feat: add config for handling missing epochs on package versions (#2976)

Add config to RPM and DPKG matcher for handling of missing package epochs.

Both RPMs and DPKGs (debs) can have an epoch in the version number, but this
epoch is often omitted from user facing tools. Add the capacity to configure
grype's matching behavior when the epoch is missing to two options:

- "zero": assume that the missing epoch is "0"
- "auto": assume that the missing epoch matches the vulnerability in question

So for example if given package version 2.0.0 and no epoch, and vuln with
constraint < 1:1.5.0 (epoch 1) the configs result in:

- "zero": 2.0.0 becomes "0:2.0.0" which is less than 1:1.5.0
- "auto": drops the epoch on both sides, so 2.0.0 > 1.5.0

When not specified, these config values default to the behavior grype had
previously, which is "zero" in the DPKG matcher and "auto" in the RPM matcher.
This difference in defaults should be revisited before 1.0.

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

Author: willmurphyscode

cmd/grype/cli/commands/root.go

@@ -19,10 +19,12 @@ import (
 	"github.com/anchore/grype/grype/match"
 	"github.com/anchore/grype/grype/matcher"
 	"github.com/anchore/grype/grype/matcher/dotnet"
+	"github.com/anchore/grype/grype/matcher/dpkg"
 	"github.com/anchore/grype/grype/matcher/golang"
 	"github.com/anchore/grype/grype/matcher/java"
 	"github.com/anchore/grype/grype/matcher/javascript"
 	"github.com/anchore/grype/grype/matcher/python"
+	"github.com/anchore/grype/grype/matcher/rpm"
 	"github.com/anchore/grype/grype/matcher/ruby"
 	"github.com/anchore/grype/grype/matcher/stock"
 	"github.com/anchore/grype/grype/pkg"
@@ -323,25 +325,33 @@ func checkForAppUpdate(id clio.Identification, opts *options.Grype) {
 	}
 }
 
-func getMatchers(opts *options.Grype) []match.Matcher {
-	return matcher.NewDefaultMatchers(
-		matcher.Config{
-			Java: java.MatcherConfig{
-				ExternalSearchConfig: opts.ExternalSources.ToJavaMatcherConfig(),
-				UseCPEs:              opts.Match.Java.UseCPEs,
-			},
-			Ruby:       ruby.MatcherConfig(opts.Match.Ruby),
-			Python:     python.MatcherConfig(opts.Match.Python),
-			Dotnet:     dotnet.MatcherConfig(opts.Match.Dotnet),
-			Javascript: javascript.MatcherConfig(opts.Match.Javascript),
-			Golang: golang.MatcherConfig{
-				UseCPEs:                                opts.Match.Golang.UseCPEs,
-				AlwaysUseCPEForStdlib:                  opts.Match.Golang.AlwaysUseCPEForStdlib,
-				AllowMainModulePseudoVersionComparison: opts.Match.Golang.AllowMainModulePseudoVersionComparison,
-			},
-			Stock: stock.MatcherConfig(opts.Match.Stock),
+func getMatcherConfig(opts *options.Grype) matcher.Config {
+	return matcher.Config{
+		Java: java.MatcherConfig{
+			ExternalSearchConfig: opts.ExternalSources.ToJavaMatcherConfig(),
+			UseCPEs:              opts.Match.Java.UseCPEs,
 		},
-	)
+		Ruby:       ruby.MatcherConfig(opts.Match.Ruby),
+		Python:     python.MatcherConfig(opts.Match.Python),
+		Dotnet:     dotnet.MatcherConfig(opts.Match.Dotnet),
+		Javascript: javascript.MatcherConfig(opts.Match.Javascript),
+		Golang: golang.MatcherConfig{
+			UseCPEs:                                opts.Match.Golang.UseCPEs,
+			AlwaysUseCPEForStdlib:                  opts.Match.Golang.AlwaysUseCPEForStdlib,
+			AllowMainModulePseudoVersionComparison: opts.Match.Golang.AllowMainModulePseudoVersionComparison,
+		},
+		Stock: stock.MatcherConfig(opts.Match.Stock),
+		Rpm: rpm.MatcherConfig{
+			MissingEpochStrategy: opts.Match.Rpm.MissingEpochStrategy,
+		},
+		Dpkg: dpkg.MatcherConfig{
+			MissingEpochStrategy: opts.Match.Dpkg.MissingEpochStrategy,
+		},
+	}
+}
+
+func getMatchers(opts *options.Grype) []match.Matcher {
+	return matcher.NewDefaultMatchers(getMatcherConfig(opts))
 }
 
