diff --git a/syft/pkg/cataloger/binary/classifier_cataloger_test.go b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
index 3d79df2e8..f8a4beabc 100644
--- a/syft/pkg/cataloger/binary/classifier_cataloger_test.go
+++ b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
@@ -207,6 +207,20 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 Metadata: metadata("mariadb-binary"),
 },
 },
+ {
+ // RHEL / MariaDB.org tarball builds do not embed the "-MariaDB" marker; the version is only
+ // present in the build path (e.g. mariadb-11.8.5-2-redhat-x86_64). The release suffix ("-2")
+ // must not leak into the version. Regression for anchore/grype#3452.
+ logicalFixture: "mariadb/11.8.5/linux-amd64",
+ expected: pkg.Package{
+ Name: "mariadb",
+ Version: "11.8.5",
+ Type: "binary",
+ PURL: "pkg:generic/mariadb@11.8.5",
+ Locations: locations("mariadb"),
+ Metadata: metadata("mariadb-binary"),
+ },
+ },
 {
 logicalFixture: "mysqld/9.7.0/linux-amd64",
 expected: pkg.Package{
diff --git a/syft/pkg/cataloger/binary/classifiers.go b/syft/pkg/cataloger/binary/classifiers.go
index ff6b72504..24280a53c 100644
--- a/syft/pkg/cataloger/binary/classifiers.go
+++ b/syft/pkg/cataloger/binary/classifiers.go 
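Review bot: The new fixture exercises only the `-redhat-` tarball layout, while the matcher comment in classifiers.go also lists `mariadb-11.8.5-linux-systemd-x86_64` as a supported form; a second snippet for that layout would keep both regex branches covered, and a case whose snippet carries only a `-MariaDB` string would confirm `MatchAny` still prefers the original marker. I cannot see the contents of the binary snippet, so whether it also contains a `-MariaDB` string (in which case the first branch, not the new one, is what satisfies this test) is worth checking before merging. Test_Cataloger_PositiveCases begins and ends outside this hunk.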
@@ -440,9 +440,17 @@ func DefaultClassifiers() []binutils.Classifier {
 {
 Class: "mariadb-binary",
 FileGlob: "**/{mariadb,mysql}",
- EvidenceMatcher: m.FileContentsVersionMatcher(
+ EvidenceMatcher: binutils.MatchAny(
 // 10.6.15-MariaDB
- `(?m)(?P[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
+ m.FileContentsVersionMatcher(`(?m)(?P[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
+ // MariaDB.org / RHEL tarball builds embed the release directory name, which does not contain the
+ // "-MariaDB" marker. The version is in the build path instead, e.g.:
+ // mariadb-11.8.5-2-redhat-x86_64/rhel-8/bin/mariadb
+ // mariadb-11.8.5-linux-systemd-x86_64
+ // Without this the older matcher misses the version and a later release suffix (e.g. "2") can be
+ // picked up instead, producing false-positive matches against ancient CVEs (see anchore/grype#3452).
+ m.FileContentsVersionMatcher(`(?m)(?:^|/)mariadb-(?P[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-`),
+ ),
 Package: "mariadb",
 PURL: mustPURL("pkg:generic/mariadb@version"),
 CPEs: singleCPE("cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mariadb/11.8.5/linux-amd64/mariadb b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mariadb/11.8.5/linux-amd64/mariadb
new file mode 100644
index 000000000..bab006889
Binary files /dev/null and b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mariadb/11.8.5/linux-amd64/mariadb differ
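Review bot: The fallback regex in the second `m.FileContentsVersionMatcher` call lets the entire version be a bare integer (both dotted groups are optional), so any embedded string of the form `/mariadb-<n>-…` — a release or build number with no real version in it — would still be reported as version `<n>`, which is the same one-component result this change sets out to stop and would again feed bogus CVE matches downstream. Requiring at least a major.minor pair, `(?:^|/)mariadb-(?P<version>[0-9]+\.[0-9]+(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-`, keeps the `11.8.5` fixture working and rules that case out. Two things to confirm: strings inside a binary are usually NUL-separated rather than newline-separated, so `(?m)^` will not anchor the plain `mariadb-11.8.5-linux-systemd-x86_64` form cited in the comment unless it happens to be preceded by a `/`; and the capture group reads `(?P[0-9]+` here, presumably `(?P<version>` lost in rendering, since Go's regexp rejects `(?P` without a group name. DefaultClassifiers begins and ends outside this hunk.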