feat(vex): improve relationship support in CSAF VEX (#6735)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
2025-12-23 07:29:00 -08:00 · 2024-05-28 14:51:07 +04:00
parent e66dbb9357
commit a447f6ba94
7 changed files with 325 additions and 279 deletions
--- a/pkg/vex/vex_test.go
+++ b/pkg/vex/vex_test.go
@@ -129,6 +129,43 @@ var (
 			},
 		},
 	}
+	argoComponent = core.Component{
+		Type:    core.TypeLibrary,
+		Name:    "argo-cd",
+		Version: "2.9.3-2",
+		PkgIdentifier: ftypes.PkgIdentifier{
+			UID: "07",
+			PURL: &packageurl.PackageURL{
+				Type:    packageurl.TypeBitnami,
+				Name:    "argo-cd",
+				Version: "2.9.3-2",
+				Qualifiers: packageurl.Qualifiers{
+					{
+						Key:   "arch",
+						Value: "amd64",
+					},
+					{
+						Key:   "distro",
+						Value: "debian-12",
+					},
+				},
+			},
+		},
+	}
+	clientGoComponent = core.Component{
+		Type:    core.TypeLibrary,
+		Name:    "k8s.io/client-go",
+		Version: "0.24.2",
+		PkgIdentifier: ftypes.PkgIdentifier{
+			UID: "08",
+			PURL: &packageurl.PackageURL{
+				Type:      packageurl.TypeGolang,
+				Namespace: "k8s.io",
+				Name:      "client-go",
+				Version:   "0.24.2",
+			},
+		},
+	}
 	vuln1 = types.DetectedVulnerability{
 		VulnerabilityID:  "CVE-2021-44228",
 		PkgName:          springComponent.Name,
@@ -165,6 +202,15 @@ var (
 			PURL: goTransitiveComponent.PkgIdentifier.PURL,
 		},
 	}
+	vuln5 = types.DetectedVulnerability{
+		VulnerabilityID:  "CVE-2023-2727",
+		PkgName:          clientGoComponent.Name,
+		InstalledVersion: clientGoComponent.Version,
+		PkgIdentifier: ftypes.PkgIdentifier{
+			UID:  clientGoComponent.PkgIdentifier.UID,
+			PURL: clientGoComponent.PkgIdentifier.PURL,
+		},
+	}
 )

 func TestMain(m *testing.M) {
@@ -390,91 +436,38 @@ func TestVEX_Filter(t *testing.T) {
 			},
 		},
 		{
-			name: "CSAF (not affected vuln)",
+			name: "CSAF, not affected",
 			fields: fields{
-				filePath: "testdata/csaf-not-affected.json",
+				filePath: "testdata/csaf.json",
 			},
 			args: args{
-				vulns: []types.DetectedVulnerability{
-					{
-						VulnerabilityID:  "CVE-2021-44228",
-						PkgName:          "spring-boot",
-						InstalledVersion: "2.6.0",
-						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &packageurl.PackageURL{
-								Type:      packageurl.TypeMaven,
-								Namespace: "org.springframework.boot",
-								Name:      "spring-boot",
-								Version:   "2.6.0",
-							},
-						},
-					},
-				},
+				bom:   newTestBOM5(),
+				vulns: []types.DetectedVulnerability{vuln5},
 			},
 			want: []types.DetectedVulnerability{},
 		},
 		{
-			name: "CSAF (affected vuln)",
+			name: "CSAF with relationships, not affected",
 			fields: fields{
-				filePath: "testdata/csaf-affected.json",
+				filePath: "testdata/csaf-relationships.json",
 			},
 			args: args{
-				vulns: []types.DetectedVulnerability{
-					{
-						VulnerabilityID:  "CVE-2021-44228",
-						PkgName:          "def",
-						InstalledVersion: "1.0",
-						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &packageurl.PackageURL{
-								Type:      packageurl.TypeMaven,
-								Namespace: "org.example.company",
-								Name:      "def",
-								Version:   "1.0",
-							},
-						},
-					},
-				},
-			},
-			want: []types.DetectedVulnerability{
-				{
-					VulnerabilityID:  "CVE-2021-44228",
-					PkgName:          "def",
-					InstalledVersion: "1.0",
-					PkgIdentifier: ftypes.PkgIdentifier{
-						PURL: &packageurl.PackageURL{
-							Type:      packageurl.TypeMaven,
-							Namespace: "org.example.company",
-							Name:      "def",
-							Version:   "1.0",
-						},
-					},
-				},
-			},
-		},
-		{
-			name: "CSAF (not affected vuln) with sub components",
-			fields: fields{
-				filePath: "testdata/csaf-not-affected-sub-components.json",
-			},
-			args: args{
-				vulns: []types.DetectedVulnerability{
-					{
-						VulnerabilityID:  "CVE-2023-2727",
-						PkgName:          "kubernetes",
-						InstalledVersion: "v1.24.2",
-						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &packageurl.PackageURL{
-								Type:      packageurl.TypeGolang,
-								Namespace: "k8s.io",
-								Name:      "kubernetes",
-								Version:   "v1.24.2",
-							},
-						},
-					},
-				},
+				bom:   newTestBOM5(),
+				vulns: []types.DetectedVulnerability{vuln5},
 			},
 			want: []types.DetectedVulnerability{},
 		},
+		{
+			name: "CSAF with relationships, affected",
+			fields: fields{
+				filePath: "testdata/csaf-relationships.json",
+			},
+			args: args{
+				bom:   newTestBOM6(),
+				vulns: []types.DetectedVulnerability{vuln5},
+			},
+			want: []types.DetectedVulnerability{vuln5},
+		},
 		{
 			name: "unknown format",
 			fields: fields{
@@ -579,3 +572,26 @@ func newTestBOM4() *core.BOM {
 	bom.AddRelationship(&goDirectComponent2, &goTransitiveComponent, core.RelationshipDependsOn)
 	return bom
 }
+
+func newTestBOM5() *core.BOM {
+	// - oci:debian?tag=12
+	//     - pkg:bitnami/argo-cd@2.9.3-2?arch=amd64&distro=debian-12
+	//         - pkg:golang/k8s.io/client-go@0.24.2
+	bom := core.NewBOM(core.Options{Parents: true})
+	bom.AddComponent(&ociComponent)
+	bom.AddComponent(&argoComponent)
+	bom.AddComponent(&clientGoComponent)
+	bom.AddRelationship(&ociComponent, &argoComponent, core.RelationshipContains)
+	bom.AddRelationship(&argoComponent, &clientGoComponent, core.RelationshipDependsOn)
+	return bom
+}
+
+func newTestBOM6() *core.BOM {
+	// - oci:debian?tag=12
+	//     - pkg:golang/k8s.io/client-go@0.24.2
+	bom := core.NewBOM(core.Options{Parents: true})
+	bom.AddComponent(&ociComponent)
+	bom.AddComponent(&clientGoComponent)
+	bom.AddRelationship(&ociComponent, &clientGoComponent, core.RelationshipContains)
+	return bom
+}