fix: EUS application with multiple advisories (#2841)

Signed-off-by: Keith Zantow <[email protected]>

Author: kzantow

grype/matcher/rpm/rhel_eus.go

@@ -72,9 +72,7 @@ func redhatEUSMatches(provider result.Provider, searchPkg pkg.Package) ([]match.
 		search.ByPackageName(searchPkg.Name),
 		search.ByDistro(distroWithoutEUS), // e.g.  >= 9.0 && < 10 (no EUS channel)
 		internal.OnlyQualifiedPackages(searchPkg),
-		// note: we could apply a version constraint here (there would be no functional issue with this) but
-		// the current approach taken is to allow fixes from mainline disclosures to be accounted for in the final
-		// merge step below.
+		internal.OnlyVulnerableVersions(pkgVersion), // if these records indicate the version of the package is not vulnerable, do not include them
 	)
 	if err != nil {
 		return nil, fmt.Errorf("matcher failed to fetch disclosures for distro=%q pkg=%q: %w", searchPkg.Distro, searchPkg.Name, err)
@@ -98,12 +96,17 @@ func redhatEUSMatches(provider result.Provider, searchPkg pkg.Package) ([]match.
 		return nil, fmt.Errorf("matcher failed to fetch resolutions for distro=%q pkg=%q: %w", searchPkg.Distro, searchPkg.Name, err)
 	}
 
+	eusFixes := resolutions.Filter(search.ByFixedVersion(*pkgVersion))
+
+	// remove EUS fixed vulns for this version
+	remaining := disclosures.Remove(eusFixes)
+
 	// combine disclosures and fixes so that:
 	// a. disclosures that have EUS fixes that resolve the disclosure for an earlier version of the package (thus we're not vulnerable) are removed.
 	// b. disclosures that have EUS fixes that resolve the disclosure for future versions of the package (thus we're vulnerable) are kept.
 	// c. all fixes from the incoming resolutions are patched onto the disclosures in the returned collection, so the
 	//    final set of vulnerabilities is a fused set of disclosures and fixes together.
-	remaining := disclosures.Merge(resolutions, mergeEUSAdvisoriesIntoMainDisclosures(pkgVersion, false))
+	remaining = remaining.Merge(resolutions, mergeEUSAdvisoriesIntoMainDisclosures(pkgVersion, false))
 
 	return remaining.ToMatches(), err
 }

grype/matcher/rpm/rhel_eus_test.go

@@ -1117,6 +1117,51 @@ func TestRedhatEUSMatches(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:       "multiple advisories with mixed fix state relative to search package",
+			catalogPkg: testPkg1,
+			disclosureVulns: []vulnerability.Vulnerability{
+				{
+					Reference: vulnerability.Reference{
+						ID:        "CVE-2021-1",
+						Namespace: "namespace",
+					},
+					PackageName: "test-pkg", // direct match
+					Constraint:  version.MustGetConstraint("", version.RpmFormat),
+					Fix: vulnerability.Fix{
+						State:    vulnerability.FixStateUnknown,
+						Versions: []string{},
+					},
+				},
+			},
+			resolutionVulns: []vulnerability.Vulnerability{
+				{
+					Reference: vulnerability.Reference{
+						ID:        "CVE-2021-1",
+						Namespace: "namespace",
+					},
+					PackageName: "test-pkg", // direct match
+					Constraint:  version.MustGetConstraint("< 1.5.0", version.RpmFormat),
+					Fix: vulnerability.Fix{
+						State:    vulnerability.FixStateFixed,
+						Versions: []string{"1.5.0"},
+					},
+				},
+				{
+					Reference: vulnerability.Reference{
+						ID:        "CVE-2021-1",
+						Namespace: "namespace",
+					},
+					PackageName: "test-pkg", // direct match
+					Constraint:  version.MustGetConstraint("< 1.0.0", version.RpmFormat),
+					Fix: vulnerability.Fix{
+						State:    vulnerability.FixStateFixed,
+						Versions: []string{"1.0.0"},
+					},
+				},
+			},
+			want: []match.Match{},
+		},
 		{
 			name:            "error fetching disclosures",
 			catalogPkg:      testPkg1,

grype/search/version_constraint.go

@@ -57,6 +57,30 @@ func (v VersionCriteria) criteria(constraint version.Constraint) (bool, error) {
 	return satisfied, nil
 }
 
