fix deprecated VulnerabilityMetadata with direct references since m.vulnerability now contains the metadata

Signed-off-by: Kyle Steere <[email protected]>

Author: kbsteere

pkg/scan/apk.go

@@ -353,10 +353,7 @@ func (s *Scanner) APKSBOM(ctx context.Context, ssbom *sbomSyft.SBOM) (*Result, e
 			continue
 		}
 
-		finding, err := mapMatchToFinding(m, s.vulnProvider)
-		if err != nil {
-			return nil, fmt.Errorf("failed to map match to finding: %w", err)
-		}
+		finding := mapMatchToFinding(m)
 		if finding == nil {
 			return nil, fmt.Errorf("failed to map match to finding: nil")
 		}

pkg/scan/finding.go

@@ -1,7 +1,6 @@
 package scan
 
 import (
-	"fmt"
 	"sort"
 	"strings"
 
@@ -84,36 +83,16 @@ type TriageAssessment struct {
 	Reason string
 }
 
-func mapMatchToFinding(m match.Match, vulnProvider vulnerability.Provider) (*Finding, error) {
-	metadata, err := vulnProvider.VulnerabilityMetadata(m.Vulnerability.Reference)
-	if err != nil {
-		return nil, fmt.Errorf("retrieving metadata for vulnerability %s (%s): %w", m.Vulnerability.ID, m.Vulnerability.Namespace, err)
-	}
-
-	var relatedMetadatas []*vulnerability.Metadata
-	for _, relatedRef := range m.Vulnerability.RelatedVulnerabilities {
-		relatedMetadata, err := vulnProvider.VulnerabilityMetadata(relatedRef)
-		if err != nil {
-			return nil, fmt.Errorf("retrieving metadata for related vulnerability %s (%s): %w", relatedRef.ID, relatedRef.Namespace, err)
-		}
-		if relatedMetadata == nil {
-			continue
-		}
-		relatedMetadatas = append(relatedMetadatas, relatedMetadata)
-	}
-
+func mapMatchToFinding(m match.Match) *Finding {
 	var aliases []string
-	for _, rel := range relatedMetadatas {
-		if rel == nil {
-			continue
-		}
-		if rel.ID == m.Vulnerability.ID {
+	for _, relatedRef := range m.Vulnerability.RelatedVulnerabilities {
+		if relatedRef.ID == m.Vulnerability.ID {
 			// Don't count the matched vulnerability ID as its own alias. In v0.88.0, Grype
 			// began listing vulnerabilities as their own related vulnerabilities, and we
 			// filed a bug here: https://github.com/anchore/grype/issues/2514
 			continue
 		}
-		aliases = append(aliases, rel.ID)
+		aliases = append(aliases, relatedRef.ID)
 	}
 
 	// Filter locations to only include those marked as "primary evidence"
@@ -141,13 +120,13 @@ func mapMatchToFinding(m match.Match, vulnProvider vulnerability.Provider) (*Fin
 		},
 		Vulnerability: Vulnerability{
 			ID:           m.Vulnerability.ID,
-			Severity:     metadata.Severity,
+			Severity:     m.Vulnerability.Metadata.Severity,
 			Aliases:      aliases,
 			FixedVersion: getFixedVersion(m.Vulnerability),
 		},
 	}
 
