rhel: move IgnoreUnpatched config key from updater to matcher

Previously the IgnoreUnpatched config key was a part of the RHEL
updater and would dictate whether or not the updater would ingest
unpatched vulnerabilities. This change moves that key to the RHEL
matcher and dictates whether the matcher should check for a
fixed_in_version when querying potential vulnerabilities. This makes the
config option more usable at the expense of DB size.

Signed-off-by: crozzy <joseph.crosland@gmail.com>

datastore/postgres/querybuilder.go

@@ -70,6 +70,8 @@ func buildGetQuery(record *claircore.IndexRecord, opts *datastore.GetOpts) (stri
 			ex = goqu.Ex{"dist_arch": record.Distribution.Arch}
 		case driver.RepositoryName:
 			ex = goqu.Ex{"repo_name": record.Repository.Name}
+		case driver.HasFixedInVersion:
+			ex = goqu.Ex{"fixed_in_version": goqu.Op{"neq": ""}}
 		default:
 			return "", fmt.Errorf("was provided unknown matcher: %v", m)
 		}

datastore/postgres/querybuilder_test.go

@@ -202,6 +202,20 @@ func TestGetQueryBuilderDeterministicArgs(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "FixedInVersion",
+			expectedQuery: preamble + both +
+				`("fixed_in_version" != '')` + epilogue,
+			matchExps: []driver.MatchConstraint{driver.HasFixedInVersion},
+			indexRecord: func() *claircore.IndexRecord {
+				pkgs := test.GenUniquePackages(1)
+				dists := test.GenUniqueDistributions(1)
+				return &claircore.IndexRecord{
+					Package:      pkgs[0],
+					Distribution: dists[0],
+				}
+			},
+		},
 	}
 
 	// This is safe to do because SQL doesn't care about what whitespace is

libvuln/driver/matcher.go

@@ -41,6 +41,8 @@ const (
 	DistributionPrettyName
 	// should match claircore.Package.Repository.Name => claircore.Vulnerability.Package.Repository.Name
 	RepositoryName
+	// should match claircore.Vulnerability.FixedInVersion != ""
+	HasFixedInVersion
 )
 
 // Matcher is an interface which a Controller uses to query the vulnstore for vulnerabilities.

matchers/defaults/defaults.go

@@ -53,13 +53,13 @@ var defaultMatchers = []driver.Matcher{
 	&photon.Matcher{},
 	&python.Matcher{},
 	rhcc.Matcher,
-	&rhel.Matcher{},
 	&ruby.Matcher{},
 	&suse.Matcher{},
 	&ubuntu.Matcher{},
 }
 
 func inner(ctx context.Context) error {
+	registry.Register("rhel", &rhel.MatcherFactory{})
 	for _, m := range defaultMatchers {
 		mf := driver.MatcherStatic(m)
 		registry.Register(m.Name(), mf)

rhel/matcher.go

@@ -11,7 +11,9 @@ import (
 )
 
 // Matcher implements driver.Matcher.
-type Matcher struct{}
+type Matcher struct {
+	ignoreUnpatched bool
+}
 
 var _ driver.Matcher = (*Matcher)(nil)
 
@@ -26,10 +28,12 @@ func (*Matcher) Filter(record *claircore.IndexRecord) bool {
 }
 
 // Query implements driver.Matcher.
-func (*Matcher) Query() []driver.MatchConstraint {
-	return []driver.MatchConstraint{
-		driver.PackageModule,
+func (m *Matcher) Query() []driver.MatchConstraint {
+	mcs := []driver.MatchConstraint{driver.PackageModule}
+	if m.ignoreUnpatched {
+		mcs = append(mcs, driver.HasFixedInVersion)
 	}
+	return mcs
 }
 
 // Vulnerable implements driver.Matcher.

rhel/matcherfactory.go

@@ -0,0 +1,35 @@
+package rhel
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/quay/claircore/libvuln/driver"
+)
+
+type MatcherFactory struct {
+	ignoreUnpatched bool
+}
+
+// MatcherFactory implements [driver.MatcherFactory]
+func (f *MatcherFactory) Matcher(ctx context.Context) ([]driver.Matcher, error) {
+	m := &Matcher{
+		ignoreUnpatched: f.ignoreUnpatched,
+	}
+	return []driver.Matcher{m}, nil
+}
+
+type MatcherFactoryConfig struct {
+	IgnoreUnpatched bool `json:"ignore_unpatched" yaml:"ignore_unpatched"`
+}
+
+// MatcherFactory implements driver.MatcherConfigurable.
+func (f *MatcherFactory) Configure(ctx context.Context, cfg driver.MatcherConfigUnmarshaler, c *http.Client) error {
+	var fc MatcherFactoryConfig
+	// TODO: add log
+	if err := cfg(&fc); err != nil {
+		return err
+	}
+	f.ignoreUnpatched = fc.IgnoreUnpatched
+	return nil
+}

rhel/vex/parser.go

@@ -86,13 +86,11 @@ func (u *VEXUpdater) DeltaParse(ctx context.Context, contents io.ReadCloser) ([]
 				return nil, nil, err
 			}
 			out[name] = fixedVulns
-			if !u.ignoreUnpatched {
-				knownAffectedVulns, err := creator.knownAffectedVulnerabilities(ctx, v, protoVuln)
-				if err != nil {
-					return nil, nil, err
-				}
-				out[name] = append(out[name], knownAffectedVulns...)
+			knownAffectedVulns, err := creator.knownAffectedVulnerabilities(ctx, v, protoVuln)
+			if err != nil {
+				return nil, nil, err
 			}
+			out[name] = append(out[name], knownAffectedVulns...)
 		}
 	}
 	vulns := []*claircore.Vulnerability{}

rhel/vex/updater.go

@@ -30,18 +30,16 @@ const (
 )
 
 type Factory struct {
-	c               *http.Client
-	base            *url.URL
-	ignoreUnpatched bool
+	c    *http.Client
+	base *url.URL
 }
 
 // UpdaterSet constructs one VEXUpdater
 func (f *Factory) UpdaterSet(_ context.Context) (driver.UpdaterSet, error) {
 	us := driver.NewUpdaterSet()
 	u := &VEXUpdater{
-		url:             f.base,
-		client:          f.c,
-		ignoreUnpatched: f.ignoreUnpatched,
+		url:    f.base,
+		client: f.c,
 	}
 	err := us.Add(u)
 	if err != nil {
@@ -53,8 +51,6 @@ func (f *Factory) UpdaterSet(_ context.Context) (driver.UpdaterSet, error) {
 type FactoryConfig struct {
 	// URL indicates the base URL for the SecDB layout. It should have a trailing slash.
 	URL string `json:"url" yaml:"url"`
-	// IgnoreUnpatched dictates whether to ingest known affected advisories from the VEX security data.
-	IgnoreUnpatched bool `json:"ignore_unpatched" yaml:"ignore_unpatched"`
 }
 
 func (f *Factory) Configure(ctx context.Context, cf driver.ConfigUnmarshaler, c *http.Client) error {
@@ -79,9 +75,8 @@ func (f *Factory) Configure(ctx context.Context, cf driver.ConfigUnmarshaler, c
 }
 
 type VEXUpdater struct {
-	url             *url.URL
-	client          *http.Client
-	ignoreUnpatched bool
+	url    *url.URL
+	client *http.Client
 }
 
 type fingerprint struct {