From c87a91c56b88bd12cad54a48a021767d09f5d0dc Mon Sep 17 00:00:00 2001 From: ashwin <44602975+ashwin-h@users.noreply.github.com> Date: Fri, 29 May 2020 19:46:33 +0530 Subject: [PATCH] Add photon matcher. (#185) Co-authored-by: Louis DeLosSantos --- libvuln/opts.go | 2 ++ photon/matcher.go | 48 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 photon/matcher.go diff --git a/libvuln/opts.go b/libvuln/opts.go index 103874e23..70e274bbd 100644 --- a/libvuln/opts.go +++ b/libvuln/opts.go @@ -12,6 +12,7 @@ import ( "github.com/quay/claircore/python" "github.com/quay/claircore/rhel" "github.com/quay/claircore/ubuntu" + "github.com/quay/claircore/photon" ) const ( @@ -71,6 +72,7 @@ var defaultMatchers = []driver.Matcher{ &python.Matcher{}, &ubuntu.Matcher{}, &rhel.Matcher{}, + &photon.Matcher{}, } // parse is an internal method for constructing diff --git a/photon/matcher.go b/photon/matcher.go new file mode 100644 index 000000000..14ecd8753 --- /dev/null +++ b/photon/matcher.go @@ -0,0 +1,48 @@ +package photon + +import ( + version "github.com/knqyf263/go-rpm-version" + + "github.com/quay/claircore" + "github.com/quay/claircore/libvuln/driver" +) + +// Matcher implements driver.Matcher. +type Matcher struct{} + +var _ driver.Matcher = (*Matcher)(nil) + +// Name implements driver.Matcher. +func (*Matcher) Name() string { + return "photon" +} + +// Filter implements driver.Matcher. +func (*Matcher) Filter(record *claircore.IndexRecord) bool { + return record.Distribution != nil && + record.Distribution.DID == "photon" +} + +// Query implements driver.Matcher. +func (*Matcher) Query() []driver.MatchConstraint { + return []driver.MatchConstraint{ + driver.DistributionDID, + driver.DistributionName, + driver.DistributionVersion, + } +} + +// Vulnerable implements driver.Matcher. +func (*Matcher) Vulnerable(record *claircore.IndexRecord, vuln *claircore.Vulnerability) bool { + pkgVer, vulnVer := version.NewVersion(record.Package.Version), version.NewVersion(vuln.Package.Version) + // Assume the vulnerability record we have is for the last known vulnerable + // version, so greater versions aren't vulnerable. + cmp := func(i int) bool { return i != version.GREATER } + // But if it's explicitly marked as a fixed-in version, it't only vulnerable + // if less than that version. + if vuln.FixedInVersion != "" { + vulnVer = version.NewVersion(vuln.FixedInVersion) + cmp = func(i int) bool { return i == version.LESS } + } + return cmp(pkgVer.Compare(vulnVer)) +}