create ignore regexs conditionally (#2805)

Signed-off-by: Alex Goodman <[email protected]>

Author: wagoodman

grype/db/v6/models_test.go

@@ -1,9 +1,9 @@
 package v6
 
 import (
-	"github.com/google/go-cmp/cmp"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

grype/match/ignore.go

@@ -222,13 +222,21 @@ func packageNameRegex(packageName string) (*regexp.Regexp, error) {
 }
 
 func ifPackageNameApplies(name string) ignoreCondition {
-	pattern, err := packageNameRegex(name)
-	if err != nil {
-		return func(Match) bool { return false }
-	}
+	// with enough ignore rules, we could end up needlessly creating a lot of regexes, which is not ideal.
+	// instead lets detect if the input string is a regex or not, and if it is, then compile it...
+	// otherwise, we can just do a simple string comparison
+	if isLikelyARegex(name) {
+		pattern, err := packageNameRegex(name)
+		if err != nil || pattern == nil {
+			return func(Match) bool { return false }
+		}
 
+		return func(match Match) bool {
+			return pattern.MatchString(match.Package.Name)
+		}
+	}
 	return func(match Match) bool {
-		return pattern.MatchString(match.Package.Name)
+		return name == match.Package.Name
 	}
 }
 
@@ -257,21 +265,43 @@ func ifPackageLocationApplies(location string) ignoreCondition {
 }
 
 func ifUpstreamPackageNameApplies(name string) ignoreCondition {
-	pattern, err := packageNameRegex(name)
-	if err != nil {
-		log.WithFields("name", name, "error", err).Debug("unable to parse name expression")
-		return func(Match) bool { return false }
+	// with enough ignore rules, we could end up needlessly creating a lot of regexes, which is not ideal.
+	// instead lets detect if the input string is a regex or not, and if it is, then compile it...
+	// otherwise, we can just do a simple string comparison
+	if isLikelyARegex(name) {
+		pattern, err := packageNameRegex(name)
+		if err != nil {
+			log.WithFields("name", name, "error", err).Debug("unable to parse name expression")
+			return func(Match) bool { return false }
+		}
+		return func(match Match) bool {
+			for _, upstream := range match.Package.Upstreams {
+				if pattern.MatchString(upstream.Name) {
+					return true
+				}
+			}
+			return false
+		}
 	}
 	return func(match Match) bool {
 		for _, upstream := range match.Package.Upstreams {
-			if pattern.MatchString(upstream.Name) {
+			if name == upstream.Name {
 				return true
 			}
 		}
 		return false
 	}
 }
 
+// isRegexPattern is a compiled regex that matches common regex characters. We intentionally leave out
+// the '.' character, as it is a common character in package names and versions, and we do not want to
+// treat it as a regex unless there is other evidence that it is a regex.
+var isRegexPattern = regexp.MustCompile(`[\^\$\*\+\?\[\]\(\)\{\}\|\\]|\\[dDwWsSnrtfv]`)
+
+func isLikelyARegex(s string) bool {
+	return isRegexPattern.MatchString(s)
+}
+
 func ifMatchTypeApplies(matchType Type) ignoreCondition {
 	return func(match Match) bool {
 		for _, mType := range match.Details.Types() {

grype/match/ignore_test.go

@@ -833,6 +833,274 @@ var (
 	}
 )
 
