oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2026-02-12 10:36:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: stabilize cpe sorting during collection sort (#3009)

Browse Source
This commit is contained in:
Christopher Angelo Phillips 2024-07-09 14:24:21 -04:00 committed by GitHub
parent b101f44aba
commit f7ffcc534f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
syft/cpe/by_source_then_specificity_test.go
View File

@ -64,6 +64,28 @@ func TestBySourceThenSpecificity(t *testing.T) {
Must("cpe:2.3:a:some:package:*:*:*:*:*:*:*:*", "some-unknown-source"),
},
},
{
name: "lexical sorting on equal sources puts escaped characters later",
input: []CPE{
Must("cpe:2.3:a:jenkins:pipeline\\\\:_supporting_apis:865.v43e78cc44e0d:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
Must("cpe:2.3:a:jenkins:pipeline_supporting_apis:865.v43e78cc44e0d:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
},
want: []CPE{
Must("cpe:2.3:a:jenkins:pipeline_supporting_apis:865.v43e78cc44e0d:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
Must("cpe:2.3:a:jenkins:pipeline\\\\:_supporting_apis:865.v43e78cc44e0d:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
},
},
{
name: "lexical sorting on equal sources puts more specific attributes earlier",
input: []CPE{
Must("cpe:2.3:a:jenkins:mailer:472.vf7c289a_4b_420:*:*:*:*:*:*:*", "nvd-cpe-dictionary"),
Must("cpe:2.3:a:jenkins:mailer:472.vf7c289a_4b_420:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
},
want: []CPE{
Must("cpe:2.3:a:jenkins:mailer:472.vf7c289a_4b_420:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
Must("cpe:2.3:a:jenkins:mailer:472.vf7c289a_4b_420:*:*:*:*:*:*:*", "nvd-cpe-dictionary"),
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {

3
syft/pkg/cataloger/internal/cpegenerate/generate.go
View File

@ -127,6 +127,7 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
return []cpe.CPE{}, false
}
sort.Sort(cpe.BySourceThenSpecificity(parsedCPEs))
return parsedCPEs, true
}
@ -163,12 +164,12 @@ func FromPackageAttributes(p pkg.Package) []cpe.CPE {
// filter out any known combinations that don't accurately represent this package
cpes = filter(cpes, p, cpeFilters...)
sort.Sort(cpe.BySpecificity(cpes))
var result []cpe.CPE
for _, c := range cpes {
result = append(result, cpe.CPE{Attributes: c, Source: cpe.GeneratedSource})
}
sort.Sort(cpe.BySourceThenSpecificity(result))
return result
}