 func getProviderConfig(opts *options.Grype) pkg.ProviderConfig {

cmd/grype/cli/commands/root_test.go

@@ -12,6 +12,16 @@ import (
 	"github.com/anchore/grype/cmd/grype/cli/options"
 	"github.com/anchore/grype/grype/distro"
 	"github.com/anchore/grype/grype/match"
+	"github.com/anchore/grype/grype/matcher"
+	"github.com/anchore/grype/grype/matcher/dotnet"
+	"github.com/anchore/grype/grype/matcher/dpkg"
+	"github.com/anchore/grype/grype/matcher/golang"
+	"github.com/anchore/grype/grype/matcher/java"
+	"github.com/anchore/grype/grype/matcher/javascript"
+	"github.com/anchore/grype/grype/matcher/python"
+	"github.com/anchore/grype/grype/matcher/rpm"
+	"github.com/anchore/grype/grype/matcher/ruby"
+	"github.com/anchore/grype/grype/matcher/stock"
 	"github.com/anchore/grype/grype/pkg"
 	"github.com/anchore/grype/grype/version"
 	vexStatus "github.com/anchore/grype/grype/vex/status"
@@ -74,6 +84,123 @@ func Test_getProviderConfig(t *testing.T) {
 	}
 }
 
+func Test_getMatcherConfig(t *testing.T) {
+	tests := []struct {
+		name string
+		opts *options.Grype
+		want matcher.Config
+	}{
+		{
+			name: "default options",
+			opts: options.DefaultGrype(clio.Identification{
+				Name:    "test",
+				Version: "1.0",
+			}),
+			want: matcher.Config{
+				Java: java.MatcherConfig{
+					ExternalSearchConfig: java.ExternalSearchConfig{
+						SearchMavenUpstream: false,
+						MavenBaseURL:        "https://search.maven.org/solrsearch/select",
+						MavenRateLimit:      300000000, // 300ms in nanoseconds
+					},
+					UseCPEs: false,
+				},
+				Ruby:       ruby.MatcherConfig{},
+				Python:     python.MatcherConfig{},
+				Dotnet:     dotnet.MatcherConfig{},
+				Javascript: javascript.MatcherConfig{},
+				Golang: golang.MatcherConfig{
+					UseCPEs:                                false,
+					AlwaysUseCPEForStdlib:                  true,
+					AllowMainModulePseudoVersionComparison: false,
+				},
+				Stock: stock.MatcherConfig{UseCPEs: true},
+				Rpm: rpm.MatcherConfig{
+					MissingEpochStrategy: "auto",
+				},
+				Dpkg: dpkg.MatcherConfig{
+					MissingEpochStrategy: "zero",
+				},
+			},
+		},
+		{
+			name: "rpm missing-epoch-strategy set to zero",
+			opts: func() *options.Grype {
+				opts := options.DefaultGrype(clio.Identification{Name: "test", Version: "1.0"})
+				opts.Match.Rpm.MissingEpochStrategy = "zero"
+				return opts
+			}(),
+			want: matcher.Config{
+				Java: java.MatcherConfig{
+					ExternalSearchConfig: java.ExternalSearchConfig{
+						SearchMavenUpstream: false,
+						MavenBaseURL:        "https://search.maven.org/solrsearch/select",
+						MavenRateLimit:      300000000,
+					},
+					UseCPEs: false,
+				},
+				Ruby:       ruby.MatcherConfig{},
+				Python:     python.MatcherConfig{},
+				Dotnet:     dotnet.MatcherConfig{},
+				Javascript: javascript.MatcherConfig{},
+				Golang: golang.MatcherConfig{
+					UseCPEs:                                false,
+					AlwaysUseCPEForStdlib:                  true,
+					AllowMainModulePseudoVersionComparison: false,
+				},
+				Stock: stock.MatcherConfig{UseCPEs: true},
+				Rpm: rpm.MatcherConfig{
+					MissingEpochStrategy: "zero",
+				},
+				Dpkg: dpkg.MatcherConfig{
+					MissingEpochStrategy: "zero",
+				},
+			},
+		},
+		{
+			name: "dpkg missing-epoch-strategy set to auto",
+			opts: func() *options.Grype {
+				opts := options.DefaultGrype(clio.Identification{Name: "test", Version: "1.0"})
+				opts.Match.Dpkg.MissingEpochStrategy = "auto"
+				return opts
+			}(),
+			want: matcher.Config{
+				Java: java.MatcherConfig{
+					ExternalSearchConfig: java.ExternalSearchConfig{
+						SearchMavenUpstream: false,
+						MavenBaseURL:        "https://search.maven.org/solrsearch/select",
+						MavenRateLimit:      300000000,
+					},
+					UseCPEs: false,
+				},
+				Ruby:       ruby.MatcherConfig{},
+				Python:     python.MatcherConfig{},
+				Dotnet:     dotnet.MatcherConfig{},
+				Javascript: javascript.MatcherConfig{},
+				Golang: golang.MatcherConfig{
+					UseCPEs:                                false,
+					AlwaysUseCPEForStdlib:                  true,
+					AllowMainModulePseudoVersionComparison: false,
+				},
+				Stock: stock.MatcherConfig{UseCPEs: true},
+				Rpm: rpm.MatcherConfig{
+					MissingEpochStrategy: "auto",
+				},
+				Dpkg: dpkg.MatcherConfig{
+					MissingEpochStrategy: "auto",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if d := cmp.Diff(tt.want, getMatcherConfig(tt.opts)); d != "" {
+				t.Errorf("getMatcherConfig() mismatch (-want +got):\n%s", d)
+			}
+		})
+	}
+}
+
 func Test_applyVexRules(t *testing.T) {
 	tests := []struct {
 		name                   string

