2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -8,7 +8,7 @@ require (
github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
github.com/adrg/xdg v0.5.3
github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a
github.com/anchore/grype v0.87.1-0.20250218184845-a98ff71c4e32
github.com/anchore/grype v0.87.1-0.20250218201808-3a2ebbca9a5d
github.com/anchore/syft v1.19.0
github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
github.com/dave/jennifer v1.7.1
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -698,8 +698,8 @@ github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0v
github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg=
github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
github.com/anchore/grype v0.87.1-0.20250218184845-a98ff71c4e32 h1:+ApWgTB8kiPjL1RsofChKfmgN5AyOQcxE99PuhdVjhQ=
github.com/anchore/grype v0.87.1-0.20250218184845-a98ff71c4e32/go.mod h1:F7fBAzv1n9C7e+yrzMIkuI++ExPfgl9yHgN1g+8Ua5o=
github.com/anchore/grype v0.87.1-0.20250218201808-3a2ebbca9a5d h1:HTSf8fkRoGd1TF6+UMuaK6zRYOpGvk12MlVhhSr+25w=
github.com/anchore/grype v0.87.1-0.20250218201808-3a2ebbca9a5d/go.mod h1:F7fBAzv1n9C7e+yrzMIkuI++ExPfgl9yHgN1g+8Ua5o=
github.com/anchore/packageurl-go v0.1.1-0.20250117185454-edf36a908b10 h1:zBedM9ZGYbs/61QC4ZOKxtChx5njXKHgHqDeHuUxrTw=
github.com/anchore/packageurl-go v0.1.1-0.20250117185454-edf36a908b10/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
github.com/anchore/stereoscope v0.0.13 h1:9Ivkh7k+vOeG3JHrt44jOg/8UdZrCvMsSjLQ7trHBig=
14 changes: 12 additions & 2 deletions pkg/process/v6/transformers/os/transform.go
Expand Up @@ -53,10 +53,16 @@ func getAffectedPackages(vuln unmarshal.OSVulnerability) []grypeDB.AffectedPacka
var afs []grypeDB.AffectedPackageHandle
groups := groupFixedIns(vuln)
for group, fixedIns := range groups {
// we only care about a single qualifier: rpm modules. The important thing to note about this is that
// a package with no module vs a package with a module should be detectable in the DB.
var qualifiers *grypeDB.AffectedPackageQualifiers
if group.module != "" {
if group.format == "rpm" {
module := "" // means the target package must have no module (where as nil means the module has no sway on matching)
if group.hasModule {
module = group.module
}
qualifiers = &grypeDB.AffectedPackageQualifiers{
RpmModularity: group.module,
RpmModularity: &module,
}
}

Expand Down Expand Up @@ -174,7 +180,9 @@ type groupIndex struct {
id string
osName string
osVersion string
hasModule bool
module string
format string
}

func groupFixedIns(vuln unmarshal.OSVulnerability) map[groupIndex][]unmarshal.OSFixedIn {
Expand All @@ -191,7 +199,9 @@ func groupFixedIns(vuln unmarshal.OSVulnerability) map[groupIndex][]unmarshal.OS
id: osID,
osName: osName,
osVersion: osVersion,
hasModule: fixedIn.Module != nil,
module: mod,
format: fixedIn.VersionFormat,
}

grouped[g] = append(grouped[g], fixedIn)
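Review bot: The three new `groupIndex` fields (`hasModule`, `module`, `format`) carry no comments, and the reason the module is split into a bool plus a string is not recorded anywhere; since `groupIndex` is used as a map key, a `*string` field would compare by address rather than value and silently break the grouping, which is worth stating: `hasModule bool // feed entry had Module != nil; kept apart from module because a *string key field would compare by pointer`. The nil→`""` mapping at `module := ""` is a real matching decision: every rpm-format entry whose feed omits modularity now requires the installed package to have no module, so a provider that simply never emits module data would stop matching packages installed from a module stream (a false negative, which is the worse failure mode for a vulnerability DB); a comment confirming this is intended for all rpm providers, not only RHEL, would help the next reader. The `"rpm"` literal on `group.format == "rpm"` is presumably the same value the version-format code uses elsewhere; if a named constant exists it should be used here so the two cannot drift. `getAffectedPackages` and `groupFixedIns` both continue outside the hunks.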
63 changes: 43 additions & 20 deletions pkg/process/v6/transformers/os/transform_test.go
Expand Up @@ -168,7 +168,8 @@ func TestTransform(t *testing.T) {
Ecosystem: "rpm",
},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2018-14648"},
CVEs: []string{"CVE-2018-14648"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
Expand All @@ -184,7 +185,8 @@ func TestTransform(t *testing.T) {
Ecosystem: "rpm",
},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2018-14648"},
CVEs: []string{"CVE-2018-14648"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
Expand All @@ -200,7 +202,8 @@ func TestTransform(t *testing.T) {
Ecosystem: "rpm",
},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2018-14648"},
CVEs: []string{"CVE-2018-14648"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
Expand All @@ -216,7 +219,8 @@ func TestTransform(t *testing.T) {
Ecosystem: "rpm",
},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2018-14648"},
CVEs: []string{"CVE-2018-14648"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
Expand All @@ -232,7 +236,8 @@ func TestTransform(t *testing.T) {
Ecosystem: "rpm",
},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2018-14648"},
CVEs: []string{"CVE-2018-14648"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
Expand Down Expand Up @@ -278,7 +283,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: amazonOS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "kernel"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3732"},
CVEs: []string{"CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3732"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 4.14.246-187.474.amzn2"},
Expand All @@ -291,7 +297,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: amazonOS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "kernel-headers"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3732"},
CVEs: []string{"CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3732"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 4.14.246-187.474.amzn2"},
Expand Down Expand Up @@ -330,7 +337,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: amazonOS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "kernel"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ">= 5.4, < 5.4.144-69.257.amzn2"},
Expand All @@ -343,7 +351,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: amazonOS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "kernel-headers"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ">= 5.4, < 5.4.144-69.257.amzn2"},
Expand Down Expand Up @@ -382,7 +391,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: amazonOS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "kernel"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ">= 5.10, < 5.10.62-55.141.amzn2"},
Expand All @@ -395,7 +405,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: amazonOS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "kernel-headers"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ">= 5.10, < 5.10.62-55.141.amzn2"},
Expand Down Expand Up @@ -440,6 +451,7 @@ func TestTransform(t *testing.T) {
OperatingSystem: azure3OS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "golang"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 0:1.20.7-1.azl3"},
Expand Down Expand Up @@ -644,6 +656,7 @@ func TestTransform(t *testing.T) {
OperatingSystem: mariner2OS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "exiv2"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 0:0.27.5-1.cm2"},
Expand Down Expand Up @@ -689,6 +702,7 @@ func TestTransform(t *testing.T) {
OperatingSystem: mariner2OS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "golang"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2"},
Expand Down Expand Up @@ -737,7 +751,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: ol8OS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "libexif"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2020-13112"},
CVEs: []string{"CVE-2020-13112"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 0:0.6.21-17.el8_2"},
Expand All @@ -750,7 +765,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: ol8OS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "libexif-devel"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2020-13112"},
CVEs: []string{"CVE-2020-13112"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 0:0.6.21-17.el8_2"},
Expand All @@ -763,7 +779,8 @@ func TestTransform(t *testing.T) {
OperatingSystem: ol8OS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "libexif-dummy"},
BlobValue: &grypeDB.AffectedPackageBlob{
CVEs: []string{"CVE-2020-13112"},
CVEs: []string{"CVE-2020-13112"},
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ""},
Expand Down Expand Up @@ -810,7 +827,7 @@ func TestTransform(t *testing.T) {
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{
RpmModularity: "postgresql:10",
RpmModularity: strRef("postgresql:10"),
},
Ranges: []grypeDB.AffectedRange{
{
Expand All @@ -831,7 +848,7 @@ func TestTransform(t *testing.T) {
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{
RpmModularity: "postgresql:12",
RpmModularity: strRef("postgresql:12"),
},
Ranges: []grypeDB.AffectedRange{
{
Expand All @@ -852,7 +869,7 @@ func TestTransform(t *testing.T) {
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{
RpmModularity: "postgresql:9.6",
RpmModularity: strRef("postgresql:9.6"),
},
Ranges: []grypeDB.AffectedRange{
{
Expand Down Expand Up @@ -912,6 +929,7 @@ func TestTransform(t *testing.T) {
OperatingSystem: rhel8OS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "firefox"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{
Expand All @@ -938,6 +956,7 @@ func TestTransform(t *testing.T) {
OperatingSystem: rhel8OS,
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "thunderbird"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
Ranges: []grypeDB.AffectedRange{
{
Version: grypeDB.AffectedVersion{
Expand Down Expand Up @@ -1005,7 +1024,7 @@ func TestTransform(t *testing.T) {
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{
RpmModularity: "postgresql:10",
RpmModularity: strRef("postgresql:10"),
},
Ranges: []grypeDB.AffectedRange{
{
Expand Down Expand Up @@ -1034,7 +1053,7 @@ func TestTransform(t *testing.T) {
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{
RpmModularity: "postgresql:12",
RpmModularity: strRef("postgresql:12"),
},
Ranges: []grypeDB.AffectedRange{
{
Expand Down Expand Up @@ -1063,7 +1082,7 @@ func TestTransform(t *testing.T) {
Package: &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
BlobValue: &grypeDB.AffectedPackageBlob{
Qualifiers: &grypeDB.AffectedPackageQualifiers{
RpmModularity: "postgresql:9.6",
RpmModularity: strRef("postgresql:9.6"),
},
Ranges: []grypeDB.AffectedRange{
{
Expand Down Expand Up @@ -1260,3 +1279,7 @@ func loadFixture(t *testing.T, fixturePath string) []unmarshal.OSVulnerability {
func timeRef(ti time.Time) *time.Time {
return &ti
}

func strRef(s string) *string {
return &s
}
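Review bot: The literal `Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")}` is repeated in well over a dozen expected values, which hides the one thing each case is asserting; a small helper next to `strRef`, `func noModule() *grypeDB.AffectedPackageQualifiers { return &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")} }`, would make the "no module" expectation read as intent rather than boilerplate. The visible cases cover feed entries with no module and with a named module, but not one whose feed `Module` is non-nil and empty, which the transform presumably also maps to `""`; a fixture for that edge would pin the behavior. The cases shown are all rpm ecosystems, so whether a non-rpm entry is still expected to leave `Qualifiers` nil is not visible here; if no such case exists elsewhere in `TestTransform`, one is worth adding.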