rhcc: modify matching to account for CPE matching

With the introduction on the labels.json file to identify RH produced
container images Clair needs to start accounting for the CPE surfaced in
the labels.json file and the VEX data. Care is taken here to ensure the
original Dockerfile parsing process still works as expected (although,
dockerfile images will require a re-index to include needed metadata).

Signed-off-by: crozzy <[email protected]>

Author: crozzy

internal/matcher/controller.go

@@ -109,6 +109,9 @@ func (mc *Controller) dbFilter() (bool, bool) {
 func (mc *Controller) findInterested(records []*claircore.IndexRecord) []*claircore.IndexRecord {
 	out := []*claircore.IndexRecord{}
 	for _, record := range records {
+		if record.Package.NormalizedVersion.Kind == claircore.UnmatchableKind {
+			continue
+		}
 		if mc.m.Filter(record) {
 			out = append(out, record)
 		}

rhel/matcher.go

@@ -50,7 +50,7 @@ func (m *Matcher) Query() []driver.MatchConstraint {
 //
 // TODO(crozzy) Remove once RH VEX data updates CPEs with standard matching
 // expressions.
-func isCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool {
+func IsCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool {
 	return strings.HasPrefix(recordCPE.String(), strings.TrimRight(vulnCPE.String(), ":*"))
 }
 
@@ -78,7 +78,7 @@ func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord,
 			Msg("unable to unbind repo CPE")
 		return false, nil
 	}
-	if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !isCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
+	if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !IsCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
 		return false, nil
 	}
 

rhel/matcher_test.go

@@ -290,7 +290,7 @@ func TestIsCPEStringSubsetMatch(t *testing.T) {
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
 			tt := tc
-			matched := isCPESubstringMatch(tt.recordCPE, tt.vulnCPE)
+			matched := IsCPESubstringMatch(tt.recordCPE, tt.vulnCPE)
 			if matched != tt.match {
 				t.Errorf("unexpected matching %s and %s", tt.recordCPE, tt.vulnCPE)
 			}

rhel/rhcc/matcher.go

@@ -8,6 +8,8 @@ import (
 
 	"github.com/quay/claircore"
 	"github.com/quay/claircore/libvuln/driver"
+	"github.com/quay/claircore/rhel"
+	"github.com/quay/claircore/toolkit/types/cpe"
 )
 
 // Matcher is an instance of the rhcc matcher. It's exported so it can be used
@@ -26,16 +28,31 @@ func (*matcher) Name() string { return "rhel-container-matcher" }
 // Filter implements [driver.Matcher].
 func (*matcher) Filter(r *claircore.IndexRecord) bool {
 	return r.Repository != nil &&
-		r.Repository.Name == GoldRepo.Name
+		r.Repository.Key == RepositoryKey
 }
 
 // Query implements [driver.Matcher].
 func (*matcher) Query() []driver.MatchConstraint {
-	return []driver.MatchConstraint{driver.RepositoryName}
+	return []driver.MatchConstraint{driver.RepositoryKey}
 }
 
 // Vulnerable implements [driver.Matcher].
 func (*matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
+	var err error
+	if record.Repository.Name != GoldRepo.Name {
+		// This is not a gold repo record, so we need to check if the CPE matches.
+		vuln.Repo.CPE, err = cpe.Unbind(vuln.Repo.Name)
+		if err != nil {
+			zlog.Warn(ctx).
+				Str("vulnerability name", vuln.Name).
+				Err(err).
+				Msg("unable to unbind repo CPE")
+			return false, nil
+		}
+		if !cpe.Compare(vuln.Repo.CPE, record.Repository.CPE).IsSuperset() && !rhel.IsCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
+			return false, nil
+		}
+	}
 	pkgVer, fixedInVer := rpmVersion.NewVersion(record.Package.Version), rpmVersion.NewVersion(vuln.FixedInVersion)
 	zlog.Debug(ctx).
 		Str("record", record.Package.Version).

test/rhel/rhcc_matcher_integration_test.go

@@ -58,6 +58,12 @@ func TestMatcherIntegration(t *testing.T) {
 			cveID:       "CVE-2020-8565",
 			match:       false,
 		},
+		{
+			Name:        "Clair labels",
+			indexReport: "clair-rhel8-v3.5.5-4-labels",
+			cveID:       "CVE-2021-3762",
+			match:       true,
+		},
 	}
 
 	integration.NeedDB(t)

test/rhel/testdata/clair-rhel8-v3.5.5-4-indexreport.json

@@ -75,7 +75,8 @@
   "repository": {
     "1": {
       "name": "Red Hat Container Catalog",
-      "uri": "https://catalog.redhat.com/software/containers/explore"
+      "uri": "https://catalog.redhat.com/software/containers/explore",
+      "key": "rhcc-container-repository"
     }
   },
   "environments": {

