fix: stabilize cpe sorting during collection sort (#3009)

anchore · Jul 9, 2024 · f7ffcc5 · f7ffcc5
1 parent b101f44
commit f7ffcc5
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/syft/cpe/by_source_then_specificity_test.go b/syft/cpe/by_source_then_specificity_test.go
@@ -64,6 +64,28 @@ func TestBySourceThenSpecificity(t *testing.T) {
 				Must("cpe:2.3:a:some:package:*:*:*:*:*:*:*:*", "some-unknown-source"),
 			},
 		},
+		{
+			name: "lexical sorting on equal sources puts escaped characters later",
+			input: []CPE{
+				Must("cpe:2.3:a:jenkins:pipeline\\\\:_supporting_apis:865.v43e78cc44e0d:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
+				Must("cpe:2.3:a:jenkins:pipeline_supporting_apis:865.v43e78cc44e0d:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
+			},
+			want: []CPE{
+				Must("cpe:2.3:a:jenkins:pipeline_supporting_apis:865.v43e78cc44e0d:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
+				Must("cpe:2.3:a:jenkins:pipeline\\\\:_supporting_apis:865.v43e78cc44e0d:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
+			},
+		},
+		{
+			name: "lexical sorting on equal sources puts more specific attributes earlier",
+			input: []CPE{
+				Must("cpe:2.3:a:jenkins:mailer:472.vf7c289a_4b_420:*:*:*:*:*:*:*", "nvd-cpe-dictionary"),
+				Must("cpe:2.3:a:jenkins:mailer:472.vf7c289a_4b_420:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
+			},
+			want: []CPE{
+				Must("cpe:2.3:a:jenkins:mailer:472.vf7c289a_4b_420:*:*:*:*:jenkins:*:*", "nvd-cpe-dictionary"),
+				Must("cpe:2.3:a:jenkins:mailer:472.vf7c289a_4b_420:*:*:*:*:*:*:*", "nvd-cpe-dictionary"),
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/syft/pkg/cataloger/internal/cpegenerate/generate.go b/syft/pkg/cataloger/internal/cpegenerate/generate.go
@@ -127,6 +127,7 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 		return []cpe.CPE{}, false
 	}
 
+	sort.Sort(cpe.BySourceThenSpecificity(parsedCPEs))
 	return parsedCPEs, true
 }
 
@@ -163,12 +164,12 @@ func FromPackageAttributes(p pkg.Package) []cpe.CPE {
 	// filter out any known combinations that don't accurately represent this package
 	cpes = filter(cpes, p, cpeFilters...)
 
-	sort.Sort(cpe.BySpecificity(cpes))
 	var result []cpe.CPE
 	for _, c := range cpes {
 		result = append(result, cpe.CPE{Attributes: c, Source: cpe.GeneratedSource})
 	}
 
+	sort.Sort(cpe.BySourceThenSpecificity(result))
 	return result
 }