feat: enable os vulns to have version range

The Mariner distro feed will start including version ranges in the OVAL XML. Update models and grype-db transformer to be able to handle this in version 5. Signed-off-by: Will Murphy <will.murphy@anchore.com>
anchore · May 24, 2024 · 20c715a · 20c715a
1 parent dcc9d3f
commit 20c715a
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 8 deletions.
diff --git a/pkg/process/v5/transformers/os/test-fixtures/mariner-range.json b/pkg/process/v5/transformers/os/test-fixtures/mariner-range.json
@@ -0,0 +1,27 @@
+[
+  {
+      "Vulnerability": {
+        "Name": "CVE-2023-29404",
+        "NamespaceName": "mariner:2.0",
+        "Description": "CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+        "Severity": "Critical",
+        "Link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29404",
+        "CVSS": [],
+        "FixedIn": [
+          {
+            "Name": "golang",
+            "NamespaceName": "mariner:2.0",
+            "VersionFormat": "rpm",
+            "Version": "0:1.20.7-1.cm2",
+            "Module": "",
+            "VendorAdvisory": {
+              "NoAdvisory": false,
+              "AdvisorySummary": []
+            },
+            "VulnerableRange": "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2"
+          }
+        ],
+        "Metadata": {}
+      }
+    }
+]
diff --git a/pkg/process/v5/transformers/os/transform.go b/pkg/process/v5/transformers/os/transform.go
@@ -84,7 +84,7 @@ func Transform(vulnerability unmarshal.OSVulnerability) ([]data.Entry, error) {
 		allVulns = append(allVulns, grypeDB.Vulnerability{
 			ID:                     vulnerability.Vulnerability.Name,
 			PackageQualifiers:      buildPackageQualifiers(fixedInEntry),
-			VersionConstraint:      enforceConstraint(fixedInEntry.Version, fixedInEntry.VersionFormat, vulnerability.Vulnerability.Name),
+			VersionConstraint:      enforceConstraint(fixedInEntry.Version, fixedInEntry.VulnerableRange, fixedInEntry.VersionFormat, vulnerability.Vulnerability.Name),
 			VersionFormat:          fixedInEntry.VersionFormat,
 			PackageName:            grypeNamespace.Resolver().Normalize(fixedInEntry.Name),
 			Namespace:              entryNamespace,
@@ -215,16 +215,19 @@ func deriveConstraintFromFix(fixVersion, vulnerabilityID string) string {
 	return constraint
 }
 
-func enforceConstraint(constraint, format, vulnerabilityID string) string {
-	constraint = common.CleanConstraint(constraint)
-	if len(constraint) == 0 {
+func enforceConstraint(fixedVersion, vulnerableRange, format, vulnerabilityID string) string {
+	if len(vulnerableRange) > 0 && !strings.HasSuffix(vulnerabilityID, "ALASKERNEL") {
+		return vulnerableRange
+	}
+	fixedVersion = common.CleanConstraint(fixedVersion)
+	if len(fixedVersion) == 0 {
 		return ""
 	}
 	switch strings.ToLower(format) {
 	case "semver":
-		return common.EnforceSemVerConstraint(constraint)
+		return common.EnforceSemVerConstraint(fixedVersion)
 	default:
 		// the passed constraint is a fixed version
-		return deriveConstraintFromFix(constraint, vulnerabilityID)
+		return deriveConstraintFromFix(fixedVersion, vulnerabilityID)
 	}
 }
diff --git a/pkg/process/v5/transformers/os/transform_test.go b/pkg/process/v5/transformers/os/transform_test.go
@@ -626,6 +626,45 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
 				Description:  "A flaw was found in PostgreSQL, where some PostgreSQL extensions did not use the search_path safely in their installation script. This flaw allows an attacker with sufficient privileges to trick an administrator into executing a specially crafted script during the extension's installation or update. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
 			},
 		},
+		{
+			name:       "mariner entry with version range",
+			numEntries: 1,
+			fixture:    "test-fixtures/mariner-range.json",
+			vulns: []grypeDB.Vulnerability{
+				{
+					ID:          "CVE-2023-29404",
+					PackageName: "golang",
+					Namespace:   "mariner:distro:mariner:2.0",
+					PackageQualifiers: []qualifier.Qualifier{
+						rpmmodularity.Qualifier{
+							Kind:   "rpm-modularity",
+							Module: "",
+						},
+					},
+					VersionConstraint: "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2",
+					VersionFormat:     "rpm",
+					RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
+						{
+							ID:        "CVE-2023-29404",
+							Namespace: "nvd:cpe",
+						},
+					},
+					Fix: grypeDB.Fix{
+						Versions: []string{"0:1.20.7-1.cm2"},
+						State:    grypeDB.FixedState,
+					},
+				},
+			},
+			metadata: grypeDB.VulnerabilityMetadata{
+				ID:           "CVE-2023-29404",
+				Namespace:    "mariner:distro:mariner:2.0",
+				DataSource:   "https://nvd.nist.gov/vuln/detail/CVE-2023-29404",
+				RecordSource: "vulnerabilities:mariner:2.0",
+				Severity:     "Critical",
+				URLs:         []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-29404"},
+				Description:  "CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+			},
+		},
 	}
 
 	for _, test := range tests {

diff --git a/pkg/provider/unmarshal/os_vulnerability.go b/pkg/provider/unmarshal/os_vulnerability.go
@@ -21,8 +21,9 @@ type OSFixedIn struct {
 		} `json:"AdvisorySummary"`
 		NoAdvisory bool `json:"NoAdvisory"`
 	} `json:"VendorAdvisory"`
-	Version       string `json:"Version"`
-	VersionFormat string `json:"VersionFormat"`
+	Version         string `json:"Version"`
+	VersionFormat   string `json:"VersionFormat"`
+	VulnerableRange string `json:"VulnerableRange"`
 }
 
 type OSFixedIns []OSFixedIn