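--- a/grype/matcher/apk/matcher.go
+++ b/grype/matcher/apk/matcher.go
@@ -27,11 +27,11 @@
 	var matches = make([]match.Match, 0)
 
 	// direct matches with package
-	directMatches, err := m.findApkPackage(store, d, p)
+	cpeMatches, err := m.cpeMatchesWithoutSecDBFixes(store, d, p)
 	if err != nil {
 		return nil, err
 	}
-	matches = append(matches, directMatches...)
+	matches = append(matches, cpeMatches...)
 
 	// indirect matches with package source
 	indirectMatches, err := m.matchBySourceIndirection(store, d, p)
@@ -101,21 +101,6 @@
 	return finalCpeMatches, nil
 }
 
-func deduplicateMatches(secDBMatches, cpeMatches []match.Match) (matches []match.Match) {
-	// add additional unique matches from CPE source that is unique from the SecDB matches
-	secDBMatchesByID := matchesByID(secDBMatches)
-	cpeMatchesByID := matchesByID(cpeMatches)
-	for id, cpeMatchesForID := range cpeMatchesByID {
-		// by this point all matches have been verified to be vulnerable within the given package version relative to the vulnerability source.
-		// now we will add unique CPE candidates that were not found in secdb.
-		if _, exists := secDBMatchesByID[id]; !exists {
-			// add the new CPE-based record (e.g. NVD) since it was not found in secDB
-			matches = append(matches, cpeMatchesForID...)
-		}
-	}
-	return matches
-}
-
 func matchesByID(matches []match.Match) map[string][]match.Match {
 	var results = make(map[string][]match.Match)
 	for _, secDBMatch := range matches {
@@ -133,36 +118,14 @@
 	return results
 }
 
-func (m *Matcher) findApkPackage(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
-	// find Alpine SecDB matches for the given package name and version
-	secDBMatches, err := search.ByPackageDistro(store, d, p, m.Type())
-	if err != nil {
-		return nil, err
-	}
-
-	cpeMatches, err := m.cpeMatchesWithoutSecDBFixes(store, d, p)
-	if err != nil {
-		return nil, err
-	}
-
-	var matches []match.Match
-
-	// keep all secdb matches, as this is an authoritative source
-	matches = append(matches, secDBMatches...)
-
-	// keep only unique CPE matches
-	matches = append(matches, deduplicateMatches(secDBMatches, cpeMatches)...)
-
-	return matches, nil
-}
-
 func (m *Matcher) matchBySourceIndirection(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
 	var matches []match.Match
 
 	for _, indirectPackage := range pkg.UpstreamPackages(p) {
-		indirectMatches, err := m.findApkPackage(store, d, indirectPackage)
+		// direct matches with package
+		indirectMatches, err := m.cpeMatchesWithoutSecDBFixes(store, d, indirectPackage)
 		if err != nil {
-			return nil, fmt.Errorf("failed to find vulnerabilities for apk upstream source package: %w", err)
+			return nil, err
 		}
 		matches = append(matches, indirectMatches...)
 	}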
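Review bot: The comment `// direct matches with package` added inside the upstream-package loop of matchBySourceIndirection is copied from the direct-match path and describes the wrong thing at that spot: the call now runs once per upstream (source) package, so `// CPE matches for the upstream source package` would read correctly. In the same hunk the wrapped error was replaced with a bare `return nil, err`, which drops the only context that told a caller the failure came from an upstream-package lookup rather than the direct one; keeping `return nil, fmt.Errorf("failed to find vulnerabilities for apk upstream source package: %w", err)` preserves that. With findApkPackage removed, the direct path no longer appends the search.ByPackageDistro (SecDB) results it previously kept as an authoritative source; whether cpeMatchesWithoutSecDBFixes still surfaces those is outside the shown hunks, so it is worth confirming that advisories present only in Alpine SecDB are not silently dropped from apk results. The body of matchBySourceIndirection continues past the end of the hunk.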