fix: select fixes based on constraints instead of any fix version

grype/search/version_constraint.go

@@ -65,18 +65,16 @@ func ByFixedVersion(v version.Version) vulnerability.Criteria {
 	return &funcCriteria{
 		func(vuln vulnerability.Vulnerability) (bool, string, error) {
 			var err error
-			if vuln.Fix.State != vulnerability.FixStateFixed {
+			if vuln.Fix.State != vulnerability.FixStateFixed || vuln.Constraint == nil {
 				return false, "", nil
 			}
-			for _, fixVersion := range vuln.Fix.Versions {
-				cmp, e := version.New(fixVersion, v.Format).Compare(&v)
-				if e != nil {
-					err = e
-				}
-				if cmp <= 0 {
-					// fix version is less than or equal to the provided version, so is considered fixed
-					return true, fmt.Sprintf("fix version %v is less than %v", v, fixVersion), err
-				}
+			constraintSatisified, err := vuln.Constraint.Satisfied(&v)
+			if err != nil {
+				return false, "", err
+			}
+			if !constraintSatisified {
+				// v does not fall within the vulnerable constraints
+				return true, "is fixed", err
 			}
 			return false, "", err
 		},

grype/search/version_constraint_test.go

@@ -112,9 +112,9 @@ func Test_ByFixedVersion(t *testing.T) {
 			name:    "fixed version is lower",
 			version: "1.1.0",
 			input: vulnerability.Vulnerability{
+				Constraint: version.MustGetConstraint("< 1.0.0", version.SemanticFormat),
 				Fix: vulnerability.Fix{
-					Versions: []string{"1.0.0"},
-					State:    vulnerability.FixStateFixed,
+					State: vulnerability.FixStateFixed,
 				},
 			},
 			matches: true,
@@ -123,9 +123,9 @@ func Test_ByFixedVersion(t *testing.T) {
 			name:    "fixed version is equal",
 			version: "1.1.0",
 			input: vulnerability.Vulnerability{
+				Constraint: version.MustGetConstraint("< 1.1.0", version.SemanticFormat),
 				Fix: vulnerability.Fix{
-					Versions: []string{"1.1.0"},
-					State:    vulnerability.FixStateFixed,
+					State: vulnerability.FixStateFixed,
 				},
 			},
 			matches: true,
@@ -134,9 +134,9 @@ func Test_ByFixedVersion(t *testing.T) {
 			name:    "one of multiple fix versions matches",
 			version: "1.1.0",
 			input: vulnerability.Vulnerability{
+				Constraint: version.MustGetConstraint(" < 1.0.0 || > 1.1.0, < 1.2.0", version.SemanticFormat),
 				Fix: vulnerability.Fix{
-					Versions: []string{"1.0.0", "1.2.0"},
-					State:    vulnerability.FixStateFixed,
+					State: vulnerability.FixStateFixed,
 				},
 			},
 			matches: true,
@@ -145,9 +145,9 @@ func Test_ByFixedVersion(t *testing.T) {
 			name:    "fixed version is higher",
 			version: "1.1.0",
 			input: vulnerability.Vulnerability{
+				Constraint: version.MustGetConstraint("< 1.2.0", version.SemanticFormat),
 				Fix: vulnerability.Fix{
-					Versions: []string{"1.2.0"},
-					State:    vulnerability.FixStateFixed,
+					State: vulnerability.FixStateFixed,
 				},
 			},
 			matches: false,