anchore · wagoodman · Nov 7, 2024 · Nov 5, 2024 · Nov 7, 2024
diff --git a/grype/match/details.go b/grype/match/details.go
@@ -2,8 +2,10 @@ package match
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/mitchellh/hashstructure/v2"
+	"github.com/scylladb/go-set/strset"
 )
 
 type Details []Detail
@@ -52,3 +54,63 @@ func (m Detail) ID() string {
 
 	return fmt.Sprintf("%x", f)
 }
+
+func (m Details) Len() int {
+	return len(m)
+}
+
+func (m Details) Less(i, j int) bool {
+	a := m[i]
+	b := m[j]
+
+	if a.Type != b.Type {
+		// exact-direct-match < exact-indirect-match < cpe-match
+
+		at := typeOrder[a.Type]
+		bt := typeOrder[b.Type]
+		if at == 0 {
+			return false
+		} else if bt == 0 {
+			return true
+		}
+		return at < bt
+	}
+
+	// sort by confidence
+	if a.Confidence != b.Confidence {
+		// flipped comparison since we want higher confidence to be first
+		return a.Confidence > b.Confidence
+	}
+
+	// if the types are the same, then sort by the ID (costly, but deterministic)
+	return strings.Compare(a.ID(), b.ID()) < 0
+}
+
+func (m Details) Swap(i, j int) {
+	m[i], m[j] = m[j], m[i]
+}
+
+func hasMatchType(details Details, ty Type) bool {
+	for _, d := range details {
+		if d.Type == ty {
+			return true
+		}
+	}
+	return false
+}
+
+func hasExclusivelyAnyMatchTypes(details Details, tys ...Type) bool {
+	allowed := strset.New()
+	for _, ty := range tys {
+		allowed.Add(string(ty))
+	}
+	var found bool
+	for _, d := range details {
+		if allowed.Has(string(d.Type)) {
+			found = true
+		} else {
+			return false
+		}
+	}
+	return found
+}
diff --git a/grype/match/details_test.go b/grype/match/details_test.go
@@ -0,0 +1,158 @@
+package match
+
+import (
+	"sort"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDetails_Sorting(t *testing.T) {
+
+	detailExactDirectHigh := Detail{
+		Type:       ExactDirectMatch,
+		Confidence: 0.9,
+		SearchedBy: "attribute1",
+		Found:      "value1",
+		Matcher:    "matcher1",
+	}
+	detailExactDirectLow := Detail{
+		Type:       ExactDirectMatch,
+		Confidence: 0.5,
+		SearchedBy: "attribute1",
+		Found:      "value1",
+		Matcher:    "matcher1",
+	}
+	detailExactIndirect := Detail{
+		Type:       ExactIndirectMatch,
+		Confidence: 0.7,
+		SearchedBy: "attribute2",
+		Found:      "value2",
+		Matcher:    "matcher2",
+	}
+	detailCPEMatch := Detail{
+		Type:       CPEMatch,
+		Confidence: 0.8,
+		SearchedBy: "attribute3",
+		Found:      "value3",
+		Matcher:    "matcher3",
+	}
+
+	tests := []struct {
+		name     string
+		details  Details
+		expected Details
+	}{
+		{
+			name: "sorts by type first, then by confidence",
+			details: Details{
+				detailCPEMatch,
+				detailExactDirectHigh,
+				detailExactIndirect,
+				detailExactDirectLow,
+			},
+			expected: Details{
+				detailExactDirectHigh,
+				detailExactDirectLow,
+				detailExactIndirect,
+				detailCPEMatch,
+			},
+		},
+		{
+			name: "sorts by confidence within the same type",
+			details: Details{
+				detailExactDirectLow,
+				detailExactDirectHigh,
+			},
+			expected: Details{
+				detailExactDirectHigh,
+				detailExactDirectLow,
+			},
+		},
+		{
+			name: "sorts by ID when type and confidence are the same",
+			details: Details{
+				// clone of detailExactDirectLow with slight difference to enforce ID sorting
+				{
+					Type:       ExactDirectMatch,
+					Confidence: 0.5,
+					SearchedBy: "attribute2",
+					Found:      "value2",
+					Matcher:    "matcher2",
+				},
+				detailExactDirectLow,
+			},
+			expected: Details{
+				detailExactDirectLow,
+				{
+					Type:       ExactDirectMatch,
+					Confidence: 0.5,
+					SearchedBy: "attribute2",
+					Found:      "value2",
+					Matcher:    "matcher2",
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sort.Sort(tt.details)
+			require.Equal(t, tt.expected, tt.details)
+		})
+	}
+}
+
+func TestHasExclusivelyAnyMatchTypes(t *testing.T) {
+	tests := []struct {
+		name     string
+		details  Details
+		types    []Type
+		expected bool
+	}{
+		{
+			name:     "all types allowed",
+			details:  Details{{Type: "A"}, {Type: "B"}},
+			types:    []Type{"A", "B"},
+			expected: true,
+		},
+		{
+			name:     "mixed types with disallowed",
+			details:  Details{{Type: "A"}, {Type: "B"}, {Type: "C"}},
+			types:    []Type{"A", "B"},
+			expected: false,
+		},
+		{
+			name:     "single allowed type",
+			details:  Details{{Type: "A"}},
+			types:    []Type{"A"},
+			expected: true,
+		},
+		{
+			name:     "empty details",
+			details:  Details{},
+			types:    []Type{"A"},
+			expected: false,
+		},
+		{
+			name:     "empty types list",
+			details:  Details{{Type: "A"}},
+			types:    []Type{},
+			expected: false,
+		},
+		{
+			name:     "no match with disallowed type",
+			details:  Details{{Type: "C"}},
+			types:    []Type{"A", "B"},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := hasExclusivelyAnyMatchTypes(tt.details, tt.types...)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
diff --git a/grype/match/fingerprint.go b/grype/match/fingerprint.go
@@ -9,9 +9,13 @@ import (
 )
 
