package rhel

import (
	"context"

	version "github.com/knqyf263/go-rpm-version"

	"github.com/quay/claircore"
	"github.com/quay/claircore/libvuln/driver"
)

// Matcher is the RHEL matcher: it decides whether an indexed RPM package
// is affected by a vulnerability record by comparing RPM versions and
// architectures. It carries no state, so the zero value is ready to use.
type Matcher struct{}

// Compile-time check that *Matcher satisfies driver.Matcher.
var _ driver.Matcher = (*Matcher)(nil)

// Name implements driver.Matcher.
//
// The name identifies this matcher in libvuln configuration and output.
func (*Matcher) Name() string {
	return "rhel"
}

// Filter implements driver.Matcher.
//
// Only records whose repository key is the RHEL repository key (repositoryKey,
// defined elsewhere in this package) are handed to this matcher; records with
// no repository are rejected outright.
func (*Matcher) Filter(record *claircore.IndexRecord) bool {
	repo := record.Repository
	if repo == nil {
		return false
	}
	return repo.Key == repositoryKey
}

// Query implements driver.Matcher.
//
// Candidate vulnerabilities are looked up by package module and repository
// name; version and architecture are settled later in Vulnerable.
func (*Matcher) Query() []driver.MatchConstraint {
	constraints := []driver.MatchConstraint{
		driver.PackageModule,
		driver.RepositoryName,
	}
	return constraints
}

// Vulnerable implements driver.Matcher.
//
// It reports whether the package in record is affected by vuln. The version
// check runs first, using RPM (epoch:version-release) ordering; only when that
// says "affected" is the architecture compared through vuln.ArchOperation.
//
// Version semantics:
//   - vuln.FixedInVersion set: affected iff the package version sorts strictly
//     below the fixed version. The fixed version itself is not affected.
//   - vuln.FixedInVersion empty: the vulnerability is treated as unfixed. The
//     package is compared against a sentinel with the maximum epoch (65535:0),
//     so any package sorting at or below that sentinel is affected.
//
// NOTE(review): version.NewVersion never reports a parse failure, so a
// malformed or empty package version or FixedInVersion is compared as-is
// rather than rejected; an unexpected result here is a data-quality problem
// in the index or the advisory, not a signal from this function. The error
// return is always nil.
func (m *Matcher) Vulnerable(_ context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
	have := version.NewVersion(record.Package.Version)

	var affected bool
	switch {
	case vuln.FixedInVersion != "":
		// A fix is known: strictly older versions are affected; the fixed
		// version and anything newer are not.
		fixed := version.NewVersion(vuln.FixedInVersion)
		affected = have.Compare(fixed) == version.LESS
	default:
		// No fix recorded: compare against a maximum-epoch sentinel so the
		// package is affected unless it somehow sorts above that ceiling.
		ceiling := version.NewVersion("65535:0")
		affected = have.Compare(ceiling) != version.GREATER
	}
	if !affected {
		return false, nil
	}

	// Version says affected; the architecture relation recorded on the
	// vulnerability has the final word.
	return vuln.ArchOperation.Cmp(record.Package.Arch, vuln.Package.Arch), nil
}