
Prefer direct match information over indirect matches

Open wagoodman opened this issue 8 months ago • 5 comments

In the case where both a direct match and indirect match are made for the same package and vulnerability ID, today we have two matches:

cat sbom-maven.json |  grype -o json | jq '.matches[] | select(.artifact.name == "perl-Errno" and .vulnerability.id == "ELSA-2021-1678") | { "name": .artifact.name, "version": .artifact.version, "vuln": .vulnerability.id, "fix": .vulnerability.fix.versions , "match-type": .matchDetails[].type}'
{
  "name": "perl-Errno",
  "version": "0:1.28-417.el8_3",
  "vuln": "ELSA-2021-1678",
  "fix": [
    "0:1.28-419.el8"
  ],
  "match-type": "exact-direct-match"
}
{
  "name": "perl-Errno",
  "version": "0:1.28-417.el8_3",
  "vuln": "ELSA-2021-1678",
  "fix": [
    "4:5.26.3-419.el8"
  ],
  "match-type": "exact-indirect-match"
}

However, this is probably too much information, as the fix information is probably most accurate on the direct match anyway.

We could merge these similar matches into a single match, preferring the direct match, while still including the match details for the indirect match in the matchDetails array.

This would, in effect, result in this (just to illustrate the approximate change):

cat sbom-maven.json |  grype -o json | jq '.matches[] | select(.artifact.name == "perl-Errno" and .vulnerability.id == "ELSA-2021-1678") | { "name": .artifact.name, "version": .artifact.version, "vuln": .vulnerability.id, "fix": .vulnerability.fix.versions , "match-type": .matchDetails[].type}'
{
  "name": "perl-Errno",
  "version": "0:1.28-417.el8_3",
  "vuln": "ELSA-2021-1678",
  "fix": [
    "0:1.28-419.el8"
  ],
  "match-type": ["exact-direct-match", "exact-indirect-match"]
}

Note that:

  • there are multiple match types
  • the fix info is from the direct match

(the SBOM was produced from maven@sha256:1ffe2b51b6762b94590a1149cf0c35a169203d467dc34891be1439ad3b54940e)

dev notes:

  • today we do deduplication with a hash lookup by fingerprint https://github.com/anchore/grype/blob/main/grype/match/fingerprint.go
  • this is done while adding to a collection of matches: https://github.com/anchore/grype/blob/main/grype/match/matches.go#L11
  • we should probably also have a fingerprint-without-fixes index so we can lookup similar matches and make a more nuanced decision while merging (still during the Add). Order of add into the collection will need to be considered here.

wagoodman Jun 12 '24 14:06
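A sketch of the merge-on-Add behaviour the dev notes describe, as an added example that is not grype's own code (grype's real `match.Match`, `Matches` and fingerprint types carry many more fields; the stand-in structs, the `FingerprintWithoutFix` key and the `Merge`/`IssueExample` helpers here are constructed for illustration). It keys a second index on package plus vulnerability ID without fix data, takes the fix versions from whichever side carries a direct match, and keeps both sides' match details, so the merged result is the same whether the direct or the indirect match is added first. The sample input reuses the two perl-Errno / ELSA-2021-1678 records from the issue output.

```go
package main

import (
	"fmt"
	"sort"
)

// Minimal stand-ins for grype's match types, constructed for this example.
type Fix struct{ Versions []string }

type Vulnerability struct {
	ID  string
	Fix Fix
}

type Package struct{ Name, Version string }

type Detail struct{ Type string } // e.g. "exact-direct-match", "exact-indirect-match"

type Match struct {
	Package       Package
	Vulnerability Vulnerability
	Details       []Detail
}

const directType = "exact-direct-match"

// FingerprintWithoutFix is the "fingerprint-without-fixes" key the dev notes ask for:
// the same package and vulnerability ID collide regardless of the fix data attached.
func FingerprintWithoutFix(m Match) string {
	return m.Package.Name + "|" + m.Package.Version + "|" + m.Vulnerability.ID
}

func hasDirect(m Match) bool {
	for _, d := range m.Details {
		if d.Type == directType {
			return true
		}
	}
	return false
}

// Matches merges similar matches as they are added (hypothetical collection).
type Matches struct {
	byKey map[string]Match
	keys  []string // insertion order, so All() is deterministic
}

func NewMatches() *Matches { return &Matches{byKey: map[string]Match{}} }

// Add folds m into an existing match with the same fingerprint-without-fix.
// Fix info comes from the side that has a direct match; details from both sides
// are kept, deduplicated, with direct details first. Because the rule inspects
// both sides rather than "first added wins", add order does not change the result.
func (c *Matches) Add(m Match) {
	key := FingerprintWithoutFix(m)
	cur, ok := c.byKey[key]
	if !ok {
		c.byKey[key] = m
		c.keys = append(c.keys, key)
		return
	}
	if hasDirect(m) && !hasDirect(cur) {
		cur.Vulnerability = m.Vulnerability // prefer the direct match's fix versions
	}
	details := append([]Detail(nil), cur.Details...) // copy: never alias caller slices
	for _, d := range m.Details {
		if !containsDetail(details, d) {
			details = append(details, d)
		}
	}
	sort.SliceStable(details, func(i, j int) bool { return rank(details[i].Type) < rank(details[j].Type) })
	cur.Details = details
	c.byKey[key] = cur
}

func containsDetail(ds []Detail, d Detail) bool {
	for _, x := range ds {
		if x == d {
			return true
		}
	}
	return false
}

func rank(t string) int {
	if t == directType {
		return 0
	}
	return 1
}

// All returns the merged matches in first-seen order.
func (c *Matches) All() []Match {
	out := make([]Match, 0, len(c.keys))
	for _, k := range c.keys {
		out = append(out, c.byKey[k])
	}
	return out
}

// IssueExample rebuilds the two perl-Errno / ELSA-2021-1678 matches shown in the issue.
func IssueExample() (direct, indirect Match) {
	pkg := Package{Name: "perl-Errno", Version: "0:1.28-417.el8_3"}
	direct = Match{Package: pkg, Details: []Detail{{Type: directType}},
		Vulnerability: Vulnerability{ID: "ELSA-2021-1678", Fix: Fix{Versions: []string{"0:1.28-419.el8"}}}}
	indirect = Match{Package: pkg, Details: []Detail{{Type: "exact-indirect-match"}},
		Vulnerability: Vulnerability{ID: "ELSA-2021-1678", Fix: Fix{Versions: []string{"4:5.26.3-419.el8"}}}}
	return direct, indirect
}

// Merge adds the matches in the given order and returns the merged collection.
func Merge(ms ...Match) []Match {
	c := NewMatches()
	for _, m := range ms {
		c.Add(m)
	}
	return c.All()
}

func main() {
	direct, indirect := IssueExample()
	for _, m := range Merge(indirect, direct) { // indirect added first: order must not matter
		fmt.Printf("%s %s %s fix=%v details=%v\n", m.Package.Name, m.Package.Version,
			m.Vulnerability.ID, m.Vulnerability.Fix.Versions, m.Details)
	}
}
```

When two matches for the same key are both indirect (or both direct) with different fix versions, this sketch keeps the first one's fix data; a real implementation would need a further tie-break rule there, which the issue does not specify.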