f3a66f h1:bFadyOLOkzME3BrZFZ5m8cf/b2hsn3aMSS9s+SKubRk=
 github.com/anchore/stereoscope v0.0.0-20210524175238-3b7662f3a66f/go.mod h1:vhh1M99rfWx5ejMvz1lkQiFZUrC5wu32V12R4JXH+ZI=
--- a/grype/matcher/msrc/matcher_test.go
+++ b/grype/matcher/msrc/matcher_test.go
@ -1,6 +1,7 @@
 package msrc

 import (
+	"fmt"
 	"testing"

 	grypeDB "github.com/anchore/grype-db/pkg/db/v3"
@ -24,27 +25,33 @@ func (s *mockStore) GetVulnerability(namespace, name string) ([]grypeDB.Vulnerab
 }

 func TestMatches(t *testing.T) {
+	d, err := distro.NewDistro(distro.Windows, "10816", "Windows Server 2016")
+	assert.NoError(t, err)
+
 	store := mockStore{
 		backend: map[string]map[string][]grypeDB.Vulnerability{
-			"msrc": {
-				"Windows 10 Versions 1903 for ARM64-based Systems": []grypeDB.Vulnerability{
+
+			// TODO: it would be ideal to test against something that constructs the namespace based on grype-db
+			// and not break the adaption of grype-db
+			fmt.Sprintf("msrc:%s", d.RawVersion): {
+				d.RawVersion: []grypeDB.Vulnerability{
 					{
-						ID:                "CVE-2020-1",
-						VersionConstraint: "878786 || 878787",
+						ID:                "CVE-2016-3333",
+						VersionConstraint: "3200970 || 878787 || base",
 						VersionFormat:     "kb",
 					},
 					{
 						// Does not match, version constraints do not apply
-						ID:                "CVE-2020-1",
-						VersionConstraint: "778786 || 778787",
+						ID:                "CVE-2020-made-up",
+						VersionConstraint: "778786 || 878787 || base",
 						VersionFormat:     "kb",
 					},
 				},
-				// Does not match, the package is Windows 10, not 11
-				"Windows 11 Versions 1903 for ARM64-based Systems": []grypeDB.Vulnerability{
+				// Does not match the product ID
+				"something-else": []grypeDB.Vulnerability{
 					{
-						ID:                "CVE-2020-1",
-						VersionConstraint: "878786 || 878787",
+						ID:                "CVE-2020-also-made-up",
+						VersionConstraint: "3200970 || 878787 || base",
 						VersionFormat:     "kb",
 					},
 				},
@ -54,21 +61,60 @@ func TestMatches(t *testing.T) {

 	provider := vulnerability.NewProviderFromStore(&store)

-	m := Matcher{}
-	d, err := distro.NewDistro(distro.Windows, "878787", "Windows 10 Versions 1903 for ARM64-based Systems")
-	if err != nil {
-		t.Fatalf("failed to create a new distro: %+v", err)
-	}
-	p := pkg.Package{
-		Name:    "Windows 10 Versions 1903 for ARM64-based Systems",
-		Version: "878787",
-		Type:    syftPkg.KbPkg,
-	}
-	matches, err := m.Match(provider, &d, p)
-
-	if err != nil {
-		t.Fatalf("failed to get matches: %+v", err)
+	tests := []struct {
+		name            string
+		pkg             pkg.Package
+		expectedVulnIDs []string
+	}{
+		{
+			name: "direct KB match",
+			pkg: pkg.Package{
+				Name:    d.RawVersion,
+				Version: "3200970",
+				Type:    syftPkg.KbPkg,
+			},
+			expectedVulnIDs: []string{
+				"CVE-2016-3333",
+			},
+		},
+		{
+			name: "multiple direct KB match",
+			pkg: pkg.Package{
+				Name:    d.RawVersion,
+				Version: "878787",
+				Type:    syftPkg.KbPkg,
+			},
+			expectedVulnIDs: []string{
+				"CVE-2016-3333",
+				"CVE-2020-made-up",
+			},
+		},
+		{
+			name: "no KBs found",
+			pkg: pkg.Package{
+				Name: d.RawVersion,
+				// this is the assumed version if no KBs are found
+				Version: "base",
+				Type:    syftPkg.KbPkg,
+			},
+			expectedVulnIDs: []string{
+				"CVE-2016-3333",
+				"CVE-2020-made-up",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			m := Matcher{}
+			matches, err := m.Match(provider, &d, test.pkg)
+			assert.NoError(t, err)
+			var actualVulnIDs []string
+			for _, a := range matches {
+				actualVulnIDs = append(actualVulnIDs, a.Vulnerability.ID)
+			}
+			assert.ElementsMatch(t, test.expectedVulnIDs, actualVulnIDs)
+		})
 	}

-	assert.Len(t, matches, 1)
 }