Fix CPE update field handling for non-JVM packages #2845

ayham291 · 2025-08-01T21:17:30Z

Fix CPE update field handling for non-JVM packages

Problem

The CPE matching logic was only considering the update field for JVM packages, but it should also handle other packages where the update field contains important version information. For example, with NTP and OpenSSH:

cpe:2.3:a:ntp:ntp:4.2.8:p18:*:*:*:*:*:*

The current code would only use 4.2.8 for version matching, ignoring the p18 update field, which should be combined to form the complete version 4.2.8p18.

Solution

Created a general combineVersionAndUpdate function that handles CPE version and update field combinations for all package types
Updated MatchPackageByCPEs and filterCPEsByVersion functions to use the new general function
Maintained existing JVM-specific behavior using the original transformJvmVersion function
Added proper handling for wildcard/empty values to prevent incorrect combinations

Changes

Added: combineVersionAndUpdate function in grype/matcher/internal/cpe.go
Updated: CPE matching logic to use the new function for all package types

Testing

All existing tests pass
Added new test cases to verify correct behavior for non-JVM packages
Verified that JVM package behavior remains unchanged

Before

ntp                                            4.2.8p18                                  *4.2.8p9, 4.3.94  UnknownPackage  CVE-2016-7434     High      61.2% (98th)   41.0
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7704     High      57.0% (98th)   39.2
ntp                                            4.2.8p18                                  4.2.8, *4.3.94    UnknownPackage  CVE-2016-7426     High      47.2% (97th)   31.6
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7855     Medium    48.4% (97th)   24.8
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-7978     High      33.4% (96th)   23.0
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7705     Critical  25.7% (96th)   22.7
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-7979     High      22.5% (95th)   15.4
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-7433     Medium    28.3% (96th)   14.4
ntp                                            4.2.8p18                                  4.2.8, *4.3.93    UnknownPackage  CVE-2016-4953     High      19.2% (95th)   13.2
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-2516     Medium    23.4% (95th)   13.1
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-5300     High      17.8% (94th)   12.2
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-8140     Medium    23.5% (95th)   12.1
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7853     Critical  12.8% (93rd)   11.3
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-9311     Medium    19.4% (95th)   11.2
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-7429     Low       28.5% (96th)   10.0
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-8139     Medium    17.9% (94th)   9.1
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-8158     Medium    17.9% (94th)   9.1
ntp                                            4.2.8p18                                  4.2.8             UnknownPackage  CVE-2014-9750     Medium    11.5% (93rd)   6.2
ntp                                            4.2.8p18                                  4.2.8             UnknownPackage  CVE-2018-7185     High      8.8% (92nd)    6.1
ntp                                            4.2.8p18                                  4.2.8             UnknownPackage  CVE-2019-8936     High      8.7% (92nd)    6.0
ntp                                            4.2.8p18                                  4.3.90            UnknownPackage  CVE-2015-7977     Medium    11.6% (93rd)   5.9
ntp                                            4.2.8p18                                  4.2.8             UnknownPackage  CVE-2014-9751     Medium    9.7% (92nd)    5.7
ntp                                            4.2.8p18                                  4.2.8, *4.3.93    UnknownPackage  CVE-2016-4954     High      8.0% (91st)    5.5
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-9310     Medium    8.7% (92nd)    5.0
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7701     High      6.3% (90th)    4.3
ntp                                            4.2.8p18                                  4.2.8, *4.3.90    UnknownPackage  CVE-2015-7973     Medium    7.6% (91st)    4.2
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7691     High      5.7% (90th)    3.9
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-9312     High      5.7% (90th)    3.9
ntp                                            4.2.8p18                                  4.2.8, *4.3.94    UnknownPackage  CVE-2017-6458     High      4.9% (89th)    3.7
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-2519     Medium    7.1% (91st)    3.7
ntp                                            4.2.8p18                                  4.2.8, *4.3.90    UnknownPackage  CVE-2015-7974     High      5.1% (89th)    3.4
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7849     High      4.4% (88th)    3.3
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-8138     Medium    6.1% (90th)    3.1
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7692     High      4.2% (88th)    2.9
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7854     High      3.6% (87th)    2.7
ntp                                            4.2.8p18                                  4.2.8, *4.3.93    UnknownPackage  CVE-2016-4955     Medium    4.7% (88th)    2.4
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7703     High      3.2% (86th)    2.1
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-2517     Medium    3.8% (87th)    1.9
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-7976     Medium    4.2% (88th)    1.9
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7852     Medium    3.2% (86th)    1.6
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7850     Medium    2.6% (85th)    1.3
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2019-11331    High      1.4% (79th)    1.0
ntp                                            4.2.8p18                                  4.2.8, *4.3.93    UnknownPackage  CVE-2016-4956     Medium    2.0% (83rd)    1.0
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-5146     Medium    1.9% (82nd)    0.9
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2016-1547     Medium    1.3% (78th)    0.6
ntp                                            4.2.8p18                                  4.2.8, *4.3.92    UnknownPackage  CVE-2018-7170     Medium    1.3% (78th)    0.6
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7848     High      0.9% (74th)    0.6
ntp                                            4.2.8p18                                  4.2.8, *4.3.77    UnknownPackage  CVE-2015-7702     Medium    1.0% (75th)    0.5
ntp                                            4.2.8p18                                  4.3.100           UnknownPackage  CVE-2020-11868    High      0.6% (68th)    0.4
ntp                                            4.2.8p18                                  4.2.8, *4.3.92    UnknownPackage  CVE-2016-2518     Medium    0.8% (72nd)    0.4
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2015-7975     Medium    0.6% (69th)    0.3
ntp                                            4.2.8p18                                  4.2.8, *4.3.100   UnknownPackage  CVE-2020-13817    High      0.4% (58th)    0.3

After

ntp                                            4.2.8p18                                  *4.2.8p9, 4.3.94  UnknownPackage  CVE-2016-7434     High      61.2% (98th)   41.0
ntp                                            4.2.8p18                                                    UnknownPackage  CVE-2019-11331    High      1.4% (79th)    1.0

- Added a new function `combineVersionAndUpdate` to handle the combination of version and update fields for various package types. - Updated the `MatchPackageByCPEs` and `filterCPEsByVersion` functions to utilize the new logic, ensuring consistent version formatting across non-JVM and JVM packages. Signed-off-by: [email protected] <[email protected]> Signed-off-by: ayham291 <[email protected]>

ayham291 force-pushed the fix/cpe-update-field-handling-for-non-jvm-packages branch from 17efd5c to e51a35f Compare August 1, 2025 21:20

ayham291 force-pushed the fix/cpe-update-field-handling-for-non-jvm-packages branch from e51a35f to 0242bcc Compare August 1, 2025 21:21

ayham291 mentioned this pull request Aug 4, 2025

feat: detect patch numbers in fuzzy version comparison #2844

Merged

willmurphyscode added the needs-discussion label Aug 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix CPE update field handling for non-JVM packages #2845

Fix CPE update field handling for non-JVM packages #2845

Uh oh!

ayham291 commented Aug 1, 2025

Uh oh!

Uh oh!

Fix CPE update field handling for non-JVM packages #2845

Are you sure you want to change the base?

Fix CPE update field handling for non-JVM packages #2845

Uh oh!

Conversation

ayham291 commented Aug 1, 2025

Fix CPE update field handling for non-JVM packages

Problem

Solution

Changes

Testing

Before

After

Uh oh!

Uh oh!