feat: extract use cpes in matching logic to be configurable

README.md

@@ -674,6 +674,25 @@ log:
   # location to write the log file (default is not to have a log file)
   # same as GRYPE_LOG_FILE env var
   file: ""
+
+match:
+  # sets the matchers below to use cpes when trying to find 
+  # vulnerability matches. The stock matcher is the default
+  # when no primary matcher can be identified 
+  java:
+    using-cpes: true
+  python:
+    using-cpes: true
+  javascript:
+    using-cpes: true
+  ruby:
+    using-cpes: true
+  dotnet:
+    using-cpes: true
+  golang:
+    using-cpes: true
+  stock:
+    using-cpes: true
 ```
 
 ## Future plans

cmd/root.go

@@ -19,6 +19,12 @@ import (
 	"github.com/anchore/grype/grype/grypeerr"
 	"github.com/anchore/grype/grype/match"
 	"github.com/anchore/grype/grype/matcher"
+	"github.com/anchore/grype/grype/matcher/dotnet"
+	"github.com/anchore/grype/grype/matcher/golang"
+	"github.com/anchore/grype/grype/matcher/javascript"
+	"github.com/anchore/grype/grype/matcher/python"
+	"github.com/anchore/grype/grype/matcher/ruby"
+	"github.com/anchore/grype/grype/matcher/stock"
 	"github.com/anchore/grype/grype/pkg"
 	"github.com/anchore/grype/grype/presenter"
 	"github.com/anchore/grype/grype/store"
@@ -351,7 +357,13 @@ func startWorker(userInput string, failOnSeverity *vulnerability.Severity) <-cha
 		applyDistroHint(packages, &context, appConfig)
 
 		matchers := matcher.NewDefaultMatchers(matcher.Config{
-			Java: appConfig.ExternalSources.ToJavaMatcherConfig(),
+			Java:       appConfig.ExternalSources.ToJavaMatcherConfig(appConfig.Match.Java),
+			Ruby:       ruby.MatcherConfig(appConfig.Match.Ruby),
+			Python:     python.MatcherConfig(appConfig.Match.Python),
+			Dotnet:     dotnet.MatcherConfig(appConfig.Match.Dotnet),
+			Javascript: javascript.MatcherConfig(appConfig.Match.Javascript),
+			Golang:     golang.MatcherConfig(appConfig.Match.Golang),
+			Stock:      stock.MatcherConfig(appConfig.Match.Stock),
 		})
 
 		allMatches := grype.FindVulnerabilitiesForPackage(*store, context.Distro, matchers, packages)

grype/matcher/dotnet/matcher.go

@@ -10,6 +10,17 @@ import (
 )
 
 type Matcher struct {
+	UseCPEs bool
+}
+
+type MatcherConfig struct {
+	UseCPEs bool
+}
+
+func NewDotnetMatcher(cfg MatcherConfig) *Matcher {
+	return &Matcher{
+		UseCPEs: cfg.UseCPEs,
+	}
 }
 
 func (m *Matcher) PackageTypes() []syftPkg.Type {
@@ -21,5 +32,9 @@ func (m *Matcher) Type() match.MatcherType {
 }
 
 func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
-	return search.ByCriteria(store, d, p, m.Type(), search.CommonCriteria...)
+	criteria := search.CommonCriteria
+	if m.UseCPEs {
+		criteria = append(criteria, search.ByCPE)
+	}
+	return search.ByCriteria(store, d, p, m.Type(), criteria...)
 }

grype/matcher/golang/matcher.go

@@ -12,6 +12,17 @@ import (
 )
 
 type Matcher struct {
+	UseCPEs bool
+}
+
+type MatcherConfig struct {
+	UseCPEs bool
+}
+
+func NewGolangMatcher(cfg MatcherConfig) *Matcher {
+	return &Matcher{
+		UseCPEs: cfg.UseCPEs,
+	}
 }
 
 func (m *Matcher) PackageTypes() []syftPkg.Type {
@@ -38,5 +49,9 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa
 		return matches, nil
 	}
 
-	return search.ByCriteria(store, d, p, m.Type(), search.CommonCriteria...)
+	criteria := search.CommonCriteria
+	if m.UseCPEs {
+		criteria = append(criteria, search.ByCPE)
+	}
+	return search.ByCriteria(store, d, p, m.Type(), criteria...)
 }

grype/matcher/java/matcher.go

@@ -23,6 +23,7 @@ const (
 type Matcher struct {
 	SearchMavenUpstream bool
 	MavenSearcher
+	UseCPEs bool
 }
 
 // MavenSearcher is the interface that wraps the GetMavenPackageBySha method.
