diff --git a/grype/internal/cpe_target_software_to_pkg_type.go b/grype/internal/cpe_target_software_to_pkg_type.go
deleted file mode 100644
index 8ed402c6a91..00000000000
--- a/grype/internal/cpe_target_software_to_pkg_type.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package internal
-
-import (
-	"strings"
-
-	"github.com/anchore/syft/syft/pkg"
-)
-
-// CPETargetSoftwareToPackageType is derived from looking at target_software attributes in the NVD dataset
-// TODO: ideally this would be driven from the store, where we can resolve ecosystem aliases directly
-func CPETargetSoftwareToPackageType(tsw string) pkg.Type {
-	tsw = strings.NewReplacer("-", "_", " ", "_").Replace(strings.ToLower(tsw))
-	switch tsw {
-	case "alpine", "apk":
-		return pkg.ApkPkg
-	case "debian", "dpkg":
-		return pkg.DebPkg
-	case "java", "maven", "ant", "gradle", "jenkins", "jenkins_ci", "kafka", "logstash", "mule", "nifi", "solr", "spark", "storm", "struts", "tomcat", "zookeeper", "log4j":
-		return pkg.JavaPkg
-	case "javascript", "node", "nodejs", "node.js", "npm", "yarn", "apache", "jquery", "next.js", "prismjs":
-		return pkg.NpmPkg
-	case "c", "c++", "c/c++", "conan", "gnu_c++", "qt":
-		return pkg.ConanPkg
-	case "dart":
-		return pkg.DartPubPkg
-	case "redhat", "rpm", "redhat_enterprise_linux", "rhel", "suse", "suse_linux", "opensuse", "opensuse_linux", "fedora", "centos", "oracle_linux", "ol":
-		return pkg.RpmPkg
-	case "elixir", "hex":
-		return pkg.HexPkg
-	case "erlang":
-		return pkg.ErlangOTPPkg
-	case ".net", ".net_framework", "asp", "asp.net", "dotnet", "dotnet_framework", "c#", "csharp", "nuget":
-		return pkg.DotnetPkg
-	case "ruby", "gem", "nokogiri", "ruby_on_rails":
-		return pkg.GemPkg
-	case "rust", "cargo", "crates":
-		return pkg.RustPkg
-	case "python", "pip", "pypi", "flask":
-		return pkg.PythonPkg
-	case "kb", "knowledgebase", "msrc", "mskb", "microsoft":
-		return pkg.KbPkg
-	case "portage", "gentoo":
-		return pkg.PortagePkg
-	case "go", "golang", "gomodule":
-		return pkg.GoModulePkg
-	case "linux_kernel", "linux", "z/linux":
-		return pkg.LinuxKernelPkg
-	case "php":
-		return pkg.PhpComposerPkg
-	case "swift":
-		return pkg.SwiftPkg
-	case "wordpress", "wordpress_plugin", "wordpress_":
-		return pkg.WordpressPluginPkg
-	case "lua", "luarocks":
-		return pkg.LuaRocksPkg
-	}
-	return ""
-}
diff --git a/grype/matcher/internal/only_vulnerable_targets.go b/grype/matcher/internal/only_vulnerable_targets.go
index ddb153fb18e..28957098b55 100644
--- a/grype/matcher/internal/only_vulnerable_targets.go
+++ b/grype/matcher/internal/only_vulnerable_targets.go
@@ -7,12 +7,12 @@ import (
 	"github.com/facebookincubator/nvdtools/wfn"
 	"github.com/scylladb/go-set/strset"
 
-	"github.com/anchore/grype/grype/internal"
 	"github.com/anchore/grype/grype/pkg"
 	"github.com/anchore/grype/grype/search"
 	"github.com/anchore/grype/grype/vulnerability"
 	"github.com/anchore/syft/syft/cpe"
 	syftPkg "github.com/anchore/syft/syft/pkg"
+	cpe_cataloger "github.com/anchore/syft/syft/pkg/cataloger/common/cpe"
 )
 
 // OnlyVulnerableTargets returns a criteria object that tests vulnerability qualifiers against the package vulnerability rules.
@@ -83,7 +83,7 @@ func refuteTargetSoftwareByPackageAttributes(p pkg.Package, vuln vulnerability.V
 	mismatchWithUnknownLanguage := syftPkg.LanguageByName(targetSW) != p.Language && isUnknownTarget(targetSW)
 	unspecifiedTargetSW := targetSW == wfn.Any || targetSW == wfn.NA
 	matchesByLanguage := syftPkg.LanguageByName(targetSW) == p.Language
-	matchesByPackageType := internal.CPETargetSoftwareToPackageType(targetSW) == p.Type
+	matchesByPackageType := cpe_cataloger.TargetSoftwareToPackageType(targetSW) == p.Type
 	if unspecifiedTargetSW || matchesByLanguage || matchesByPackageType || mismatchWithUnknownLanguage {
 		return true, ""
 	}
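Review bot: The new import alias `cpe_cataloger` uses an underscore, which goes against Go's lowercase single-word convention for package names and aliases and is the kind of name revive/golint flag as var-naming. A name such as `cpecataloger` (or simply `cpe` if the nearby `syft/cpe` import were renamed) would read like the existing `syftPkg` alias in the same block, e.g. `cpecataloger "github.com/anchore/syft/syft/pkg/cataloger/common/cpe"` with the call sites updated to match. The same alias is introduced in the import hunk of grype/pkg/cpe_provider.go, so the rename would apply there as well.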
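Review bot: The swap to `cpe_cataloger.TargetSoftwareToPackageType(targetSW)` silently assumes syft's table reproduces the deleted grype one, including its normalization (lowercasing, `-` and space folded to `_`) and the empty `""` return for unknown targets, and nothing visible in this diff pins that down. The dependency on the empty-string sentinel matters in the next hunk, where normalizeTargetSoftwares keys its raw-target fallback on `pt == ""`; if the syft function reports unknown targets any other way (I cannot see its body here), that branch becomes dead and those CPE targets would stop matching without any error, which is a false-negative risk for vulnerability matching. cpeToPackage in grype/pkg/cpe_provider.go takes the same dependency for the package Type it emits. I would add a table test that feeds every key of the removed switch (including mixed-case and hyphenated spellings such as `Node.js` and `jenkins-ci`, plus `z/linux`) through the new function and asserts the expected pkg.Type, and one unknown value asserting `""`. refuteTargetSoftwareByPackageAttributes begins and ends outside this hunk.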
@@ -164,7 +164,7 @@ func normalizeTargetSoftwares(ts []string) *strset.Set {
 	normalizedTargetSWs := strset.New()
 	for _, ts := range ts {
 		// Attempt to normalize target sw to package type, e.g. node and nodejs should match
-		pt := string(internal.CPETargetSoftwareToPackageType(ts))
+		pt := string(cpe_cataloger.TargetSoftwareToPackageType(ts))
 		if pt == "" && ts != "*" && ts != "?" && ts != "-" {
 			// normalizing failed; preserve raw cpe target sw string as the type
 			// unless it is wildcard
diff --git a/grype/pkg/cpe_provider.go b/grype/pkg/cpe_provider.go
index 2e4e7bccb6e..ac8b6ae0373 100644
--- a/grype/pkg/cpe_provider.go
+++ b/grype/pkg/cpe_provider.go
@@ -6,9 +6,9 @@ import (
 	"io"
 	"strings"
 
-	"github.com/anchore/grype/grype/internal"
 	"github.com/anchore/syft/syft/cpe"
 	"github.com/anchore/syft/syft/pkg"
+	cpe_cataloger "github.com/anchore/syft/syft/pkg/cataloger/common/cpe"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
 )
@@ -83,7 +83,7 @@ func cpeToPackage(rawLine string) (*Package, *pkg.Package, error) {
 		Name:    c.Attributes.Product,
 		Version: c.Attributes.Version,
 		CPEs:    []cpe.CPE{c},
-		Type:    internal.CPETargetSoftwareToPackageType(c.Attributes.TargetSW),
+		Type:    cpe_cataloger.TargetSoftwareToPackageType(c.Attributes.TargetSW),
 	}
 	syftPkg.SetID()