handle more complex cases

Signed-off-by: Weston Steimel <[email protected]>
anchore · Oct 1, 2024 · cf17fd1 · cf17fd1
1 parent b1866cd
commit cf17fd1
Show file tree

Hide file tree

Showing 2 changed files with 138 additions and 6 deletions.
diff --git a/pkg/process/v5/transformers/nvd/transform.go b/pkg/process/v5/transformers/nvd/transform.go
@@ -109,19 +109,44 @@ func getVersionFormat(name string, cpes []string) version.Format {
 }
 
 func getFix(matches []nvd.CpeMatch) grypeDB.Fix {
-	fixedInVersions := strset.New()
+	possiblyFixed := strset.New()
+	knownAffected := strset.New()
+	unspecifiedSet := strset.New("*", "-", "*")
 
 	for _, match := range matches {
-		if match.VersionEndExcluding != nil && *match.VersionEndExcluding != "" {
-			fixedInVersions.Add(*match.VersionEndExcluding)
+		if !match.Vulnerable {
+			continue
+		}
+
+		if match.VersionEndExcluding != nil && !unspecifiedSet.Has(*match.VersionEndExcluding) {
+			possiblyFixed.Add(*match.VersionEndExcluding)
+		}
+
+		if match.VersionStartIncluding != nil && !unspecifiedSet.Has(*match.VersionStartIncluding) {
+			knownAffected.Add(*match.VersionStartIncluding)
+		}
+
+		if match.VersionEndIncluding != nil && !unspecifiedSet.Has(*match.VersionEndIncluding) {
+			knownAffected.Add(*match.VersionEndIncluding)
+		}
+
+		matchCPE, err := cpe.New(match.Criteria, cpe.DeclaredSource)
+		if err != nil {
+			continue
+		}
+
+		if !unspecifiedSet.Has(matchCPE.Attributes.Version) {
+			knownAffected.Add(matchCPE.Attributes.Version)
 		}
 	}
 
+	possiblyFixed.Remove(knownAffected.List()...)
+
 	var fixes []string
 	fixState := grypeDB.UnknownFixState
-	if fixedInVersions.Size() > 0 {
+	if possiblyFixed.Size() > 0 {
 		fixState = grypeDB.FixedState
-		fixes = fixedInVersions.List()
+		fixes = possiblyFixed.List()
 		slices.Sort(fixes)
 	}
 

