fix: check unescaped BomRef when matching PkgIdentifier (#6025)

Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-12 07:40:48 -08:00 · 2024-02-06 17:09:53 +06:00
parent 458c5d95e6
commit 6ccc0a554b
3 changed files with 54 additions and 0 deletions
--- a/pkg/fanal/types/artifact.go
+++ b/pkg/fanal/types/artifact.go
@@ -2,6 +2,7 @@ package types

 import (
 	"encoding/json"
+	"strings"
 	"time"

 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -156,6 +157,13 @@ func (id *PkgIdentifier) Empty() bool {
 }

 func (id *PkgIdentifier) Match(s string) bool {
+	// Encode string as PURL
+	if strings.HasPrefix(s, "pkg:") {
+		if p, err := packageurl.FromString(s); err == nil {
+			s = p.String()
+		}
+	}
+
 	switch {
 	case id.BOMRef == s:
 		return true
--- a/pkg/vex/testdata/cyclonedx.json
+++ b/pkg/vex/testdata/cyclonedx.json
@@ -18,6 +18,27 @@
          "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0"
        }
      ]
+    },
+    {
+      "id": "CVE-2022-27943",
+      "source": {
+        "name": "ubuntu",
+        "url": "https://git.launchpad.net/ubuntu-cve-tracker"
+      },
+      "affects": [
+        {
+          "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+          "versions": [
+            {
+              "version": "12.3.0-1ubuntu1~22.04",
+              "status": "affected"
+            }
+          ]
+        }
+      ],
+      "analysis": {
+        "state": "not_affected"
+      }
    }
  ]
 }
--- a/pkg/vex/vex_test.go
+++ b/pkg/vex/vex_test.go
@@ -149,6 +149,31 @@ func TestVEX_Filter(t *testing.T) {
 							},
 						},
 					},
+					{
+						VulnerabilityID:  "CVE-2022-27943",
+						PkgID:            "libstdc++6@12.3.0-1ubuntu1~22.04",
+						PkgName:          "libstdc++6",
+						InstalledVersion: "12.3.0-1ubuntu1~22.04",
+						PkgIdentifier: ftypes.PkgIdentifier{
+							BOMRef: "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?distro=ubuntu-22.04&arch=amd64",
+							PURL: &packageurl.PackageURL{
+								Type:      packageurl.TypeDebian,
+								Namespace: "ubuntu",
+								Name:      "libstdc++6",
+								Version:   "12.3.0-1ubuntu1~22.04",
+								Qualifiers: []packageurl.Qualifier{
+									{
+										Key:   "arch",
+										Value: "amd64",
+									},
+									{
+										Key:   "distro",
+										Value: "ubuntu-22.04",
+									},
+								},
+							},
+						},
+					},
 				},
 			},
 			want: []types.DetectedVulnerability{