@@ -104,6 +105,7 @@ func (ms *mavenSearch) GetMavenPackageBySha(sha1 string) (*pkg.Package, error) {
 type MatcherConfig struct {
 	SearchMavenUpstream bool
 	MavenBaseURL        string
+	UseCPEs             bool
 }
 
 func NewJavaMatcher(cfg MatcherConfig) *Matcher {
@@ -113,6 +115,7 @@ func NewJavaMatcher(cfg MatcherConfig) *Matcher {
 			client:  http.DefaultClient,
 			baseURL: cfg.MavenBaseURL,
 		},
+		cfg.UseCPEs,
 	}
 }
 
@@ -134,7 +137,11 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa
 			matches = append(matches, upstreamMatches...)
 		}
 	}
-	criteriaMatches, err := search.ByCriteria(store, d, p, m.Type(), search.CommonCriteria...)
+	criteria := search.CommonCriteria
+	if m.UseCPEs {
+		criteria = append(criteria, search.ByCPE)
+	}
+	criteriaMatches, err := search.ByCriteria(store, d, p, m.Type(), criteria...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to match by exact package: %w", err)
 	}

grype/matcher/javascript/matcher.go

@@ -10,6 +10,17 @@ import (
 )
 
 type Matcher struct {
+	UseCPEs bool
+}
+
+type MatcherConfig struct {
+	UseCPEs bool
+}
+
+func NewJavascriptMatcher(cfg MatcherConfig) *Matcher {
+	return &Matcher{
+		UseCPEs: cfg.UseCPEs,
+	}
 }
 
 func (m *Matcher) PackageTypes() []syftPkg.Type {
@@ -21,5 +32,9 @@ func (m *Matcher) Type() match.MatcherType {
 }
 
 func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
-	return search.ByCriteria(store, d, p, m.Type(), search.CommonCriteria...)
+	criteria := search.CommonCriteria
+	if m.UseCPEs {
+		criteria = append(criteria, search.ByCPE)
+	}
+	return search.ByCriteria(store, d, p, m.Type(), criteria...)
 }

grype/matcher/matchers.go

@@ -34,22 +34,29 @@ type Monitor struct {
 
 // Config contains values used by individual matcher structs for advanced configuration
 type Config struct {
-	Java java.MatcherConfig
+	Java       java.MatcherConfig
+	Ruby       ruby.MatcherConfig
+	Python     python.MatcherConfig
+	Dotnet     dotnet.MatcherConfig
+	Javascript javascript.MatcherConfig
+	Golang     golang.MatcherConfig
+	Stock      stock.MatcherConfig
 }
 
 func NewDefaultMatchers(mc Config) []Matcher {
 	return []Matcher{
 		&dpkg.Matcher{},
-		&ruby.Matcher{},
-		&python.Matcher{},
-		&dotnet.Matcher{},
+		ruby.NewRubyMatcher(mc.Ruby),
+		python.NewPythonMatcher(mc.Python),
+		dotnet.NewDotnetMatcher(mc.Dotnet),
 		&rpmdb.Matcher{},
 		java.NewJavaMatcher(mc.Java),
-		&javascript.Matcher{},
+		javascript.NewJavascriptMatcher(mc.Javascript),
 		&apk.Matcher{},
-		&golang.Matcher{},
+		golang.NewGolangMatcher(mc.Golang),
 		&msrc.Matcher{},
 		&portage.Matcher{},
+		stock.NewStockMatcher(mc.Stock),
 	}
 }
 
@@ -67,9 +74,14 @@ func trackMatcher() (*progress.Manual, *progress.Manual) {
 	return &packagesProcessed, &vulnerabilitiesDiscovered
 }
 
-func newMatcherIndex(matchers []Matcher) map[syftPkg.Type][]Matcher {
+func newMatcherIndex(matchers []Matcher) (map[syftPkg.Type][]Matcher, Matcher) {
 	matcherIndex := make(map[syftPkg.Type][]Matcher)
+	var defaultMatcher Matcher
 	for _, m := range matchers {
+		if m.Type() == match.StockMatcher {
+			defaultMatcher = m
+			continue
+		}
 		for _, t := range m.PackageTypes() {
 			if _, ok := matcherIndex[t]; !ok {
 				matcherIndex[t] = make([]Matcher, 0)
@@ -80,7 +92,7 @@ func newMatcherIndex(matchers []Matcher) map[syftPkg.Type][]Matcher {
 		}
 	}
 
-	return matcherIndex
+	return matcherIndex, defaultMatcher
 }
 
 func FindMatches(store interface {
@@ -89,7 +101,7 @@ func FindMatches(store interface {
 }, release *linux.Release, matchers []Matcher, packages []pkg.Package) match.Matches {
 	var err error
 	res := match.NewMatches()
-	matcherIndex := newMatcherIndex(matchers)
+	matcherIndex, defaultMatcher := newMatcherIndex(matchers)
 
 	var d *distro.Distro
 	if release != nil {
@@ -101,7 +113,9 @@ func FindMatches(store interface {
 
 	packagesProcessed, vulnerabilitiesDiscovered := trackMatcher()
 
-	defaultMatcher := &stock.Matcher{}
+	if defaultMatcher == nil {
+		defaultMatcher = &stock.Matcher{UseCPEs: true}
+	}
 	for _, p := range packages {
 		packagesProcessed.N++
 		log.Debugf("searching for vulnerability matches for pkg=%s", p)

grype/matcher/python/matcher.go

@@ -10,6 +10,17 @@ import (
 )
 
 type Matcher struct {
+	UseCPEs bool
+}
+
+type MatcherConfig struct {
+	UseCPEs bool
+}
+
+func NewPythonMatcher(cfg MatcherConfig) *Matcher {
+	return &Matcher{
+		UseCPEs: cfg.UseCPEs,
+	}
 }
 
 func (m *Matcher) PackageTypes() []syftPkg.Type {
@@ -21,5 +32,9 @@ func (m *Matcher) Type() match.MatcherType {
 }
 
 func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
-	return search.ByCriteria(store, d, p, m.Type(), search.CommonCriteria...)
