remove pURL related processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

go.mod

@@ -8,7 +8,6 @@ require (
 	github.com/alicebob/sqlittle v1.4.0
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
-	github.com/anchore/packageurl-go v0.0.0-20210922164639-b3fa992ebd29
 	github.com/anchore/stereoscope v0.0.0-20220110181730-c91cf94a3718
 	github.com/anchore/syft v0.36.1-0.20220126161937-9f7104d4f194
 	github.com/bmatcuk/doublestar/v2 v2.0.4

grype/matcher/apk/matcher.go

@@ -159,7 +159,7 @@ func (m *Matcher) findApkPackage(store vulnerability.Provider, d *distro.Distro,
 func (m *Matcher) matchBySourceIndirection(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
 	var matches []match.Match
 
-	for indirectPackage := range pkg.UpstreamPackages(p) {
+	for _, indirectPackage := range pkg.UpstreamPackages(p) {
 		indirectMatches, err := m.findApkPackage(store, d, indirectPackage)
 		if err != nil {
 			return nil, fmt.Errorf("failed to find vulnerabilities for apk upstream source package: %w", err)

grype/matcher/dpkg/matcher.go

@@ -43,7 +43,7 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa
 func (m *Matcher) matchUpstreamPackages(store vulnerability.ProviderByDistro, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
 	var matches []match.Match
 
-	for indirectPackage := range pkg.UpstreamPackages(p) {
+	for _, indirectPackage := range pkg.UpstreamPackages(p) {
 		indirectMatches, err := search.ByPackageDistro(store, d, indirectPackage, m.Type())
 		if err != nil {
 			return nil, fmt.Errorf("failed to find vulnerabilities for dpkg upstream source package: %w", err)

grype/matcher/rpmdb/matcher.go

@@ -107,7 +107,7 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa
 func (m *Matcher) matchUpstreamPackages(store vulnerability.ProviderByDistro, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
 	var matches []match.Match
 
-	for indirectPackage := range pkg.UpstreamPackages(p) {
+	for _, indirectPackage := range pkg.UpstreamPackages(p) {
 		indirectMatches, err := search.ByPackageDistro(store, d, indirectPackage, m.Type())
 		if err != nil {
 			return nil, fmt.Errorf("failed to find vulnerabilities for rpm upstream source package: %w", err)

grype/pkg/package.go

@@ -3,8 +3,6 @@ package pkg
 import (
 	"fmt"
 	"regexp"
-	"strconv"
-	"strings"
 
 	"github.com/anchore/grype/internal"
 	"github.com/anchore/grype/internal/log"
@@ -93,51 +91,10 @@ func dataFromPkg(p pkg.Package) (MetadataType, interface{}, []UpstreamPackage) {
 		}
 	case pkg.ApkMetadataType:
 		upstreams = apkDataFromPkg(p)
-	case "":
-		// let's try to extract matching-specific information from additional sources other than syft json shapes.
-
-		// TODO: add java cases here
-		switch p.Type {
-		case pkg.ApkPkg:
-			upstreams = apkDataFromPURL(p.PURL)
-		case pkg.DebPkg:
-			upstreams = dpkgDataFromPURL(p.PURL)
-		case pkg.RpmPkg:
-			m, u := rpmdbDataFromPURL(p.PURL)
-			upstreams = u
-			if m != nil {
-				metadata = *m
-				metadataType = RpmdbMetadataType
-			}
-		}
 	}
 	return metadataType, metadata, upstreams
 }
 
