mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 08:23:15 +01:00
feat(cpegenerate): add support for binary package digit-suffix variations in CPE generation (#4093)
* feat(cpegenerate): add support for binary package digit-suffix variations in CPE generation Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.13 to 0.5.14 (#4089) Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.5.13 to 0.5.14. - [Release notes](https://github.com/gkampitakis/go-snaps/releases) - [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.13...v0.5.14) --- updated-dependencies: - dependency-name: github.com/gkampitakis/go-snaps dependency-version: 0.5.14 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump modernc.org/sqlite from 1.38.1 to 1.38.2 (#4088) Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.38.1 to 1.38.2. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.38.1...v1.38.2) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/docker/docker (#4092) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.2.2+incompatible to 28.3.3+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v28.2.2...v28.3.3) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-version: 28.3.3+incompatible dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/anchore/stereoscope (#4091) Bumps [github.com/anchore/stereoscope](https://github.com/anchore/stereoscope) from 0.1.7-0.20250716200927-94c6f92877d4 to 0.1.7. - [Release notes](https://github.com/anchore/stereoscope/releases) - [Changelog](https://github.com/anchore/stereoscope/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/stereoscope/commits/v0.1.7) --- updated-dependencies: - dependency-name: github.com/anchore/stereoscope dependency-version: 0.1.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * migrate to get.anchore.io (#4095) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update anchore dependencies (#4098) * chore(deps): update anchore dependencies Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * address reader close operations Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update anchore dependencies (#4104) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.4 to 3.29.5 (#4096) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.4 to 3.29.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](4e828ff8d4...51f77329af) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update tools to latest versions (#4108) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update CPE dictionary index (#4112) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update tools to latest versions (#4111) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/cache in /.github/actions/bootstrap (#4120) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](5a3ec84eff...0400d5f644) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/cache from 4.2.3 to 4.2.4 (#4119) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](5a3ec84eff...0400d5f644) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump docker/login-action from 3.4.0 to 3.5.0 (#4115) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](74a5d14239...184bdaa072) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: nondeterministic Java archive cataloging and improve groupID (#4118) Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add binary classifier for hashicorp vault (#4121) * add binary classifier for hashicorp vault The Go Binary Cataloger isn't able to parse the version out of the binary shipped in the DockerHub images of hashicorp/vault because the version of the main module isn't set in the binary. Therefore, add a binary classifier cataloger for this binary. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore: add test fixtures, update vault Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: set binary classifier package type based on PURL Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: use github.com/hashicorp/vault as package name Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: update tests Signed-off-by: Keith Zantow <kzantow@gmail.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Keith Zantow <kzantow@gmail.com> Co-authored-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.7 to 3.29.8 (#4124) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.7 to 3.29.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](51f77329af...76621b61de) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump golang.org/x/mod from 0.26.0 to 0.27.0 (#4123) Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.26.0 to 0.27.0. - [Commits](https://github.com/golang/mod/compare/v0.26.0...v0.27.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 (#4122) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.42.0 to 0.43.0. - [Commits](https://github.com/golang/net/compare/v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update CPE dictionary index (#4126) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore: update GoReleaser configurations (#4128) Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#4130) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](11bd71901b...08c6903cd8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: closed reader during java binary detection (#4129) Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: support multiple letters in openssl patch version (#4106) Signed-off-by: honigbot <thesoftbear@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.8 to 3.29.9 (#4134) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.8 to 3.29.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](76621b61de...df559355d5) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: update syft license construction to be able to look up by URL (#4132) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add package supplier flag (#4131) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump zizmorcore/zizmor-action from 0.1.1 to 0.1.2 (#4135) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.1.1 to 0.1.2. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](f52a838cfa...5ca5fc7a47) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add support for authors, maintainers, and contributors in package.json. (#4003) Fixes #2250 --------- Signed-off-by: Alan Pope <alan.pope@anchore.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat(cpegentereate): added test for the addBinaryPackageDigitVariation function Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * docs(cpegenerate): made the comment more verbose Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * nit: separate digit variation concerns from case of use Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> --------- Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Signed-off-by: honigbot <thesoftbear@gmail.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Alan Pope <alan.pope@anchore.com> Signed-off-by: Parthib Mukherjee <109328510+hawkaii@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: anchore-actions-token-generator[bot] <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Keith Zantow <kzantow@gmail.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Co-authored-by: honigbot <34426443+honigbot@users.noreply.github.com> Co-authored-by: Alan Pope <alan.pope@anchore.com>
This commit is contained in:
Parthib Mukherjee
GitHub
parent
8f1d45830d
commit
c732052cf1
@ -6,9 +6,11 @@ import (
|
||||
_ "embed"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"regexp"
|
||||
"sort"
|
||||
"strings"
|
||||
"sync"
|
||||
"unicode"
|
||||
|
||||
"github.com/scylladb/go-set/strset"
|
||||
|
||||
@ -228,6 +230,11 @@ func candidateVendors(p pkg.Package) []string {
|
||||
vendors.union(candidateVendorsForWordpressPlugin(p))
|
||||
}
|
||||
|
||||
if p.Type == pkg.BinaryPkg && endsWithNumber(p.Name) {
|
||||
// add binary package digit-suffix variations (e.g. Qt5 -> Qt)
|
||||
addBinaryPackageDigitVariations(vendors)
|
||||
}
|
||||
|
||||
// We should no longer be generating vendor candidates with these values ["" and "*"]
|
||||
// (since CPEs will match any other value)
|
||||
vendors.removeByValue("")
|
||||
@ -286,6 +293,9 @@ func candidateProductSet(p pkg.Package) fieldCandidateSet {
|
||||
if prod != "" {
|
||||
products.addValue(prod)
|
||||
}
|
||||
case p.Type == pkg.BinaryPkg && endsWithNumber(p.Name):
|
||||
// add binary package digit-suffix variations (e.g. Qt5 -> Qt)
|
||||
addBinaryPackageDigitVariations(products)
|
||||
}
|
||||
|
||||
switch p.Metadata.(type) {
|
||||
@ -404,3 +414,33 @@ func addDelimiterVariations(fields fieldCandidateSet) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// removeTrailingDigits removes all trailing digits from a string
|
||||
func removeTrailingDigits(s string) string {
|
||||
re := regexp.MustCompile(`\d+$`)
|
||||
return re.ReplaceAllString(s, "")
|
||||
}
|
||||
|
||||
// addBinaryPackageDigitVariations adds variations with trailing digits removed for binary packages.For binary package types only, when the name ends with a digit, add a new variation with all suffix-digits removed (e.g. Qt5 -> Qt). This helps generate additional CPE permutations for better vulnerability matching.
