From 24a8aff15747520e3803a68a1b8c674781178dc7 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 16 Jan 2024 12:22:05 +0600
Subject: [PATCH 1/2] fix(amazon): save system files for pkgs containing `amzn` in src
---
 pkg/fanal/analyzer/pkg/rpm/rpm.go | 16 +++++---
 pkg/fanal/analyzer/pkg/rpm/rpm_test.go | 56 ++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 6 deletions(-)
diff --git a/pkg/fanal/analyzer/pkg/rpm/rpm.go b/pkg/fanal/analyzer/pkg/rpm/rpm.go
index 1efd91c0e8e1..90c93c91ac11 100644
--- a/pkg/fanal/analyzer/pkg/rpm/rpm.go
+++ b/pkg/fanal/analyzer/pkg/rpm/rpm.go
@@ -133,7 +133,7 @@ func (a rpmPkgAnalyzer) listPkgs(db RPMDB) (types.Packages, []string, error) {
 // Check if the package is vendor-provided.
 // If the package is not provided by vendor, the installed files should not be skipped.
 var files []string
- if packageProvidedByVendor(pkg.Vendor) {
+ if packageProvidedByVendor(pkg.Vendor, srcRel) {
 files, err = pkg.InstalledFileNames()
 if err != nil {
 return nil, nil, xerrors.Errorf("unable to get installed files: %w", err)
@@ -235,13 +235,17 @@ func splitFileName(filename string) (name, ver, rel string, err error) {
 return name, ver, rel, nil
 }
 
-func packageProvidedByVendor(pkgVendor string) bool {
- for _, vendor := range osVendors {
- if strings.HasPrefix(pkgVendor, vendor) {
- return true
+func packageProvidedByVendor(pkgVendor, srcRelease string) bool {
+ if pkgVendor != "" {
+ for _, vendor := range osVendors {
+ if strings.HasPrefix(pkgVendor, vendor) {
+ return true
+ }
 }
 }
- return false
+ // Official Amazon packages may not contain `Vendor` field:
+ // https://github.com/aquasecurity/trivy/issues/5887
+ return strings.Contains(srcRelease, "amzn")
 }
 
 func writeToTempFile(rc io.Reader) (string, error) {
diff --git a/pkg/fanal/analyzer/pkg/rpm/rpm_test.go b/pkg/fanal/analyzer/pkg/rpm/rpm_test.go
index 7e99cc601d61..2ef2a0b46219 100644
--- a/pkg/fanal/analyzer/pkg/rpm/rpm_test.go
+++ b/pkg/fanal/analyzer/pkg/rpm/rpm_test.go
@@ -165,6 +165,62 @@ func Test_rpmPkgAnalyzer_listPkgs(t *testing.T) {
 "/lib64/libm-2.27.so",
 },
 },
+ {
+ name: "Amazon official package without `Vendor` field",
+ mock: mock{
+ packages: []*rpmdb.PackageInfo{
+ {
+ Name: "curl-minimal",
+ Version: "8.3.0",
+ Release: "1.amzn2023.0.2",
+ Arch: "aarch64",
+ SourceRpm: "curl-8.3.0-1.amzn2023.0.2.src.rpm",
+ DirNames: []string{
+ "/usr/bin/",
+ "/usr/lib/",
+ "/usr/lib/.build-id/",
+ "/usr/lib/.build-id/aa/",
+ "/usr/share/man/man1/",
+ },
+ DirIndexes: []int32{0, 1, 2, 3, 4},
+ BaseNames: []string{
+ "curl",
+ ".build-id",
+ "aa",
+ "d987ea9bc1c73706d12c7a143ee792117851ff",
+ "curl.1.gz",
+ },
+ Vendor: "",
+ },
+ },
+ },
+ wantPkgs: types.Packages{
+ {
+ ID: "curl-minimal@8.3.0-1.amzn2023.0.2.aarch64",
+ Name: "curl-minimal",
+ Version: "8.3.0",
+ Release: "1.amzn2023.0.2",
+ Arch: "aarch64",
+ SrcName: "curl",
+ SrcVersion: "8.3.0",
+ SrcRelease: "1.amzn2023.0.2",
+ InstalledFiles: []string{
+ "/usr/bin/curl",
+ "/usr/lib/.build-id",
+ "/usr/lib/.build-id/aa",
+ "/usr/lib/.build-id/aa/d987ea9bc1c73706d12c7a143ee792117851ff",
+ "/usr/share/man/man1/curl.1.gz",
+ },
+ },
+ },
+ wantFiles: []string{
+ "/usr/bin/curl",
+ "/usr/lib/.build-id",
+ "/usr/lib/.build-id/aa",
+ "/usr/lib/.build-id/aa/d987ea9bc1c73706d12c7a143ee792117851ff",
+ "/usr/share/man/man1/curl.1.gz",
+ },
+ },
 {
 name: "invalid source rpm",
 mock: mock{
From 7146d138ca98af5821958492ef244d8301ebe277 Mon Sep 17 00:00:00 2001
From: knqyf263
Date: Wed, 17 Jan 2024 10:37:27 +0400
Subject: [PATCH 2/2] refactor
Signed-off-by: knqyf263
---
 pkg/fanal/analyzer/pkg/rpm/rpm.go | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/pkg/fanal/analyzer/pkg/rpm/rpm.go b/pkg/fanal/analyzer/pkg/rpm/rpm.go
index 90c93c91ac11..f3a52286e578 100644
--- a/pkg/fanal/analyzer/pkg/rpm/rpm.go
+++ b/pkg/fanal/analyzer/pkg/rpm/rpm.go
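Review bot: The new table case only exercises the positive side of the empty-Vendor fallback (`Vendor: ""` together with an `amzn` Release and SourceRpm), so a regression that made packageProvidedByVendor return true for every package with no Vendor tag would still pass this test. A sibling case that keeps `Vendor: ""` but uses `Release: "1.el8"` and `SourceRpm: "curl-8.3.0-1.el8.src.rpm"` and expects no InstalledFiles on the package (and nothing in wantFiles) would pin the negative side; it is a copy of this block with those fields and the expectations changed. Because Release and SourceRpm carry the same suffix here, the case also cannot tell which of the two tags the implementation consults, which matters since the second patch switches from the source release to pkg.Release. The enclosing Test_rpmPkgAnalyzer_listPkgs table begins before this hunk.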
@@ -133,7 +133,7 @@ func (a rpmPkgAnalyzer) listPkgs(db RPMDB) (types.Packages, []string, error) {
 // Check if the package is vendor-provided.
 // If the package is not provided by vendor, the installed files should not be skipped.
 var files []string
- if packageProvidedByVendor(pkg.Vendor, srcRel) {
+ if packageProvidedByVendor(pkg) {
 files, err = pkg.InstalledFileNames()
 if err != nil {
 return nil, nil, xerrors.Errorf("unable to get installed files: %w", err)
@@ -235,17 +235,20 @@ func splitFileName(filename string) (name, ver, rel string, err error) {
 return name, ver, rel, nil
 }
 
-func packageProvidedByVendor(pkgVendor, srcRelease string) bool {
- if pkgVendor != "" {
- for _, vendor := range osVendors {
- if strings.HasPrefix(pkgVendor, vendor) {
- return true
- }
+func packageProvidedByVendor(pkg *rpmdb.PackageInfo) bool {
+ if pkg.Vendor == "" {
+ // Official Amazon packages may not contain `Vendor` field:
+ // https://github.com/aquasecurity/trivy/issues/5887
+ return strings.Contains(pkg.Release, "amzn")
+ }
+
+ for _, vendor := range osVendors {
+ if strings.HasPrefix(pkg.Vendor, vendor) {
+ return true
 }
 }
- // Official Amazon packages may not contain `Vendor` field:
+ // https://github.com/aquasecurity/trivy/issues/5887
- return strings.Contains(srcRelease, "amzn")
+
+ return false
 }
 
 func writeToTempFile(rc io.Reader) (string, error) {
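Review bot: The empty-Vendor fallback `return strings.Contains(pkg.Release, "amzn")` in packageProvidedByVendor classifies any RPM whose Release tag contains "amzn" anywhere as vendor-provided, and Release is written by whoever built the package, so a third-party or attacker-supplied RPM that omits Vendor and carries e.g. `1.amzn2023` in its release gets its installed files collected as system files and, per the comment in the first hunk, excluded from later analysis. Matching the actual Amazon release suffix narrows the surface without a new import: `return strings.Contains(pkg.Release, ".amzn")`, and a one-line caveat above it, `// Heuristic: Release is set by the package builder, so this only approximates "built by Amazon".`, would keep the next maintainer from reading it as authoritative. If the caller already knows the detected OS family, gating the fallback on Amazon Linux would be stronger still; that information is not visible in this hunk. Note the comment now refers to `Vendor` being absent while the code also reaches this branch for a present-but-empty tag, which is fine but worth wording as "empty or missing".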