From 6ccc0a554b07b05fd049f882a1825a0e1e0aabe1 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Tue, 6 Feb 2024 17:09:53 +0600
Subject: [PATCH] fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)

Signed-off-by: knqyf263
Co-authored-by: knqyf263
---
 pkg/fanal/types/artifact.go     |  8 ++++++++
 pkg/vex/testdata/cyclonedx.json | 21 +++++++++++++++++++++
 pkg/vex/vex_test.go             | 25 +++++++++++++++++++++++++
 3 files changed, 54 insertions(+)

diff --git a/pkg/fanal/types/artifact.go b/pkg/fanal/types/artifact.go
index 2d8e491fc72c..cd005c6582b1 100644
--- a/pkg/fanal/types/artifact.go
+++ b/pkg/fanal/types/artifact.go
@@ -2,6 +2,7 @@ package types
 
 import (
 	"encoding/json"
+	"strings"
 	"time"
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -156,6 +157,13 @@ func (id *PkgIdentifier) Empty() bool {
 }
 
 func (id *PkgIdentifier) Match(s string) bool {
+	// Encode string as PURL
+	if strings.HasPrefix(s, "pkg:") {
+		if p, err := packageurl.FromString(s); err == nil {
+			s = p.String()
+		}
+	}
+
 	switch {
 	case id.BOMRef == s:
 		return true
diff --git a/pkg/vex/testdata/cyclonedx.json b/pkg/vex/testdata/cyclonedx.json
index a85d430dbc69..ccc4396981b5 100644
--- a/pkg/vex/testdata/cyclonedx.json
+++ b/pkg/vex/testdata/cyclonedx.json
@@ -18,6 +18,27 @@
           "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0"
         }
       ]
+    },
+    {
+      "id": "CVE-2022-27943",
+      "source": {
+        "name": "ubuntu",
+        "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+      },
+      "affects": [
+        {
+          "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+          "versions": [
+            {
+              "version": "12.3.0-1ubuntu1~22.04",
+              "status": "affected"
+            }
+          ]
+        }
+      ],
+      "analysis": {
+        "state": "not_affected"
+      }
     }
   ]
 }
diff --git a/pkg/vex/vex_test.go b/pkg/vex/vex_test.go
index 004a0d14d842..9e2d7b0b543e 100644
--- a/pkg/vex/vex_test.go
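Review bot: The canonicalization is applied only to the incoming `s`; on the `case id.BOMRef == s` line `id.BOMRef` is still compared verbatim, so a stored bom-ref that is a valid PURL but not in the library's canonical form (a different percent-encoding, or presumably a different qualifier order, as in the vex_test.go fixture where BOMRef carries `distro=...&arch=...` while the VEX ref carries `arch=...&distro=...`) misses this case and matches only if a later case outside the hunk catches it. Because a match here is what allows a VEX statement to suppress a finding, the comparison should be symmetric: move the normalization into a small helper and apply it to both sides, as sketched below. The `err == nil` fallback to a raw compare is reasonable, but the comment should say so, e.g. `// Canonicalize PURL strings so encoding and qualifier order do not affect equality; non-PURL or unparsable input is compared verbatim`. The remaining cases of the switch and the closing brace of Match are outside the hunk.
```go
// canonicalPURL returns s re-encoded by the packageurl library when it parses
// as a PURL; any other string, or an unparsable "pkg:" string, is returned verbatim.
func canonicalPURL(s string) string {
	if !strings.HasPrefix(s, "pkg:") {
		return s
	}
	p, err := packageurl.FromString(s)
	if err != nil {
		return s
	}
	return p.String()
}

func (id *PkgIdentifier) Match(s string) bool {
	// Canonicalize both sides so encoding and qualifier order do not affect equality.
	s = canonicalPURL(s)

	switch {
	case id.BOMRef == s:
		return true
	case id.BOMRef != "" && canonicalPURL(id.BOMRef) == s:
		return true
	// … unchanged: remaining cases …
```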
+++ b/pkg/vex/vex_test.go
@@ -149,6 +149,31 @@ func TestVEX_Filter(t *testing.T) {
 						},
 					},
 				},
+				{
+					VulnerabilityID:  "CVE-2022-27943",
+					PkgID:            "libstdc++6@12.3.0-1ubuntu1~22.04",
+					PkgName:          "libstdc++6",
+					InstalledVersion: "12.3.0-1ubuntu1~22.04",
+					PkgIdentifier: ftypes.PkgIdentifier{
+						BOMRef: "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?distro=ubuntu-22.04&arch=amd64",
+						PURL: &packageurl.PackageURL{
+							Type:      packageurl.TypeDebian,
+							Namespace: "ubuntu",
+							Name:      "libstdc++6",
+							Version:   "12.3.0-1ubuntu1~22.04",
+							Qualifiers: []packageurl.Qualifier{
+								{
+									Key:   "arch",
+									Value: "amd64",
+								},
+								{
+									Key:   "distro",
+									Value: "ubuntu-22.04",
+								},
+							},
+						},
+					},
+				},
 			},
 		},
 		want: []types.DetectedVulnerability{
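Review bot: The added table entry sets both a `BOMRef` and a fully populated `PURL` whose canonical string is, as far as I can tell, identical to the PURL fragment in the new cyclonedx.json `affects` ref, so if Match has a case that compares the PURL (outside the hunk) the assertion can pass through that path and does not isolate the new `BOMRef` canonicalization that the commit title describes. Consider a second entry with `PURL: nil` so that only the `BOMRef` comparison can satisfy the match, and one whose `BOMRef` contains a literal `++` rather than `%2B%2B`, since "unescaped BomRef" is the case being fixed. The enclosing test case and `TestVEX_Filter` itself begin before the hunk.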