 type Fingerprint struct {
+	coreFingerprint
+	vulnerabilityFixes string
+}
+
+type coreFingerprint struct {
 	vulnerabilityID        string
 	vulnerabilityNamespace string
-	vulnerabilityFixes     string
 	packageID              pkg.ID // note: this encodes package name, version, type, location
 }
 

diff --git a/grype/match/match.go b/grype/match/match.go
@@ -18,7 +18,7 @@ var ErrCannotMerge = fmt.Errorf("unable to merge vulnerability matches")
 type Match struct {
 	Vulnerability vulnerability.Vulnerability // The vulnerability details of the match.
 	Package       pkg.Package                 // The package used to search for a match.
-	Details       Details                     // all ways in which how this particular match was made.
+	Details       Details                     // all the ways this particular match was made.
 }
 
 // String is the string representation of select match fields.
@@ -28,10 +28,12 @@ func (m Match) String() string {
 
 func (m Match) Fingerprint() Fingerprint {
 	return Fingerprint{
-		vulnerabilityID:        m.Vulnerability.ID,
-		vulnerabilityNamespace: m.Vulnerability.Namespace,
-		vulnerabilityFixes:     strings.Join(m.Vulnerability.Fix.Versions, ","),
-		packageID:              m.Package.ID,
+		coreFingerprint: coreFingerprint{
+			vulnerabilityID:        m.Vulnerability.ID,
+			vulnerabilityNamespace: m.Vulnerability.Namespace,
+			packageID:              m.Package.ID,
+		},
+		vulnerabilityFixes: strings.Join(m.Vulnerability.Fix.Versions, ","),
 	}
 }
 
@@ -73,11 +75,7 @@ func (m *Match) Merge(other Match) error {
 	}
 
 	// for stable output
-	sort.Slice(m.Details, func(i, j int) bool {
-		a := m.Details[i]
-		b := m.Details[j]
-		return strings.Compare(a.ID(), b.ID()) < 0
-	})
+	sort.Sort(m.Details)
 
 	// retain all unique CPEs for consistent output
 	m.Vulnerability.CPEs = cpe.Merge(m.Vulnerability.CPEs, other.Vulnerability.CPEs)