■ ■ ■ ■ ■ ■
grype/matcher/apk/matcher.go
| skipped 26 lines |
| 27 | 27 | | var matches = make([]match.Match, 0) |
| 28 | 28 | | |
| 29 | 29 | | // direct matches with package |
| 30 | | - | directMatches, err := m.findApkPackage(store, d, p) |
| | 30 | + | cpeMatches, err := m.cpeMatchesWithoutSecDBFixes(store, d, p) |
| 31 | 31 | | if err != nil { |
| 32 | 32 | | return nil, err |
| 33 | 33 | | } |
| 34 | | - | matches = append(matches, directMatches...) |
| | 34 | + | matches = append(matches, cpeMatches...) |
| 35 | 35 | | |
| 36 | 36 | | // indirect matches with package source |
| 37 | 37 | | indirectMatches, err := m.matchBySourceIndirection(store, d, p) |
| skipped 63 lines |
| 101 | 101 | | return finalCpeMatches, nil |
| 102 | 102 | | } |
| 103 | 103 | | |
| 104 | | - | func deduplicateMatches(secDBMatches, cpeMatches []match.Match) (matches []match.Match) { |
| 105 | | - | // add additional unique matches from CPE source that is unique from the SecDB matches |
| 106 | | - | secDBMatchesByID := matchesByID(secDBMatches) |
| 107 | | - | cpeMatchesByID := matchesByID(cpeMatches) |
| 108 | | - | for id, cpeMatchesForID := range cpeMatchesByID { |
| 109 | | - | // by this point all matches have been verified to be vulnerable within the given package version relative to the vulnerability source. |
| 110 | | - | // now we will add unique CPE candidates that were not found in secdb. |
| 111 | | - | if _, exists := secDBMatchesByID[id]; !exists { |
| 112 | | - | // add the new CPE-based record (e.g. NVD) since it was not found in secDB |
| 113 | | - | matches = append(matches, cpeMatchesForID...) |
| 114 | | - | } |
| 115 | | - | } |
| 116 | | - | return matches |
| 117 | | - | } |
| 118 | | - | |
| 119 | 104 | | func matchesByID(matches []match.Match) map[string][]match.Match { |
| 120 | 105 | | var results = make(map[string][]match.Match) |
| 121 | 106 | | for _, secDBMatch := range matches { |
| skipped 11 lines |
| 133 | 118 | | return results |
| 134 | 119 | | } |
| 135 | 120 | | |
| 136 | | - | func (m *Matcher) findApkPackage(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) { |
| 137 | | - | // find Alpine SecDB matches for the given package name and version |
| 138 | | - | secDBMatches, err := search.ByPackageDistro(store, d, p, m.Type()) |
| 139 | | - | if err != nil { |
| 140 | | - | return nil, err |
| 141 | | - | } |
| 142 | | - | |
| 143 | | - | cpeMatches, err := m.cpeMatchesWithoutSecDBFixes(store, d, p) |
| 144 | | - | if err != nil { |
| 145 | | - | return nil, err |
| 146 | | - | } |
| 147 | | - | |
| 148 | | - | var matches []match.Match |
| 149 | | - | |
| 150 | | - | // keep all secdb matches, as this is an authoritative source |
| 151 | | - | matches = append(matches, secDBMatches...) |
| 152 | | - | |
| 153 | | - | // keep only unique CPE matches |
| 154 | | - | matches = append(matches, deduplicateMatches(secDBMatches, cpeMatches)...) |
| 155 | | - | |
| 156 | | - | return matches, nil |
| 157 | | - | } |
| 158 | | - | |
| 159 | 121 | | func (m *Matcher) matchBySourceIndirection(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) { |
| 160 | 122 | | var matches []match.Match |
| 161 | 123 | | |
| 162 | 124 | | for _, indirectPackage := range pkg.UpstreamPackages(p) { |
| 163 | | - | indirectMatches, err := m.findApkPackage(store, d, indirectPackage) |
| | 125 | + | // direct matches with package |
| | 126 | + | indirectMatches, err := m.cpeMatchesWithoutSecDBFixes(store, d, indirectPackage) |
| 164 | 127 | | if err != nil { |
| 165 | | - | return nil, fmt.Errorf("failed to find vulnerabilities for apk upstream source package: %w", err) |
| | 128 | + | return nil, err |
| 166 | 129 | | } |
| 167 | 130 | | matches = append(matches, indirectMatches...) |
| 168 | 131 | | } |
| skipped 8 lines |
Christopher Phillips
committed
11 months ago
1 parent 0f71006f