

fix: emit rpm-modularity qualifier for rpm rows (#230)
Always emit the `rpm-modularity` package qualifier for rpm rows, since grype needs it to filter matches by modularity and so avoid reporting false-positive matches against packages from other modularities.

Signed-off-by: Weston Steimel <[email protected]>
westonsteimel authored Jan 24, 2024
1 parent 6b5b9dd commit 8fb8d67
Showing 2 changed files with 108 additions and 37 deletions.
27 changes: 17 additions & 10 deletions pkg/process/v5/transformers/os/transform.go
Expand Up @@ -47,6 +47,22 @@ func buildGrypeNamespace(group string) (namespace.Namespace, error) {
return ns, nil
}

func buildPackageQualifiers(fixedInEntry unmarshal.OSFixedIn) (qualifiers []qualifier.Qualifier) {
if fixedInEntry.VersionFormat == "rpm" {
module := ""
if fixedInEntry.Module != nil {
module = *fixedInEntry.Module
}

qualifiers = []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: module,
}}
}

return qualifiers
}

func Transform(vulnerability unmarshal.OSVulnerability) ([]data.Entry, error) {
var allVulns []grypeDB.Vulnerability

Expand All @@ -64,19 +80,10 @@ func Transform(vulnerability unmarshal.OSVulnerability) ([]data.Entry, error) {
// separate vulnerability entries (one for each name|namespace combo) while merging
// constraint ranges as they are found.
for idx, fixedInEntry := range vulnerability.Vulnerability.FixedIn {
var qualifiers []qualifier.Qualifier

if fixedInEntry.Module != nil {
qualifiers = []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: *fixedInEntry.Module,
}}
}

// create vulnerability entry
allVulns = append(allVulns, grypeDB.Vulnerability{
ID: vulnerability.Vulnerability.Name,
PackageQualifiers: qualifiers,
PackageQualifiers: buildPackageQualifiers(fixedInEntry),
VersionConstraint: enforceConstraint(fixedInEntry.Version, fixedInEntry.VersionFormat, vulnerability.Vulnerability.Name),
VersionFormat: fixedInEntry.VersionFormat,
PackageName: grypeNamespace.Resolver().Normalize(fixedInEntry.Name),
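Review bot: The new buildPackageQualifiers has no comment saying why a qualifier with an empty Module is emitted even when fixedInEntry.Module is nil, so a later "cleanup" that drops the empty qualifier would silently reintroduce the cross-modularity false positives this commit removes; I would add above the function `// buildPackageQualifiers returns the rpm-modularity qualifier for every rpm row, with an empty Module when the entry carries no module stream, so grype can restrict matches by modularity. Non-rpm rows get no qualifiers.`. The function also folds a nil Module and an explicit "" into the same qualifier, so downstream can no longer tell the two apart; presumably that is intended, but it is worth stating in the same comment. As a point of style, the named result and nested if could become a guard, `if fixedInEntry.VersionFormat != "rpm" { return nil }`, keeping the rpm path left-aligned. The call site in Transform sits in a hunk whose enclosing loop body ends outside the visible lines.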
118 changes: 91 additions & 27 deletions pkg/process/v5/transformers/os/transform_test.go
Expand Up @@ -52,7 +52,11 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
},
},
PackageName: "389-ds-base",
Namespace: "amazon:distro:amazonlinux:2",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
Namespace: "amazon:distro:amazonlinux:2",
Fix: grypeDB.Fix{
Versions: []string{"1.3.8.4-15.amzn2.0.1"},
State: grypeDB.FixedState,
Expand All @@ -69,7 +73,11 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
},
},
PackageName: "389-ds-base-debuginfo",
Namespace: "amazon:distro:amazonlinux:2",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
Namespace: "amazon:distro:amazonlinux:2",
Fix: grypeDB.Fix{
Versions: []string{"1.3.8.4-15.amzn2.0.1"},
State: grypeDB.FixedState,
Expand All @@ -86,7 +94,11 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
},
},
PackageName: "389-ds-base-devel",
Namespace: "amazon:distro:amazonlinux:2",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
Namespace: "amazon:distro:amazonlinux:2",
Fix: grypeDB.Fix{
Versions: []string{"1.3.8.4-15.amzn2.0.1"},
State: grypeDB.FixedState,
Expand All @@ -103,7 +115,11 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
},
},
PackageName: "389-ds-base-libs",
Namespace: "amazon:distro:amazonlinux:2",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
Namespace: "amazon:distro:amazonlinux:2",
Fix: grypeDB.Fix{
Versions: []string{"1.3.8.4-15.amzn2.0.1"},
State: grypeDB.FixedState,
Expand All @@ -120,7 +136,11 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
},
},
PackageName: "389-ds-base-snmp",
Namespace: "amazon:distro:amazonlinux:2",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
Namespace: "amazon:distro:amazonlinux:2",
Fix: grypeDB.Fix{
Versions: []string{"1.3.8.4-15.amzn2.0.1"},
State: grypeDB.FixedState,
Expand Down Expand Up @@ -225,8 +245,12 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
fixture: "test-fixtures/rhel-8.json",
vulns: []grypeDB.Vulnerability{
{
ID: "CVE-2020-6819",
PackageName: "firefox",
ID: "CVE-2020-6819",
PackageName: "firefox",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: "< 0:68.6.1-1.el8_1",
VersionFormat: "rpm",
Namespace: "redhat:distro:redhat:8",
Expand All @@ -248,8 +272,12 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
},
},
{
ID: "CVE-2020-6819",
PackageName: "thunderbird",
ID: "CVE-2020-6819",
PackageName: "thunderbird",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: "< 0:68.7.0-1.el8_1",
VersionFormat: "rpm",
Namespace: "redhat:distro:redhat:8",
Expand Down Expand Up @@ -447,8 +475,12 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
fixture: "test-fixtures/ol-8.json",
vulns: []grypeDB.Vulnerability{
{
ID: "ELSA-2020-2550",
PackageName: "libexif",
ID: "ELSA-2020-2550",
PackageName: "libexif",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: "< 0:0.6.21-17.el8_2",
VersionFormat: "rpm",
RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
Expand All @@ -464,8 +496,12 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
},
},
{
ID: "ELSA-2020-2550",
PackageName: "libexif-devel",
ID: "ELSA-2020-2550",
PackageName: "libexif-devel",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: "< 0:0.6.21-17.el8_2",
VersionFormat: "rpm",
RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
Expand All @@ -481,8 +517,12 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
},
},
{
ID: "ELSA-2020-2550",
PackageName: "libexif-dummy",
ID: "ELSA-2020-2550",
PackageName: "libexif-dummy",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: "",
VersionFormat: "rpm",
RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
Expand Down Expand Up @@ -680,8 +720,12 @@ func TestParseVulnerabilitiesAllEntries(t *testing.T) {
fixture: "test-fixtures/amazon-multiple-kernel-advisories.json",
vulns: []grypeDB.Vulnerability{
{
ID: "ALAS-2021-1704",
PackageName: "kernel-headers",
ID: "ALAS-2021-1704",
PackageName: "kernel-headers",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: "< 4.14.246-187.474.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
Expand All @@ -705,8 +749,12 @@ func TestParseVulnerabilitiesAllEntries(t *testing.T) {
},
},
{
ID: "ALAS-2021-1704",
PackageName: "kernel",
ID: "ALAS-2021-1704",
PackageName: "kernel",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: "< 4.14.246-187.474.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
Expand All @@ -730,8 +778,12 @@ func TestParseVulnerabilitiesAllEntries(t *testing.T) {
},
},
{
ID: "ALASKERNEL-5.4-2022-007",
PackageName: "kernel-headers",
ID: "ALASKERNEL-5.4-2022-007",
PackageName: "kernel-headers",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: ">= 5.4, < 5.4.144-69.257.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
Expand All @@ -751,8 +803,12 @@ func TestParseVulnerabilitiesAllEntries(t *testing.T) {
},
},
{
ID: "ALASKERNEL-5.4-2022-007",
PackageName: "kernel",
ID: "ALASKERNEL-5.4-2022-007",
PackageName: "kernel",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: ">= 5.4, < 5.4.144-69.257.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
Expand All @@ -772,8 +828,12 @@ func TestParseVulnerabilitiesAllEntries(t *testing.T) {
},
},
{
ID: "ALASKERNEL-5.10-2022-005",
PackageName: "kernel-headers",
ID: "ALASKERNEL-5.10-2022-005",
PackageName: "kernel-headers",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: ">= 5.10, < 5.10.62-55.141.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
Expand All @@ -793,8 +853,12 @@ func TestParseVulnerabilitiesAllEntries(t *testing.T) {
},
},
{
ID: "ALASKERNEL-5.10-2022-005",
PackageName: "kernel",
ID: "ALASKERNEL-5.10-2022-005",
PackageName: "kernel",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: ">= 5.10, < 5.10.62-55.141.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
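Review bot: Every expectation added in this file is the same four-line literal with Module: "", which makes the test data noisy and buries the one field that actually changed; a package-level helper in the test file, e.g. `var noModularity = []qualifier.Qualifier{rpmmodularity.Qualifier{Kind: "rpm-modularity", Module: ""}}`, would let each entry read `PackageQualifiers: noModularity,`. None of the visible hunks adds an expectation for a row whose fixture carries a module stream, nor for a non-rpm VersionFormat, which is the branch where buildPackageQualifiers returns nil; if those cases are not covered elsewhere in the file they are the ones most worth pinning, since distinguishing them is the purpose of the qualifier. The enclosing test functions start and end outside the visible hunks.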
