Add java.Matcher configuration to includes maven upstream sha1 query

[spiffcs]

Add Grype Matcher configuration for upstream maven query based on SHA1

Syft is now able to generate sha1 digests for discovered java archives. These digests are included along with the java archive metadata output.
anchore/syft#941

This PR adds the ability for the user to configure the java.Matcher to query the maven upstream repository for additional data that may not be present at time of SBOM generation.

Specifically, sboms of java archives are sometimes limited in their details when pom.xml or pom.properties are not present at the time of analysis. Querying maven given an archives sha1 digest value allows users to add fidelity to their vulnerability report when matching against data not relying on CPE generation (GHSA or GL Advisory Database).

It should be noted that a NEW package is not generated for the grype output. Matches found with this method are assigned directly to the java package that presented the sha1 for search. No duplication should be caused from doing this additional query.

The .grype.yaml configuration has been updated to include the following block:

external-sources:
  enable: true
  maven:
    search-maven-upstream: true
    base-url: "https://search.maven.org/solrsearch/select"

Features added

• Matcher Config options at the app config level
• Maven upstream package search with vulnerability comparison

TODO

• Test Updates

Demo

Disabled - 606 vulnerabilities reported:

Enabled - 682 vulnerabilities reported:

Yardstick Analysis vs current release and branch:

This shows all of the additional vulnerabilities captured when enabling upstream matching:

None of these findings appear to be FP and can all be accurately attributed to the image.

What's interesting here is that after running yardstick the new branch shows 22 new vulnerabilities reported. The output of the respective commands (current release vs branch) shows a difference of 76 when comparing the Scanned image [xxx vulnerabilities] field (606 vs 682). This disparity has been found to be related to additional relatedVulnerabiities being populated as a result of enabling the upstream source. When searching by sha and matching with GHSA is also will generate a new relatedVulnerability for the NVD source. New vulnerabilities PLUS packages that can now be found via the GHSA and not just CPE account for this increase in the output.

I have found that the branch results will overwrite exact-direct-match with exact-indirect-match if a vulnerability is found upstream via the checksum search.

Signed-off-by: Christopher Phillips christopher.phillips@anchore.com

[spiffcs]

Update on next syft release

[kzantow]

Only other thing I'll note at the moment is that we'll probably want to update the README with this one. Removing global state is MEGA-👍, though!

[wagoodman]

great maven search addition, and love that this paves the way to exposing user-configuration for matchers in the future

[wagoodman]

nit: since we have the master switch (which is great) we could have the maven search option default to on

[kzantow]

I strongly +1 this

[wagoodman]

nit: the full config path stutters: external-sources.maven.search-maven-upstream with maven showing up twice.
maybe rename the field to search-upstream? Or more descriptive to the what or how of the operation, such as search-by-sha1 or find-artifact-group-id (not saying these suggestions are necessarily better, but wanted to give an idea)

[spiffcs]

Yea nice suggestion. I'll update the config here.

[spiffcs]

TODO before merge and thanks for the 🟢 @wagoodman and @kzantow :

• config update to not stutter
• default updates
• test behavior correction
• update syft release

[kzantow]

@spiffcs I'd like to see two more things:

• make sure the appropriate environment variables work
• make sure the README is updated

[spiffcs]

Still debugging these env variables

[spiffcs]

@kzantow this should work for you GRYPE_EXTERNAL_SOURCES_ENABLE=true I think the env variables need to be prefixed with GRYPE