From c5c423ab37a4bf0b1f2ee051ed0556a53c970ab1 Mon Sep 17 00:00:00 2001
From: Arpit Jain <3242828+arpitjain099@users.noreply.github.com>
Date: Mon, 8 Jun 2026 02:28:18 +0900
Subject: [PATCH] fix: detect mariadb version from RHEL build path (#4952)
Signed-off-by: Arpit Jain
---
 .../cataloger/binary/classifier_cataloger_test.go | 14 ++++++++++++++
 syft/pkg/cataloger/binary/classifiers.go | 12 ++++++++++--
 .../snippets/mariadb/11.8.5/linux-amd64/mariadb | Bin 0 -> 320 bytes
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/mariadb/11.8.5/linux-amd64/mariadb
diff --git a/syft/pkg/cataloger/binary/classifier_cataloger_test.go b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
index 3d79df2e8..f8a4beabc 100644
--- a/syft/pkg/cataloger/binary/classifier_cataloger_test.go
+++ b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
@@ -207,6 +207,20 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 Metadata: metadata("mariadb-binary"),
 },
 },
+ {
+ // RHEL / MariaDB.org tarball builds do not embed the "-MariaDB" marker; the version is only
+ // present in the build path (e.g. mariadb-11.8.5-2-redhat-x86_64). The release suffix ("-2")
+ // must not leak into the version. Regression for anchore/grype#3452.
+ logicalFixture: "mariadb/11.8.5/linux-amd64",
+ expected: pkg.Package{
+ Name: "mariadb",
+ Version: "11.8.5",
+ Type: "binary",
+ PURL: "pkg:generic/mariadb@11.8.5",
+ Locations: locations("mariadb"),
+ Metadata: metadata("mariadb-binary"),
+ },
+ },
 {
 logicalFixture: "mysqld/9.7.0/linux-amd64",
 expected: pkg.Package{
diff --git a/syft/pkg/cataloger/binary/classifiers.go b/syft/pkg/cataloger/binary/classifiers.go
index ff6b72504..24280a53c 100644
--- a/syft/pkg/cataloger/binary/classifiers.go
+++ b/syft/pkg/cataloger/binary/classifiers.go
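Review bot: The new table case exercises only one of the two build-path layouts the classifier comment documents (`mariadb-11.8.5-2-redhat-x86_64/rhel-8/bin/mariadb` and `mariadb-11.8.5-linux-systemd-x86_64`), and the 320-byte fixture's content is not visible here, so it is unclear which string the test actually drives through the new matcher. A short addition to the case comment naming the exact embedded path, and whether it is preceded by a `/` or sits at the start of the content, would make the regression's coverage auditable, and a second fixture for the `-linux-systemd-` form would pin the other layout the pattern claims to handle. The stated property that the release suffix `-2` does not leak into the version is only implied by `Version: "11.8.5"`; it may be worth saying so explicitly, e.g. `// expected version is 11.8.5, not 11.8.5-2 or 2`. The enclosing test table in Test_Cataloger_PositiveCases continues outside the hunk.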
@@ -440,9 +440,17 @@ func DefaultClassifiers() []binutils.Classifier {
 {
 Class: "mariadb-binary",
 FileGlob: "**/{mariadb,mysql}",
- EvidenceMatcher: m.FileContentsVersionMatcher(
+ EvidenceMatcher: binutils.MatchAny(
 // 10.6.15-MariaDB
- `(?m)(?P[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
+ m.FileContentsVersionMatcher(`(?m)(?P[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
+ // MariaDB.org / RHEL tarball builds embed the release directory name, which does not contain the
+ // "-MariaDB" marker. The version is in the build path instead, e.g.:
+ // mariadb-11.8.5-2-redhat-x86_64/rhel-8/bin/mariadb
+ // mariadb-11.8.5-linux-systemd-x86_64
+ // Without this the older matcher misses the version and a later release suffix (e.g. "2") can be
+ // picked up instead, producing false-positive matches against ancient CVEs (see anchore/grype#3452).
+ m.FileContentsVersionMatcher(`(?m)(?:^|/)mariadb-(?P[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-`),
+ ),
 Package: "mariadb",
 PURL: mustPURL("pkg:generic/mariadb@version"),
 CPEs: singleCPE("cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mariadb/11.8.5/linux-amd64/mariadb b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mariadb/11.8.5/linux-amd64/mariadb
new file mode 100644
index 0000000000000000000000000000000000000000..bab006889da38c88d943137b1408e9e10cf100c0
GIT binary patch
literal 320
zcmbu4OOAvf7=&GO3KG`}A|QH=UQRk49zSYAg8@1-bNe=F=LA!W+SHdyRn$*d@Kfhq zJA;z<1?qw+3J}-2EqIow#Qiv+-ZssIT(BRFV6$<2(p1daDCtJez2}aB(024{q}ES{ zDyyjE#sL+BuoGivs3wX09^kKx{!<9GZHvus1$@oKHDRAZNZ_UiG45T?V)5+I?tJYRY
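Review bot: The fallback pattern's `(?:^|/)` anchor only fires when the build path is preceded by a newline or a `/`, but strings inside a compiled binary are normally NUL-terminated and `(?m)^` in RE2 matches only after `\n`, so a relative path such as `mariadb-11.8.5-linux-systemd-x86_64` that sits directly after a NUL would not match and the version would be missed entirely, which turns into a silent false negative downstream rather than the false positive this change is fixing. If the matcher runs over raw file bytes, widening the anchor to `(?:^|[/\x00])mariadb-` covers both cases; if the fixture passes only because its embedded path is absolute, that assumption belongs in the comment. Assuming `binutils.MatchAny` returns the first matcher that succeeds, keeping the `-MariaDB` marker matcher first is the right precedence, and a one-line comment such as `// build-path matcher is only consulted when the "-MariaDB" marker is absent` would make that ordering dependency explicit. As rendered here both named groups read `(?P[0-9]+`, which is not valid RE2 syntax; presumably the group name (`(?P<version>`) was lost in extraction rather than in the source. The enclosing DefaultClassifiers function starts and ends outside the hunk.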