implement v5 db schema to support improved matching between rpm appstream modules #944

Merged
merged 23 commits into from
Oct 17, 2022

Conversation

@westonsteimel westonsteimel commented Oct 3, 2022

Adds support for a package_qualifiers column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to the correct app stream module, in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.
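The effect of the package_qualifiers column on matching can be seen in the following added example. It is not grype's code: the record and package types, the placeholder vulnerability IDs, the sample module streams and the simplified "< X.Y.Z" version comparison are all constructed assumptions. A record with an rpm-modularity qualifier applies only when the installed rpm comes from the listed module stream, while records without qualifiers keep the version-only behaviour, which is where the v4 false positives come from.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Illustrative types only, not grype's own. A v5-style record carries a version
// constraint plus optional package qualifiers that narrow which builds it applies to.
type RpmModularityQualifier struct{ Module string } // e.g. "nodejs:12"; "" denotes a non-modular rpm

type VulnerabilityRecord struct {
	ID, PackageName   string
	VersionConstraint string // simplified to a single "< X.Y.Z" upper bound
	Qualifiers        []RpmModularityQualifier
}

type Package struct {
	Name, Version, Module string // Module is "" when the rpm is not from an AppStream module
}

// Constructed sample data with placeholder IDs, not real advisories.
var sampleVulnerabilities = []VulnerabilityRecord{
	{ID: "EXAMPLE-VULN-0001", PackageName: "nodejs", VersionConstraint: "< 12.22.0",
		Qualifiers: []RpmModularityQualifier{{Module: "nodejs:12"}}},
	{ID: "EXAMPLE-VULN-0002", PackageName: "nodejs", VersionConstraint: "< 14.18.0",
		Qualifiers: []RpmModularityQualifier{{Module: "nodejs:14"}}},
	// Legacy-style record without qualifiers: applies to every build of the package.
	{ID: "EXAMPLE-VULN-0003", PackageName: "nodejs", VersionConstraint: "< 16.0.0"},
}

// parseVersion splits a dotted numeric version into integer components.
func parseVersion(v string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("non-numeric component %q in version %q", p, v)
		}
		out = append(out, n)
	}
	return out, nil
}

// lessThan compares component-wise; missing trailing components count as zero.
func lessThan(a, b []int) bool {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// versionInRange evaluates the simplified "< bound" constraint against the package version.
func versionInRange(v VulnerabilityRecord, p Package) (bool, error) {
	if !strings.HasPrefix(v.VersionConstraint, "< ") {
		return false, fmt.Errorf("unsupported constraint %q", v.VersionConstraint)
	}
	bound, err := parseVersion(strings.TrimPrefix(v.VersionConstraint, "< "))
	if err != nil {
		return false, err
	}
	have, err := parseVersion(p.Version)
	if err != nil {
		return false, err
	}
	return lessThan(have, bound), nil
}

// qualifiersSatisfied is the v5 addition: a record with qualifiers applies only when
// the package's module stream is one of those listed; records without qualifiers
// keep the old version-only behaviour.
func qualifiersSatisfied(v VulnerabilityRecord, p Package) bool {
	if len(v.Qualifiers) == 0 {
		return true
	}
	for _, q := range v.Qualifiers {
		if q.Module == p.Module {
			return true
		}
	}
	return false
}

// Match returns the IDs of records that apply to p. With useQualifiers=false it
// reproduces the v4-style version-only evaluation that produced the false positives.
func Match(vulns []VulnerabilityRecord, p Package, useQualifiers bool) ([]string, error) {
	var ids []string
	for _, v := range vulns {
		if v.PackageName != p.Name {
			continue
		}
		inRange, err := versionInRange(v, p)
		if err != nil {
			return nil, err
		}
		if inRange && (!useQualifiers || qualifiersSatisfied(v, p)) {
			ids = append(ids, v.ID)
		}
	}
	return ids, nil
}

func main() {
	pkg := Package{Name: "nodejs", Version: "12.20.0", Module: "nodejs:12"}
	v4, _ := Match(sampleVulnerabilities, pkg, false)
	v5, _ := Match(sampleVulnerabilities, pkg, true)
	fmt.Println("version only:   ", v4) // EXAMPLE-VULN-0002 from the nodejs:14 stream is a false positive here
	fmt.Println("with qualifiers:", v5)
}
```

Note that a qualifier whose Module is the empty string only matches a non-modular rpm, and a package from a module stream never matches a record qualified for a different stream even when its version falls inside the constraint; that asymmetry is the whole point of the extra column, and it is why the schema bump is needed so that older grype versions, which ignore the column, do not silently regain the version-only matches.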

@westonsteimel westonsteimel force-pushed the grype-db-package-qualifier branch 3 times, most recently from fa6655d to 072ed00 Compare October 6, 2022 16:45
@westonsteimel westonsteimel force-pushed the grype-db-package-qualifier branch 10 times, most recently from 957bf64 to 8a2ccd5 Compare October 14, 2022 15:39
@westonsteimel westonsteimel changed the title WIP: support rpm-modularity package qualifier when evaluating vulnerability matches to a package implement v5 db schema to support correct matching between rpm appstream modules Oct 14, 2022
@westonsteimel westonsteimel marked this pull request as ready for review October 14, 2022 15:50
@westonsteimel westonsteimel requested a review from a team October 14, 2022 15:50
@westonsteimel westonsteimel changed the title implement v5 db schema to support correct matching between rpm appstream modules implement v5 db schema to support improved matching between rpm appstream modules Oct 14, 2022
@westonsteimel westonsteimel force-pushed the grype-db-package-qualifier branch from c87ff33 to fd882ee Compare October 17, 2022 19:45
@@ -18,8 +18,8 @@ import (
var update = flag.Bool("update", false, "update the *.golden files for diff presenter")

const (
baseURL = "https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v4_2022-07-05T08:18:22Z_39868af44fc51829a7c9.tar.gz"
targetURL = "https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v4_2022-07-06T08:16:42Z_c840f17244dea46d0c07.tar.gz"
baseURL = "https://toolbox-data.anchore.io/grype/staging-databases/vulnerability-db_v5_2022-10-14T08:22:01Z_69c99aa5917dea969f2d.tar.gz"
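Review bot: the replacement baseURL points at the staging-databases path rather than the production databases path used by the lines it replaces, so this test now depends on a staging artifact that can be removed or rotated at any time; pin a vendored fixture (or a published, non-staging v5 DB) instead, and confirm that targetURL is updated the same way, since only the baseURL replacement is visible in this hunk.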
Contributor

not in scope for this PR: we need to rework this test to not be dependent on hosted DBs like this. We're thinking about deprecating beyond a time window in the future, which means this test would start to fail after 90 days (or whatever window we go with).

We could capture this as an OCI artifact, but there is also the problem that this is coupled to the current DB schema version... should we change this? or is this assumption OK? In which case, we just need a nice way to continually update the fixture when we bump the schema version.

Contributor Author

I have gone ahead and disabled this now as it started failing again when I updated everything else to use the non-staging endpoint.

@westonsteimel westonsteimel force-pushed the grype-db-package-qualifier branch from 9c58492 to 5f7d22a Compare October 17, 2022 21:02
Contributor

@wagoodman wagoodman left a comment

Note: merging this will put grype in an unreleasable state until there is a V5 DB built and published.

I've added a few nits and reminder comments, but overall looks great! 🥇

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
…nerability matches

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
westonsteimel and others added 20 commits October 17, 2022 23:04
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
…e version flip

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
…qualifier

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel westonsteimel force-pushed the grype-db-package-qualifier branch from 77f7694 to 40ea037 Compare October 17, 2022 22:07
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel westonsteimel merged commit 4cda526 into main Oct 17, 2022
@westonsteimel westonsteimel deleted the grype-db-package-qualifier branch October 17, 2022 23:34