Merge branch 'main' into upgradable-bypass

Author: ashnamehrotra

pkg/patch/platform.go

@@ -83,7 +83,11 @@ func filterPlatforms(discoveredPlatforms []types.PatchPlatform, targetPlatforms
 		targetPlatform = platforms.Normalize(targetPlatform)
 
 		for _, discovered := range discoveredPlatforms {
-			if platforms.Only(targetPlatform).Match(discovered.Platform) {
+			// Use exact matching instead of platforms.Match to avoid cross-architecture matching
+			// This will prevent matching amd64 with 386 even though they're both x86 family
+			if targetPlatform.OS == discovered.OS &&
+				targetPlatform.Architecture == discovered.Architecture &&
+				targetPlatform.Variant == discovered.Variant {
 				filtered = append(filtered, discovered)
 				break
 			}

pkg/report/testdata/trivy_no_history.json

@@ -0,0 +1,26 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "quay.io/prometheus/alertmanager:v0.28.1",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "amd64"
+    }
+  },
+  "Results": [
+    {
+      "Target": "quay.io/prometheus/alertmanager:v0.28.1 (alpine 3.21.0)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2024-1234",
+          "PkgID": "libssl3@3.3.2-r4",
+          "PkgName": "libssl3",
+          "InstalledVersion": "3.3.2-r4",
+          "FixedVersion": "3.3.2-r5"
+        }
+      ]
+    }
+  ]
+}

pkg/report/trivy.go

@@ -348,13 +348,24 @@ func (t *TrivyParser) ParseWithLibraryPatchLevel(file, libraryPatchLevel string)
 	}
 
 	// Extract Node.js and Yarn versions from image history
-	nodeVersion, yarnVersion := extractVersionsFromImageHistory(report.Metadata.ImageConfig.History)
+	var nodeVersion, yarnVersion string
+	if report.Metadata.ImageConfig.History != nil {
+		nodeVersion, yarnVersion = extractVersionsFromImageHistory(report.Metadata.ImageConfig.History)
+	}
+
+	// Initialize OS metadata with safe defaults
+	osType := ""
+	osVersion := ""
+	if report.Metadata.OS != nil {
+		osType = string(report.Metadata.OS.Family)
+		osVersion = report.Metadata.OS.Name
+	}
 
 	updates := unversioned.UpdateManifest{
 		Metadata: unversioned.Metadata{
 			OS: unversioned.OS{
-				Type:    string(report.Metadata.OS.Family),
-				Version: report.Metadata.OS.Name,
+				Type:    osType,
+				Version: osVersion,
 			},
 			Config: unversioned.Config{
 				Arch:    report.Metadata.ImageConfig.Architecture,

pkg/report/trivy_test.go

@@ -798,3 +798,50 @@ func TestTrivyParserParseWithNodeJS(t *testing.T) {
 		})
 	}
 }
+
+// TestTrivyParserParseNoHistory tests that the parser handles reports without ImageConfig.History gracefully.
+func TestTrivyParserParseNoHistory(t *testing.T) {
+	tests := []struct {
+		name            string
+		file            string
+		wantOSUpdates   int
+		wantLangUpdates int
+		wantErr         bool
+	}{
+		{
+			name:            "Trivy report without ImageConfig.History",
+			file:            "testdata/trivy_no_history.json",
+			wantOSUpdates:   1,
+			wantLangUpdates: 0,
+			wantErr:         false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			parser := &TrivyParser{}
+			manifest, err := parser.Parse(tc.file)
+
+			if tc.wantErr {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.NotNil(t, manifest)
+			assert.Equal(t, tc.wantOSUpdates, len(manifest.OSUpdates))
+			assert.Equal(t, tc.wantLangUpdates, len(manifest.LangUpdates))
+
+			// Validate that NodeVersion and YarnVersion are empty when no History is present
+			assert.Empty(t, manifest.Metadata.NodeVersion, "NodeVersion should be empty when ImageConfig.History is nil")
+			assert.Empty(t, manifest.Metadata.YarnVersion, "YarnVersion should be empty when ImageConfig.History is nil")
+
+			// Validate the OS update
+			if tc.wantOSUpdates > 0 {
+				assert.Equal(t, "libssl3", manifest.OSUpdates[0].Name)
+				assert.Equal(t, "3.3.2-r4", manifest.OSUpdates[0].InstalledVersion)
+				assert.Equal(t, "3.3.2-r5", manifest.OSUpdates[0].FixedVersion)
+			}
+		})
+	}
+}