-	return f, nil
+	return f
 }
 
 func getFixedVersion(vuln vulnerability.Vulnerability) string {

pkg/scan/finding_test.go

@@ -0,0 +1,272 @@
+package scan
+
+import (
+	"testing"
+
+	"github.com/anchore/grype/grype/match"
+	"github.com/anchore/grype/grype/pkg"
+	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/anchore/syft/syft/file"
+	syftPkg "github.com/anchore/syft/syft/pkg"
+)
+
+func TestMapMatchToFinding(t *testing.T) {
+	tests := []struct {
+		name  string
+		match match.Match
+		want  *Finding
+	}{
+		{
+			name: "basic vulnerability with metadata",
+			match: match.Match{
+				Vulnerability: vulnerability.Vulnerability{
+					Reference: vulnerability.Reference{
+						ID:        "CVE-2023-1234",
+						Namespace: "nvd:cpe",
+					},
+					PackageName: "test-package",
+					Fix: vulnerability.Fix{
+						State:    vulnerability.FixStateFixed,
+						Versions: []string{"1.0.1"},
+					},
+					RelatedVulnerabilities: []vulnerability.Reference{},
+					Metadata: &vulnerability.Metadata{
+						ID:       "CVE-2023-1234",
+						Severity: "high",
+					},
+				},
+				Package: pkg.Package{
+					ID:      pkg.ID("pkg-123"),
+					Name:    "test-package",
+					Version: "1.0.0",
+					Type:    syftPkg.ApkPkg,
+					PURL:    "pkg:apk/wolfi/[email protected]",
+					Locations: file.NewLocationSet(
+						file.NewLocation("/usr/bin/test"),
+					),
+				},
+			},
+			want: &Finding{
+				Package: Package{
+					ID:       "pkg-123",
+					Name:     "test-package",
+					Version:  "1.0.0",
+					Type:     "apk",
+					Location: "/usr/bin/test",
+					PURL:     "pkg:apk/wolfi/[email protected]",
+				},
+				Vulnerability: Vulnerability{
+					ID:           "CVE-2023-1234",
+					Severity:     "high",
+					Aliases:      []string{},
+					FixedVersion: "1.0.1",
+				},
+			},
+		},
+		{
+			name: "vulnerability with related vulnerabilities (aliases)",
+			match: match.Match{
+				Vulnerability: vulnerability.Vulnerability{
+					Reference: vulnerability.Reference{
+						ID:        "CVE-2023-1234",
+						Namespace: "nvd:cpe",
+					},
+					PackageName: "test-package",
+					Fix: vulnerability.Fix{
+						State:    vulnerability.FixStateFixed,
+						Versions: []string{"1.0.1"},
+					},
+					RelatedVulnerabilities: []vulnerability.Reference{
+						{
+							ID:        "GHSA-xxxx-yyyy-zzzz",
+							Namespace: "github:language:go",
+						},
+						{
+							ID:        "CVE-2023-5678",
+							Namespace: "nvd:cpe",
+						},
+					},
+					Metadata: &vulnerability.Metadata{
+						ID:       "CVE-2023-1234",
+						Severity: "high",
+					},
+				},
+				Package: pkg.Package{
+					ID:      pkg.ID("pkg-123"),
+					Name:    "test-package",
+					Version: "1.0.0",
+					Type:    syftPkg.ApkPkg,
+					PURL:    "pkg:apk/wolfi/[email protected]",
+					Locations: file.NewLocationSet(
+						file.NewLocation("/usr/bin/test"),
+					),
+				},
+			},
+			want: &Finding{
+				Package: Package{
+					ID:       "pkg-123",
+					Name:     "test-package",
+					Version:  "1.0.0",
+					Type:     "apk",
+					Location: "/usr/bin/test",
+					PURL:     "pkg:apk/wolfi/[email protected]",
+				},
+				Vulnerability: Vulnerability{
+					ID:           "CVE-2023-1234",
+					Severity:     "high",
+					Aliases:      []string{"GHSA-xxxx-yyyy-zzzz", "CVE-2023-5678"},
+					FixedVersion: "1.0.1",
+				},
+			},
+		},
+		{
+			name: "vulnerability with self-referencing related vulnerability (should be filtered)",
+			match: match.Match{
+				Vulnerability: vulnerability.Vulnerability{
+					Reference: vulnerability.Reference{
+						ID:        "CVE-2023-1234",
+						Namespace: "nvd:cpe",
+					},
+					PackageName: "test-package",
+					Fix: vulnerability.Fix{
+						State:    vulnerability.FixStateFixed,
+						Versions: []string{"1.0.1"},
+					},
+					RelatedVulnerabilities: []vulnerability.Reference{
+						{
+							ID:        "CVE-2023-1234", // Same as main vulnerability
+							Namespace: "nvd:cpe",
+						},
+						{
+							ID:        "GHSA-xxxx-yyyy-zzzz",
+							Namespace: "github:language:go",
+						},
+					},
+					Metadata: &vulnerability.Metadata{