+func TestIsRegex(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		// simple strings that should NOT be detected as regex
+		{
+			name:     "simple string",
+			input:    "hello",
+			expected: false,
+		},
+		{
+			name:     "alphanumeric with dashes",
+			input:    "kernel-headers",
+			expected: false,
+		},
+		{
+			name:     "alphanumeric with underscores",
+			input:    "my_package_name",
+			expected: false,
+		},
+		{
+			name:     "version numbers",
+			input:    "1.2.3",
+			expected: false, // dots are no longer considered regex metacharacters
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: false,
+		},
+		{
+			name:     "spaces only",
+			input:    "   ",
+			expected: false,
+		},
+		{
+			name:     "numbers only",
+			input:    "12345",
+			expected: false,
+		},
+		{
+			name:     "letters and numbers",
+			input:    "abc123",
+			expected: false,
+		},
+		{
+			name:     "with slashes",
+			input:    "path/to/file",
+			expected: false,
+		},
+		{
+			name:     "with colons",
+			input:    "namespace:package",
+			expected: false,
+		},
+		{
+			name:     "with at symbol",
+			input:    "[email protected]",
+			expected: false, // dots are no longer considered regex metacharacters
+		},
+
+		// strings with regex metacharacters that SHOULD be detected as regex
+		{
+			name:     "caret at start",
+			input:    "^start",
+			expected: true,
+		},
+		{
+			name:     "dollar at end",
+			input:    "end$",
+			expected: true,
+		},
+		{
+			name:     "asterisk wildcard",
+			input:    "test*",
+			expected: true,
+		},
+		{
+			name:     "plus quantifier",
+			input:    "test+",
+			expected: true,
+		},
+		{
+			name:     "question mark",
+			input:    "test?",
+			expected: true,
+		},
+		{
+			name:     "dot wildcard",
+			input:    "test.",
+			expected: false, // dots are no longer considered regex metacharacters
+		},
+		{
+			name:     "square brackets",
+			input:    "test[abc]",
+			expected: true,
+		},
+		{
+			name:     "parentheses grouping",
+			input:    "(test)",
+			expected: true,
+		},
+		{
+			name:     "curly braces quantifier",
+			input:    "test{1,3}",
+			expected: true,
+		},
+		{
+			name:     "pipe alternation",
+			input:    "test|other",
+			expected: true,
+		},
+		{
+			name:     "backslash escape",
+			input:    "test\\",
+			expected: true,
+		},
+		{
+			name:     "multiple metacharacters",
+			input:    "^test.*$",
+			expected: true,
+		},
+		{
+			name:     "complex regex pattern",
+			input:    "kernel-headers.*",
+			expected: true,
+		},
+		{
+			name:     "anchored regex",
+			input:    "^kernel-headers$",
+			expected: true,
+		},
+		{
+			name:     "character class",
+			input:    "test[0-9]",
+			expected: true,
+		},
+
+		// escaped character classes
+		{
+			name:     "escaped digit",
+			input:    "\\d",
+			expected: true,
+		},
+		{
+			name:     "escaped non-digit",
+			input:    "\\D",
+			expected: true,
+		},
+		{
+			name:     "escaped word character",
+			input:    "\\w",
+			expected: true,
+		},
+		{
+			name:     "escaped non-word character",
+			input:    "\\W",
+			expected: true,
+		},
+		{
+			name:     "escaped whitespace",
+			input:    "\\s",
+			expected: true,
+		},
+		{
+			name:     "escaped non-whitespace",
+			input:    "\\S",
+			expected: true,
+		},
+		{
+			name:     "escaped newline",
+			input:    "\\n",
+			expected: true,
+		},
+		{
+			name:     "escaped carriage return",
+			input:    "\\r",
+			expected: true,
+		},
+		{
+			name:     "escaped tab",
+			input:    "\\t",
+			expected: true,
+		},
+		{
+			name:     "escaped form feed",
+			input:    "\\f",
+			expected: true,
+		},
+		{
+			name:     "escaped vertical tab",
+			input:    "\\v",
+			expected: true,
+		},
+		{
+			name:     "escaped character classes in longer string",
+			input:    "prefix\\dpostfix",
+			expected: true,
+		},
+		{
+			name:     "multiple escaped classes",
+			input:    "\\w+\\s*\\d+",
+			expected: true,
+		},
+
+		// edge cases
+		{
+			name:     "single backslash",
+			input:    "\\",
+			expected: true,
+		},
+		{
+			name:     "single caret",
+			input:    "^",
+			expected: true,
+		},
+		{
+			name:     "single dollar",
+			input:    "$",
+			expected: true,
+		},
+		{
+			name:     "single dot",
+			input:    ".",
+			expected: false, // dots are no longer considered regex metacharacters
+		},
+		{
+			name:     "backslash followed by regular character",
+			input:    "\\a",
+			expected: true, // backslash is still a metacharacter
+		},
+		{
+			name:     "backslash at end",
+			input:    "test\\",
+			expected: true,
+		},
+		{
+			name:     "mixed metacharacters and escaped classes",
+			input:    "^\\w+\\.\\d{2,}$",
+			expected: true,
+		},
+		{
+			name:     "real world package patterns",
+			input:    "linux-.*",
+			expected: true,
+		},
+		{
+			name:     "real world upstream patterns",
+			input:    "linux.*",
+			expected: true,
+		},
+		{
+			name:     "real world header patterns",
+			input:    "linux-.*-headers-.*",
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := isLikelyARegex(tt.input)
+			assert.Equal(t, tt.expected, got)
+		})
+	}
+}
+
 func TestShouldIgnore(t *testing.T) {
 	cases := []struct {
 		name     string