fix: include release component in upstream qualifier (#740)

* fix: include release component in upstream qulifier for rhel10 CN-482

The upstream qualifier in the PURL was only including the version from
the source RPM, omitting the release component. This caused false
positive vulnerabilities for RHEL 10 packages where the installed
version was equal to or greater than the fix version.

Example:
- Before: upstream=glibc@2.39 (missing release)
- After:  upstream=glibc@2.39-46.el10_0 (complete version)
This caused version comparison failures because in RPM versioning,
a version without a release is considered older than the same version with a release:
2.39 < 2.39-43.el10_0 → TRUE (incorrectly triggers vulnerability)

* test: verify upstream qualifier includes release

* test: update snapshots to include release in upstream qualifier

Author: adrobuta

lib/analyzer/package-managers/rpm.ts

@@ -49,7 +49,10 @@ function purl(
     const sourcePackage = parseSourceRPM(pkg.sourceRPM);
     if (sourcePackage) {
       let upstream = sourcePackage.name;
-      if (sourcePackage.version) {
+      if (sourcePackage.version && sourcePackage.release) {
+        // Include full version with release for accurate vulnerability matching
+        upstream += `@${sourcePackage.version}-${sourcePackage.release}`;
+      } else if (sourcePackage.version) {
         upstream += `@${sourcePackage.version}`;
       }
       qualifiers.upstream = upstream;

test/lib/analyzer/package-managers/rpm.spec.ts

@@ -188,7 +188,7 @@ describe("RPM Package Version and Epoch Handling", () => {
       expect(purl).toContain("distro=rhel-8.2");
     });
 
-    it("should include epoch=0 with sourceRPM upstream qualifier", () => {
+    it("should include epoch=0 with sourceRPM upstream qualifier including release", () => {
       const result = mapRpmSqlitePackages(
         "test-image",
         [
@@ -206,11 +206,68 @@ describe("RPM Package Version and Epoch Handling", () => {
 
       const purl = result.Analysis[0].Purl;
       expect(purl).toContain("epoch=0");
-      expect(purl).toContain("upstream=libxml2%402.9.7"); // @ is URL-encoded as %40
+      // upstream should include full version with release for accurate vulnerability matching
+      expect(purl).toContain("upstream=libxml2%402.9.7-14.el8"); // @ is URL-encoded as %40
     });
   });
 });
 
+describe("upstream qualifier includes full version with release", () => {
+  it("should generate upstream with version-release to prevent false positives", () => {
+    // This test ensures we don't have the false positive issue where:
+    // - Package: pam-libs@1.6.1-8.el10
+    // - Vulnerability fixed in: 0:1.6.1-8.el10
+    // Without the release in upstream, version comparison fails incorrectly
+    const result = mapRpmSqlitePackages(
+      "test-image",
+      [
+        {
+          name: "pam-libs",
+          version: "1.6.1",
+          release: "8.el10",
+          sourceRPM: "pam-1.6.1-8.el10.src.rpm",
+          size: 1000,
+        },
+      ],
+      [],
+      { name: "rhel", version: "10.1" },
+    );
+
+    const purl = result.Analysis[0].Purl;
+    // upstream MUST include the release (8.el10) for accurate vulnerability matching
+    expect(purl).toContain("upstream=pam%401.6.1-8.el10");
+    // Verify the full PURL format
+    expect(purl).toBe(
+      "pkg:rpm/rhel/pam-libs@1.6.1-8.el10?distro=rhel-10.1&upstream=pam%401.6.1-8.el10",
+    );
+  });
+
+  it("should generate upstream with version-release for glibc packages", () => {
+    // Another false positive scenario:
+    // - Package: glibc@2.39-58.el10_1.2
+    // - Vulnerability fixed in: 0:2.39-43.el10_0
+    // Without release, "2.39" is compared against "2.39-43" and matches incorrectly
+    const result = mapRpmSqlitePackages(
+      "test-image",
+      [
+        {
+          name: "glibc",
+          version: "2.39",
+          release: "58.el10_1.2",
+          sourceRPM: "glibc-2.39-58.el10_1.2.src.rpm",
+          size: 5000,
+        },
+      ],
+      [],
+      { name: "rhel", version: "10.1" },
+    );
+
+    const purl = result.Analysis[0].Purl;
+    // upstream MUST include the release for proper version comparison
+    expect(purl).toContain("upstream=glibc%402.39-58.el10_1.2");
+  });
+});
+
 describe("parseSourceRPM", () => {
   it("should correctly parse all valid source RPM strings from source_rpms.csv", () => {
     const csvFilePath = path.join(