From 5812bb8305477d3665d94738bb77426f5cf4620b Mon Sep 17 00:00:00 2001
From: Bar Nuri
Date: Wed, 15 Jan 2025 22:19:30 +0200
Subject: [PATCH] fix: upstream match for linux-.*-headers-.* (#2320)
Signed-off-by: Bar Nuri
Signed-off-by: tomersein
Co-authored-by: GGMU <49076226+tomersein@users.noreply.github.com>
Co-authored-by: tomersein
---
 cmd/grype/cli/commands/root.go | 2 +-
 grype/match/ignore.go | 8 +++-
 grype/match/ignore_test.go | 68 +++++++++++++++++++++++++++++++++-
 3 files changed, 75 insertions(+), 3 deletions(-)
diff --git a/cmd/grype/cli/commands/root.go b/cmd/grype/cli/commands/root.go
index fd640c292cf..9d03e6b7aa2 100644
--- a/cmd/grype/cli/commands/root.go
+++ b/cmd/grype/cli/commands/root.go
@@ -104,7 +104,7 @@ var ignoreVEXFixedNotAffected = []match.IgnoreRule{
 var ignoreLinuxKernelHeaders = []match.IgnoreRule{
 {Package: match.IgnoreRulePackage{Name: "kernel-headers", UpstreamName: "kernel", Type: string(syftPkg.RpmPkg)}, MatchType: match.ExactIndirectMatch},
- {Package: match.IgnoreRulePackage{Name: "linux-.*-headers-.*", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
+ {Package: match.IgnoreRulePackage{Name: "linux(-.*)?-headers-.*", UpstreamName: "linux.*", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
 {Package: match.IgnoreRulePackage{Name: "linux-libc-dev", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
 }
diff --git a/grype/match/ignore.go b/grype/match/ignore.go
index c0644551dd6..0fd2460d4cb 100644
--- a/grype/match/ignore.go
+++ b/grype/match/ignore.go
@@ -3,6 +3,7 @@ package match
 import (
 "regexp"
+ "github.com/anchore/grype/internal/log"
 "github.com/bmatcuk/doublestar/v2"
 )
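Review bot: The widened `UpstreamName: "linux.*"` on the replaced line makes this default ignore rule suppress ExactIndirectMatch findings for any deb package whose upstream name merely starts with `linux`, so the rule's scope now rests on the `Name` pattern alone. Because the second file of this patch compiles the upstream-name field as a regular expression, the rule list should say so, and why these packages are excluded; a comment above `ignoreLinuxKernelHeaders` such as `// kernel header packages match indirectly through their kernel upstream; both Name and UpstreamName are regular expressions (see packageNameRegex)` would spare the next reader a trip through match/ignore.go. Whether `linux.*` is anchored depends on packageNameRegex, which is not shown here; if it is not, the expression also matches names that contain `linux` anywhere, so that is worth confirming before relying on it. The `ignoreLinuxKernelHeaders` declaration is shown in full.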
@@ -213,9 +214,14 @@ func ifPackageLocationApplies(location string) ignoreCondition {
 }
 func ifUpstreamPackageNameApplies(name string) ignoreCondition {
+ pattern, err := packageNameRegex(name)
+ if err != nil {
+ log.WithFields("name", name, "error", err).Debug("unable to parse name expression")
+ return func(Match) bool { return false }
+ }
 return func(match Match) bool {
 for _, upstream := range match.Package.Upstreams {
- if name == upstream.Name {
+ if pattern.MatchString(upstream.Name) {
 return true
 }
 }
diff --git a/grype/match/ignore_test.go b/grype/match/ignore_test.go
index 5b2365999ce..414f60751e0 100644
--- a/grype/match/ignore_test.go
+++ b/grype/match/ignore_test.go
@@ -225,6 +225,32 @@ var (
 },
 },
 },
+ // linux-like match, similar to what we see from debian\ubuntu
+ {
+ Vulnerability: vulnerability.Vulnerability{
+ Reference: vulnerability.Reference{
+ ID: "CVE-3",
+ Namespace: "fake-linux-vulns",
+ },
+ Fix: vulnerability.Fix{
+ State: vulnerability.FixStateUnknown,
+ },
+ },
+ Package: pkg.Package{
+ ID: pkg.ID(uuid.NewString()),
+ Name: "linux-azure-headers-generic",
+ Version: "5.2.1",
+ Type: syftPkg.DebPkg,
+ Upstreams: []pkg.UpstreamPackage{
+ {Name: "linux-azure"},
+ },
+ },
+ Details: []Detail{
+ {
+ Type: ExactIndirectMatch,
+ },
+ },
+ },
 }
 // For testing the match-type and upstream ignore rules
@@ -540,6 +566,11 @@ func TestApplyIgnoreRules(t *testing.T) {
 UpstreamName: "kernel",
 },
 },
+ {
+ Package: IgnoreRulePackage{
+ UpstreamName: "linux-.*",
+ },
+ },
 },
 expectedRemainingMatches: []Match{
 kernelHeadersMatches[1],
@@ -555,6 +586,16 @@ func TestApplyIgnoreRules(t *testing.T) {
 },
 },
 },
+ {
+ Match: kernelHeadersMatches[2],
+ AppliedIgnoreRules: []IgnoreRule{
+ {
+ Package: IgnoreRulePackage{
+ UpstreamName: "linux-.*",
+ },
+ },
+ },
+ },
 },
 },
 {
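Review bot: An upstream-name rule whose expression fails to compile now silently becomes a condition that never applies, and the only signal is the Debug-level call on the added `log.WithFields(...)` line; since this path replaces exact string comparison, an existing user rule whose upstream name contains regex metacharacters can stop compiling or change meaning without the operator noticing at default verbosity. Never suppressing a finding is the right direction for a broken rule, but the event should be visible and name the field it concerns: `log.WithFields("name", name, "error", err).Warn("unable to parse upstream name expression")`. Whether a plain literal such as `linux` still matches only itself depends on packageNameRegex anchoring the pattern, which is outside this hunk; confirm that and record it on the function, e.g. `// ifUpstreamPackageNameApplies returns a condition that holds when any upstream package name of the match satisfies the regular expression built from name by packageNameRegex; an unparsable expression yields a condition that never applies.` The closing braces of the returned closure and the end of the function lie outside the hunk.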
@@ -595,6 +636,14 @@ func TestApplyIgnoreRules(t *testing.T) {
 },
 MatchType: ExactIndirectMatch,
 },
+ {
+ Package: IgnoreRulePackage{
+ Name: "linux-.*-headers-.*",
+ UpstreamName: "linux.*",
+ Type: string(syftPkg.DebPkg),
+ },
+ MatchType: ExactIndirectMatch,
+ },
 },
 expectedRemainingMatches: []Match{
 kernelHeadersMatches[1],
@@ -613,6 +662,19 @@ func TestApplyIgnoreRules(t *testing.T) {
 },
 },
 },
+ {
+ Match: kernelHeadersMatches[2],
+ AppliedIgnoreRules: []IgnoreRule{
+ {
+ Package: IgnoreRulePackage{
+ Name: "linux-.*-headers-.*",
+ UpstreamName: "linux.*",
+ Type: string(syftPkg.DebPkg),
+ },
+ MatchType: ExactIndirectMatch,
+ },
+ },
+ },
 },
 },
 {
@@ -627,6 +689,7 @@ func TestApplyIgnoreRules(t *testing.T) {
 },
 expectedRemainingMatches: []Match{
 kernelHeadersMatches[1],
+ kernelHeadersMatches[2],
 },
 expectedIgnoredMatches: []IgnoredMatch{
 {
@@ -677,7 +740,10 @@ func TestApplyIgnoreRules(t *testing.T) {
 },
 },
 },
- expectedRemainingMatches: []Match{kernelHeadersMatches[1]},
+ expectedRemainingMatches: []Match{
+ kernelHeadersMatches[1],
+ kernelHeadersMatches[2],
+ },
 expectedIgnoredMatches: []IgnoredMatch{
 {
 Match: kernelHeadersMatches[0],
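Review bot: The rule added in this hunk (and repeated in the `@@ -613` hunk) uses `Name: "linux-.*-headers-.*"`, which is the pre-patch pattern, while the default rule this same patch changes in root.go is `linux(-.*)?-headers-.*`; the optional group the shipped rule gained is therefore never exercised, and the only new fixture, `linux-azure-headers-generic`, is matched by both forms. A flavourless name such as `linux-headers-<version>` (constructed example) is matched only by the new group, so a fixture of that shape plus the root.go expression in both test rules would tie the test to the default actually shipped. TestApplyIgnoreRules starts and ends outside this hunk.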