quay · crozzy · May 16, 2025
@@ -109,6 +109,9 @@ func (mc *Controller) dbFilter() (bool, bool) {
 func (mc *Controller) findInterested(records []*claircore.IndexRecord) []*claircore.IndexRecord {
 	out := []*claircore.IndexRecord{}
 	for _, record := range records {
+		if record.Package.NormalizedVersion.Kind == claircore.UnmatchableKind {
+			continue
+		}
 		if mc.m.Filter(record) {
 			out = append(out, record)
 		}

@@ -118,6 +118,16 @@ func TestSimple(t *testing.T) {
 				Original: "4-22",
 			},
 		},
+		{
+			Name: "tester",
+			In:   "1742843776",
+			Err:  false,
+			Want: Version{
+				Major:    1742843776,
+				Minor:    0,
+				Original: "1742843776",
+			},
+		},
 	}
 
 	for _, tc := range tt {

@@ -48,7 +48,7 @@ func (m *Matcher) Query() []driver.MatchConstraint {
 // added "ANY" attributes from the pattern.
 //
 // TODO(crozzy) Remove once RH VEX data updates CPEs with standard matching expressions.
-func isCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool {
+func IsCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool {
 	return strings.HasPrefix(recordCPE.String(), strings.TrimRight(vulnCPE.String(), ":*"))
 }
 
@@ -75,7 +75,7 @@ func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord,
 			Msg("unable to unbind repo CPE")
 		return false, nil
 	}
-	if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !isCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
+	if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !IsCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
 		return false, nil
 	}
 

@@ -288,7 +288,7 @@ func TestIsCPEStringSubsetMatch(t *testing.T) {
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
 			tt := tc
-			matched := isCPESubstringMatch(tt.recordCPE, tt.vulnCPE)
+			matched := IsCPESubstringMatch(tt.recordCPE, tt.vulnCPE)
 			if matched != tt.match {
 				t.Errorf("unexpected matching %s and %s", tt.recordCPE, tt.vulnCPE)
 			}

@@ -15,13 +15,17 @@ func (c *coalescer) Coalesce(ctx context.Context, ls []*indexer.LayerArtifacts)
 	if ctx.Err() != nil {
 		return nil, ctx.Err()
 	}
+
 	ir := &claircore.IndexReport{
 		Environments: map[string][]*claircore.Environment{},
 		Packages:     map[string]*claircore.Package{},
 		Repositories: map[string]*claircore.Repository{},
 	}
 
-	for _, l := range ls {
+	// We need to find the last layer that has rhcc content.
+	lastRHCCLayer := true
+	for i := len(ls) - 1; i >= 0; i-- {
+		l := ls[i]
 		if len(l.Repos) == 0 {
 			continue
 		}
@@ -34,7 +38,14 @@ func (c *coalescer) Coalesce(ctx context.Context, ls []*indexer.LayerArtifacts)
 			if pkg.RepositoryHint != `rhcc` {
 				continue
 			}
+			if !lastRHCCLayer {
+				// Discount the package for matching by setting its
+				// NormalizedVersion.Kind to UnmatchableKind.
+				pkg.NormalizedVersion.Kind = claircore.UnmatchableKind
+			}
+
 			ir.Packages[pkg.ID] = pkg
+
 			ir.Environments[pkg.ID] = []*claircore.Environment{
 				{
 					PackageDB:     pkg.PackageDB,
@@ -43,6 +54,7 @@ func (c *coalescer) Coalesce(ctx context.Context, ls []*indexer.LayerArtifacts)
 				},
 			}
 		}
+		lastRHCCLayer = false
 	}
 	return ir, nil
 }
@@ -2,7 +2,7 @@ package rhcc
 
 import (
 	"context"
-	"strconv"
+	"encoding/json"
 	"testing"
 
