fix RPM modularity (#506)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
anchore · Feb 18, 2025 · a88497e · a88497e
1 parent a630cb2
commit a88497e
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 25 deletions.
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/adrg/xdg v0.5.3
 	github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a
-	github.com/anchore/grype v0.87.1-0.20250218184845-a98ff71c4e32
+	github.com/anchore/grype v0.87.1-0.20250218201808-3a2ebbca9a5d
 	github.com/anchore/syft v1.19.0
 	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/dave/jennifer v1.7.1

diff --git a/go.sum b/go.sum
@@ -698,8 +698,8 @@ github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0v
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/grype v0.87.1-0.20250218184845-a98ff71c4e32 h1:+ApWgTB8kiPjL1RsofChKfmgN5AyOQcxE99PuhdVjhQ=
-github.com/anchore/grype v0.87.1-0.20250218184845-a98ff71c4e32/go.mod h1:F7fBAzv1n9C7e+yrzMIkuI++ExPfgl9yHgN1g+8Ua5o=
+github.com/anchore/grype v0.87.1-0.20250218201808-3a2ebbca9a5d h1:HTSf8fkRoGd1TF6+UMuaK6zRYOpGvk12MlVhhSr+25w=
+github.com/anchore/grype v0.87.1-0.20250218201808-3a2ebbca9a5d/go.mod h1:F7fBAzv1n9C7e+yrzMIkuI++ExPfgl9yHgN1g+8Ua5o=
 github.com/anchore/packageurl-go v0.1.1-0.20250117185454-edf36a908b10 h1:zBedM9ZGYbs/61QC4ZOKxtChx5njXKHgHqDeHuUxrTw=
 github.com/anchore/packageurl-go v0.1.1-0.20250117185454-edf36a908b10/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
 github.com/anchore/stereoscope v0.0.13 h1:9Ivkh7k+vOeG3JHrt44jOg/8UdZrCvMsSjLQ7trHBig=

diff --git a/pkg/process/v6/transformers/os/transform.go b/pkg/process/v6/transformers/os/transform.go
@@ -53,10 +53,16 @@ func getAffectedPackages(vuln unmarshal.OSVulnerability) []grypeDB.AffectedPacka
 	var afs []grypeDB.AffectedPackageHandle
 	groups := groupFixedIns(vuln)
 	for group, fixedIns := range groups {
+		// we only care about a single qualifier: rpm modules. The important thing to note about this is that
+		// a package with no module vs a package with a module should be detectable in the DB.
 		var qualifiers *grypeDB.AffectedPackageQualifiers
-		if group.module != "" {
+		if group.format == "rpm" {
+			module := "" // means the target package must have no module (where as nil means the module has no sway on matching)
+			if group.hasModule {
+				module = group.module
+			}
 			qualifiers = &grypeDB.AffectedPackageQualifiers{
-				RpmModularity: group.module,
+				RpmModularity: &module,
 			}
 		}
 
@@ -174,7 +180,9 @@ type groupIndex struct {
 	id        string
 	osName    string
 	osVersion string
+	hasModule bool
 	module    string
+	format    string
 }
 
 func groupFixedIns(vuln unmarshal.OSVulnerability) map[groupIndex][]unmarshal.OSFixedIn {
@@ -191,7 +199,9 @@ func groupFixedIns(vuln unmarshal.OSVulnerability) map[groupIndex][]unmarshal.OS
 			id:        osID,
 			osName:    osName,
 			osVersion: osVersion,
+			hasModule: fixedIn.Module != nil,
 			module:    mod,
+			format:    fixedIn.VersionFormat,
 		}
 
 		grouped[g] = append(grouped[g], fixedIn)