-func dpkgDataFromPURL(p string) (upstreams []UpstreamPackage) {
-	qualifiers := getPURLQualifiers(p)
-	upstream := qualifiers[purlUpstreamQualifier]
-	if upstream == "" {
-		return nil
-	}
-
-	var sourceVersion string
-	src := upstream
-
-	fields := strings.SplitN(upstream, "@", 2)
-	if len(fields) > 1 {
-		src = fields[0]
-		sourceVersion = fields[1]
-	}
-
-	return []UpstreamPackage{
-		{
-			Name:    src,
-			Version: sourceVersion,
-		},
-	}
-}
-
 func dpkgDataFromPkg(p pkg.Package) (upstreams []UpstreamPackage) {
 	if value, ok := p.Metadata.(pkg.DpkgMetadata); ok {
 		if value.Source != "" {
@@ -175,31 +132,6 @@ func rpmdbDataFromPkg(p pkg.Package) (metadata *RpmdbMetadata, upstreams []Upstr
 	return metadata, upstreams
 }
 
-func rpmdbDataFromPURL(p string) (meta *RpmdbMetadata, upstreams []UpstreamPackage) {
-	qualifiers := getPURLQualifiers(p)
-	upstream := qualifiers[purlUpstreamQualifier]
-	epoch := qualifiers[purlEpochQualifier]
-
-	if epoch != "" {
-		value, err := strconv.Atoi(epoch)
-		if err != nil {
-			log.Warnf("unable to parse RPM epoch=%q: %+v")
-		} else {
-			meta = &RpmdbMetadata{Epoch: &value}
-		}
-	}
-
-	if upstream != "" {
-		name, version := getNameAndELVersion(upstream)
-		upstreams = append(upstreams, UpstreamPackage{
-			Name:    name,
-			Version: version,
-		})
-	}
-
-	return meta, upstreams
-}
-
 func getNameAndELVersion(sourceRpm string) (string, string) {
 	groupMatches := internal.MatchCaptureGroups(rpmPackageNamePattern, sourceRpm)
 	version := groupMatches["version"] + "-" + groupMatches["release"]
@@ -231,17 +163,6 @@ func javaDataFromPkg(p pkg.Package) (metadata *JavaMetadata) {
 	return metadata
 }
 
-func apkDataFromPURL(p string) (upstreams []UpstreamPackage) {
-	qualifiers := getPURLQualifiers(p)
-	upstream := qualifiers[purlUpstreamQualifier]
-	if upstream != "" {
-		upstreams = append(upstreams, UpstreamPackage{
-			Name: upstream,
-		})
-	}
-	return upstreams
-}
-
 func apkDataFromPkg(p pkg.Package) (upstreams []UpstreamPackage) {
 	if value, ok := p.Metadata.(pkg.ApkMetadata); ok {
 		if value.OriginPackage != "" {

grype/pkg/package_test.go

@@ -49,31 +49,6 @@ func TestNew(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "dpkg with source info in purl",
-			syftPkg: syftPkg.Package{
-				Type: syftPkg.DebPkg,
-				PURL: "pkg:deb/debian/p@v?upstream=source-info&distro=debian-11",
-			},
-			upstreams: []UpstreamPackage{
-				{
-					Name: "source-info",
-				},
-			},
-		},
-		{
-			name: "dpkg with source info in purl + version",
-			syftPkg: syftPkg.Package{
-				Type: syftPkg.DebPkg,
-				PURL: "pkg:deb/debian/p@v?upstream=source-info@2.3&distro=debian-11",
-			},
-			upstreams: []UpstreamPackage{
-				{
-					Name:    "source-info",
-					Version: "2.3",
-				},
-			},
-		},
 		{
 			name: "rpmdb with source info",
 			syftPkg: syftPkg.Package{
@@ -124,29 +99,6 @@ func TestNew(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "rpmdb with source info in purl",
-			syftPkg: syftPkg.Package{
-				Type: syftPkg.RpmPkg,
-				PURL: "pkg:rpm/rhel/libcrypto@0.9.2-1?upstream=openssl-0.9.2-1.src.rpm&distro=rhel-8.4",
-			},
-			upstreams: []UpstreamPackage{
-				{
-					Name:    "openssl",
-					Version: "0.9.2-1",
-				},
-			},
-		},
-		{
-			name: "rpmdb with epoch in purl",
-			syftPkg: syftPkg.Package{
-				Type: syftPkg.RpmPkg,
-				PURL: "pkg:rpm/rhel/libcrypto@0.9.2-1?epoch=30&distro=rhel-8.4",
-			},
-			metadata: RpmdbMetadata{
-				Epoch: intRef(30),
-			},
-		},
 		{
 			name: "java pkg",
 			syftPkg: syftPkg.Package{
@@ -208,18 +160,6 @@ func TestNew(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "apk with source info in purl",
-			syftPkg: syftPkg.Package{
-				Type: syftPkg.ApkPkg,
-				PURL: "pkg:alpine/p@v?arch=a&upstream=origin&distro=alpine-3.4.6",
-			},
-			upstreams: []UpstreamPackage{
-				{
-					Name: "origin",
-				},
-			},
-		},
 		// the below packages are those that have no metadata or upstream info to parse out
 		{
 			name: "npm-metadata",