test/rhel/testdata/clair-rhel8-v3.5.5-4-labels-indexreport.json

@@ -0,0 +1,122 @@
+{
+  "err": "",
+  "state": "IndexFinished",
+  "success": true,
+  "packages": {
+    "32": {
+      "id": "32",
+      "cpe": "",
+      "arch": "x86_64",
+      "kind": "source",
+      "name": "quay-clair-container",
+      "source": {
+        "id": "1",
+        "cpe": "",
+        "name": "",
+        "version": "",
+        "normalized_version": ""
+      },
+      "version": "v3.5.5-4",
+      "normalized_version": "rhctag:3.5.0.0.0.0.0.0.0.0"
+    },
+    "34": {
+      "id": "34",
+      "cpe": "",
+      "arch": "x86_64",
+      "kind": "binary",
+      "name": "quay/clair-rhel8",
+      "source": {
+        "id": "32",
+        "cpe": "",
+        "arch": "x86_64",
+        "kind": "source",
+        "name": "quay-clair-container",
+        "version": "v3.5.5-4",
+        "normalized_version": ""
+      },
+      "version": "v3.5.5-4",
+      "normalized_version": "rhctag:3.5.0.0.0.0.0.0.0.0"
+    },
+    "36": {
+      "id": "36",
+      "cpe": "",
+      "arch": "x86_64",
+      "kind": "source",
+      "name": "ubi8-container",
+      "source": {
+        "id": "1",
+        "cpe": "",
+        "name": "",
+        "version": "",
+        "normalized_version": ""
+      },
+      "version": "8.4-206.1626828523",
+      "normalized_version": "rhctag:8.4.0.0.0.0.0.0.0.0"
+    },
+    "38": {
+      "id": "38",
+      "cpe": "",
+      "arch": "x86_64",
+      "kind": "binary",
+      "name": "ubi8",
+      "source": {
+        "id": "36",
+        "cpe": "",
+        "arch": "x86_64",
+        "kind": "source",
+        "name": "ubi8-container",
+        "version": "8.4-206.1626828523",
+        "normalized_version": ""
+      },
+      "version": "8.4-206.1626828523",
+      "normalized_version": "rhctag:8.4.0.0.0.0.0.0.0.0"
+    }
+  },
+  "repository": {
+    "1": {
+      "id": "1",
+      "name": "cpe:2.3:a:redhat:quay:3:*:el8:*:*:*:*:*",
+      "key": "rhcc-container-repository",
+      "cpe": "cpe:2.3:a:redhat:quay:3:*:el8:*:*:*:*:*"
+    }
+  },
+  "environments": {
+    "32": [
+      {
+        "package_db": "root/buildinfo/labels.json",
+        "introduced_in": "sha256:a5ac7bbd6645d6b98e41600a1510d7378d74e6b0b858622b57fce2a8a05a87e5",
+        "repository_ids": [
+          "1"
+        ]
+      }
+    ],
+    "34": [
+      {
+        "package_db": "root/buildinfo/labels.json",
+        "introduced_in": "sha256:a5ac7bbd6645d6b98e41600a1510d7378d74e6b0b858622b57fce2a8a05a87e5",
+        "repository_ids": [
+          "1"
+        ]
+      }
+    ],
+    "36": [
+      {
+        "package_db": "root/buildinfo/labels.json",
+        "introduced_in": "sha256:a50df8fd88fecefc26fd331f832672108deb08cf9d2b303a5b86156a7f51b5d8",
+        "repository_ids": [
+          "1"
+        ]
+      }
+    ],
+    "38": [
+      {
+        "package_db": "root/buildinfo/labels.json",
+        "introduced_in": "sha256:a50df8fd88fecefc26fd331f832672108deb08cf9d2b303a5b86156a7f51b5d8",
+        "repository_ids": [
+          "1"
+        ]
+      }
+    ]
+  },
+  "manifest_hash": "sha256:e7a9c9de4b2375d2d846b6b3d3e476f9a180d5d2a27282f62ff8f5d6fb96889c"
+}

test/rhel/testdata/rook-ceph-operator-container-4.6-115.d1788e1.release_4.6-indexreport.json

@@ -41,7 +41,8 @@
   "repository": {
     "1": {
       "name": "Red Hat Container Catalog",
-      "uri": "https://catalog.redhat.com/software/containers/explore"
+      "uri": "https://catalog.redhat.com/software/containers/explore",
+      "key": "rhcc-container-repository"
     }
   },
   "environments": {

test/rhel/testdata/rook-ceph-operator-container-4.7-159.76b9b11.release_4.7-indexreport.json

@@ -41,7 +41,8 @@
   "repository": {
     "1": {
       "name": "Red Hat Container Catalog",
-      "uri": "https://catalog.redhat.com/software/containers/explore"
+      "uri": "https://catalog.redhat.com/software/containers/explore",
+      "key": "rhcc-container-repository"
     }
   },
   "environments": {