+	criteria := search.CommonCriteria
+	if m.UseCPEs {
+		criteria = append(criteria, search.ByCPE)
+	}
+	return search.ByCriteria(store, d, p, m.Type(), criteria...)
 }

grype/matcher/ruby/matcher.go

@@ -10,6 +10,17 @@ import (
 )
 
 type Matcher struct {
+	UseCPEs bool
+}
+
+type MatcherConfig struct {
+	UseCPEs bool
+}
+
+func NewRubyMatcher(cfg MatcherConfig) *Matcher {
+	return &Matcher{
+		UseCPEs: cfg.UseCPEs,
+	}
 }
 
 func (m *Matcher) PackageTypes() []syftPkg.Type {
@@ -21,5 +32,9 @@ func (m *Matcher) Type() match.MatcherType {
 }
 
 func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
-	return search.ByCriteria(store, d, p, m.Type(), search.CommonCriteria...)
+	criteria := search.CommonCriteria
+	if m.UseCPEs {
+		criteria = append(criteria, search.ByCPE)
+	}
+	return search.ByCriteria(store, d, p, m.Type(), criteria...)
 }

grype/matcher/stock/matcher.go

@@ -10,6 +10,17 @@ import (
 )
 
 type Matcher struct {
+	UseCPEs bool
+}
+
+type MatcherConfig struct {
+	UseCPEs bool
+}
+
+func NewStockMatcher(cfg MatcherConfig) *Matcher {
+	return &Matcher{
+		UseCPEs: cfg.UseCPEs,
+	}
 }
 
 func (m *Matcher) PackageTypes() []syftPkg.Type {
@@ -21,5 +32,9 @@ func (m *Matcher) Type() match.MatcherType {
 }
 
 func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
-	return search.ByCriteria(store, d, p, m.Type(), search.CommonCriteria...)
+	criteria := search.CommonCriteria
+	if m.UseCPEs {
+		criteria = append(criteria, search.ByCPE)
+	}
+	return search.ByCriteria(store, d, p, m.Type(), criteria...)
 }

grype/search/criteria.go

@@ -14,7 +14,6 @@ var (
 	ByDistro       Criteria = "by-distro"
 	CommonCriteria          = []Criteria{
 		ByLanguage,
-		ByCPE,
 	}
 )
 

internal/config/application.go

@@ -46,6 +46,7 @@ type Application struct {
 	Exclusions          []string                `yaml:"exclude" json:"exclude" mapstructure:"exclude"`
 	DB                  database                `yaml:"db" json:"db" mapstructure:"db"`
 	ExternalSources     externalSources         `yaml:"external-sources" json:"externalSources" mapstructure:"external-sources"`
+	Match               matchConfig             `yaml:"match" json:"match" mapstructure:"match"`
 	Dev                 development             `yaml:"dev" json:"dev" mapstructure:"dev"`
 	FailOn              string                  `yaml:"fail-on-severity" json:"fail-on-severity" mapstructure:"fail-on-severity"`
 	FailOnSeverity      *vulnerability.Severity `yaml:"-" json:"-"`

internal/config/datasources.go

@@ -26,7 +26,7 @@ func (cfg externalSources) loadDefaultValues(v *viper.Viper) {
 	v.SetDefault("external-sources.maven.base-url", defaultMavenBaseURL)
 }
 
-func (cfg externalSources) ToJavaMatcherConfig() java.MatcherConfig {
+func (cfg externalSources) ToJavaMatcherConfig(matchCfg matcherConfig) java.MatcherConfig {
 	// always respect if global config is disabled
 	smu := cfg.Maven.SearchUpstreamBySha1
 	if !cfg.Enable {
@@ -35,5 +35,6 @@ func (cfg externalSources) ToJavaMatcherConfig() java.MatcherConfig {
 	return java.MatcherConfig{
 		SearchMavenUpstream: smu,
 		MavenBaseURL:        cfg.Maven.BaseURL,
+		UseCPEs:             matchCfg.UseCPEs,
 	}
 }