cmd/grype/cli/options/match.go

@@ -1,6 +1,11 @@
 package options
 
-import "github.com/anchore/clio"
+import (
+	"fmt"
+
+	"github.com/anchore/clio"
+	"github.com/anchore/grype/grype/version"
+)
 
 // matchConfig contains all matching-related configuration options available to the user via the application config.
 type matchConfig struct {
@@ -13,10 +18,13 @@ type matchConfig struct {
 	Ruby       matcherConfig `yaml:"ruby" json:"ruby" mapstructure:"ruby"`                   // settings for the ruby matcher
 	Rust       matcherConfig `yaml:"rust" json:"rust" mapstructure:"rust"`                   // settings for the rust matcher
 	Stock      matcherConfig `yaml:"stock" json:"stock" mapstructure:"stock"`                // settings for the default/stock matcher
+	Rpm        rpmConfig     `yaml:"rpm" json:"rpm" mapstructure:"rpm"`                      // settings for the rpm matcher
+	Dpkg       dpkgConfig    `yaml:"dpkg" json:"dpkg" mapstructure:"dpkg"`                   // settings for the dpkg matcher
 }
 
 var _ interface {
 	clio.FieldDescriber
+	clio.PostLoader
 } = (*matchConfig)(nil)
 
 type matcherConfig struct {
@@ -29,6 +37,54 @@ type golangConfig struct {
 	AllowMainModulePseudoVersionComparison bool `yaml:"allow-main-module-pseudo-version-comparison" json:"allow-main-module-pseudo-version-comparison" mapstructure:"allow-main-module-pseudo-version-comparison"` // if pseudo versions should be compared
 }
 
+// rpmConfig contains configuration for the RPM matcher.
+type rpmConfig struct {
+	matcherConfig `yaml:",inline" mapstructure:",squash"`
+	// MissingEpochStrategy controls how missing epochs in package versions are handled
+	// during vulnerability matching.
+	//
+	// Valid values:
+	//   - "zero" (default): Treat missing epochs as 0
+	//   - "auto": Assume missing epoch matches the constraint's epoch
+	//
+	// The "zero" strategy follows RPM specification guidance and maintains backward
+	// compatibility with existing Grype behavior. The "auto" strategy reduces false
+	// positives by recognizing that distros rarely track multiple epochs of the same
+	// package in the same release.
+	//
+	// Example:
+	//   Package version: 2.0.0 (no epoch)
+	//   Constraint: < 1:1.5.0 (epoch 1)
+	//
+	//   With "zero": Treat package as 0:2.0.0 → MATCH (0 < 1)
+	//   With "auto": Treat package as 1:2.0.0 → NO MATCH (2.0.0 > 1.5.0)
+	MissingEpochStrategy version.MissingEpochStrategy `yaml:"missing-epoch-strategy" json:"missing-epoch-strategy" mapstructure:"missing-epoch-strategy"`
+}
+
+// dpkgConfig contains configuration for the dpkg matcher.
+type dpkgConfig struct {
+	matcherConfig `yaml:",inline" mapstructure:",squash"`
+	// MissingEpochStrategy controls how missing epochs in package versions are handled
+	// during vulnerability matching.
+	//
+	// Valid values:
+	//   - "zero" (default): Treat missing epochs as 0
+	//   - "auto": Assume missing epoch matches the constraint's epoch
+	//
+	// The "zero" strategy follows dpkg specification guidance and maintains backward
+	// compatibility with existing Grype behavior. The "auto" strategy reduces false
+	// positives by recognizing that distros rarely track multiple epochs of the same
+	// package in the same release.
+	//
+	// Example:
+	//   Package version: 2.0.0 (no epoch)
+	//   Constraint: < 1:1.5.0 (epoch 1)
+	//
+	//   With "zero": Treat package as 0:2.0.0 → MATCH (0 < 1)
+	//   With "auto": Treat package as 1:2.0.0 → NO MATCH (2.0.0 > 1.5.0)
+	MissingEpochStrategy version.MissingEpochStrategy `yaml:"missing-epoch-strategy" json:"missing-epoch-strategy" mapstructure:"missing-epoch-strategy"`
+}
+
 func defaultGolangConfig() golangConfig {
 	return golangConfig{
 		matcherConfig: matcherConfig{
@@ -39,6 +95,20 @@ func defaultGolangConfig() golangConfig {
 	}
 }
 
