use epoch from metadata when missing from version string

Signed-off-by: Alex Goodman <[email protected]>
anchore · Oct 14, 2024 · 20bcca7 · 20bcca7
1 parent c87f4a0
commit 20bcca7
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 12 deletions.
diff --git a/grype/matcher/rpm/matcher.go b/grype/matcher/rpm/matcher.go
@@ -126,7 +126,7 @@ func (m *Matcher) matchPackage(store vulnerability.ProviderByDistro, d *distro.D
 	// we want to ensure that the version ALWAYS has an epoch specified...
 	originalPkg := p
 
-	p.Version = addZeroEpicIfApplicable(p.Version)
+	addEpochIfApplicable(&p)
 
 	matches, err := search.ByPackageDistro(store, d, p, m.Type())
 	if err != nil {
@@ -141,9 +141,18 @@ func (m *Matcher) matchPackage(store vulnerability.ProviderByDistro, d *distro.D
 	return matches, nil
 }
 
-func addZeroEpicIfApplicable(version string) string {
-	if strings.Contains(version, ":") {
-		return version
+func addEpochIfApplicable(p *pkg.Package) {
+	meta, ok := p.Metadata.(pkg.RpmMetadata)
+	version := p.Version
+	switch {
+	case strings.Contains(version, ":"):
+		// we already have an epoch embedded in the version string
+		return
+	case ok && meta.Epoch != nil:
+		// we have an explicit epoch in the metadata
+		p.Version = fmt.Sprintf("%d:%s", *meta.Epoch, version)
+	default:
+		// no epoch was found, so we will add one
+		p.Version = "0:" + version
 	}
-	return "0:" + version
 }
diff --git a/grype/matcher/rpm/matcher_test.go b/grype/matcher/rpm/matcher_test.go
@@ -360,24 +360,52 @@ func TestMatcherRpm(t *testing.T) {
 	}
 }
 
-func Test_addZeroEpicIfApplicable(t *testing.T) {
+func Test_addEpochIfApplicable(t *testing.T) {
 	tests := []struct {
-		version  string
+		name     string
+		pkg      pkg.Package
 		expected string
 	}{
 		{
-			version:  "3.26.0-6.el8",
+			name: "assume 0 epoch",
+			pkg: pkg.Package{
+				Version: "3.26.0-6.el8",
+			},
 			expected: "0:3.26.0-6.el8",
 		},
 		{
-			version:  "7:3.26.0-6.el8",
+			name: "epoch already exists in version string",
+			pkg: pkg.Package{
+				Version: "7:3.26.0-6.el8",
+			},
+			expected: "7:3.26.0-6.el8",
+		},
+		{
+			name: "epoch only exists in metadata",
+			pkg: pkg.Package{
+				Version: "3.26.0-6.el8",
+				Metadata: pkg.RpmMetadata{
+					Epoch: intRef(7),
+				},
+			},
 			expected: "7:3.26.0-6.el8",
 		},
+		{
+			name: "epoch does not exist in metadata",
+			pkg: pkg.Package{
+				Version: "3.26.0-6.el8",
+				Metadata: pkg.RpmMetadata{
+					Epoch: nil,
+				},
+			},
+			expected: "0:3.26.0-6.el8",
+		},
 	}
 	for _, test := range tests {
-		t.Run(test.version, func(t *testing.T) {
-			actualVersion := addZeroEpicIfApplicable(test.version)
-			assert.Equal(t, test.expected, actualVersion)
+		t.Run(test.name, func(t *testing.T) {
+			p := test.pkg
+			addEpochIfApplicable(&p)
+			assert.Equal(t, test.expected, p.Version)
 		})
 	}
 }