Skip to content

alpine: add Alias support #1888

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hdonnay wants to merge 1 commit into
base: main
Choose a base branch
from
Open

alpine: add Alias support #1888

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 16 additions & 9 deletions alpine/parser.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,16 @@ import (
"encoding/json"
"io"
"log/slog"
"unique"

"github.com/quay/claircore"
"github.com/quay/claircore/libvuln/driver"
"github.com/quay/claircore/toolkit/types"
)

const (
cveURLPrefix = "https://security.alpinelinux.org/vuln/"
)
const cveURLPrefix = "https://security.alpinelinux.org/vuln/"

var space = unique.Make(cveURLPrefix)

@crozzy crozzy May 20, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thoughts on these being declared in secdb.go it seems like that's where they're used


var _ driver.Parser = (*updater)(nil)

Expand Down Expand Up @@ -50,15 +51,21 @@ func (u *updater) parse(ctx context.Context, sdb *SecurityDB) ([]*claircore.Vuln
return out, nil
}

// unpackSecFixes takes a map of secFixes and creates a claircore.Vulnerability for each all CVEs present.
func unpackSecFixes(partial claircore.Vulnerability, secFixes map[string][]string) []*claircore.Vulnerability {
// UnpackSecFixes creates a [claircore.Vulnerability] for every flaw ID on every
// version.
func unpackSecFixes(partial claircore.Vulnerability, secFixes map[string][]Flaw) []*claircore.Vulnerability {
out := []*claircore.Vulnerability{}
for fixedIn, IDs := range secFixes {
for _, id := range IDs {
for fixedIn, flaws := range secFixes {
for _, flaw := range flaws {
v := partial
v.Name = id
v.Name = flaw.String()
v.FixedInVersion = fixedIn
v.Links = cveURLPrefix + id
v.Links = cveURLPrefix + flaw.String()
self, aka := flaw.Aliases()
v.Self = self
if aka.Valid() {
v.Aliases = append(v.Aliases, aka)
}
out = append(out, &v)
}
}
Expand Down
58 changes: 49 additions & 9 deletions alpine/parser_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,9 @@ import (
"fmt"
"os"
"sort"
"strings"
"testing"
"unique"

"github.com/google/go-cmp/cmp"

Expand All @@ -27,7 +29,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "botan",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2018-20187"),
Aliases: cveAlias("CVE-2018-20187"),
},
{
Name: "CVE-2018-12435",
Expand All @@ -39,7 +43,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "botan",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2018-12435"),
Aliases: cveAlias("CVE-2018-12435"),
},
{
Name: "CVE-2018-9860",
Expand All @@ -51,7 +57,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "botan",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2018-9860"),
Aliases: cveAlias("CVE-2018-9860"),
},
{
Name: "CVE-2018-9127",
Expand All @@ -63,7 +71,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "botan",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2018-9127"),
Aliases: cveAlias("CVE-2018-9127"),
},
{
Name: "CVE-2019-9929",
Expand All @@ -75,7 +85,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "cfengine",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2019-9929"),
Aliases: cveAlias("CVE-2019-9929"),
},
{
Name: "CVE-2017-6949",
Expand All @@ -87,7 +99,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "chicken",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2017-6949"),
Aliases: cveAlias("CVE-2017-6949"),
},
{
Name: "CVE-2017-9334",
Expand All @@ -99,7 +113,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "chicken",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2017-9334"),
Aliases: cveAlias("CVE-2017-9334"),
},
{
Name: "CVE-2016-6830",
Expand All @@ -111,7 +127,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "chicken",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2016-6830"),
Aliases: cveAlias("CVE-2016-6830"),
},
{
Name: "CVE-2016-6831",
Expand All @@ -123,7 +141,9 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
Name: "chicken",
Kind: types.SourcePackage,
},
Dist: dist310,
Dist: dist310,
Self: selfAlias("CVE-2016-6831"),
Aliases: cveAlias("CVE-2016-6831"),
},
}

Expand Down Expand Up @@ -173,3 +193,23 @@ func TestParser(t *testing.T) {
})
}
}

func selfAlias(id string) claircore.Alias {
return claircore.Alias{
Space: space,
Name: id,
}
}

func cveAlias(id string) []claircore.Alias {
space, name, ok := strings.Cut(id, `-`)
if !ok || space != `CVE` {
panic("programmer error: bad CVE id")
}
return []claircore.Alias{
{
Space: unique.Make(`CVE`),
Name: name,
},
}
}
52 changes: 40 additions & 12 deletions alpine/secdb.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,11 @@
package alpine

// Details define a package's name and relevant security fixes included in a
// given version.
type Details struct {
Name string `json:"name"`
// Fixed package version string mapped to an array of CVE ids affecting the
// package.
Secfixes map[string][]string `json:"secfixes"`
}
import (
"strings"
"unique"

// Package wraps the Details.
type Package struct {
Pkg Details `json:"pkg"`
}
"github.com/quay/claircore"
)

// SecurityDB is the security database structure.
type SecurityDB struct {
Expand All @@ -22,3 +15,38 @@ type SecurityDB struct {
Apkurl string `json:"apkurl"`
Packages []Package `json:"packages"`
}

// Package wraps the Details.
type Package struct {
Pkg Details `json:"pkg"`
}

// Details define a package's name and relevant security fixes included in a
// given version.
type Details struct {
Name string `json:"name"`
// Fixed package version string mapped to an array of CVE ids affecting the
// package.
Secfixes map[string][]Flaw `json:"secfixes"`
}

// Flaw is a helper to create Aliases on demand.
type Flaw string

// Aliases constructs aliases for the Flaw.
//
// The "aka" alias may not be valid. The caller should check with
// [claircore.Alias.Valid].
func (f Flaw) Aliases() (self, aka claircore.Alias) {
s := string(f)
self.Space = space
self.Name = s
if space, name, ok := strings.Cut(s, `-`); ok {
aka.Space = unique.Make(space)
aka.Name = name
}
return
}

// String implements [fmt.Stringer].
func (f Flaw) String() string { return string(f) }
6 changes: 3 additions & 3 deletions alpine/secdb_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ var v3_10CommunityTruncatedSecDB = SecurityDB{
{
Pkg: Details{
Name: "botan",
Secfixes: map[string][]string{
Secfixes: map[string][]Flaw{
"2.9.0-r0": {"CVE-2018-20187"},
"2.7.0-r0": {"CVE-2018-12435"},
"2.6.0-r0": {"CVE-2018-9860"},
Expand All @@ -29,15 +29,15 @@ var v3_10CommunityTruncatedSecDB = SecurityDB{
{
Pkg: Details{
Name: "cfengine",
Secfixes: map[string][]string{
Secfixes: map[string][]Flaw{
"3.12.2-r0": {"CVE-2019-9929"},
},
},
},
{
Pkg: Details{
Name: "chicken",
Secfixes: map[string][]string{
Secfixes: map[string][]Flaw{
"4.12.0-r3": {"CVE-2017-6949"},
"4.12.0-r2": {"CVE-2017-9334"},
"4.11.1-r0": {"CVE-2016-6830", "CVE-2016-6831"},
Expand Down
Loading