+func defaultRpmConfig() rpmConfig {
+	return rpmConfig{
+		matcherConfig:        matcherConfig{UseCPEs: false},
+		MissingEpochStrategy: version.MissingEpochStrategyAuto,
+	}
+}
+
+func defaultDpkgConfig() dpkgConfig {
+	return dpkgConfig{
+		matcherConfig:        matcherConfig{UseCPEs: false},
+		MissingEpochStrategy: version.MissingEpochStrategyZero,
+	}
+}
+
 func defaultMatchConfig() matchConfig {
 	useCpe := matcherConfig{UseCPEs: true}
 	dontUseCpe := matcherConfig{UseCPEs: false}
@@ -52,7 +122,37 @@ func defaultMatchConfig() matchConfig {
 		Ruby:       dontUseCpe,
 		Rust:       dontUseCpe,
 		Stock:      useCpe,
+		Rpm:        defaultRpmConfig(),
+		Dpkg:       defaultDpkgConfig(),
+	}
+}
+
+func (cfg *matchConfig) PostLoad() error {
+	if err := cfg.Rpm.PostLoad(); err != nil {
+		return err
+	}
+	if err := cfg.Dpkg.PostLoad(); err != nil {
+		return err
+	}
+	return nil
+}
+
+// PostLoad validates the RPM configuration.
+func (cfg *rpmConfig) PostLoad() error {
+	if cfg.MissingEpochStrategy != version.MissingEpochStrategyZero && cfg.MissingEpochStrategy != version.MissingEpochStrategyAuto {
+		return fmt.Errorf("invalid rpm.missing-epoch-strategy: %q (allowable: %s, %s)",
+			cfg.MissingEpochStrategy, version.MissingEpochStrategyZero, version.MissingEpochStrategyAuto)
+	}
+	return nil
+}
+
+// PostLoad validates the dpkg configuration.
+func (cfg *dpkgConfig) PostLoad() error {
+	if cfg.MissingEpochStrategy != version.MissingEpochStrategyZero && cfg.MissingEpochStrategy != version.MissingEpochStrategyAuto {
+		return fmt.Errorf("invalid dpkg.missing-epoch-strategy: %q (allowable: %s, %s)",
+			cfg.MissingEpochStrategy, version.MissingEpochStrategyZero, version.MissingEpochStrategyAuto)
 	}
+	return nil
 }
 
 func (cfg *matchConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
@@ -67,4 +167,8 @@ func (cfg *matchConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
 	descriptions.Add(&cfg.Ruby.UseCPEs, usingCpeDescription)
 	descriptions.Add(&cfg.Rust.UseCPEs, usingCpeDescription)
 	descriptions.Add(&cfg.Stock.UseCPEs, usingCpeDescription)
+	descriptions.Add(&cfg.Rpm.MissingEpochStrategy,
+		`strategy for handling missing epochs in RPM package versions during matching (options: zero, auto)`)
+	descriptions.Add(&cfg.Dpkg.MissingEpochStrategy,
+		`strategy for handling missing epochs in dpkg package versions during matching (options: zero, auto)`)
 }