 	"github.com/quay/zlog"
@@ -16,60 +16,97 @@ func TestCoalescer(t *testing.T) {
 	t.Parallel()
 	ctx := zlog.Test(context.Background(), t)
 	coalescer := &coalescer{}
-	pkgs := test.GenUniquePackages(6)
-	for _, p := range pkgs {
-		// Mark them as if they came from this package's package scanner
-		p.RepositoryHint = `rhcc`
-	}
 	repo := []*claircore.Repository{&GoldRepo}
+	repo[0].ID = "1" // Assign it an ID and check it later.
 	layerArtifacts := []*indexer.LayerArtifacts{
 		{
 			Hash: test.RandomSHA256Digest(t),
-			Pkgs: pkgs[:1],
 		},
 		{
 			Hash: test.RandomSHA256Digest(t),
-			Pkgs: pkgs[:2],
 		},
 		{
-			Hash:  test.RandomSHA256Digest(t),
-			Pkgs:  pkgs[:3],
+			Hash: test.RandomSHA256Digest(t),
+			Pkgs: []*claircore.Package{
+				{
+					ID:             "1",
+					Name:           "ubi8",
+					Version:        "8.4",
+					RepositoryHint: "rhcc",
+					Kind:           claircore.BINARY,
+					Arch:           "x86_64",
+					PackageDB:      "Dockerfile-rhacm",
+					Source: &claircore.Package{
+						ID:        "3",
+						Name:      "ubi8-container",
+						Version:   "8.10-1088",
+						Kind:      claircore.SOURCE,
+						Arch:      "x86_64",
+						PackageDB: "Dockerfile-rhacm",
+					},
+				},
+			},
 			Repos: repo,
 		},
 		{
 			Hash: test.RandomSHA256Digest(t),
-			Pkgs: pkgs[:4],
 		},
 		{
-			Hash:  test.RandomSHA256Digest(t),
-			Pkgs:  pkgs[:5],
+			Hash: test.RandomSHA256Digest(t),
+			Pkgs: []*claircore.Package{
+				{
+					ID:             "2",
+					Name:           "rhacm2/acm-grafana-rhel8",
+					Version:        "v2.9.5-8",
+					RepositoryHint: "rhcc",
+					Kind:           claircore.BINARY,
+					Arch:           "x86_64",
+					PackageDB:      "Dockerfile-rhacm",
+					Source: &claircore.Package{
+						ID:        "4",
+						Name:      "acm-grafana-container",
+						Version:   "v2.9.5-8",
+						Kind:      claircore.SOURCE,
+						Arch:      "x86_64",
+						PackageDB: "Dockerfile-rhacm",
+					},
+				},
+			},
 			Repos: repo,
 		},
 		{
 			Hash: test.RandomSHA256Digest(t),
-			Pkgs: pkgs,
 		},
 	}
 	ir, err := coalescer.Coalesce(ctx, layerArtifacts)
 	if err != nil {
 		t.Fatalf("received error from coalesce method: %v", err)
 	}
-	// Expect 0-5 to have gotten associated with the repository.
-	for i := range pkgs {
-		es, ok := ir.Environments[strconv.Itoa(i)]
-		if !ok && i == 5 {
-			// Left out the last package.
-			continue
-		}
-		e := es[0]
-		if len(e.RepositoryIDs) == 0 {
-			t.Error("expected some repositories")
-		}
-		for _, id := range e.RepositoryIDs {
-			r := ir.Repositories[id]
-			if got, want := r.Name, GoldRepo.Name; got != want {
-				t.Errorf("got: %q, want: %q", got, want)
-			}
+	report, err := json.MarshalIndent(ir, "", "  ")
+	if err != nil {
+		t.Fatalf("failed to marshal index report: %v", err)
+	}
+	t.Log(string(report))
+	// Check that index report only has the package found in the last layer
+	// that has rhcc content.
+	if len(ir.Packages) != 2 {
+		t.Errorf("expected 1 package, got %d", len(ir.Packages))
+	}
+	if len(ir.Environments["2"]) != 1 {
+		t.Errorf("expected 1 environment, got %d", len(ir.Environments["2"]))
+	}
+	if len(ir.Environments["2"][0].RepositoryIDs) != 1 {
+		t.Errorf("expected 1 repository, got %d", len(ir.Environments["2"][0].RepositoryIDs))
+	}
+	if ir.Environments["2"][0].RepositoryIDs[0] != "1" {
+		t.Errorf("expected repository ID 1, got %s", ir.Environments["2"][0].RepositoryIDs[0])
+	}
+	if len(ir.Repositories) != 1 {
+		t.Errorf("expected 1 repository, got %d", len(ir.Repositories))
+	}
+	for _, repo := range ir.Repositories {
+		if repo.Key != RepositoryKey {
+			t.Errorf("expected repository key %s, got %s", RepositoryKey, repo.Key)
 		}
 	}
 }
@@ -8,6 +8,8 @@ import (
 
 	"github.com/quay/claircore"
 	"github.com/quay/claircore/libvuln/driver"
+	"github.com/quay/claircore/rhel"
+	"github.com/quay/claircore/toolkit/types/cpe"
 )
 
 // Matcher is an instance of the rhcc matcher. It's exported so it can be used
@@ -26,16 +28,31 @@ func (*matcher) Name() string { return "rhel-container-matcher" }
 // Filter implements [driver.Matcher].
 func (*matcher) Filter(r *claircore.IndexRecord) bool {
 	return r.Repository != nil &&
-		r.Repository.Name == GoldRepo.Name
+		r.Repository.Key == RepositoryKey
 }
 
 // Query implements [driver.Matcher].
 func (*matcher) Query() []driver.MatchConstraint {
-	return []driver.MatchConstraint{driver.RepositoryName}
+	return []driver.MatchConstraint{driver.RepositoryKey}
 }
 
 // Vulnerable implements [driver.Matcher].
 func (*matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
+	var err error
+	if record.Repository.Name != GoldRepo.Name {
+		// This is not a gold repo record, so we need to check if the CPE matches.
+		vuln.Repo.CPE, err = cpe.Unbind(vuln.Repo.Name)
+		if err != nil {
+			zlog.Warn(ctx).
+				Str("vulnerability name", vuln.Name).
+				Err(err).
+				Msg("unable to unbind repo CPE")
+			return false, nil
+		}
+		if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !rhel.IsCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
+			return false, nil
+		}
+	}
 	pkgVer, fixedInVer := rpmVersion.NewVersion(record.Package.Version), rpmVersion.NewVersion(vuln.FixedInVersion)
 	zlog.Debug(ctx).
 		Str("record", record.Package.Version).

@@ -8,9 +8,12 @@ import (
 	"github.com/quay/claircore"
 )
 
+const RepositoryKey = "rhcc-container-repository"
+
 // GoldRepo is the claircore.Repository that every RHCC index record is associated with.
 // It is also the claircore.Repository that is associated with OCI VEX vulnerabilities.
 var GoldRepo = claircore.Repository{
 	Name: "Red Hat Container Catalog",
 	URI:  `https://catalog.redhat.com/software/containers/explore`,
+	Key:  RepositoryKey,
 }