@@ -16,6 +16,11 @@ import (
1616 "testing"
1717
1818 "chainguard.dev/melange/pkg/cli"
19+ "github.com/anchore/grype/grype/db/v5/search"
20+ "github.com/anchore/grype/grype/match"
21+ grypePkg "github.com/anchore/grype/grype/pkg"
22+ "github.com/anchore/grype/grype/vulnerability"
23+ "github.com/anchore/syft/syft/pkg"
1924 "github.com/wolfi-dev/wolfictl/pkg/sbom"
2025)
2126
@@ -164,3 +169,169 @@ func TestScanner_ScanAPK(t *testing.T) {
164169 }
165170 }
166171}
172+
173+ func Test_shouldAllowMatch (t * testing.T ) {
174+ cases := []struct {
175+ name string
176+ m match.Match
177+ expected bool
178+ }{
179+ {
180+ name : "non-Go package" ,
181+ m : match.Match {
182+ Vulnerability : vulnerability.Vulnerability {},
183+ Package : grypePkg.Package {
184+ Name : "foo" ,
185+ Type : pkg .GemPkg ,
186+ },
187+ Details : []match.Detail {
188+ {
189+ Type : "" ,
190+ SearchedBy : nil ,
191+ Found : nil ,
192+ Matcher : "" ,
193+ Confidence : 0 ,
194+ },
195+ },
196+ },
197+ expected : true ,
198+ },
199+ {
200+ name : "Go stdlib" ,
201+ m : match.Match {
202+ Vulnerability : vulnerability.Vulnerability {},
203+ Package : grypePkg.Package {
204+ Name : "stdlib" ,
205+ Type : pkg .GoModulePkg ,
206+ },
207+ Details : []match.Detail {
208+ {
209+ Type : match .CPEMatch ,
210+ },
211+ },
212+ },
213+ expected : true ,
214+ },
215+ {
216+ name : "not a CPE-based match" ,
217+ m : match.Match {
218+ Vulnerability : vulnerability.Vulnerability {},
219+ Package : grypePkg.Package {
220+ Name : "foo" ,
221+ Type : pkg .GoModulePkg ,
222+ },
223+ Details : []match.Detail {
224+ {
225+ Type : "not CPE!" ,
226+ },
227+ },
228+ },
229+ expected : true ,
230+ },
231+ {
232+ name : "legit CPE match" ,
233+ m : match.Match {
234+ Vulnerability : vulnerability.Vulnerability {
235+ Fix : vulnerability.Fix {
236+ Versions : []string {"0.35.0" },
237+ State : vulnerability .FixStateFixed ,
238+ },
239+ },
240+ Package : grypePkg.Package {
241+ Name : "foo" ,
242+ Type : pkg .GoModulePkg ,
243+ },
244+ Details : []match.Detail {
245+ {
246+ Type : match .CPEMatch ,
247+ Found : search.CPEResult {
248+ VersionConstraint : "< 0.35.0" ,
249+ },
250+ },
251+ },
252+ },
253+ expected : true ,
254+ },
255+ {
256+ name : "no version constraint for CPE" ,
257+ m : match.Match {
258+ Vulnerability : vulnerability.Vulnerability {
259+ Fix : vulnerability.Fix {
260+ Versions : []string {"0.35.0" },
261+ State : vulnerability .FixStateFixed ,
262+ },
263+ },
264+ Package : grypePkg.Package {
265+ Name : "foo" ,
266+ Type : pkg .GoModulePkg ,
267+ },
268+ Details : []match.Detail {
269+ {
270+ Type : match .CPEMatch ,
271+ Found : search.CPEResult {
272+ VersionConstraint : "none (unknown)" ,
273+ },
274+ },
275+ },
276+ },
277+ expected : false ,
278+ },
279+ {
280+ name : "no fixed version for CPE-based match" ,
281+ m : match.Match {
282+ Vulnerability : vulnerability.Vulnerability {
283+ Fix : vulnerability.Fix {
284+ State : vulnerability .FixStateNotFixed ,
285+ },
286+ },
287+ Package : grypePkg.Package {
288+ Name : "foo" ,
289+ Type : pkg .GoModulePkg ,
290+ },
291+ Details : []match.Detail {
292+ {
293+ Type : match .CPEMatch ,
294+ Found : search.CPEResult {
295+ VersionConstraint : "< 0.35.0" ,
296+ },
297+ },
298+ },
299+ },
300+ expected : false ,
301+ },
302+ {
303+ name : "bad fixed version for CPE-based match" ,
304+ m : match.Match {
305+ Vulnerability : vulnerability.Vulnerability {
306+ Fix : vulnerability.Fix {
307+ Versions : []string {"2025-03-03" },
308+ State : vulnerability .FixStateFixed ,
309+ },
310+ },
311+ Package : grypePkg.Package {
312+ Name : "foo" ,
313+ Type : pkg .GoModulePkg ,
314+ },
315+ Details : []match.Detail {
316+ {
317+ Type : match .CPEMatch ,
318+ Found : search.CPEResult {
319+ VersionConstraint : "< 2025-03-03" ,
320+ },
321+ },
322+ },
323+ },
324+ expected : false ,
325+ },
326+ }
327+
328+ for _ , tt := range cases {
329+ t .Run (tt .name , func (t * testing.T ) {
330+ allow , _ := shouldAllowMatch (tt .m )
331+
332+ if allow != tt .expected {
333+ t .Errorf ("got %t, want %t" , allow , tt .expected )
334+ }
335+ })
336+ }
337+ }
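Review bot: The second return value of shouldAllowMatch is discarded at `allow, _ := shouldAllowMatch(tt.m)`, so the three rejecting cases ("no version constraint for CPE", "no fixed version for CPE-based match", "bad fixed version for CPE-based match") never check why the match was dropped, and a regression that rejects for the wrong reason still passes. If that value is a reason string or error, add an expected field to the case struct and compare it, e.g. `allow, reason := shouldAllowMatch(tt.m)` followed by `if reason != tt.expectedReason { t.Errorf("got reason %q, want %q", reason, tt.expectedReason) }`; if it is something else, at least assert it is empty/nil in the allowed cases. Because this function suppresses vulnerability findings, I would also add a case where Details holds both a CPEMatch entry without a fix and a non-CPE entry, to pin down that a vulnerability with one legitimate match is not silently dropped because of a sibling CPE detail — every case here carries exactly one Detail. Note that shouldAllowMatch itself is defined outside this hunk, so its contract for the second value should be confirmed against the implementation.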