feat: include modularity (and other package qualifiers) in match details when matched package is an RPM from a module #2452

Open
willmurphyscode opened this issue Feb 17, 2025 · 0 comments
Labels
enhancement New feature or request

What would you like to be added:

I would like the matchDetails struct and JSON representation to report what module constraint was used to match the vulnerability on RPM-based matches.

Why is this needed:

Modularity is part of the version constraint. The version and package used are reported; module should be, since Grype might change its match decision based on

Additional context:

Right now, modularity is represented as a "package qualifier" in the Grype DB. There is an expansion point for other package qualifiers. Probably the change to matchDetails should include these other qualifiers.

Here's an example ("CVE-2019-16161" found in test image docker.io/anchore/test_images:appstreams-rhel-8-1a287dd@sha256:524ff8a75f21fd886ec7ed82387766df386671e8b77e898d05786118d5b7880b):

  "matchDetails": [
    {
      "type": "exact-indirect-match",
      "matcher": "rpm-matcher",
      "searchedBy": {
        "distro": {
          "type": "redhat",
          "version": "8.6"
        },
        "namespace": "redhat:distro:redhat:8",
        "package": {
          "name": "ruby",
          "version": "2.5.9-110.module+el8.6.0+15956+aa803fc1"
        }
      },
      "found": {
        "versionConstraint": "none (rpm)",
        "vulnerabilityID": "CVE-2019-16161"
      }
    }
  ]

You can see that we considered the package name, "ruby", and its version. But if we look at the package metadata, we see "modularityLabel": "ruby:2.5:8060020220715152618:ad008a3a", and if we look at the vuln record we see:

SELECT id, namespace, package_name, version_constraint, package_qualifiers
FROM vulnerability
WHERE id = "CVE-2019-16161" and namespace like "%red%8";

yields:

| id | namespace | package_name | version_constraint | package_qualifiers |
|---|---|---|---|---|
| CVE-2019-16161 | redhat:distro:redhat:8 | ruby | | [{"kind":"rpm-modularity","module":"ruby:2.5"}] |
| CVE-2019-16161 | redhat:distro:redhat:8 | ruby | | [{"kind":"rpm-modularity","module":"ruby:2.6"}] |

Grype here has chosen the ruby:2.5 row, but the match details don't directly say this.

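The selection the issue describes, and the match-detail shape it asks for, as an added example that is not part of the issue and not Grype's own code. It assumes a simplified rule for rpm-modularity qualifiers (every modularity qualifier on a row must equal the package's "name:stream" prefix, and a row with no modularity qualifier applies to any build of the package); the `Match`, `ModuleStream`, `MatchDetail` and `Found.PackageQualifiers` names are hypothetical, and `SampleRows` is constructed from the two rows shown in the query output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Qualifier mirrors one entry of the Grype DB package_qualifiers column,
// e.g. {"kind":"rpm-modularity","module":"ruby:2.5"}.
type Qualifier struct {
	Kind   string `json:"kind"`
	Module string `json:"module,omitempty"`
}

// VulnRow is a hypothetical, trimmed-down vulnerability record holding the
// columns from the issue's SELECT; PackageQualifiers is the raw JSON text.
type VulnRow struct {
	ID, Namespace, PackageName, VersionConstraint, PackageQualifiers string
}

// RPMPackage is the package being matched. ModularityLabel comes from the RPM
// header and has the form "<name>:<stream>:<version>:<context>".
type RPMPackage struct {
	Name, Version, ModularityLabel string
}

// SearchedPackage and Found are hypothetical analogues of searchedBy.package and
// found in Grype's matchDetails, extended with the qualifier data this issue asks for.
type SearchedPackage struct {
	Name            string `json:"name"`
	Version         string `json:"version"`
	ModularityLabel string `json:"modularityLabel,omitempty"`
}

type Found struct {
	VersionConstraint string      `json:"versionConstraint"`
	VulnerabilityID   string      `json:"vulnerabilityID"`
	PackageQualifiers []Qualifier `json:"packageQualifiers,omitempty"`
}

type MatchDetail struct {
	Type       string          `json:"type"`
	Matcher    string          `json:"matcher"`
	SearchedBy SearchedPackage `json:"searchedBy"`
	Found      Found           `json:"found"`
}

// ModuleStream reduces a modularity label to its "name:stream" prefix, which is
// what a module qualifier such as "ruby:2.5" is compared against.
func ModuleStream(label string) string {
	parts := strings.SplitN(label, ":", 3)
	if len(parts) < 2 {
		return label
	}
	return parts[0] + ":" + parts[1]
}

// qualifiersSatisfied applies the assumed rule: every rpm-modularity qualifier on
// the row must equal the package's module stream; a package without a modularity
// label cannot satisfy one; a row with no modularity qualifier applies to any build.
func qualifiersSatisfied(quals []Qualifier, pkg RPMPackage) bool {
	for _, q := range quals {
		if q.Kind != "rpm-modularity" {
			continue
		}
		if pkg.ModularityLabel == "" || ModuleStream(pkg.ModularityLabel) != q.Module {
			return false
		}
	}
	return true
}

// Match keeps the rows whose name and qualifiers agree with pkg and emits one
// MatchDetail per row that records which qualifiers drove the decision.
func Match(pkg RPMPackage, rows []VulnRow) ([]MatchDetail, error) {
	var out []MatchDetail
	for _, row := range rows {
		if row.PackageName != pkg.Name {
			continue
		}
		var quals []Qualifier
		if strings.TrimSpace(row.PackageQualifiers) != "" {
			if err := json.Unmarshal([]byte(row.PackageQualifiers), &quals); err != nil {
				return nil, fmt.Errorf("%s: bad package_qualifiers: %w", row.ID, err)
			}
		}
		if !qualifiersSatisfied(quals, pkg) {
			continue
		}
		vc := row.VersionConstraint
		if vc == "" {
			vc = "none (rpm)" // empty constraint, as the issue's match shows
		}
		out = append(out, MatchDetail{
			Type:       "exact-indirect-match",
			Matcher:    "rpm-matcher",
			SearchedBy: SearchedPackage{Name: pkg.Name, Version: pkg.Version, ModularityLabel: pkg.ModularityLabel},
			Found:      Found{VersionConstraint: vc, VulnerabilityID: row.ID, PackageQualifiers: quals},
		})
	}
	return out, nil
}

// SampleRows is constructed from the two rows in the issue's query output.
var SampleRows = []VulnRow{
	{ID: "CVE-2019-16161", Namespace: "redhat:distro:redhat:8", PackageName: "ruby",
		PackageQualifiers: `[{"kind":"rpm-modularity","module":"ruby:2.5"}]`},
	{ID: "CVE-2019-16161", Namespace: "redhat:distro:redhat:8", PackageName: "ruby",
		PackageQualifiers: `[{"kind":"rpm-modularity","module":"ruby:2.6"}]`},
}

func main() {
	pkg := RPMPackage{
		Name:            "ruby",
		Version:         "2.5.9-110.module+el8.6.0+15956+aa803fc1",
		ModularityLabel: "ruby:2.5:8060020220715152618:ad008a3a",
	}
	details, err := Match(pkg, SampleRows)
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(details, "", "  ")
	fmt.Println(string(b))
}
```

Run as-is and the emitted detail carries `"packageQualifiers": [{"kind":"rpm-modularity","module":"ruby:2.5"}]` under `found`, which is exactly the information the current output leaves implicit: of the two ruby rows, only the ruby:2.5 one was used. Because the qualifier list is copied through verbatim, any future qualifier kinds stored in the same column would surface the same way.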