
feat: integrate RapidFort advisory matching for their curated images#3327

Open
vaibhav-rf wants to merge 4 commits into anchore:main from vaibhav-rf:feat/add-rapidfort-advisories

Conversation

@vaibhav-rf

Summary

Adds a dedicated RapidFort matcher that activates when the scanned image carries
a maintainer=RapidFort* Docker label. RapidFort advisories are stored under
rapidfort-{os}:{version} namespaces (e.g. rapidfort-ubuntu:20.04) — fully
isolated from standard distro scans so non-RF images are never affected.

Supported base distros: Ubuntu (dpkg), Alpine (apk), Red Hat (rpm).

Changes

New: grype/matcher/rapidfort/

| File | Purpose |
|---|---|
| matcher.go | Core matcher: upstream + binary lookups, RPM release-identifier filtering, already-fixed suppression, dedup |
| label.go | IsRapidFortImage — detects RF-curated images via maintainer label |
| matcher_test.go | Unit tests: release identifier detection, RPM release matching, distro version mapping, already-fixed filter |
| label_test.go | IsRapidFortImage edge cases: nil source, non-image, case-insensitive key/value |

Modified: existing packages

| File | Change |
|---|---|
| grype/matcher/matchers.go | ApplySelectionPolicy replaces dpkg/apk/rpm matchers with RapidFortMatcher for RF images; Java/stock matchers are preserved |
| grype/matcher/matchers_test.go | Tests for selection policy: RF image, non-RF image, no source |
| grype/match/matcher_type.go | Register RapidFortMatcher type (excluded from AllMatcherTypes — it is a conditional override) |
| grype/distro/type.go | Add RapidFortUbuntu, RapidFortAlpine, RapidFortRedHat distro types with IDMapping entries |
| grype/db/internal/provider/unmarshal/os_vulnerability.go | Add Identifier field to OSFixedIn for per-release RPM advisory routing |
| grype/db/v6/build/transformers/os/transform.go | getPackageType maps RF distros; getFix emits release-identifier advisory references from Identifier field |

Test fixtures

| File | Purpose |
|---|---|
| test-fixtures/rapidfort-ubuntu-20.04.json | Transform test: Ubuntu dpkg advisory with VulnerableRange and fix availability |
| test-fixtures/rapidfort-redhat-9.json | Transform test: Red Hat rpm advisory with el9 (unfixed) and fc36 (fixed) entries |

Design notes

Namespace isolation — The RF matcher queries rapidfort-{os}:{version} namespaces
that vunnel emits exclusively for RF advisories. Standard distro matchers (dpkg/apk/rpm)
never see these namespaces, so there is zero cross-contamination.

RPM release-identifier routing — Red Hat advisories carry per-release Identifier
fields (e.g. el9, fc36). The matcher derives the installed release from the package
version suffix (.el9, .fc41, .rf) and filters to advisories with a matching
release-identifier:* advisory reference. Unknown release identifiers fall back to
matching el* advisories.

Matcher activation — ApplySelectionPolicy in matchers.go checks
IsRapidFortImage and, when true, replaces dpkg/apk/rpm matchers with a single
RapidFortMatcher. This avoids double-reporting and keeps RF advisory logic
self-contained.

Test plan

  • go test ./grype/matcher/rapidfort/... — all matcher and label tests pass
  • go test ./grype/matcher/... — selection policy tests pass
  • go test ./grype/db/v6/build/transformers/os/... — transform tests pass for both RF fixtures
  • go test ./grype/distro/... — distro type registration passes
  • Scan a RapidFort-curated image: verify rapidfort-matcher appears in match details
  • Scan a non-RapidFort image: verify rapidfort-matcher is absent from match details

- Add ApplySelectionPolicy to decide matchers from scan context
- For RF-curated images: replace dpkg/apk with rapidfort matcher
- For non-RF sources: keep default matchers unchanged
- Remove RapidFort imports from root.go; pass pkgContext into getMatchers
- Reuse a single rapidfort matcher instance for both dpkg and apk
- Add tests for nil context, non-RF image, and RF image
- Register rapidfort-redhat distro and wire RapidFort matcher
- Parse OS FixedIn Identifier; v6 transform: release-identifier refs with
  vendor advisory URL when present
- Add rapidfort-redhat-9 transform fixture and matcher unit tests

Binary lookups were incorrectly labeled ExactIndirectMatch; pass
match.Type explicitly so binary path reports ExactDirectMatch.

Add TestIsRapidFortImage (nil, non-image, case-insensitive key/value,
non-RF label) and Alpine case in TestRapidfortDistroVersion.

Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com>
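The RPM release-identifier routing from the design notes (derive the installed release from the version suffix, keep advisories with a matching release-identifier reference, fall back to el* for tags with no advisory family), as an added Go example that is not code from this PR or from grype; the Advisory type, the exact suffix regex and the sample records are constructed assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// Advisory is a constructed stand-in for a vulnerability record; the
// "release-identifier:<id>" reference string is the convention the PR describes.
type Advisory struct {
	ID         string
	References []string
}

// releaseSuffix captures an RPM release tag (.el9, .fc41, .rf) in a version string.
var releaseSuffix = regexp.MustCompile(`\.(el\d+|fc\d+|rf)(?:[._]|$)`)

// InstalledRelease derives the release identifier from a package version such as
// "1.2.3-4.el9" or "2.0-1.fc41.x86_64"; it returns "" when no tag is present.
func InstalledRelease(version string) string {
	if m := releaseSuffix.FindStringSubmatch(version); m != nil {
		return m[1]
	}
	return ""
}

// FilterByRelease keeps advisories whose release-identifier reference matches the
// installed release. A tag with no advisory family of its own (".rf", or no tag)
// falls back to el* advisories, as the PR's design notes describe.
func FilterByRelease(version string, advs []Advisory) []Advisory {
	rel := InstalledRelease(version)
	fallback := !strings.HasPrefix(rel, "el") && !strings.HasPrefix(rel, "fc")
	var keep []Advisory
	for _, a := range advs {
		for _, ref := range a.References {
			if !strings.HasPrefix(ref, "release-identifier:") {
				continue // not a release-scoped reference; ignore for routing
			}
			id := strings.TrimPrefix(ref, "release-identifier:")
			if id == rel || (fallback && strings.HasPrefix(id, "el")) {
				keep = append(keep, a)
				break // one matching reference is enough; avoid duplicates
			}
		}
	}
	return keep
}
```

A known tag with no matching advisory (for example .fc41 against an el9/fc36 set) yields nothing rather than falling back, which is the behaviour that keeps the fallback from widening matches for releases the data does cover.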
@willmurphyscode

Hi @vaibhav-rf is there a publicly pullable test image I can try this out on?
