Hello!
I have a little question, to better understand the logic in RPM matching.
I have a finding (attached below) on a package named “dbus-libs”.
In the upstream’s version I see the version without the epoch (dbus), and in the package itself I see the version with the epoch.
My question is, where can I find the logic which trims the epoch (in grype), or how can we know if we can ignore this epoch while doing matching?
I’m trying to understand if I can relate the versions the same way, since the package dbus-libs is a transitive package of dbus \ we get the vulnerability using the upstream.
Thanks!
```json
"matchDetails": [
  {
    "type": "exact-direct-match",
    "matcher": "rpm-matcher",
    "searchedBy": {
      "distro": {
        "type": "amazonlinux",
        "version": "2"
      },
      "namespace": "amazon:distro:amazonlinux:2",
      "package": {
        "name": "dbus-libs",
        "version": "1:1.10.24-7.amzn2"
      }
    },
    "found": {
      "versionConstraint": "< 1.10.24-7.amzn2.0.3 (rpm)",
      "vulnerabilityID": "ALAS-2023-2006"
    }
  },
  {
    "type": "exact-indirect-match",
    "matcher": "rpm-matcher",
    "searchedBy": {
      "distro": {
        "type": "amazonlinux",
        "version": "2"
      },
      "namespace": "amazon:distro:amazonlinux:2",
      "package": {
        "name": "dbus",
        "version": "1.10.24-7.amzn2"
      }
    },
```
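The comparison the finding above turns on, as an added example in Go (not grype's code and not taken from the post): an rpm EVR comparison run over the finding's own values, once with plain rpm semantics (a missing epoch counts as 0, so `1:` makes the installed package newer than the fix) and once under the assumed rule that a one-sided epoch is ignored (then `7.amzn2` sorts before `7.amzn2.0.3` and the package is considered vulnerable). Which of the two rules grype applies is what the question asks; the lenient rule here is an assumption for illustration, and the tokeniser omits rpmvercmp's tilde/caret handling.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var tokenRe = regexp.MustCompile(`[0-9]+|[A-Za-z]+`) // rpmvercmp tokens; '.', '-', '_' are dropped
// rpmVerCmp mirrors rpmvercmp (no tilde/caret): digit runs as integers, letter runs lexically, digits beat letters, leftover segments win.
func rpmVerCmp(a, b string) int {
	as, bs := tokenRe.FindAllString(a, -1), tokenRe.FindAllString(b, -1)
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, y := strings.TrimLeft(as[i], "0"), strings.TrimLeft(bs[i], "0")
		if xd, yd := as[i][0] <= '9', bs[i][0] <= '9'; xd != yd {
			return -strings.Compare(as[i], bs[i]) // a digit run beats a letter run
		} else if xd && len(x) != len(y) {
			return len(x) - len(y) // more significant digits means a larger number
		}
		if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return len(as) - len(bs)
}
func splitEVR(s string) (epoch, ver, rel string) { // "[epoch:]version[-release]"; epoch is "" when absent
	if i := strings.Index(s, ":"); i >= 0 {
		epoch, s = s[:i], s[i+1:]
	}
	if i := strings.LastIndex(s, "-"); i >= 0 {
		return epoch, s[:i], s[i+1:]
	}
	return epoch, s, ""
}
// compareEVR: <0 means a is older than b, >0 newer. strictEpoch treats a missing epoch
// as 0 (plain rpm); otherwise the epoch counts only when both sides carry one (assumed rule).
func compareEVR(a, b string, strictEpoch bool) int {
	ea, va, ra := splitEVR(a)
	eb, vb, rb := splitEVR(b)
	if c := rpmVerCmp("0"+ea, "0"+eb); c != 0 && (strictEpoch || (ea != "" && eb != "")) {
		return c // prefixing "0" makes "" and "0" the same epoch
	}
	if c := rpmVerCmp(va, vb); c != 0 {
		return c
	}
	return rpmVerCmp(ra, rb)
}
func main() {
	pkg, fixed := "1:1.10.24-7.amzn2", "1.10.24-7.amzn2.0.3" // values from the finding
	fmt.Println(compareEVR(pkg, fixed, true) < 0, compareEVR(pkg, fixed, false) < 0) // false true
}
```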