From a1d3fbf66f86c895bf4671f249477fd6619dd868 Mon Sep 17 00:00:00 2001
From: Kota Kanbe
Date: Mon, 17 Apr 2023 09:21:30 +0900
Subject: [PATCH] fix(scan): false positives in Debian Pkg for CVE-IDs already detected by Trivy (#1639)

* fix(scan): false positives in Debian Pkg for CVE-IDs already detected by Trivy
* fix
* Add detectionMethod only when detected by gost
---
 gost/debian.go | 52 ++++++++++++++++++++++++--------------------------
 1 file changed, 25 insertions(+), 27 deletions(-)

diff --git a/gost/debian.go b/gost/debian.go
index d7197217..b104a5b0 100644
--- a/gost/debian.go
+++ b/gost/debian.go
@@ -160,42 +160,39 @@ func (deb Debian) detectCVEsWithFixState(r *models.ScanResult, fixStatus string)
 					v.CveContents = models.NewCveContents(cve)
 				} else {
 					v.CveContents[models.DebianSecurityTracker] = []models.CveContent{cve}
-					v.Confidences = models.Confidences{models.DebianSecurityTrackerMatch}
 				}
 			} else {
 				v = models.VulnInfo{
 					CveID:       cve.CveID,
 					CveContents: models.NewCveContents(cve),
-					Confidences: models.Confidences{models.DebianSecurityTrackerMatch},
 				}
-
-				if fixStatus == "resolved" {
-					versionRelease := ""
-					if p.isSrcPack {
-						versionRelease = r.SrcPackages[p.packName].Version
-					} else {
-						versionRelease = r.Packages[p.packName].FormatVer()
-					}
-
-					if versionRelease == "" {
-						break
-					}
-
-					affected, err := isGostDefAffected(versionRelease, p.fixes[i].FixedIn)
-					if err != nil {
-						logging.Log.Debugf("Failed to parse versions: %s, Ver: %s, Gost: %s",
-							err, versionRelease, p.fixes[i].FixedIn)
-						continue
-					}
-
-					if !affected {
-						continue
-					}
-				}
-
 				nCVEs++
 			}
 
+			if fixStatus == "resolved" {
+				versionRelease := ""
+				if p.isSrcPack {
+					versionRelease = r.SrcPackages[p.packName].Version
+				} else {
+					versionRelease = r.Packages[p.packName].FormatVer()
+				}
+
+				if versionRelease == "" {
+					break
+				}
+
+				affected, err := isGostDefAffected(versionRelease, p.fixes[i].FixedIn)
+				if err != nil {
+					logging.Log.Debugf("Failed to parse versions: %s, Ver: %s, Gost: %s",
+						err, versionRelease, p.fixes[i].FixedIn)
+					continue
+				}
+
+				if !affected {
+					continue
+				}
+			}
+
 			names := []string{}
 			if p.isSrcPack {
 				if srcPack, ok := r.SrcPackages[p.packName]; ok {
@@ -230,6 +227,7 @@ func (deb Debian) detectCVEsWithFixState(r *models.ScanResult, fixStatus string)
 				}
 			}
 
+			v.Confidences.AppendIfMissing(models.DebianSecurityTrackerMatch)
 			r.ScannedCves[cve.CveID] = v
 		}
 	}
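Review bot: The new side still mutates the existing entry's CveContents before the version check decides whether the CVE applies: `v.CveContents[models.DebianSecurityTracker] = []models.CveContent{cve}` at the top of the hunk writes into a map, so if `v` was read out of `r.ScannedCves` by value (the lookup is above the hunk) that Debian Security Tracker content is already visible in the stored entry even when the later `continue` skips the write-back and the confidence. Likewise `nCVEs++` in the new-entry branch now runs before `if !affected { continue }`, so the returned count includes CVEs that are never stored, whereas the removed code ran the check first. Consider hoisting the `if fixStatus == "resolved"` block ahead of the ScannedCves lookup and the CveContents assignment, and incrementing `nCVEs` only after it passes. The enclosing detectCVEsWithFixState starts before and ends after this hunk.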
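Review bot: `v.Confidences.AppendIfMissing(models.DebianSecurityTrackerMatch)` discards any return value, so the confidence is only recorded if AppendIfMissing has a pointer receiver on models.Confidences and appends in place; its definition is not in this patch, so please confirm, otherwise the line needs the form `v.Confidences = v.Confidences.AppendIfMissing(models.DebianSecurityTrackerMatch)`. Since this runs for both the pre-existing entry and the freshly created one, a short comment would help the next reader, e.g. `// Tag the Debian Security Tracker match without overwriting confidences set by other detectors (e.g. Trivy).` The enclosing function continues outside this hunk.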