package aws

import (
	"context"

	version "github.com/knqyf263/go-rpm-version"

	"github.com/quay/claircore"
	"github.com/quay/claircore/libvuln/driver"
)

// Matcher is the driver.Matcher implementation for Amazon Linux packages.
// It carries no state; every method works purely on its arguments.
type Matcher struct{}

// Compile-time check that *Matcher satisfies driver.Matcher.
var _ driver.Matcher = (*Matcher)(nil)

// Name returns the identifier under which this matcher is registered.
func (*Matcher) Name() string {
	return "aws-matcher"
}

// Filter reports whether record should be considered by this matcher.
//
// A record qualifies when its distribution is one of the known Amazon Linux
// releases (AL1, AL2, AL2023) by name, or when its distribution DID equals
// the package-level ID constant. Records without a distribution never match.
func (*Matcher) Filter(record *claircore.IndexRecord) bool {
	dist := record.Distribution
	if dist == nil {
		return false
	}

	switch dist.Name {
	case AL1Dist.Name, AL2Dist.Name, AL2023Dist.Name:
		return true
	}

	return dist.DID == ID
}

// Query returns the constraints used to select candidate vulnerabilities for
// a record: the distribution DID and the distribution version ID must match.
func (*Matcher) Query() []driver.MatchConstraint {
	return []driver.MatchConstraint{
		driver.DistributionDID,
		driver.DistributionVersionID,
	}
}

// Vulnerable reports whether the package in record is affected by vuln.
//
// Versions are compared with RPM semantics (epoch:version-release). Two
// interpretations of the vulnerability record are possible:
//
//   - vuln.FixedInVersion is set: the package is affected only if its version
//     is strictly LESS than the fixed version.
//   - vuln.FixedInVersion is empty: the vulnerability is treated as unfixed.
//     The package version is compared against the sentinel "65535:0" (an
//     epoch-only version intended to sort above real package epochs) and is
//     affected whenever the comparison is not GREATER, which in practice
//     means every version of the package.
//
// When the version test passes, the package architecture must also satisfy
// vuln.ArchOperation relative to vuln.Package.Arch. The context is unused
// and the returned error is always nil.
func (*Matcher) Vulnerable(_ context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
	pkgVer := version.NewVersion(record.Package.Version)

	var (
		vulnVer    version.Version
		isAffected func(int) bool
	)
	if vuln.FixedInVersion == "" {
		// No fix recorded: assume unfixed, so treat any version that does not
		// sort above the sentinel as affected.
		vulnVer = version.NewVersion("65535:0")
		isAffected = func(res int) bool { return res != version.GREATER }
	} else {
		// A fix is recorded: only versions below it are affected.
		vulnVer = version.NewVersion(vuln.FixedInVersion)
		isAffected = func(res int) bool { return res == version.LESS }
	}

	// Version gate first; the architecture check is only consulted for
	// versions that are in the affected range.
	if !isAffected(pkgVer.Compare(vulnVer)) {
		return false, nil
	}
	return vuln.ArchOperation.Cmp(record.Package.Arch, vuln.Package.Arch), nil
}