Deduplicate vulnerabilities for SUSE linux

[wagoodman]

Today we have a function that checks if the distro package in question is from a "comprehensive feed", such that is can be used to deduplicate matches from non-distro sources (such as pypi).

grype/grype/pkg/package.go

Lines 152 to 174 in e5b341b

	func distroFeedIsComprehensive(distro *linux.Release) bool {
	// TODO: this mechanism should be re-examined once https://github.com/anchore/grype/issues/1426
	// is addressed
	if distro == nil {
	return false
	}
	if distro.ID == "amzn" {
	// AmazonLinux shows "like rhel" but is not an rhel clone
	// and does not have an exhaustive vulnerability feed.
	return false
	}
	for _, d := range comprehensiveDistros {
	if strings.EqualFold(d, distro.ID) {
	return true
	}
	for _, n := range distro.IDLike {
	if strings.EqualFold(d, n) {
	return true
	}
	}
	}
	return false
	}

SUSE is not on this list which is leading to multiple false positives:

• False positive: GHSA-h4m5-qpfp-3mpv (CVE-2021-42771) python3-Babel in SLES 15.5 #1903
• False Positive: GHSA-g98m-96g9-wfjq(CVE-2019-3881), GHSA-qg54-694p-wgpp(CVE-2021-41817) ruby2.5-rubygem-bundler in SUSE ecosystem #1850
• (there are probably more)

To be able to add SUSE to the list of distros that are considered comprehensive (thus we can deduplicate the matches for), we need to enhance the vunnel provider. Today we parse the patch information but additionally need to parse the -affected files such there is a hope to find matches for entries that have no fixes upstream.

I'm writing this issue here so that, when the vunnel enhancement lands, we can add a specific test for it here in grype.