fix: check unescaped BomRef when matching PkgIdentifier (#6025)

DmitriyLewen · knqyf263 · web-flow · commit 6ccc0a554b07 · 2024-02-06T11:09:53.000Z
Signed-off-by: knqyf263 &lt;knqyf263@gmail.com&gt;
Co-authored-by: knqyf263 &lt;knqyf263@gmail.com&gt;
diff --git a/pkg/fanal/types/artifact.go b/pkg/fanal/types/artifact.go
@@ -2,6 +2,7 @@ package types
 
 import (
 	"encoding/json"
+	"strings"
 	"time"
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -156,6 +157,13 @@ func (id *PkgIdentifier) Empty() bool {
 }
 
 func (id *PkgIdentifier) Match(s string) bool {
+	// Encode string as PURL
+	if strings.HasPrefix(s, "pkg:") {
+		if p, err := packageurl.FromString(s); err == nil {
+			s = p.String()
+		}
+	}
+
 	switch {
 	case id.BOMRef == s:
 		return true
diff --git a/pkg/vex/testdata/cyclonedx.json b/pkg/vex/testdata/cyclonedx.json
@@ -18,6 +18,27 @@
           "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0"
         }
       ]
+    },
+    {
+      "id": "CVE-2022-27943",
+      "source": {
+        "name": "ubuntu",
+        "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+      },
+      "affects": [
+        {
+          "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+          "versions": [
+            {
+              "version": "12.3.0-1ubuntu1~22.04",
+              "status": "affected"
+            }
+          ]
+        }
+      ],
+      "analysis": {
+        "state": "not_affected"
+      }
     }
   ]
 }
diff --git a/pkg/vex/vex_test.go b/pkg/vex/vex_test.go
@@ -149,6 +149,31 @@ func TestVEX_Filter(t *testing.T) {
 							},
 						},
 					},
+					{
+						VulnerabilityID:  "CVE-2022-27943",
+						PkgID:            "libstdc++6@12.3.0-1ubuntu1~22.04",
+						PkgName:          "libstdc++6",
+						InstalledVersion: "12.3.0-1ubuntu1~22.04",
+						PkgIdentifier: ftypes.PkgIdentifier{
+							BOMRef: "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?distro=ubuntu-22.04&arch=amd64",
+							PURL: &packageurl.PackageURL{
+								Type:      packageurl.TypeDebian,
+								Namespace: "ubuntu",
+								Name:      "libstdc++6",
+								Version:   "12.3.0-1ubuntu1~22.04",
+								Qualifiers: []packageurl.Qualifier{
+									{
+										Key:   "arch",
+										Value: "amd64",
+									},
+									{
+										Key:   "distro",
+										Value: "ubuntu-22.04",
+									},
+								},
+							},
+						},
+					},
 				},
 			},
 			want: []types.DetectedVulnerability{

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,27 @@`
`18`	`18`	`"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/[email protected]"`
`19`	`19`	`}`
`20`	`20`	`]`
	`21`	`+ },`
	`22`	`+ {`
	`23`	`+ "id": "CVE-2022-27943",`
	`24`	`+ "source": {`
	`25`	`+ "name": "ubuntu",`
	`26`	`+ "url": "https://git.launchpad.net/ubuntu-cve-tracker"`
	`27`	`+ },`
	`28`	`+ "affects": [`
	`29`	`+ {`
	`30`	`+ "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:deb/ubuntu/libstdc%2B%[email protected]~22.04?arch=amd64&distro=ubuntu-22.04",`
	`31`	`+ "versions": [`
	`32`	`+ {`
	`33`	`+ "version": "12.3.0-1ubuntu1~22.04",`
	`34`	`+ "status": "affected"`
	`35`	`+ }`
	`36`	`+ ]`
	`37`	`+ }`
	`38`	`+ ],`
	`39`	`+ "analysis": {`
	`40`	`+ "state": "not_affected"`
	`41`	`+ }`
`21`	`42`	`}`
`22`	`43`	`]`
`23`	`44`	`}`