fix: correct cpe target software comparison to syft language (#1658)

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
anchore · Jul 11, 2024 · ef37603 · ef37603
1 parent 7acac8c
commit ef37603
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 2 deletions.
diff --git a/grype/search/cpe_test.go b/grype/search/cpe_test.go
@@ -701,6 +701,56 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
  }
  },
  },
+ {
+ name: "Ensure match is kept for target software that matches the syft package language type",
+ p: pkg.Package{
+ CPEs: []cpe.CPE{
+ cpe.Must("cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:*:*:*", ""),
+ },
+ Name: "handlebars",
+ Version: "0.1",
+ Language: syftPkg.JavaScript,
+ Type: syftPkg.NpmPkg,
+ },
+ expected: []match.Match{
+ {
+ Vulnerability: vulnerability.Vulnerability{
+ ID: "CVE-2021-23369",
+ },
+ Package: pkg.Package{
+ CPEs: []cpe.CPE{
+ cpe.Must("cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:*:*:*", ""),
+ },
+ Name: "handlebars",
+ Version: "0.1",
+ Language: syftPkg.JavaScript,
+ Type: syftPkg.NpmPkg,
+ },
+ Details: []match.Detail{
+ {
+ Type: match.CPEMatch,
+ Confidence: 0.9,
+ SearchedBy: CPEParameters{
+ CPEs: []string{"cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:*:*:*"},
+ Namespace: "nvd:cpe",
+ Package: CPEPackageParameter{
+ Name: "handlebars",
+ Version: "0.1",
+ },
+ },
+ Found: CPEResult{
+ CPEs: []string{
+ "cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*",
+ },
+ VersionConstraint: "< 4.7.7 (unknown)",
+ VulnerabilityID: "CVE-2021-23369",
+ },
+ Matcher: matcher,
+ },
+ },
+ },
+ },
+ },
  }
 
  for _, test := range tests {

diff --git a/grype/search/only_vulnerable_targets.go b/grype/search/only_vulnerable_targets.go
@@ -56,8 +56,8 @@ func onlyVulnerableTargets(p pkg.Package, allVulns []vulnerability.Vulnerability
  isPackageVulnerable := len(vuln.CPEs) == 0
  for _, cpe := range vuln.CPEs {
  targetSW := cpe.Attributes.TargetSW
- mismatchWithUnknownLanguage := targetSW != string(p.Language) && isUnknownTarget(targetSW)
- if targetSW == wfn.Any || targetSW == wfn.NA || targetSW == string(p.Language) || mismatchWithUnknownLanguage {
+ mismatchWithUnknownLanguage := syftPkg.LanguageByName(targetSW) != p.Language && isUnknownTarget(targetSW)
+ if targetSW == wfn.Any || targetSW == wfn.NA || syftPkg.LanguageByName(targetSW) == p.Language || mismatchWithUnknownLanguage {
  isPackageVulnerable = true
  }
  }