From 20c715abf83df9200eb9944ffbfa6f85984728ac Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Fri, 24 May 2024 13:33:38 -0400
Subject: [PATCH 1/2] feat: enable os vulns to have version range

The Mariner distro feed will start including version ranges in the OVAL XML. Update models and grype-db transformer to be able to handle this in version 5.

Signed-off-by: Will Murphy
---
 .../os/test-fixtures/mariner-range.json | 27 +++++++++++++
 pkg/process/v5/transformers/os/transform.go | 15 ++++---
 .../v5/transformers/os/transform_test.go | 39 +++++++++++++++++++
 pkg/provider/unmarshal/os_vulnerability.go | 5 ++-
 4 files changed, 78 insertions(+), 8 deletions(-)
 create mode 100644 pkg/process/v5/transformers/os/test-fixtures/mariner-range.json

diff --git a/pkg/process/v5/transformers/os/test-fixtures/mariner-range.json b/pkg/process/v5/transformers/os/test-fixtures/mariner-range.json
new file mode 100644
index 00000000..3ec9731f
--- /dev/null
+++ b/pkg/process/v5/transformers/os/test-fixtures/mariner-range.json
@@ -0,0 +1,27 @@
+[
+ {
+ "Vulnerability": {
+ "Name": "CVE-2023-29404",
+ "NamespaceName": "mariner:2.0",
+ "Description": "CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+ "Severity": "Critical",
+ "Link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29404",
+ "CVSS": [],
+ "FixedIn": [
+ {
+ "Name": "golang",
+ "NamespaceName": "mariner:2.0",
+ "VersionFormat": "rpm",
+ "Version": "0:1.20.7-1.cm2",
+ "Module": "",
+ "VendorAdvisory": {
+ "NoAdvisory": false,
+ "AdvisorySummary": []
+ },
+ "VulnerableRange": "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2"
+ }
+ ],
+ "Metadata": {}
+ }
+ }
+]
diff --git a/pkg/process/v5/transformers/os/transform.go b/pkg/process/v5/transformers/os/transform.go
index 18bff48a..c6f1db15 100644
--- a/pkg/process/v5/transformers/os/transform.go
+++ b/pkg/process/v5/transformers/os/transform.go
@@ -84,7 +84,7 @@ func Transform(vulnerability unmarshal.OSVulnerability) ([]data.Entry, error) {
 allVulns = append(allVulns, grypeDB.Vulnerability{
 ID: vulnerability.Vulnerability.Name,
 PackageQualifiers: buildPackageQualifiers(fixedInEntry),
- VersionConstraint: enforceConstraint(fixedInEntry.Version, fixedInEntry.VersionFormat, vulnerability.Vulnerability.Name),
+ VersionConstraint: enforceConstraint(fixedInEntry.Version, fixedInEntry.VulnerableRange, fixedInEntry.VersionFormat, vulnerability.Vulnerability.Name),
 VersionFormat: fixedInEntry.VersionFormat,
 PackageName: grypeNamespace.Resolver().Normalize(fixedInEntry.Name),
 Namespace: entryNamespace,
@@ -215,16 +215,19 @@ func deriveConstraintFromFix(fixVersion, vulnerabilityID string) string {
 return constraint
 }
 
-func enforceConstraint(constraint, format, vulnerabilityID string) string {
- constraint = common.CleanConstraint(constraint)
- if len(constraint) == 0 {
+func enforceConstraint(fixedVersion, vulnerableRange, format, vulnerabilityID string) string {
+ if len(vulnerableRange) > 0 && !strings.HasSuffix(vulnerabilityID, "ALASKERNEL") {
+ return vulnerableRange
+ }
+ fixedVersion = common.CleanConstraint(fixedVersion)
+ if len(fixedVersion) == 0 {
 return ""
 }
 switch strings.ToLower(format) {
 case "semver":
- return common.EnforceSemVerConstraint(constraint)
+ return common.EnforceSemVerConstraint(fixedVersion)
 default:
 // the passed constraint is a fixed version
- return deriveConstraintFromFix(constraint, vulnerabilityID)
+ return deriveConstraintFromFix(fixedVersion, vulnerabilityID)
 }
 }
diff --git a/pkg/process/v5/transformers/os/transform_test.go b/pkg/process/v5/transformers/os/transform_test.go
index e282eef7..8f746945 100644
--- a/pkg/process/v5/transformers/os/transform_test.go
+++ b/pkg/process/v5/transformers/os/transform_test.go
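Review bot: The new early return at the top of enforceConstraint writes `vulnerableRange` into the record verbatim, whereas the fixed-version path that follows still runs through `common.CleanConstraint` (and, for semver, `common.EnforceSemVerConstraint`), so a provider range with stray whitespace or syntax the declared format cannot parse is stored untouched and would presumably only surface at match time in grype rather than at build time here. Applying the same cleaning first, `vulnerableRange = common.CleanConstraint(vulnerableRange)` ahead of the `len` check (assuming that helper is safe on a range expression, which is worth confirming), keeps both inputs on the same footing, and if a constraint parser for `format` is already in scope in this package, rejecting or logging-and-skipping an unparsable range here would be the stronger check. The patch-2 hunk `@@ -216,7 +216,7 @@` on the same function keeps the verbatim return after dropping the ALASKERNEL condition, so the same change applies there. With two inputs and a precedence rule the function also deserves a doc comment, e.g. `// enforceConstraint returns the provider-supplied vulnerable range when one is given; otherwise it derives a constraint from the fixed version.`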
@@ -626,6 +626,45 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
 Description: "A flaw was found in PostgreSQL, where some PostgreSQL extensions did not use the search_path safely in their installation script. This flaw allows an attacker with sufficient privileges to trick an administrator into executing a specially crafted script during the extension's installation or update. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
 },
 },
+ {
+ name: "mariner entry with version range",
+ numEntries: 1,
+ fixture: "test-fixtures/mariner-range.json",
+ vulns: []grypeDB.Vulnerability{
+ {
+ ID: "CVE-2023-29404",
+ PackageName: "golang",
+ Namespace: "mariner:distro:mariner:2.0",
+ PackageQualifiers: []qualifier.Qualifier{
+ rpmmodularity.Qualifier{
+ Kind: "rpm-modularity",
+ Module: "",
+ },
+ },
+ VersionConstraint: "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2",
+ VersionFormat: "rpm",
+ RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
+ {
+ ID: "CVE-2023-29404",
+ Namespace: "nvd:cpe",
+ },
+ },
+ Fix: grypeDB.Fix{
+ Versions: []string{"0:1.20.7-1.cm2"},
+ State: grypeDB.FixedState,
+ },
+ },
+ },
+ metadata: grypeDB.VulnerabilityMetadata{
+ ID: "CVE-2023-29404",
+ Namespace: "mariner:distro:mariner:2.0",
+ DataSource: "https://nvd.nist.gov/vuln/detail/CVE-2023-29404",
+ RecordSource: "vulnerabilities:mariner:2.0",
+ Severity: "Critical",
+ URLs: []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-29404"},
+ Description: "CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+ },
+ },
 }
 
 for _, test := range tests {
diff --git a/pkg/provider/unmarshal/os_vulnerability.go b/pkg/provider/unmarshal/os_vulnerability.go
index 8dec9f52..dd846082 100644
--- a/pkg/provider/unmarshal/os_vulnerability.go
+++ b/pkg/provider/unmarshal/os_vulnerability.go
@@ -21,8 +21,9 @@ type OSFixedIn struct {
 } `json:"AdvisorySummary"`
 NoAdvisory bool `json:"NoAdvisory"`
 } `json:"VendorAdvisory"`
- Version string `json:"Version"`
- VersionFormat string `json:"VersionFormat"`
+ Version string `json:"Version"`
+ VersionFormat string `json:"VersionFormat"`
+ VulnerableRange string `json:"VulnerableRange"`
 }
 
 type OSFixedIns []OSFixedIn

From 6c8ea34d7b8d85cb29223134c23dbb9e05220b04 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Tue, 28 May 2024 10:43:12 -0400
Subject: [PATCH 2/2] remove special case on ALASKERNEL

If the ALAS provider starts emitting vulnerableRange for ALAS kernel vulnerabilities, there's no reason grype-db shouldn't respect them.

Signed-off-by: Will Murphy
---
 pkg/process/v5/transformers/os/transform.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/process/v5/transformers/os/transform.go b/pkg/process/v5/transformers/os/transform.go
index c6f1db15..9c2744c0 100644
--- a/pkg/process/v5/transformers/os/transform.go
+++ b/pkg/process/v5/transformers/os/transform.go
@@ -216,7 +216,7 @@ func deriveConstraintFromFix(fixVersion, vulnerabilityID string) string {
 }
 
 func enforceConstraint(fixedVersion, vulnerableRange, format, vulnerabilityID string) string {
- if len(vulnerableRange) > 0 && !strings.HasSuffix(vulnerabilityID, "ALASKERNEL") {
+ if len(vulnerableRange) > 0 {
 return vulnerableRange
 }
 fixedVersion = common.CleanConstraint(fixedVersion)
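Review bot: The new `VulnerableRange` field on OSFixedIn has no comment explaining what it holds or how it relates to `Version`, even though the transformer now stores it as the version constraint in preference to `Version` whenever it is non-empty. A short field comment would spare readers a detour into transform.go, e.g. `// VulnerableRange is an optional constraint expression describing the affected versions (expected to use VersionFormat's syntax); when present it is used instead of a constraint derived from Version.` OSFixedIn's declaration begins outside the hunk.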