+// ByFixedVersion returns criteria which constrains vulnerabilities to those that are fixed based on the provided version,
+// in other words: vulnerabilities where the fix version is less than v
+func ByFixedVersion(v version.Version) vulnerability.Criteria {
+	return &funcCriteria{
+		func(vuln vulnerability.Vulnerability) (bool, string, error) {
+			var err error
+			if vuln.Fix.State != vulnerability.FixStateFixed {
+				return false, "", nil
+			}
+			for _, fixVersion := range vuln.Fix.Versions {
+				cmp, e := version.New(fixVersion, v.Format).Compare(&v)
+				if e != nil {
+					err = e
+				}
+				if cmp <= 0 {
+					// fix version is less than or equal to the provided version, so is considered fixed
+					return true, fmt.Sprintf("fix version %v is less than %v", v, fixVersion), err
+				}
+			}
+			return false, "", err
+		},
+	}
+}
+
 // ByVersion returns criteria which constrains vulnerabilities to those with matching version constraints
 func ByVersion(v version.Version) vulnerability.Criteria {
 	return &VersionCriteria{

grype/search/version_constraint_test.go

@@ -100,3 +100,83 @@ func Test_ByConstraintFunc(t *testing.T) {
 		})
 	}
 }
+
+func Test_ByFixedVersion(t *testing.T) {
+	tests := []struct {
+		name    string
+		version string
+		input   vulnerability.Vulnerability
+		matches bool
+	}{
+		{
+			name:    "fixed version is lower",
+			version: "1.1.0",
+			input: vulnerability.Vulnerability{
+				Fix: vulnerability.Fix{
+					Versions: []string{"1.0.0"},
+					State:    vulnerability.FixStateFixed,
+				},
+			},
+			matches: true,
+		},
+		{
+			name:    "fixed version is equal",
+			version: "1.1.0",
+			input: vulnerability.Vulnerability{
+				Fix: vulnerability.Fix{
+					Versions: []string{"1.1.0"},
+					State:    vulnerability.FixStateFixed,
+				},
+			},
+			matches: true,
+		},
+		{
+			name:    "one of multiple fix versions matches",
+			version: "1.1.0",
+			input: vulnerability.Vulnerability{
+				Fix: vulnerability.Fix{
+					Versions: []string{"1.0.0", "1.2.0"},
+					State:    vulnerability.FixStateFixed,
+				},
+			},
+			matches: true,
+		},
+		{
+			name:    "fixed version is higher",
+			version: "1.1.0",
+			input: vulnerability.Vulnerability{
+				Fix: vulnerability.Fix{
+					Versions: []string{"1.2.0"},
+					State:    vulnerability.FixStateFixed,
+				},
+			},
+			matches: false,
+		},
+		{
+			name:    "no fix versions",
+			version: "1.1.0",
+			input: vulnerability.Vulnerability{
+				Fix: vulnerability.Fix{
+					Versions: []string{},
+					State:    vulnerability.FixStateWontFix,
+				},
+			},
+			matches: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			v := version.New(tt.version, version.SemanticFormat)
+			constraint := ByFixedVersion(*v)
+			matches, reason, err := constraint.MatchesVulnerability(tt.input)
+			require.NoError(t, err)
+			assert.Equal(t, tt.matches, matches)
+			if matches {
+				assert.NotEmpty(t, reason)
+			} else {
+				assert.Empty(t, reason)
+			}
+		})
+	}
+}