feat: Add DHI namespace to PURLs for Docker Hardened Images packages (#727)

parker-snyk · web-flow · commit 49e92c096709 · 2025-11-14T11:45:42.000-05:00
feat: add DHI namespace to PURLs for Docker Hardened Images packages

Docker Hardened Images patches binaries in their packages. The PURLs need
to identify these patched packages with a "dhi" namespace so the
vulnerability service can map them to the DHI vulnerability feed instead
of the standard feeds. Without this, we get false positives from matching
DHI's patched packages against unpatched vulnerability data.

For deb packages, the Maintainer field in the dpkg database identifies DHI
packages as "Docker Hardened Images &lt;dhi@docker.com&gt;". When this maintainer
is found, the PURL namespace is set to "dhi" instead of the distro name.

For example:
- Standard: pkg:deb/debian/curl@7.88.1-10+deb12u8?distro=debian-bookworm
- DHI: pkg:deb/dhi/curl@7.88.1-10+deb12u8?distro=debian-bookworm

Changes:
- Parse Maintainer field from dpkg database
- Check maintainer in purl generation and override namespace to "dhi"
- Add tests for DHI namespace behavior
diff --git a/lib/analyzer/package-managers/apt.ts b/lib/analyzer/package-managers/apt.ts
@@ -93,6 +93,11 @@ export function purl(
     vendor = osRelease.name;
   }
 
+  // Use 'dhi' namespace for Docker Hardened Images packages
+  if (curPkg.Maintainer === "Docker Hardened Images <dhi@docker.com>") {
+    vendor = "dhi";
+  }
+
   return new PackageURL(
     "deb",
     vendor,
@@ -151,6 +156,9 @@ function parseDpkgLine(
         curPkg.Provides.push(name);
       }
       break;
+    case "Maintainer":
+      curPkg.Maintainer = value;
+      break;
     case "Pre-Depends":
     case "Depends":
       for (const depElem of value.split(",")) {
diff --git a/lib/analyzer/types.ts b/lib/analyzer/types.ts
@@ -10,6 +10,7 @@ export interface AnalyzedPackage {
   Version?: string;
   Source?: string;
   SourceVersion?: string;
+  Maintainer?: string;
   Provides: string[];
   Deps: {
     [name: string]: any;
diff --git a/test/lib/analyzer/package-managers/apt.spec.ts b/test/lib/analyzer/package-managers/apt.spec.ts
@@ -39,4 +39,30 @@ describe("purl()", () => {
       } as unknown as AnalyzedPackageWithVersion),
     ).toEqual("pkg:deb/bar@1.2.3-4?upstream=foo%405.6.7%2B8");
   });
+
+  it("uses 'dhi' namespace for Docker Hardened Images packages", () => {
+    expect(
+      purl(
+        {
+          Name: "curl",
+          Version: "7.88.1-10+deb12u8",
+          Maintainer: "Docker Hardened Images <dhi@docker.com>",
+        } as unknown as AnalyzedPackageWithVersion,
+        { name: "debian", version: "12", prettyName: "Debian GNU/Linux 12" },
+      ),
+    ).toEqual("pkg:deb/dhi/curl@7.88.1-10%2Bdeb12u8?distro=debian-bookworm");
+  });
+
+  it("uses osRelease vendor when maintainer is not Docker Hardened Images", () => {
+    expect(
+      purl(
+        {
+          Name: "curl",
+          Version: "7.88.1-10+deb12u8",
+          Maintainer: "Some Other Maintainer <other@example.com>",
+        } as unknown as AnalyzedPackageWithVersion,
+        { name: "debian", version: "12", prettyName: "Debian GNU/Linux 12" },
+      ),
+    ).toEqual("pkg:deb/debian/curl@7.88.1-10%2Bdeb12u8?distro=debian-bookworm");
+  });
 });
