From 18af21d2a57b43a79a495188e0106c4ff655a448 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Thu, 22 Apr 2021 14:59:44 -0400
Subject: [PATCH] add jenkins filter for known bad CPE field combinations
Signed-off-by: Alex Goodman
---
 syft/pkg/cataloger/cpe.go | 21 +++++++++---
 syft/pkg/cataloger/cpe_test.go | 58 ++++++++++++++++++++++++++++++++--
 2 files changed, 71 insertions(+), 8 deletions(-)
diff --git a/syft/pkg/cataloger/cpe.go b/syft/pkg/cataloger/cpe.go
index 0b7fece04..b11d1cec7 100644
--- a/syft/pkg/cataloger/cpe.go
+++ b/syft/pkg/cataloger/cpe.go
@@ -37,14 +37,22 @@ var productCandidatesByPkgType = candidateStore{
 }
 
 var cpeFilters = []filterFn{
- // nolint: goconst
 func(cpe pkg.CPE, p pkg.Package) bool {
 // jira / atlassian should not apply to clients
- if cpe.Vendor == "atlassian" && cpe.Product == "jira" && strings.Contains(p.Name, "client") {
- return true
+ if cpe.Product == "jira" && strings.Contains(strings.ToLower(p.Name), "client") {
+ if cpe.Vendor == wfn.Any || cpe.Vendor == "jira" || cpe.Vendor == "atlassian" {
+ return true
+ }
 }
- if cpe.Vendor == "jira" && cpe.Product == "jira" && strings.Contains(p.Name, "client") {
- return true
+ return false
+ },
+ // nolint: goconst
+ func(cpe pkg.CPE, p pkg.Package) bool {
+ // jenkins server should only match against a product with the name jenkins
+ if cpe.Product == "jenkins" && !strings.Contains(strings.ToLower(p.Name), "jenkins") {
+ if cpe.Vendor == wfn.Any || cpe.Vendor == "jenkins" || cpe.Vendor == "cloudbees" {
+ return true
+ }
 }
 return false
 },
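Review bot: The keep-condition `!strings.Contains(strings.ToLower(p.Name), "jenkins")` in the new jenkins filter is a substring test, so any package whose name merely mentions jenkins (a plugin artifact named after the platform it extends, for instance) retains the `jenkins` product CPEs and can still be matched against Jenkins core advisories; only packages that never mention jenkins are dropped. The vendor allowlist (`wfn.Any`, `"jenkins"`, `"cloudbees"`) likewise leaves product `jenkins` CPEs with any other vendor untouched, which the new case in cpe_test.go relies on (`cloudbees-installation-manager:jenkins:…` stays expected). If both are intentional, say so above the closure, e.g. `// drop jenkins server CPEs (any/jenkins/cloudbees vendors) unless the package itself is named jenkins; other vendor candidates are deliberately left in place`; otherwise an exact, case-insensitive name comparison would be the tighter check. The `// nolint: goconst` directive now covers only the second closure while the first repeats the same literals, so a file-level directive may be cleaner. The `cpeFilters` slice continues past the end of the hunk.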
@@ -186,6 +194,9 @@ func candidateProducts(p pkg.Package) []string {
 }
 
 func candidateProductsForJava(p pkg.Package) []string {
+ // TODO: we could get group-id-like info from the MANIFEST.MF "Automatic-Module-Name" field
+ // for more info see pkg:maven/commons-io/commons-io@2.8.0 within cloudbees/cloudbees-core-mm:2.263.4.2
+ // at /usr/share/jenkins/jenkins.war:WEB-INF/plugins/analysis-model-api.hpi:WEB-INF/lib/commons-io-2.8.0.jar
 if product, _ := productAndVendorFromPomPropertiesGroupID(p); product != "" {
 // ignore group ID info from a jenkins plugin, as using this info may imply that this package
 // CPE belongs to the cloudbees org (or similar) which is wrong.
diff --git a/syft/pkg/cataloger/cpe_test.go b/syft/pkg/cataloger/cpe_test.go
index 795b1a6fb..c0e5d173a 100644
--- a/syft/pkg/cataloger/cpe_test.go
+++ b/syft/pkg/cataloger/cpe_test.go
@@ -351,9 +351,6 @@ func TestGeneratePackageCPEs(t *testing.T) {
 },
 },
 expected: []string{
- "cpe:2.3:a:*:jira:3.2:*:*:*:*:*:*:*",
- "cpe:2.3:a:*:jira:3.2:*:*:*:*:java:*:*",
- "cpe:2.3:a:*:jira:3.2:*:*:*:*:maven:*:*",
 "cpe:2.3:a:*:jira_client_core:3.2:*:*:*:*:*:*:*",
 "cpe:2.3:a:*:jira_client_core:3.2:*:*:*:*:java:*:*",
 "cpe:2.3:a:*:jira_client_core:3.2:*:*:*:*:maven:*:*",
@@ -371,6 +368,61 @@ func TestGeneratePackageCPEs(t *testing.T) {
 "cpe:2.3:a:jira_client_core:jira_client_core:3.2:*:*:*:*:maven:*:*",
 },
 },
+ {
+ name: "jenkins filtering",
+ p: pkg.Package{
+ Name: "cloudbees-installation-manager",
+ Version: "2.89.0.33",
+ FoundBy: "some-analyzer",
+ Language: pkg.Java,
+ Type: pkg.JavaPkg,
+ MetadataType: pkg.JavaMetadataType,
+ Metadata: pkg.JavaMetadata{
+ PomProperties: &pkg.PomProperties{
+ GroupID: "com.cloudbees.jenkins.modules",
+ ArtifactID: "cloudbees-installation-manager",
+ },
+ },
+ },
+ expected: []string{
+ "cpe:2.3:a:*:cloudbees-installation-manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:*:cloudbees-installation-manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:*:cloudbees-installation-manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:*:cloudbees_installation_manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:*:cloudbees_installation_manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:*:cloudbees_installation_manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:cloudbees-installation-manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:cloudbees-installation-manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:cloudbees-installation-manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:cloudbees_installation_manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:cloudbees_installation_manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:cloudbees_installation_manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:jenkins:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:jenkins:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:cloudbees-installation-manager:jenkins:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:cloudbees:cloudbees-installation-manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:cloudbees:cloudbees-installation-manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:cloudbees:cloudbees-installation-manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:cloudbees:cloudbees_installation_manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:cloudbees:cloudbees_installation_manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:cloudbees:cloudbees_installation_manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:cloudbees-installation-manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:cloudbees-installation-manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:cloudbees-installation-manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:cloudbees_installation_manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:cloudbees_installation_manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:cloudbees_installation_manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:jenkins:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:jenkins:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:cloudbees_installation_manager:jenkins:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:jenkins:cloudbees-installation-manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:jenkins:cloudbees-installation-manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:jenkins:cloudbees-installation-manager:2.89.0.33:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:jenkins:cloudbees_installation_manager:2.89.0.33:*:*:*:*:*:*:*",
+ "cpe:2.3:a:jenkins:cloudbees_installation_manager:2.89.0.33:*:*:*:*:java:*:*",
+ "cpe:2.3:a:jenkins:cloudbees_installation_manager:2.89.0.33:*:*:*:*:maven:*:*",
+ },
+ },
 }
 
 for _, test := range tests {
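Review bot: The new "jenkins filtering" case exercises only the drop path of the filter (a package whose Name does not mention jenkins); nothing in the table checks that a package whose Name does contain "jenkins" still keeps its `jenkins` product CPEs, so a regression that over-filters every product=jenkins candidate would pass this test. Add a sibling case with a jenkins-named package and the `…:jenkins:2.89.0.33:…`-style entries among its expected strings. The case also pins, through the `cloudbees-installation-manager:jenkins:…` and `cloudbees_installation_manager:jenkins:…` entries, that product=jenkins CPEs with vendors outside the filter's allowlist survive; a one-line comment on the case, `// vendors outside the filter allowlist keep their jenkins product CPEs`, would make that deliberate rather than incidental. `TestGeneratePackageCPEs` begins before this hunk and its assertion loop continues after it.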