Description
What would you like to be added:
I would like the matchDetails struct and JSON representation to report what module constraint was used to match the vulnerability on RPM-based matches.
Why is this needed:
Modularity is part of the version constraint. The version and package used are reported; module should be, since Grype might change its match decision based on
Additional context:
Right now, modularity is represented as a "package qualifier" in the Grype DB. There is an expansion point for other package qualifiers. Probably the change to matchDetails should include these other qualifiers.
Here's an example ("CVE-2019-16161" found in test image docker.io/anchore/test_images:appstreams-rhel-8-1a287dd@sha256:524ff8a75f21fd886ec7ed82387766df386671e8b77e898d05786118d5b7880b):
```json
"matchDetails": [
  {
    "type": "exact-indirect-match",
    "matcher": "rpm-matcher",
    "searchedBy": {
      "distro": {
        "type": "redhat",
        "version": "8.6"
      },
      "namespace": "redhat:distro:redhat:8",
      "package": {
        "name": "ruby",
        "version": "2.5.9-110.module+el8.6.0+15956+aa803fc1"
      }
    },
    "found": {
      "versionConstraint": "none (rpm)",
      "vulnerabilityID": "CVE-2019-16161"
    }
  }
]
```

You can see that we considered the package name, "ruby", and its version. But if we look at the package metadata, we see "modularityLabel": "ruby:2.5:8060020220715152618:ad008a3a", and if we look at the vuln record we see:
```sql
SELECT id, namespace, package_name, version_constraint, package_qualifiers
FROM vulnerability
WHERE id = "CVE-2019-16161" and namespace like "%red%8";
```

yields:

| id | namespace | package_name | version_constraint | package_qualifiers |
|---|---|---|---|---|
| CVE-2019-16161 | redhat:distro:redhat:8 | ruby | | [{"kind":"rpm-modularity","module":"ruby:2.5"}] |
| CVE-2019-16161 | redhat:distro:redhat:8 | ruby | | [{"kind":"rpm-modularity","module":"ruby:2.6"}] |
Grype here has chosen the ruby:2.5 row, but the match details don't directly say this.
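To make the requested behaviour concrete, here is an added Go example (not Grype's own code) that models the selection described above: the two DB rows from the table are filtered against the package's modularityLabel, and the surviving row's module constraint is written into a `module` field under `searchedBy`. The `Qualifier`, `VulnRow` and `MatchDetail` types, the `module` field, and the rule that a qualifier matches when the label's `name:stream` prefix equals the module are all assumptions for illustration, not Grype's real structs or matching semantics.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Qualifier mirrors one entry of the package_qualifiers column shown in the
// issue (only the rpm-modularity kind is modelled here).
type Qualifier struct {
	Kind   string `json:"kind"`
	Module string `json:"module"`
}

// VulnRow is a constructed stand-in for one row of the vulnerability table.
type VulnRow struct {
	ID          string
	Namespace   string
	PackageName string
	Qualifiers  []Qualifier
}

// MatchDetail is a trimmed, hypothetical matchDetails entry that adds the
// "module" field the issue asks for (the real struct is Grype's, not this one).
type MatchDetail struct {
	Type       string `json:"type"`
	Matcher    string `json:"matcher"`
	SearchedBy struct {
		Namespace string `json:"namespace"`
		Package   struct {
			Name    string `json:"name"`
			Version string `json:"version"`
		} `json:"package"`
		Module string `json:"module,omitempty"` // assumed new field
	} `json:"searchedBy"`
	Found struct {
		VersionConstraint string `json:"versionConstraint"`
		VulnerabilityID   string `json:"vulnerabilityID"`
	} `json:"found"`
}

// moduleOf reduces a full modularityLabel "name:stream:version:context"
// to the "name:stream" form used by the qualifier.
func moduleOf(label string) string {
	parts := strings.SplitN(label, ":", 3)
	if len(parts) < 2 {
		return label
	}
	return parts[0] + ":" + parts[1]
}

// satisfied reports whether one qualifier applies to a package with the given
// modularity label. Hypothetical semantics: an rpm-modularity qualifier needs
// an exact name:stream match; other qualifier kinds are not filtered here.
func satisfied(q Qualifier, label string) bool {
	if q.Kind != "rpm-modularity" {
		return true
	}
	return label != "" && moduleOf(label) == q.Module
}

// Match filters candidate rows for one package and builds a MatchDetail per
// surviving row, recording the module constraint that selected it.
func Match(rows []VulnRow, name, version, label string) []MatchDetail {
	var out []MatchDetail
	for _, r := range rows {
		module, ok := "", true
		for _, q := range r.Qualifiers {
			if !satisfied(q, label) {
				ok = false
				break
			}
			if q.Kind == "rpm-modularity" {
				module = q.Module
			}
		}
		if !ok {
			continue
		}
		var d MatchDetail
		d.Type = "exact-indirect-match"
		d.Matcher = "rpm-matcher"
		d.SearchedBy.Namespace = r.Namespace
		d.SearchedBy.Package.Name = name
		d.SearchedBy.Package.Version = version
		d.SearchedBy.Module = module // the constraint the issue wants reported
		d.Found.VersionConstraint = "none (rpm)"
		d.Found.VulnerabilityID = r.ID
		out = append(out, d)
	}
	return out
}

// SampleRows reproduces the two DB rows from the issue's table (constructed input).
func SampleRows() []VulnRow {
	return []VulnRow{
		{
			ID: "CVE-2019-16161", Namespace: "redhat:distro:redhat:8", PackageName: "ruby",
			Qualifiers: []Qualifier{{Kind: "rpm-modularity", Module: "ruby:2.5"}},
		},
		{
			ID: "CVE-2019-16161", Namespace: "redhat:distro:redhat:8", PackageName: "ruby",
			Qualifiers: []Qualifier{{Kind: "rpm-modularity", Module: "ruby:2.6"}},
		},
	}
}

func main() {
	details := Match(SampleRows(), "ruby",
		"2.5.9-110.module+el8.6.0+15956+aa803fc1",
		"ruby:2.5:8060020220715152618:ad008a3a")
	b, _ := json.MarshalIndent(details, "", "  ")
	fmt.Println(string(b))
}
```

Running it prints a single matchDetails entry whose `searchedBy.module` is `ruby:2.5`, while the `ruby:2.6` row is dropped; a package with no modularityLabel matches neither row under these assumed semantics, which is the kind of decision the issue argues should be visible in the output.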