Use data driven approach when detecting Alpine:edge and Debian:sid #2556

Merged
merged 2 commits into from
Mar 24, 2025

Conversation

wagoodman
Contributor

@wagoodman wagoodman commented Mar 21, 2025

This removes client-side logic for identifying edge or unstable distro kinds and instead leverages the existing OS overrides table for this matching.

Before these changes:

$ grype -q alpine:edge
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY   SEVERITY                
libcrypto3  3.3.2-r4   3.3.3-r0   apk   CVE-2024-12797  Medium    (alpine:3.20)  
libcrypto3  3.3.2-r4   3.3.2-r5   apk   CVE-2024-13176  Medium    (alpine:3.21)  
libssl3     3.3.2-r4   3.3.3-r0   apk   CVE-2024-12797  Medium    (alpine:3.20)  
libssl3     3.3.2-r4   3.3.2-r5   apk   CVE-2024-13176  Medium    (alpine:3.21)  
musl        1.2.5-r9   1.2.5-r10  apk   CVE-2025-26519  High      (alpine:edge)  
musl-utils  1.2.5-r9   1.2.5-r10  apk   CVE-2025-26519  High      (alpine:edge)

$ grype -q debian:sid
No vulnerabilities found

After these changes (needs a local DB build):

$ grype -q alpine:edge
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY   SEVERITY 
libcrypto3  3.3.2-r4   3.3.3-r0   apk   CVE-2024-12797  Medium    
libcrypto3  3.3.2-r4   3.3.2-r5   apk   CVE-2024-13176  Medium    
libssl3     3.3.2-r4   3.3.3-r0   apk   CVE-2024-12797  Medium    
libssl3     3.3.2-r4   3.3.2-r5   apk   CVE-2024-13176  Medium    
musl        1.2.5-r9   1.2.5-r10  apk   CVE-2025-26519  High      
musl-utils  1.2.5-r9   1.2.5-r10  apk   CVE-2025-26519  High

$ grype -q debian:sid
NAME                INSTALLED                  FIXED-IN  TYPE  VULNERABILITY     SEVERITY   
apt                 2.9.33                               deb   CVE-2011-3374     Negligible  
bsdutils            1:2.40.4-5                           deb   CVE-2022-0563     Negligible  
coreutils           9.5-1+b1                             deb   CVE-2016-2781     Low         
coreutils           9.5-1+b1                             deb   CVE-2017-18018    Negligible  
libapt-pkg7.0       2.9.33                               deb   CVE-2011-3374     Negligible  
libblkid1           2.40.4-5                             deb   CVE-2022-0563     Negligible  
libc-bin            2.41-6                               deb   CVE-2010-4756     Negligible  
libc-bin            2.41-6                               deb   CVE-2018-20796    Negligible  
libc-bin            2.41-6                               deb   CVE-2019-1010022  Negligible  
libc-bin            2.41-6                               deb   CVE-2019-1010023  Negligible  
libc-bin            2.41-6                               deb   CVE-2019-1010024  Negligible  
libc-bin            2.41-6                               deb   CVE-2019-1010025  Negligible  
libc-bin            2.41-6                               deb   CVE-2019-9192     Negligible  
libc6               2.41-6                               deb   CVE-2010-4756     Negligible  
libc6               2.41-6                               deb   CVE-2018-20796    Negligible  
libc6               2.41-6                               deb   CVE-2019-1010022  Negligible  
libc6               2.41-6                               deb   CVE-2019-1010023  Negligible  
libc6               2.41-6                               deb   CVE-2019-1010024  Negligible  
libc6               2.41-6                               deb   CVE-2019-1010025  Negligible  
libc6               2.41-6                               deb   CVE-2019-9192     Negligible  
libmount1           2.40.4-5                             deb   CVE-2022-0563     Negligible  
libpam-modules      1.7.0-3                              deb   CVE-2024-10963    High        
libpam-modules-bin  1.7.0-3                              deb   CVE-2024-10963    High        
libpam-runtime      1.7.0-3                              deb   CVE-2024-10963    High        
libpam0g            1.7.0-3                              deb   CVE-2024-10963    High        
libsmartcols1       2.40.4-5                             deb   CVE-2022-0563     Negligible  
libsystemd0         257.4-3                              deb   CVE-2013-4392     Negligible  
libsystemd0         257.4-3                              deb   CVE-2023-31437    Negligible  
libsystemd0         257.4-3                              deb   CVE-2023-31438    Negligible  
libsystemd0         257.4-3                              deb   CVE-2023-31439    Negligible  
libudev1            257.4-3                              deb   CVE-2013-4392     Negligible  
libudev1            257.4-3                              deb   CVE-2023-31437    Negligible  
libudev1            257.4-3                              deb   CVE-2023-31438    Negligible  
libudev1            257.4-3                              deb   CVE-2023-31439    Negligible  
libuuid1            2.40.4-5                             deb   CVE-2022-0563     Negligible  
login               1:4.16.0-2+really2.40.4-5            deb   CVE-2022-0563     Negligible  
login.defs          1:4.17.3-2                           deb   CVE-2024-56433    Low         
login.defs          1:4.17.3-2                           deb   CVE-2007-5686     Negligible  
mount               2.40.4-5                             deb   CVE-2022-0563     Negligible  
passwd              1:4.17.3-2                           deb   CVE-2024-56433    Low         
passwd              1:4.17.3-2                           deb   CVE-2007-5686     Negligible  
perl-base           5.40.1-2                             deb   CVE-2011-4116     Negligible  
tar                 1.35+dfsg-3.1                        deb   CVE-2005-2541     Negligible  
util-linux          2.40.4-5                             deb   CVE-2022-0563     Negligible

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman changed the title from "Fix data driven approach to distro aliases for rolling kinds" to "Use data driven approach when detecting Alpine:edge and Debian:sid" Mar 24, 2025
@wagoodman wagoodman marked this pull request as ready for review March 24, 2025 15:33
@wagoodman wagoodman enabled auto-merge (squash) March 24, 2025 15:34
@wagoodman wagoodman added the bug Something isn't working label Mar 24, 2025

// fields populated in the constructor

major string
Contributor

@kzantow kzantow Mar 24, 2025

I think having these unexported fields on an exported struct with exported fields including Version will lead to confusion about populating them. I think we should just remove these and parse the Version string at times it's requested, unless there's a notable performance issue.


// TODO: this is a temporary workaround... in the long term the mock should more strongly enforce
// data overrides and not require this kind of logic being baked into mocks directly.
func mimicV6DistroTypeOverrides(t distro.Type) distro.Type {
Contributor

Are there some tests that rely on this? Longer term, I would prefer if we had a separate step the matchers performed to query the provider for OSes, instead of pushing this logic into the stores where it is opaque. I think that could end up being more clear how the overall matching process works and would potentially avoid having this.

Contributor Author

Longer term I'd hope to not have matching that is test specific and matching that is for production. This code was added to get the mocks to pass and is not used in production.
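The two ideas in this thread, rolling-release names resolved by a data table rather than by client-side code (the PR description) and version components parsed on request instead of cached in unexported fields (kzantow's comment), as an added Go example that is not grype's code: the Distro type, the override rows, legacyIsRolling and Resolve are hypothetical stand-ins, and the table contents are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Distro is a hypothetical stand-in for grype's type, with only exported string fields.
type Distro struct {
	Type    string // e.g. "alpine", "debian"
	Version string // e.g. "3.21", "edge", "sid"; empty when unversioned
}

// Major parses Version on request rather than caching unexported fields;
// rolling names such as "edge" or "sid" have no number and report ok=false.
func (d Distro) Major() (n int, ok bool) {
	n, err := strconv.Atoi(strings.SplitN(d.Version, ".", 2)[0])
	return n, err == nil
}

// legacyIsRolling mimics the client-side check the PR removes: rolling pairs are hardcoded, so each new case needs a code change.
func legacyIsRolling(d Distro) bool {
	return (d.Type == "alpine" && d.Version == "edge") ||
		(d.Type == "debian" && d.Version == "sid")
}

// override is one row of a constructed overrides table: the distro the image reports, and the distro/version the vulnerability data is keyed under.
type override struct{ Type, Version, ToType, ToVersion string }

// overrides is constructed sample data, not grype's real table.
var overrides = []override{
	{"alpine", "edge", "alpine", ""},        // edge resolves to the versionless namespace
	{"debian", "sid", "debian", "unstable"}, // sid is Debian's unstable branch
}

// Resolve is the data-driven replacement: the first matching row rewrites the distro; with no row it is returned unchanged.
func Resolve(d Distro, table []override) Distro {
	for _, row := range table {
		if row.Type == d.Type && row.Version == d.Version {
			return Distro{Type: row.ToType, Version: row.ToVersion}
		}
	}
	return d
}

func main() {
	d := Distro{Type: "debian", Version: "sid"}
	fmt.Printf("%+v -> %+v (legacy rolling: %t)\n", d, Resolve(d, overrides), legacyIsRolling(d))
}
```

Adding another rolling distro is then a data change (one more row) rather than a code change, which is the point of the PR.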

@wagoodman wagoodman merged commit 97a8552 into main Mar 24, 2025
12 checks passed
@wagoodman wagoodman deleted the fix-rolling-distro-matching branch March 24, 2025 18:01