+						ID:       "CVE-2023-1234",
+						Severity: "high",
+					},
+				},
+				Package: pkg.Package{
+					ID:      pkg.ID("pkg-123"),
+					Name:    "test-package",
+					Version: "1.0.0",
+					Type:    syftPkg.ApkPkg,
+					PURL:    "pkg:apk/wolfi/[email protected]",
+					Locations: file.NewLocationSet(
+						file.NewLocation("/usr/bin/test"),
+					),
+				},
+			},
+			want: &Finding{
+				Package: Package{
+					ID:       "pkg-123",
+					Name:     "test-package",
+					Version:  "1.0.0",
+					Type:     "apk",
+					Location: "/usr/bin/test",
+					PURL:     "pkg:apk/wolfi/[email protected]",
+				},
+				Vulnerability: Vulnerability{
+					ID:           "CVE-2023-1234",
+					Severity:     "high",
+					Aliases:      []string{"GHSA-xxxx-yyyy-zzzz"}, // CVE-2023-1234 filtered out
+					FixedVersion: "1.0.1",
+				},
+			},
+		},
+		{
+			name: "vulnerability with no fix",
+			match: match.Match{
+				Vulnerability: vulnerability.Vulnerability{
+					Reference: vulnerability.Reference{
+						ID:        "CVE-2023-1234",
+						Namespace: "nvd:cpe",
+					},
+					PackageName: "test-package",
+					Fix: vulnerability.Fix{
+						State: vulnerability.FixStateUnknown,
+					},
+					RelatedVulnerabilities: []vulnerability.Reference{},
+					Metadata: &vulnerability.Metadata{
+						ID:       "CVE-2023-1234",
+						Severity: "critical",
+					},
+				},
+				Package: pkg.Package{
+					ID:      pkg.ID("pkg-123"),
+					Name:    "test-package",
+					Version: "1.0.0",
+					Type:    syftPkg.ApkPkg,
+					PURL:    "pkg:apk/wolfi/[email protected]",
+					Locations: file.NewLocationSet(
+						file.NewLocation("/usr/bin/test"),
+					),
+				},
+			},
+			want: &Finding{
+				Package: Package{
+					ID:       "pkg-123",
+					Name:     "test-package",
+					Version:  "1.0.0",
+					Type:     "apk",
+					Location: "/usr/bin/test",
+					PURL:     "pkg:apk/wolfi/[email protected]",
+				},
+				Vulnerability: Vulnerability{
+					ID:           "CVE-2023-1234",
+					Severity:     "critical",
+					Aliases:      []string{},
+					FixedVersion: "", // No fix available
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := mapMatchToFinding(tt.match)
+			if got == nil {
+				t.Fatal("mapMatchToFinding() returned nil")
+			}
+
+			// Compare the results
+			if got.Package.ID != tt.want.Package.ID {
+				t.Errorf("Package.ID = %v, want %v", got.Package.ID, tt.want.Package.ID)
+			}
+			if got.Package.Name != tt.want.Package.Name {
+				t.Errorf("Package.Name = %v, want %v", got.Package.Name, tt.want.Package.Name)
+			}
+			if got.Package.Version != tt.want.Package.Version {
+				t.Errorf("Package.Version = %v, want %v", got.Package.Version, tt.want.Package.Version)
+			}
+			if got.Package.Type != tt.want.Package.Type {
+				t.Errorf("Package.Type = %v, want %v", got.Package.Type, tt.want.Package.Type)
+			}
+			if got.Package.PURL != tt.want.Package.PURL {
+				t.Errorf("Package.PURL = %v, want %v", got.Package.PURL, tt.want.Package.PURL)
+			}
+
+			if got.Vulnerability.ID != tt.want.Vulnerability.ID {
+				t.Errorf("Vulnerability.ID = %v, want %v", got.Vulnerability.ID, tt.want.Vulnerability.ID)
+			}
+			if got.Vulnerability.Severity != tt.want.Vulnerability.Severity {
+				t.Errorf("Vulnerability.Severity = %v, want %v", got.Vulnerability.Severity, tt.want.Vulnerability.Severity)
+			}
+			if got.Vulnerability.FixedVersion != tt.want.Vulnerability.FixedVersion {
+				t.Errorf("Vulnerability.FixedVersion = %v, want %v", got.Vulnerability.FixedVersion, tt.want.Vulnerability.FixedVersion)
+			}
+
+			// Compare aliases
+			if len(got.Vulnerability.Aliases) != len(tt.want.Vulnerability.Aliases) {
+				t.Errorf("Vulnerability.Aliases length = %v, want %v", len(got.Vulnerability.Aliases), len(tt.want.Vulnerability.Aliases))
+			} else {
+				for i := range got.Vulnerability.Aliases {
+					if got.Vulnerability.Aliases[i] != tt.want.Vulnerability.Aliases[i] {
+						t.Errorf("Vulnerability.Aliases[%d] = %v, want %v", i, got.Vulnerability.Aliases[i], tt.want.Vulnerability.Aliases[i])
+					}
+				}
+			}
+		})
+	}
+}