feat: integrate RapidFort advisory matching for their curated images #3327
vaibhav-rf wants to merge 5 commits into
Conversation
Hi @vaibhav-rf is there a publicly pullable test image I can try this out on?
Hi @willmurphyscode, Thank you for reaching out regarding the test images. We are currently in the process of creating them and will share them with you shortly. These images will include coverage across all relevant operating systems: Alpine, Ubuntu, and Red Hat, to support comprehensive end-to-end testing of the PRs. Appreciate your patience. Thanks again.
Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com>
- Add ApplySelectionPolicy to decide matchers from scan context
- For RF-curated images: replace dpkg/apk with rapidfort matcher
- For non-RF sources: keep default matchers unchanged
- Remove RapidFort imports from root.go; pass pkgContext into getMatchers
- Reuse a single rapidfort matcher instance for both dpkg and apk
- Add tests for nil context, non-RF image, and RF image
Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com>
- Register rapidfort-redhat distro and wire RapidFort matcher
- Parse OS FixedIn Identifier; v6 transform: release-identifier refs with vendor advisory URL when present
- Add rapidfort-redhat-9 transform fixture and matcher unit tests
Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com>
Binary lookups were incorrectly labeled ExactIndirectMatch; pass match.Type explicitly so binary path reports ExactDirectMatch. Add TestIsRapidFortImage (nil, non-image, case-insensitive key/value, non-RF label) and Alpine case in TestRapidfortDistroVersion. Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com>
8060542 to 55e0aac
Hi @willmurphyscode, Follow-up on my earlier message - the test images have been created and pushed. You can pull them using: These cover Alpine, Ubuntu, and Red Hat for end-to-end testing of the PRs. Let me know if you run into any issues pulling them. Thanks!
…advisories
# Conflicts:
# grype/db/v6/build/transformers/os/testdata/rapidfort-redhat-9.json
# grype/db/v6/build/transformers/os/testdata/rapidfort-ubuntu-20.04.json
# grype/db/v6/build/transformers/os/transform_test.go
# grype/distro/type.go
Just checking in on the test images we shared earlier. Were you able to pull them and validate the PRs? Please let us know if you encountered any issues during testing or if there's any additional information we can provide. Looking forward to hearing your feedback. Thanks!
Hi @willmurphyscode, Circling back on this, we haven't heard back since sharing the test images and PRs for review. Is there anything we can do on our end to help move this forward, or any additional information you need? Happy to assist however we can. Thanks!
Hi @ravinder-rapidfort thanks for the ping! I hope to take a look at this pretty soon.
Thanks for the update! Just checking in to see if you've had a chance to take a look. Let us know if anything comes up, happy to help.
Summary
Adds a dedicated RapidFort matcher that activates when the scanned image carries a `maintainer=RapidFort*` Docker label. RapidFort advisories are stored under `rapidfort-{os}:{version}` namespaces (e.g. `rapidfort-ubuntu:20.04`), fully isolated from standard distro scans so non-RF images are never affected.
Supported base distros: Ubuntu (dpkg), Alpine (apk), Red Hat (rpm).
Changes
New:
- `grype/matcher/rapidfort/matcher.go`
- `grype/matcher/rapidfort/label.go`: `IsRapidFortImage` detects RF-curated images via the maintainer label
- `grype/matcher/rapidfort/matcher_test.go`
- `grype/matcher/rapidfort/label_test.go`: `IsRapidFortImage` edge cases: nil source, non-image, case-insensitive key/value
Modified: existing packages
- `grype/matcher/matchers.go`: `ApplySelectionPolicy` replaces dpkg/apk/rpm matchers with `RapidFortMatcher` for RF images; Java/stock matchers are preserved
- `grype/matcher/matchers_test.go`
- `grype/match/matcher_type.go`: `RapidFortMatcher` type (excluded from `AllMatcherTypes`; it is a conditional override)
- `grype/distro/type.go`: `RapidFortUbuntu`, `RapidFortAlpine`, `RapidFortRedHat` distro types with `IDMapping` entries
- `grype/db/internal/provider/unmarshal/os_vulnerability.go`: `Identifier` field added to `OSFixedIn` for per-release RPM advisory routing
- `grype/db/v6/build/transformers/os/transform.go`: `getPackageType` maps RF distros; `getFix` emits `release-identifier` advisory references from the `Identifier` field
Test fixtures
- `test-fixtures/rapidfort-ubuntu-20.04.json`
- `test-fixtures/rapidfort-redhat-9.json`
Design notes
Namespace isolation: The RF matcher queries `rapidfort-{os}:{version}` namespaces that vunnel emits exclusively for RF advisories. Standard distro matchers (dpkg/apk/rpm) never see these namespaces, so there is zero cross-contamination.
RPM release-identifier routing: Red Hat advisories carry per-release `Identifier` fields (e.g. `el9`, `fc36`). The matcher derives the installed release from the package version suffix (`.el9`, `.fc41`, `.rf`) and filters to advisories with a matching `release-identifier:*` advisory reference. Unknown release identifiers fall back to matching `el*` advisories.
Matcher activation: `ApplySelectionPolicy` in `matchers.go` checks `IsRapidFortImage` and, when true, replaces dpkg/apk/rpm matchers with a single `RapidFortMatcher`. This avoids double-reporting and keeps RF advisory logic self-contained.
Test plan
- `go test ./grype/matcher/rapidfort/...`: all matcher and label tests pass
- `go test ./grype/matcher/...`: selection policy tests pass
- `go test ./grype/db/v6/build/transformers/os/...`: transform tests pass for both RF fixtures
- `go test ./grype/distro/...`: distro type registration passes
- `rapidfort-matcher` appears in match details
- `rapidfort-matcher` is absent from match details
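The two mechanisms described in the design notes (the maintainer-label check that gates matcher activation, and the release-identifier routing that keeps an el8 advisory from matching an el9 package) can be exercised in isolation with the following Go program. This is an added example, not code from the grype repository or from the PR: `isRapidFortImage`, `releaseIdentifier`, `applicableAdvisories` and the `advisory` type are hypothetical stand-ins for the real `IsRapidFortImage`, distro and matcher code, the advisory set and image labels are constructed, and two behaviours are assumptions not stated in the PR (an advisory with no `release-identifier:*` reference is treated as applying to every release, and a trailing `_N` such as `el9_2` is tolerated when parsing the version suffix).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// isRapidFortImage reports whether an image's config labels carry a
// maintainer=RapidFort* label. Key and value are compared case-insensitively;
// a nil map (no image source) is never an RF image. Hypothetical helper.
func isRapidFortImage(labels map[string]string) bool {
	for key, value := range labels {
		if strings.EqualFold(strings.TrimSpace(key), "maintainer") &&
			strings.HasPrefix(strings.ToLower(strings.TrimSpace(value)), "rapidfort") {
			return true
		}
	}
	return false
}

// releaseSuffix captures the release tag at the end of an RPM version string
// (".el9", ".fc41", ".rf"); an optional "_N" minor suffix such as el9_2 is
// tolerated (assumption, not stated in the PR).
var releaseSuffix = regexp.MustCompile(`\.(el\d+|fc\d+|rf)(?:_\d+)?$`)

// exactRelease is a release identifier that advisory data can name directly.
var exactRelease = regexp.MustCompile(`^(el|fc)\d+$`)

// releaseIdentifier returns "el9", "fc41", "rf" or "" for an installed version.
func releaseIdentifier(version string) string {
	m := releaseSuffix.FindStringSubmatch(version)
	if m == nil {
		return ""
	}
	return m[1]
}

// advisory is a constructed stand-in for a vulnerability record with its
// advisory references; "release-identifier:<id>" entries scope it to one release.
type advisory struct {
	ID   string
	Refs []string
}

const releaseRefPrefix = "release-identifier:"

// releaseTargets lists the release identifiers an advisory is scoped to.
func releaseTargets(a advisory) []string {
	var out []string
	for _, r := range a.Refs {
		if strings.HasPrefix(r, releaseRefPrefix) {
			out = append(out, strings.TrimPrefix(r, releaseRefPrefix))
		}
	}
	return out
}

// applicableAdvisories filters advisories for one installed package version:
// a known release (elN/fcN) keeps only advisories scoped to that release, an
// unknown or missing release falls back to any el*-scoped advisory, and an
// advisory with no release-identifier reference is kept in both cases
// (assumption: an unscoped advisory applies to every release).
func applicableAdvisories(version string, advisories []advisory) []string {
	rel := releaseIdentifier(version)
	known := exactRelease.MatchString(rel)
	var ids []string
	for _, a := range advisories {
		targets := releaseTargets(a)
		if len(targets) == 0 {
			ids = append(ids, a.ID)
			continue
		}
		for _, t := range targets {
			if (known && t == rel) || (!known && strings.HasPrefix(t, "el")) {
				ids = append(ids, a.ID)
				break
			}
		}
	}
	return ids
}

// sampleAdvisories is a constructed advisory set; the IDs are placeholders.
var sampleAdvisories = []advisory{
	{ID: "ADV-EL9", Refs: []string{"release-identifier:el9"}},
	{ID: "ADV-EL8", Refs: []string{"release-identifier:el8"}},
	{ID: "ADV-FC41", Refs: []string{"release-identifier:fc41"}},
	{ID: "ADV-ANY", Refs: nil},
}

func main() {
	// Constructed label sets standing in for image config labels.
	fmt.Println("RF image:", isRapidFortImage(map[string]string{"Maintainer": "RapidFort <placeholder>"}))
	fmt.Println("RF image:", isRapidFortImage(map[string]string{"maintainer": "someone-else"}))
	for _, v := range []string{"1.2.3-4.el9", "2.0-1.fc41", "3.1-2.rf", "1.0-2ubuntu1"} {
		fmt.Printf("%-14s release=%-6q advisories=%v\n", v, releaseIdentifier(v), applicableAdvisories(v, sampleAdvisories))
	}
}
```

Running it shows the routing outcomes side by side: the el9 package matches only the el9-scoped and unscoped advisories, the fc41 package only the fc41-scoped and unscoped ones, and the `.rf` and non-RPM versions take the `el*` fallback and therefore see both el8 and el9 advisories, which is the behaviour a reviewer would want to confirm against the real fixture data.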