Skip to content

Commit

Permalink
do not fail when inflating DB records
Browse files Browse the repository at this point in the history
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
  • Loading branch information
wagoodman committed Aug 12, 2024
1 parent b12a6f2 commit 8342083
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 6 deletions.
12 changes: 8 additions & 4 deletions grype/db/vulnerability_provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,8 @@ func (pr *VulnerabilityProvider) Get(id, namespace string) ([]vulnerability.Vuln
for _, vuln := range vulns {
vulnObj, err := vulnerability.NewVulnerability(vuln)
if err != nil {
return nil, fmt.Errorf("provider failed to inflate vulnerability record (namespace=%q id=%q): %w", vuln.Namespace, vuln.ID, err)
log.WithFields("namespace", vuln.Namespace, "id", vuln.ID).Errorf("failed to inflate vulnerability record: %v", err)
continue
}

results = append(results, *vulnObj)
Expand Down Expand Up @@ -87,7 +88,8 @@ func (pr *VulnerabilityProvider) GetByDistro(d *distro.Distro, p pkg.Package) ([
for _, vuln := range allPkgVulns {
vulnObj, err := vulnerability.NewVulnerability(vuln)
if err != nil {
return nil, fmt.Errorf("provider failed to inflate vulnerability record (namespace=%q id=%q distro=%q): %w", vuln.Namespace, vuln.ID, d, err)
log.WithFields("namespace", vuln.Namespace, "id", vuln.ID).Errorf("failed to inflate vulnerability record (by distro): %v", err)
continue
}

vulnerabilities = append(vulnerabilities, *vulnObj)
Expand Down Expand Up @@ -121,7 +123,8 @@ func (pr *VulnerabilityProvider) GetByLanguage(l syftPkg.Language, p pkg.Package
for _, vuln := range allPkgVulns {
vulnObj, err := vulnerability.NewVulnerability(vuln)
if err != nil {
return nil, fmt.Errorf("provider failed to inflate vulnerability record (namespace=%q id=%q language=%q): %w", vuln.Namespace, vuln.ID, l, err)
log.WithFields("namespace", vuln.Namespace, "id", vuln.ID).Errorf("failed to inflate vulnerability record (by language): %v", err)
continue
}

vulnerabilities = append(vulnerabilities, *vulnObj)
Expand Down Expand Up @@ -169,7 +172,8 @@ func (pr *VulnerabilityProvider) GetByCPE(requestCPE cpe.CPE) ([]vulnerability.V
if len(candidateMatchCpes) > 0 {
vulnObj, err := vulnerability.NewVulnerability(vuln)
if err != nil {
return nil, fmt.Errorf("provider failed to inflate vulnerability record (namespace=%q id=%q cpe=%q): %w", vuln.Namespace, vuln.ID, requestCPE.Attributes.BindToFmtString(), err)
log.WithFields("namespace", vuln.Namespace, "id", vuln.ID, "cpe", requestCPE.Attributes.BindToFmtString()).Errorf("failed to inflate vulnerability record (by CPE): %v", err)
continue
}

vulnObj.CPEs = candidateMatchCpes
Expand Down
23 changes: 21 additions & 2 deletions grype/db/vulnerability_provider_mocks_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,14 @@ func (d *mockStore) stub() {
ID: "CVE-2013-fake-2",
VersionFormat: "deb",
},
// poison the well! this is not a valid entry, but we want the matching process to survive and find other good results...
{
PackageName: "neutron",
Namespace: "debian:distro:debian:8",
VersionConstraint: "< 70.3.0-rc0", // intentionally bad value
ID: "CVE-2014-fake-3",
VersionFormat: "apk",
},
},
}
d.data["nvd:cpe"] = map[string][]grypeDB.Vulnerability{
Expand Down Expand Up @@ -62,7 +70,7 @@ func (d *mockStore) stub() {
ID: "CVE-2014-fake-5",
VersionFormat: "unknown",
CPEs: []string{
"cpe:2.3:*:couldntgetthisrightcouldyou:activerecord:4.0.1:*:*:*:*:*:*:*",
"cpe:2.3:*:couldntgetthisrightcouldyou:activerecord:4.0.1:*:*:*:*:*:*:*", // shouldn't match on this
},
},
{
Expand All @@ -72,7 +80,18 @@ func (d *mockStore) stub() {
ID: "CVE-2014-fake-6",
VersionFormat: "unknown",
CPEs: []string{
"cpe:2.3:*:awesome:awesome:*:*:*:*:*:*:*:*",
"cpe:2.3:*:awesome:awesome:*:*:*:*:*:*:*:*", // shouldn't match on this
},
},
// poison the well! this is not a valid entry, but we want the matching process to survive and find other good results...
{
PackageName: "activerecord",
Namespace: "nvd:cpe",
VersionConstraint: "< 70.3.0-rc0", // intentionally bad value
ID: "CVE-2014-fake-7",
VersionFormat: "apk",
CPEs: []string{
"cpe:2.3:*:activerecord:activerecord:*:*:*:*:*:rails:*:*",
},
},
},
Expand Down
5 changes: 5 additions & 0 deletions grype/db/vulnerability_provider_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -198,4 +198,9 @@ func Test_Get(t *testing.T) {
t.Errorf("diff: %+v", d)
}
}

// prove we survive a bad request
actual, err = provider.Get("CVE-2014-fake-3", "debian:distro:debian:8")
require.NoError(t, err)
assert.Empty(t, actual)
}

0 comments on commit 8342083

Please sign in to comment.