add suggested fixed version #2271

Expand Up @@ -38,7 +38,8 @@
},
"found": {
"constraint": ">= 20"
}
},
"suggestedFixedVersion": "the-next-version"
}
],
"artifact": {
Expand Down Expand Up @@ -103,7 +104,8 @@
},
"found": {
"constraint": "somecpe"
}
},
"suggestedFixedVersion": ""
}
],
"artifact": {
Expand Up @@ -38,7 +38,8 @@
},
"found": {
"constraint": ">= 20"
}
},
"suggestedFixedVersion": "the-next-version"
}
],
"artifact": {
Expand Down Expand Up @@ -103,7 +104,8 @@
},
"found": {
"constraint": "somecpe"
}
},
"suggestedFixedVersion": ""
}
],
"artifact": {
77 changes: 69 additions & 8 deletions grype/presenter/models/match.go
Expand Up @@ -6,7 +6,9 @@ import (

"github.com/anchore/grype/grype/match"
"github.com/anchore/grype/grype/pkg"
"github.com/anchore/grype/grype/version"
"github.com/anchore/grype/grype/vulnerability"
"github.com/anchore/grype/internal/log"
)

// Match is a single item for the JSON array reported
Expand All @@ -19,10 +21,11 @@ type Match struct {

// MatchDetails contains all data that indicates how the result match was found
type MatchDetails struct {
Type string `json:"type"`
Matcher string `json:"matcher"`
SearchedBy interface{} `json:"searchedBy"` // The specific attributes that were used to search (other than package name and version) --this indicates "how" the match was made.
Found interface{} `json:"found"` // The specific attributes on the vulnerability object that were matched with --this indicates "what" was matched on / within.
Type string `json:"type"`
Matcher string `json:"matcher"`
SearchedBy interface{} `json:"searchedBy"` // The specific attributes that were used to search (other than package name and version) --this indicates "how" the match was made.
Found interface{} `json:"found"` // The specific attributes on the vulnerability object that were matched with --this indicates "what" was matched on / within.
SuggestedFixedVersion string `json:"suggestedFixedVersion"`
}

func newMatch(m match.Match, p pkg.Package, metadataProvider vulnerability.MetadataProvider) (*Match, error) {
Expand All @@ -43,12 +46,14 @@ func newMatch(m match.Match, p pkg.Package, metadataProvider vulnerability.Metad
}

details := make([]MatchDetails, len(m.Details))
suggestedFixedVersion := calculateSuggestedFixedVersion(p, m.Vulnerability.Fix.Versions)
for idx, d := range m.Details {
details[idx] = MatchDetails{
Type: string(d.Type),
Matcher: string(d.Matcher),
SearchedBy: d.SearchedBy,
Found: d.Found,
Type: string(d.Type),
Matcher: string(d.Matcher),
SearchedBy: d.SearchedBy,
Found: d.Found,
SuggestedFixedVersion: suggestedFixedVersion,
@kzantow kzantow Jan 24, 2025


I suspect this was discussed before, so apologies for suggesting it again... but what about having this be a slice, populated with all known upgrades, sorted from "smallest" to "largest". I might even call this field "Upgrades": iterate over all known fix versions, omit any fix versions less than the current software version. So fix[0] would be "the easiest" fix, but there would be potentially other upgrades you could do, like upgrading to an OpenJDK 21 from OpenJDK 11, for example. If you were on OpenJDK 11, suggesting OpenJDK 11.x rather than 21 seems less than ideal for something that seems to be a recommendation, even if it's probably the easiest fix. Using this same logic for the table view "fixed-in" would also seem to be a good idea.

}
}

Expand Down Expand Up @@ -93,3 +98,59 @@ func (m MatchSort) Less(i, j int) bool {
func (m MatchSort) Swap(i, j int) {
m[i], m[j] = m[j], m[i]
}

func calculateSuggestedFixedVersion(p pkg.Package, fixedVersions []string) string {
if len(fixedVersions) == 0 {
return ""
}

if len(fixedVersions) == 1 {
return fixedVersions[0]
}

format := version.FormatFromPkg(p)
parseConstraint := func(constStr string) (version.Constraint, error) {
constraint, err := version.GetConstraint(constStr, format)
if err != nil {
log.WithFields("package", p.Name).Trace("skipping sorting fixed versions")
}
return constraint, err
}

checkSatisfaction := func(constraint version.Constraint, v *version.Version) bool {
satisfied, err := constraint.Satisfied(v)
if err != nil {
log.WithFields("package", p.Name).Trace("error while checking version satisfaction for sorting")
}
return satisfied && err == nil
}

sort.SliceStable(fixedVersions, func(i, j int) bool {
v1, err1 := version.NewVersion(fixedVersions[i], format)
v2, err2 := version.NewVersion(fixedVersions[j], format)
if err1 != nil || err2 != nil {
log.WithFields("package", p.Name).Trace("error while parsing version for sorting")
return false
}

packageConstraint, err := parseConstraint(fmt.Sprintf("<=%s", p.Version))
if err != nil {
return false
}

v1Satisfied := checkSatisfaction(packageConstraint, v1)
v2Satisfied := checkSatisfaction(packageConstraint, v2)

if v1Satisfied != v2Satisfied {
return !v1Satisfied
}

internalConstraint, err := parseConstraint(fmt.Sprintf("<=%s", v1.Raw))
if err != nil {
return false
}
return !checkSatisfaction(internalConstraint, v2)
})

return fixedVersions[0]
}
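Review bot: `sort.SliceStable(fixedVersions, ...)` in calculateSuggestedFixedVersion reorders the slice it receives in place, and newMatch passes it `m.Vulnerability.Fix.Versions`, so building the presenter model silently reorders the match's own fix list; sort a copy instead, `fixedVersions = append([]string(nil), fixedVersions...)`, before the sort. The `<=p.Version` constraint is rebuilt and parsed on every comparison although it does not depend on i or j; hoisting it above `sort.SliceStable` also lets a parse failure return early instead of feeding a comparator that answers false for every pair (which leaves the order unchanged, so the early return gives the same result). Neither the new field nor the helper is documented; as the comparator reads, the struct field deserves `// SuggestedFixedVersion is the lowest known fix version newer than the installed package version ("" when no fix is known; the first listed fix when versions cannot be parsed).` `fmt` and `sort` do not appear in the visible part of the import hunk, so confirm they are already imported above it.
```go
	// Sort a copy so the caller's slice (m.Vulnerability.Fix.Versions) is left untouched.
	fixedVersions = append([]string(nil), fixedVersions...)

	format := version.FormatFromPkg(p)
	// … unchanged: parseConstraint and checkSatisfaction closures …

	// The installed-version constraint does not depend on i/j; parse it once, not per comparison.
	packageConstraint, err := parseConstraint(fmt.Sprintf("<=%s", p.Version))
	if err != nil {
		// Same outcome as a comparator that always answers false: the list keeps its original order.
		return fixedVersions[0]
	}

	sort.SliceStable(fixedVersions, func(i, j int) bool {
		// … unchanged: parse fixedVersions[i]/[j], compare against packageConstraint, tie-break by v1 …
	})

	return fixedVersions[0]
```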