grype/pkg/upstream_package.go

@@ -12,47 +12,42 @@ type UpstreamPackage struct {
 	Version string // the version of the package
 }
 
-func UpstreamPackages(p Package) <-chan Package {
-	ret := make(chan Package)
-	go func() {
-		defer close(ret)
+func UpstreamPackages(p Package) (pkgs []Package) {
+	original := p
+	for _, u := range p.Upstreams {
+		tmp := original
 
-		original := p
-		for _, u := range p.Upstreams {
-			tmp := original
+		if u.Name == "" {
+			continue
+		}
 
-			if u.Name == "" {
-				continue
-			}
+		tmp.Name = u.Name
+		if u.Version != "" {
+			tmp.Version = u.Version
+		}
+		tmp.Upstreams = nil
 
-			tmp.Name = u.Name
+		// for each cpe, replace pkg name with origin and add to set
+		cpeStrings := strset.New()
+		for _, cpe := range tmp.CPEs {
 			if u.Version != "" {
-				tmp.Version = u.Version
+				cpe.Version = u.Version
 			}
-			tmp.Upstreams = nil
 
-			// for each cpe, replace pkg name with origin and add to set
-			cpeStrings := strset.New()
-			for _, cpe := range tmp.CPEs {
-				if u.Version != "" {
-					cpe.Version = u.Version
-				}
+			updatedCPEString := strings.ReplaceAll(cpe.BindToFmtString(), p.Name, u.Name)
 
-				updatedCPEString := strings.ReplaceAll(cpe.BindToFmtString(), p.Name, u.Name)
-
-				cpeStrings.Add(updatedCPEString)
-			}
-
-			// with each entry in set, convert string to CPE and update the new CPEs
-			var updatedCPEs []pkg.CPE
-			for _, cpeString := range cpeStrings.List() {
-				updatedCPE, _ := pkg.NewCPE(cpeString)
-				updatedCPEs = append(updatedCPEs, updatedCPE)
-			}
-			tmp.CPEs = updatedCPEs
+			cpeStrings.Add(updatedCPEString)
+		}
 
-			ret <- tmp
+		// with each entry in set, convert string to CPE and update the new CPEs
+		var updatedCPEs []pkg.CPE
+		for _, cpeString := range cpeStrings.List() {
+			updatedCPE, _ := pkg.NewCPE(cpeString)
+			updatedCPEs = append(updatedCPEs, updatedCPE)
 		}
-	}()
-	return ret
+		tmp.CPEs = updatedCPEs
+
+		pkgs = append(pkgs, tmp)
+	}
+	return pkgs
 }

grype/pkg/upstream_package_test.go

@@ -94,7 +94,7 @@ func TestUpstreamPackages(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var actual []Package
-			for upstream := range UpstreamPackages(tt.pkg) {
+			for _, upstream := range UpstreamPackages(tt.pkg) {
 				actual = append(actual, upstream)
 			}
 			assert.Equalf(t, tt.expected, actual, "UpstreamPackages(%v)", tt.pkg)