fix(apk): find secdb entries for origin packages

Signed-off-by: Dan Luhring <[email protected]>
anchore · Jan 24, 2024 · 8ab6e16 · 8ab6e16
1 parent 636248d
commit 8ab6e16
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/grype/matcher/apk/matcher.go b/grype/matcher/apk/matcher.go
@@ -58,6 +58,13 @@ func (m *Matcher) cpeMatchesWithoutSecDBFixes(store vulnerability.Provider, d *d
  if err != nil {
  return nil, err
  }
+ for _, upstreamPkg := range pkg.UpstreamPackages(p) {
+ secDBVulnerabilitiesForUpstream, err := store.GetByDistro(d, upstreamPkg)
+ if err != nil {
+ return nil, err
+ }
+ secDBVulnerabilities = append(secDBVulnerabilities, secDBVulnerabilitiesForUpstream...)
+ }
 
  secDBVulnerabilitiesByID := vulnerabilitiesByID(secDBVulnerabilities)