|
||||
func addBinaryPackageDigitVariations(fields fieldCandidateSet) {
|
||||
candidatesForVariations := fields.copy()
|
||||
for _, candidate := range candidatesForVariations.values() {
|
||||
// Check if the candidate ends with a digit
|
||||
if len(candidate) > 0 && candidate[len(candidate)-1] >= '0' && candidate[len(candidate)-1] <= '9' {
|
||||
// Create variation with all suffix digits removed
|
||||
withoutDigits := removeTrailingDigits(candidate)
|
||||
if withoutDigits != "" && withoutDigits != candidate {
|
||||
fields.addValue(withoutDigits)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func endsWithNumber(s string) bool {
|
||||
if len(s) == 0 {
|
||||
return false
|
||||
}
|
||||
r := []rune(s)
|
||||
last := r[len(r)-1]
|
||||
return unicode.IsDigit(last)
|
||||
}
|
||||
|
||||
@ -1145,3 +1145,67 @@ func TestDictionaryFindIsWired(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestAddBinaryPackageDigitVariations tests the heuristic for binary package types
|
||||
// where names ending with digits get variations with all suffix-digits removed (e.g. Qt5 -> Qt).
|
||||
// This improves vulnerability matching for binary packages like Qt6, libfoo123, etc.
|
||||
func TestAddBinaryPackageDigitVariations(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
packageType pkg.Type
|
||||
inputCandidates []string
|
||||
expectedPresent []string // These should be present in the result
|
||||
expectedAbsent []string // These should NOT be present in the result
|
||||
}{
|
||||
{
|
||||
name: "Qt5 binary package example",
|
||||
packageType: pkg.BinaryPkg,
|
||||
inputCandidates: []string{"Qt5"},
|
||||
expectedPresent: []string{"Qt5", "Qt"},
|
||||
expectedAbsent: []string{},
|
||||
},
|
||||
{
|
||||
name: "package with trailing digits",
|
||||
packageType: pkg.BinaryPkg,
|
||||
inputCandidates: []string{"Qt5", "libfoo123", "bar42", "baz"},
|
||||
expectedPresent: []string{"Qt5", "Qt", "libfoo123", "libfoo", "bar42", "bar", "baz"},
|
||||
expectedAbsent: []string{},
|
||||
},
|
||||
{
|
||||
name: "multiple trailing digits",
|
||||
inputCandidates: []string{"Qt872", "package999"},
|
||||
expectedPresent: []string{"Qt872", "Qt", "package999", "package"},
|
||||
expectedAbsent: []string{},
|
||||
},
|
||||
{
|
||||
name: "package without trailing digits",
|
||||
inputCandidates: []string{"QtCore", "libfoo", "bar"},
|
||||
expectedPresent: []string{"QtCore", "libfoo", "bar"},
|
||||
expectedAbsent: []string{"QtCor", "libfo", "ba"},
|
||||
},
|
||||
{
|
||||
name: "empty candidate set",
|
||||
packageType: pkg.BinaryPkg,
|
||||
inputCandidates: []string{},
|
||||
expectedPresent: []string{},
|
||||
expectedAbsent: []string{},
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
fields := newFieldCandidateSet(test.inputCandidates...)
|
||||
addBinaryPackageDigitVariations(fields)
|
||||
|
||||
values := fields.uniqueValues()
|
||||
|
||||
for _, expected := range test.expectedPresent {
|
||||
assert.Contains(t, values, expected, "expected %q to be present", expected)
|
||||
}
|
||||
|
||||
for _, notExpected := range test.expectedAbsent {
|
||||
assert.NotContains(t, values, notExpected, "expected %q to be absent", notExpected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user