diff --git a/pkg/process/v6/transformers/os/transform_test.go b/pkg/process/v6/transformers/os/transform_test.go
@@ -168,7 +168,8 @@ func TestTransform(t *testing.T) {
 								Ecosystem: "rpm",
 							},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2018-14648"},
+								CVEs:       []string{"CVE-2018-14648"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
@@ -184,7 +185,8 @@ func TestTransform(t *testing.T) {
 								Ecosystem: "rpm",
 							},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2018-14648"},
+								CVEs:       []string{"CVE-2018-14648"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
@@ -200,7 +202,8 @@ func TestTransform(t *testing.T) {
 								Ecosystem: "rpm",
 							},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2018-14648"},
+								CVEs:       []string{"CVE-2018-14648"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
@@ -216,7 +219,8 @@ func TestTransform(t *testing.T) {
 								Ecosystem: "rpm",
 							},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2018-14648"},
+								CVEs:       []string{"CVE-2018-14648"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
@@ -232,7 +236,8 @@ func TestTransform(t *testing.T) {
 								Ecosystem: "rpm",
 							},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2018-14648"},
+								CVEs:       []string{"CVE-2018-14648"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 1.3.8.4-15.amzn2.0.1"},
@@ -278,7 +283,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: amazonOS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "kernel"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3732"},
+								CVEs:       []string{"CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3732"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 4.14.246-187.474.amzn2"},
@@ -291,7 +297,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: amazonOS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "kernel-headers"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3732"},
+								CVEs:       []string{"CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3732"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 4.14.246-187.474.amzn2"},
@@ -330,7 +337,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: amazonOS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "kernel"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
+								CVEs:       []string{"CVE-2021-3753", "CVE-2021-40490"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ">= 5.4, < 5.4.144-69.257.amzn2"},
@@ -343,7 +351,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: amazonOS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "kernel-headers"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
+								CVEs:       []string{"CVE-2021-3753", "CVE-2021-40490"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ">= 5.4, < 5.4.144-69.257.amzn2"},
@@ -382,7 +391,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: amazonOS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "kernel"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
+								CVEs:       []string{"CVE-2021-3753", "CVE-2021-40490"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ">= 5.10, < 5.10.62-55.141.amzn2"},
@@ -395,7 +405,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: amazonOS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "kernel-headers"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2021-3753", "CVE-2021-40490"},
+								CVEs:       []string{"CVE-2021-3753", "CVE-2021-40490"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ">= 5.10, < 5.10.62-55.141.amzn2"},
@@ -440,6 +451,7 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: azure3OS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "golang"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 0:1.20.7-1.azl3"},
@@ -644,6 +656,7 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: mariner2OS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "exiv2"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 0:0.27.5-1.cm2"},
@@ -689,6 +702,7 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: mariner2OS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "golang"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2"},
@@ -737,7 +751,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: ol8OS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "libexif"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2020-13112"},
+								CVEs:       []string{"CVE-2020-13112"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 0:0.6.21-17.el8_2"},
@@ -750,7 +765,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: ol8OS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "libexif-devel"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2020-13112"},
+								CVEs:       []string{"CVE-2020-13112"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: "< 0:0.6.21-17.el8_2"},
@@ -763,7 +779,8 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: ol8OS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "libexif-dummy"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
-								CVEs: []string{"CVE-2020-13112"},
+								CVEs:       []string{"CVE-2020-13112"},
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{Type: "rpm", Constraint: ""},
@@ -810,7 +827,7 @@ func TestTransform(t *testing.T) {
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
 								Qualifiers: &grypeDB.AffectedPackageQualifiers{
-									RpmModularity: "postgresql:10",
+									RpmModularity: strRef("postgresql:10"),
 								},
 								Ranges: []grypeDB.AffectedRange{
 									{
@@ -831,7 +848,7 @@ func TestTransform(t *testing.T) {
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
 								Qualifiers: &grypeDB.AffectedPackageQualifiers{
-									RpmModularity: "postgresql:12",
+									RpmModularity: strRef("postgresql:12"),
 								},
 								Ranges: []grypeDB.AffectedRange{
 									{
@@ -852,7 +869,7 @@ func TestTransform(t *testing.T) {
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
 								Qualifiers: &grypeDB.AffectedPackageQualifiers{
-									RpmModularity: "postgresql:9.6",
+									RpmModularity: strRef("postgresql:9.6"),
 								},
 								Ranges: []grypeDB.AffectedRange{
 									{
@@ -912,6 +929,7 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: rhel8OS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "firefox"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{
@@ -938,6 +956,7 @@ func TestTransform(t *testing.T) {
 							OperatingSystem: rhel8OS,
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "thunderbird"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
+								Qualifiers: &grypeDB.AffectedPackageQualifiers{RpmModularity: strRef("")},
 								Ranges: []grypeDB.AffectedRange{
 									{
 										Version: grypeDB.AffectedVersion{
@@ -1005,7 +1024,7 @@ func TestTransform(t *testing.T) {
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
 								Qualifiers: &grypeDB.AffectedPackageQualifiers{
-									RpmModularity: "postgresql:10",
+									RpmModularity: strRef("postgresql:10"),
 								},
 								Ranges: []grypeDB.AffectedRange{
 									{
@@ -1034,7 +1053,7 @@ func TestTransform(t *testing.T) {
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
 								Qualifiers: &grypeDB.AffectedPackageQualifiers{
-									RpmModularity: "postgresql:12",
+									RpmModularity: strRef("postgresql:12"),
 								},
 								Ranges: []grypeDB.AffectedRange{
 									{
@@ -1063,7 +1082,7 @@ func TestTransform(t *testing.T) {
 							Package:         &grypeDB.Package{Ecosystem: "rpm", Name: "postgresql"},
 							BlobValue: &grypeDB.AffectedPackageBlob{
 								Qualifiers: &grypeDB.AffectedPackageQualifiers{
-									RpmModularity: "postgresql:9.6",
+									RpmModularity: strRef("postgresql:9.6"),
 								},
 								Ranges: []grypeDB.AffectedRange{
 									{
@@ -1260,3 +1279,7 @@ func loadFixture(t *testing.T, fixturePath string) []unmarshal.OSVulnerability {
 func timeRef(ti time.Time) *time.Time {
 	return &ti
 }
+
+func strRef(s string) *string {
+	return &s
+}