fix: detect mariadb version from RHEL build path (#4952)

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Arpit Jain 2026-06-08 02:28:18 +09:00 committed by GitHub
parent d4496b05aa
commit c5c423ab37
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 24 additions and 2 deletions


@ -207,6 +207,20 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
Metadata: metadata("mariadb-binary"), Metadata: metadata("mariadb-binary"),
}, },
}, },
{
// RHEL / MariaDB.org tarball builds do not embed the "-MariaDB" marker; the version is only
// present in the build path (e.g. mariadb-11.8.5-2-redhat-x86_64). The release suffix ("-2")
// must not leak into the version. Regression for anchore/grype#3452.
logicalFixture: "mariadb/11.8.5/linux-amd64",
expected: pkg.Package{
Name: "mariadb",
Version: "11.8.5",
Type: "binary",
PURL: "pkg:generic/mariadb@11.8.5",
Locations: locations("mariadb"),
Metadata: metadata("mariadb-binary"),
},
},
{ {
logicalFixture: "mysqld/9.7.0/linux-amd64", logicalFixture: "mysqld/9.7.0/linux-amd64",
expected: pkg.Package{ expected: pkg.Package{
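Review bot: The added table entry covers only the `-redhat-` build-path form. The classifier comment in this same commit also lists `mariadb-11.8.5-linux-systemd-x86_64`, which has no fixture here, and no case pins which pattern wins when a binary contains both a `-MariaDB` string and a build path. Because the detected version feeds vulnerability matching directly, a second entry for the linux-systemd layout and one for a mixed binary would catch regressions in either pattern. `Test_Cataloger_PositiveCases` begins and ends outside this hunk.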


@ -440,9 +440,17 @@ func DefaultClassifiers() []binutils.Classifier {
{ {
Class: "mariadb-binary", Class: "mariadb-binary",
FileGlob: "**/{mariadb,mysql}", FileGlob: "**/{mariadb,mysql}",
EvidenceMatcher: m.FileContentsVersionMatcher( EvidenceMatcher: binutils.MatchAny(
// 10.6.15-MariaDB // 10.6.15-MariaDB
`(?m)(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`), m.FileContentsVersionMatcher(`(?m)(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
// MariaDB.org / RHEL tarball builds embed the release directory name, which does not contain the
// "-MariaDB" marker. The version is in the build path instead, e.g.:
// mariadb-11.8.5-2-redhat-x86_64/rhel-8/bin/mariadb
// mariadb-11.8.5-linux-systemd-x86_64
// Without this the older matcher misses the version and a later release suffix (e.g. "2") can be
// picked up instead, producing false-positive matches against ancient CVEs (see anchore/grype#3452).
m.FileContentsVersionMatcher(`(?m)(?:^|/)mariadb-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-`),
),
Package: "mariadb", Package: "mariadb",
PURL: mustPURL("pkg:generic/mariadb@version"), PURL: mustPURL("pkg:generic/mariadb@version"),
CPEs: singleCPE("cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), CPEs: singleCPE("cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
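Review bot: The new build-path pattern passed to the second `m.FileContentsVersionMatcher` keeps the minor and patch components optional, so an embedded string such as `mariadb-2-` would still yield version `2`, the same kind of wrong version that produces false-positive CVE matches. Requiring at least major.minor closes that: `(?m)(?:^|/)mariadb-(?P<version>[0-9]+\.[0-9]+(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-`. Separately, the `-MariaDB` pattern is unanchored on the left and is listed first. If `binutils.MatchAny` returns the first matcher that succeeds (its semantics are not visible here), a string like `11.8.5-2-MariaDB` would resolve to `2` before the path matcher is consulted, so a comment stating the intended precedence would help. `DefaultClassifiers` starts and ends outside this hunk.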