add suggested fixed version

grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden

@@ -38,6 +38,9 @@
      },
      "found": {
       "constraint": ">= 20"
+     },
+     "fix": {
+      "suggestedVersion": "the-next-version"
      }
     }
    ],
@@ -103,6 +106,9 @@
      },
      "found": {
       "constraint": "somecpe"
+     },
+     "fix": {
+      "suggestedVersion": ""
      }
     }
    ],

grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden

@@ -38,6 +38,9 @@
      },
      "found": {
       "constraint": ">= 20"
+     },
+     "fix": {
+      "suggestedVersion": "the-next-version"
      }
     }
    ],
@@ -103,6 +106,9 @@
      },
      "found": {
       "constraint": "somecpe"
+     },
+     "fix": {
+      "suggestedVersion": ""
      }
     }
    ],

grype/presenter/models/document_test.go

@@ -95,6 +95,55 @@ func TestPackagesAreSorted(t *testing.T) {
 	assert.Equal(t, []string{"CVE-1999-0003", "CVE-1999-0002", "CVE-1999-0001"}, actualVulnerabilities)
 }
 
+func TestFixSuggestedVersion(t *testing.T) {
+
+	var pkg1 = pkg.Package{
+		ID:      "package-1-id",
+		Name:    "package-1",
+		Version: "1.1.1",
+		Type:    syftPkg.PythonPkg,
+	}
+
+	var match1 = match.Match{
+		Vulnerability: vulnerability.Vulnerability{
+			Fix: vulnerability.Fix{
+				Versions: []string{"1.0.0", "1.2.0", "1.1.2"},
+			},
+			Reference: vulnerability.Reference{ID: "CVE-1999-0003"},
+		},
+		Package: pkg1,
+		Details: match.Details{
+			{
+				Type: match.ExactDirectMatch,
+			},
+		},
+	}
+
+	matches := match.NewMatches()
+	matches.Add(match1)
+
+	packages := []pkg.Package{pkg1}
+
+	ctx := pkg.Context{
+		Source: &syftSource.Description{
+			Metadata: syftSource.DirectoryMetadata{},
+		},
+		Distro: &linux.Release{
+			ID:      "centos",
+			IDLike:  []string{"rhel"},
+			Version: "8.0",
+		},
+	}
+	doc, err := NewDocument(clio.Identification{}, packages, ctx, matches, nil, NewMetadataMock(), nil, nil)
+	if err != nil {
+		t.Fatalf("unable to get document: %+v", err)
+	}
+
+	actualSuggestedFixedVersion := doc.Matches[0].MatchDetails[0].Fix.SuggestedVersion
+
+	assert.Equal(t, "1.1.2", actualSuggestedFixedVersion)
+}
+
 func TestTimestampValidFormat(t *testing.T) {
 
 	matches := match.NewMatches()

grype/presenter/models/match.go

@@ -6,7 +6,9 @@ import (
 
 	"github.com/anchore/grype/grype/match"
 	"github.com/anchore/grype/grype/pkg"
+	"github.com/anchore/grype/grype/version"
 	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/anchore/grype/internal/log"
 )
 
 // Match is a single item for the JSON array reported
@@ -23,6 +25,12 @@ type MatchDetails struct {
 	Matcher    string      `json:"matcher"`
 	SearchedBy interface{} `json:"searchedBy"` // The specific attributes that were used to search (other than package name and version) --this indicates "how" the match was made.
 	Found      interface{} `json:"found"`      // The specific attributes on the vulnerability object that were matched with --this indicates "what" was matched on / within.
+	Fix        FixDetails  `json:"fix"`
+}
+
+// FixDetails contains all data related to the fix
+type FixDetails struct {
+	SuggestedVersion string `json:"suggestedVersion"`
 }
 
 func newMatch(m match.Match, p pkg.Package, metadataProvider vulnerability.MetadataProvider) (*Match, error) {
@@ -49,6 +57,9 @@ func newMatch(m match.Match, p pkg.Package, metadataProvider vulnerability.Metad
 			Matcher:    string(d.Matcher),
 			SearchedBy: d.SearchedBy,
 			Found:      d.Found,
+			Fix: FixDetails{
+				SuggestedVersion: calculateSuggestedFixedVersion(p, m.Vulnerability.Fix.Versions),
+			},
 		}
 	}
 
@@ -93,3 +104,59 @@ func (m MatchSort) Less(i, j int) bool {
 func (m MatchSort) Swap(i, j int) {
 	m[i], m[j] = m[j], m[i]
 }
+
+func calculateSuggestedFixedVersion(p pkg.Package, fixedVersions []string) string {
+	if len(fixedVersions) == 0 {
+		return ""
+	}
+
+	if len(fixedVersions) == 1 {
+		return fixedVersions[0]
+	}
+
+	format := version.FormatFromPkg(p)
+	parseConstraint := func(constStr string) (version.Constraint, error) {
+		constraint, err := version.GetConstraint(constStr, format)
+		if err != nil {
+			log.WithFields("package", p.Name).Trace("skipping sorting fixed versions")
+		}
+		return constraint, err
+	}
+
+	checkSatisfaction := func(constraint version.Constraint, v *version.Version) bool {
+		satisfied, err := constraint.Satisfied(v)
+		if err != nil {
+			log.WithFields("package", p.Name).Trace("error while checking version satisfaction for sorting")
+		}
+		return satisfied && err == nil
+	}
+
+	sort.SliceStable(fixedVersions, func(i, j int) bool {
+		v1, err1 := version.NewVersion(fixedVersions[i], format)
+		v2, err2 := version.NewVersion(fixedVersions[j], format)
+		if err1 != nil || err2 != nil {
+			log.WithFields("package", p.Name).Trace("error while parsing version for sorting")
+			return false
+		}
+
+		packageConstraint, err := parseConstraint(fmt.Sprintf("<=%s", p.Version))
+		if err != nil {
+			return false
+		}
+
+		v1Satisfied := checkSatisfaction(packageConstraint, v1)
+		v2Satisfied := checkSatisfaction(packageConstraint, v2)
+
+		if v1Satisfied != v2Satisfied {
+			return !v1Satisfied
+		}
+
+		internalConstraint, err := parseConstraint(fmt.Sprintf("<=%s", v1.Raw))
+		if err != nil {
+			return false
+		}
+		return !checkSatisfaction(internalConstraint, v2)
+	})
+
+	return fixedVersions[0]
+}