anchore · tomersein · Aug 4, 2024 · Nov 20, 2024 · Aug 4, 2024 · Nov 25, 2024
diff --git a/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden b/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden
@@ -38,7 +38,8 @@
      },
      "found": {
       "constraint": ">= 20"
-     }
+     },
+     "suggestedFixedVersion": "the-next-version"
     }
    ],
    "artifact": {
@@ -103,7 +104,8 @@
      },
      "found": {
       "constraint": "somecpe"
-     }
+     },
+     "suggestedFixedVersion": ""
     }
    ],
    "artifact": {

diff --git a/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden b/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden
@@ -38,7 +38,8 @@
      },
      "found": {
       "constraint": ">= 20"
-     }
+     },
+     "suggestedFixedVersion": "the-next-version"
     }
    ],
    "artifact": {
@@ -103,7 +104,8 @@
      },
      "found": {
       "constraint": "somecpe"
-     }
+     },
+     "suggestedFixedVersion": ""
     }
    ],
    "artifact": {

diff --git a/grype/presenter/models/match.go b/grype/presenter/models/match.go
@@ -6,7 +6,9 @@ import (
 
 	"github.com/anchore/grype/grype/match"
 	"github.com/anchore/grype/grype/pkg"
+	"github.com/anchore/grype/grype/version"
 	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/anchore/grype/internal/log"
 )
 
 // Match is a single item for the JSON array reported
@@ -19,10 +21,11 @@ type Match struct {
 
 // MatchDetails contains all data that indicates how the result match was found
 type MatchDetails struct {
-	Type       string      `json:"type"`
-	Matcher    string      `json:"matcher"`
-	SearchedBy interface{} `json:"searchedBy"` // The specific attributes that were used to search (other than package name and version) --this indicates "how" the match was made.
-	Found      interface{} `json:"found"`      // The specific attributes on the vulnerability object that were matched with --this indicates "what" was matched on / within.
+	Type                  string      `json:"type"`
+	Matcher               string      `json:"matcher"`
+	SearchedBy            interface{} `json:"searchedBy"` // The specific attributes that were used to search (other than package name and version) --this indicates "how" the match was made.
+	Found                 interface{} `json:"found"`      // The specific attributes on the vulnerability object that were matched with --this indicates "what" was matched on / within.
+	SuggestedFixedVersion string      `json:"suggestedFixedVersion"`
 }
 
 func newMatch(m match.Match, p pkg.Package, metadataProvider vulnerability.MetadataProvider) (*Match, error) {
@@ -43,12 +46,14 @@ func newMatch(m match.Match, p pkg.Package, metadataProvider vulnerability.Metad
 	}
 
 	details := make([]MatchDetails, len(m.Details))
+	suggestedFixedVersion := calculateSuggestedFixedVersion(p, m.Vulnerability.Fix.Versions)
 	for idx, d := range m.Details {
 		details[idx] = MatchDetails{
-			Type:       string(d.Type),
-			Matcher:    string(d.Matcher),
-			SearchedBy: d.SearchedBy,
-			Found:      d.Found,
+			Type:                  string(d.Type),
+			Matcher:               string(d.Matcher),
+			SearchedBy:            d.SearchedBy,
+			Found:                 d.Found,
+			SuggestedFixedVersion: suggestedFixedVersion,
 		}
 	}
 
@@ -93,3 +98,59 @@ func (m MatchSort) Less(i, j int) bool {
 func (m MatchSort) Swap(i, j int) {
 	m[i], m[j] = m[j], m[i]
 }
+
+func calculateSuggestedFixedVersion(p pkg.Package, fixedVersions []string) string {
+	if len(fixedVersions) == 0 {
+		return ""
+	}
+
+	if len(fixedVersions) == 1 {
+		return fixedVersions[0]
+	}
+
+	format := version.FormatFromPkg(p)
+	parseConstraint := func(constStr string) (version.Constraint, error) {
+		constraint, err := version.GetConstraint(constStr, format)
+		if err != nil {
+			log.WithFields("package", p.Name).Trace("skipping sorting fixed versions")
+		}
+		return constraint, err
+	}
+
+	checkSatisfaction := func(constraint version.Constraint, v *version.Version) bool {
+		satisfied, err := constraint.Satisfied(v)
+		if err != nil {
+			log.WithFields("package", p.Name).Trace("error while checking version satisfaction for sorting")
+		}
+		return satisfied && err == nil
+	}
+
+	sort.SliceStable(fixedVersions, func(i, j int) bool {
+		v1, err1 := version.NewVersion(fixedVersions[i], format)
+		v2, err2 := version.NewVersion(fixedVersions[j], format)
+		if err1 != nil || err2 != nil {
+			log.WithFields("package", p.Name).Trace("error while parsing version for sorting")
+			return false
+		}
+
+		packageConstraint, err := parseConstraint(fmt.Sprintf("<=%s", p.Version))
+		if err != nil {
+			return false
+		}
+
+		v1Satisfied := checkSatisfaction(packageConstraint, v1)
+		v2Satisfied := checkSatisfaction(packageConstraint, v2)
+
+		if v1Satisfied != v2Satisfied {
+			return !v1Satisfied
+		}
+
+		internalConstraint, err := parseConstraint(fmt.Sprintf("<=%s", v1.Raw))
+		if err != nil {
+			return false
+		}
+		return !checkSatisfaction(internalConstraint, v2)
+	})
+
+	return fixedVersions[0]
+}