openvex: normalize Docker Hub aliases for repository_url matching (#3172)

---------
Signed-off-by: Lakshya Jain <lakshyajain1995@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

Author: jainlakshya

grype/vex/openvex/implementation.go

@@ -83,6 +83,30 @@ func productIdentifierFromVEX(doc *openvex.VEX) []string {
 	return products
 }
 
+func normalizeDockerHubRepositoryURL(repoURL string) string {
+	repoURL = strings.TrimSpace(repoURL)
+	if repoURL == "" {
+		return repoURL
+	}
+
+	repoURL = strings.TrimPrefix(repoURL, "https://")
+	repoURL = strings.TrimPrefix(repoURL, "http://")
+
+	repoURL = strings.TrimSuffix(repoURL, "/")
+
+	host, rest, hasSlash := strings.Cut(repoURL, "/")
+
+	switch strings.ToLower(host) {
+	case "docker.io", "index.docker.io", "registry-1.docker.io":
+		host = "index.docker.io"
+	}
+
+	if !hasSlash || rest == "" {
+		return host
+	}
+	return host + "/" + rest
+}
+
 func identifiersFromTags(tags []string, name string) []string {
 	identifiers := []string{}
 
@@ -130,11 +154,14 @@ func identifiersFromDigests(digests []string) []string {
 			fmt.Sprintf("/%s", name),
 		)
 
+		repoURL = normalizeDockerHubRepositoryURL(repoURL)
+
 		qMap := map[string]string{}
 
 		if repoURL != "" {
 			qMap["repository_url"] = repoURL
 		}
+
 		qs := packageurl.QualifiersFromMap(qMap)
 		identifiers = append(identifiers, packageurl.NewPackageURL(
 			"oci", "", name, shaString, qs, "",

grype/vex/openvex/implementation_test.go

@@ -1,8 +1,10 @@
 package openvex
 
 import (
+	"strings"
 	"testing"
 
+	"github.com/anchore/packageurl-go"
 	openvex "github.com/openvex/go-vex/pkg/vex"
 	"github.com/stretchr/testify/require"
 
@@ -413,3 +415,53 @@ func TestProductIdentifiersFromContext(t *testing.T) {
 		})
 	}
 }
+
+func TestIdentifiersFromDigests_NormalizesDockerHubRepositoryURL(t *testing.T) {
+	const hash = "124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"
+	const digest = "docker.io/library/alpine@sha256:" + hash
+
+	ids := identifiersFromDigests([]string{digest})
+
+	var repoURL string
+	for _, id := range ids {
+		if !strings.HasPrefix(id, "pkg:oci/") {
+			continue
+		}
+
+		p, err := packageurl.FromString(id)
+		require.NoError(t, err)
+
+		if p.Name == "alpine" && p.Version == "sha256:"+hash {
+			repoURL = p.Qualifiers.Map()["repository_url"]
+			break
+		}
+	}
+
+	require.NotEmpty(t, repoURL, "expected to find alpine purl in identifiers: %#v", ids)
+	require.Equal(t, "index.docker.io/library", repoURL)
+}
+
+func TestNormalizeDockerHubRepositoryURL(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected string
+	}{
+		{"docker.io/library", "index.docker.io/library"},
+		{"index.docker.io/library", "index.docker.io/library"},
+		{"registry-1.docker.io/library", "index.docker.io/library"},
+		{"https://docker.io/library", "index.docker.io/library"},
+		{"http://docker.io/library", "index.docker.io/library"},
+		{"gcr.io/myorg", "gcr.io/myorg"},
+		{"", ""},
+		{"DOCKER.IO/Library", "index.docker.io/Library"},
+		{"docker.io", "index.docker.io"},
+		{"docker.io/", "index.docker.io"},
+		{"  docker.io/library  ", "index.docker.io/library"},
+	}
+	for _, tc := range tests {
+		t.Run(tc.input, func(t *testing.T) {
+			got := normalizeDockerHubRepositoryURL(tc.input)
+			require.Equal(t, tc.expected, got)
+		})
+	}
+}