diff --git a/pkg/process/v5/transformers/nvd/transform_test.go b/pkg/process/v5/transformers/nvd/transform_test.go
@@ -815,7 +815,8 @@ func TestGetFix(t *testing.T) {
 			name: "Equals",
 			matches: []nvd.CpeMatch{
 				{
-					Criteria: "cpe:2.3:a:vendor:product:2.2.0:*:*:*:*:target:*:*",
+					Criteria:   "cpe:2.3:a:vendor:product:2.2.0:*:*:*:*:target:*:*",
+					Vulnerable: true,
 				},
 			},
 			expected: grypeDB.Fix{
@@ -829,6 +830,7 @@ func TestGetFix(t *testing.T) {
 				{
 					Criteria:            "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionEndExcluding: strRef("2.3.0"),
+					Vulnerable:          true,
 				},
 			},
 			expected: grypeDB.Fix{
@@ -842,6 +844,7 @@ func TestGetFix(t *testing.T) {
 				{
 					Criteria:            "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionEndIncluding: strRef("2.3.0"),
+					Vulnerable:          true,
 				},
 			},
 			expected: grypeDB.Fix{
@@ -855,6 +858,7 @@ func TestGetFix(t *testing.T) {
 				{
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionStartExcluding: strRef("2.3.0"),
+					Vulnerable:            true,
 				},
 			},
 			expected: grypeDB.Fix{
@@ -868,6 +872,7 @@ func TestGetFix(t *testing.T) {
 				{
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionStartIncluding: strRef("2.3.0"),
+					Vulnerable:            true,
 				},
 			},
 			expected: grypeDB.Fix{
@@ -882,6 +887,7 @@ func TestGetFix(t *testing.T) {
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionStartIncluding: strRef("2.3.0"),
 					VersionEndIncluding:   strRef("2.5.0"),
+					Vulnerable:            true,
 				},
 			},
 			expected: grypeDB.Fix{
@@ -896,11 +902,13 @@ func TestGetFix(t *testing.T) {
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionStartIncluding: strRef("2.3.0"),
 					VersionEndIncluding:   strRef("2.5.0"),
+					Vulnerable:            true,
 				},
 				{
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionStartExcluding: strRef("3.3.0"),
 					VersionEndExcluding:   strRef("3.5.0"),
+					Vulnerable:            true,
 				},
 			},
 			expected: grypeDB.Fix{
@@ -915,6 +923,7 @@ func TestGetFix(t *testing.T) {
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionStartExcluding: strRef("3.3.0"),
 					VersionEndExcluding:   strRef(""),
+					Vulnerable:            true,
 				},
 			},
 			expected: grypeDB.Fix{
@@ -929,23 +938,121 @@ func TestGetFix(t *testing.T) {
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionStartIncluding: strRef("3.3.0"),
 					VersionEndExcluding:   strRef("3.5.0"),
+					Vulnerable:            true,
 				},
 				{
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
 					VersionStartIncluding: strRef("0"),
 					VersionEndExcluding:   strRef("1.7.0"),
+					Vulnerable:            true,
 				},
 				{
 					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target-2:*:*",
 					VersionStartIncluding: strRef("0"),
 					VersionEndExcluding:   strRef("1.7.0"),
+					Vulnerable:            true,
 				},
 			},
 			expected: grypeDB.Fix{
 				Versions: []string{"1.7.0", "3.5.0"},
 				State:    "fixed",
 			},
 		},
+		{
+			name: "< range with overlapping >= range",
+			matches: []nvd.CpeMatch{
+				{
+					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
+					VersionStartIncluding: strRef("2.3.0"),
+					VersionEndExcluding:   strRef("2.5.0"),
+					Vulnerable:            true,
+				},
+				{
+					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
+					VersionStartIncluding: strRef("2.5.0"),
+					VersionEndExcluding:   strRef("3.5.0"),
+					Vulnerable:            true,
+				},
+			},
+			expected: grypeDB.Fix{
+				Versions: []string{"3.5.0"},
+				State:    "fixed",
+			},
+		},
+		{
+			name: "< range with overlapping <= range",
+			matches: []nvd.CpeMatch{
+				{
+					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
+					VersionStartIncluding: strRef("2.3.0"),
+					VersionEndExcluding:   strRef("2.5.0"),
+					Vulnerable:            true,
+				},
+				{
+					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
+					VersionStartIncluding: strRef("2.1.0"),
+					VersionEndIncluding:   strRef("2.5.0"),
+					Vulnerable:            true,
+				},
+			},
+			expected: grypeDB.Fix{
+				Versions: nil,
+				State:    "unknown",
+			},
+		},
+		{
+			name: "< range with overlapping == critera",
+			matches: []nvd.CpeMatch{
+				{
+					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
+					VersionStartIncluding: strRef("2.3.0"),
+					VersionEndExcluding:   strRef("2.5.0"),
+					Vulnerable:            true,
+				},
+				{
+					Criteria:   "cpe:2.3:a:vendor:product:2.5.0:*:*:*:*:target:*:*",
+					Vulnerable: true,
+				},
+			},
+			expected: grypeDB.Fix{
+				Versions: nil,
+				State:    "unknown",
+			},
+		},
+		{
+			name: "< range with another unaffected entry",
+			matches: []nvd.CpeMatch{
+				{
+					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
+					VersionStartIncluding: strRef("2.3.0"),
+					VersionEndExcluding:   strRef("2.5.0"),
+					Vulnerable:            true,
+				},
+				{
+					Criteria:   "cpe:2.3:a:vendor:product:2.5.0:*:*:*:*:target:*:*",
+					Vulnerable: false,
+				},
+			},
+			expected: grypeDB.Fix{
+				Versions: []string{"2.5.0"},
+				State:    "fixed",
+			},
+		},
+		{
+			name: "* as < should be treates as unknown",
+			matches: []nvd.CpeMatch{
+				{
+					Criteria:              "cpe:2.3:a:vendor:product:*:*:*:*:*:target:*:*",
+					VersionStartIncluding: strRef("2.3.0"),
+					VersionEndExcluding:   strRef("*"),
+					Vulnerable:            true,
+				},
+			},
+			expected: grypeDB.Fix{
+				Versions: nil,
+				State:    "unknown",
+			},
+		},
 	}
 
 	for _, tt := range tests {