feat(vex): Add support for CSAF format (#5535)

Signed-off-by: juan131 <jariza@vmware.com> Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-23 07:29:00 -08:00 · 2024-01-06 11:48:39 +01:00
parent 2cdd65dd64
commit c47ed0d816
11 changed files with 722 additions and 180 deletions
--- a/pkg/vex/vex_test.go
+++ b/pkg/vex/vex_test.go
@@ -1,10 +1,11 @@
 package vex_test

 import (
-	"github.com/package-url/packageurl-go"
 	"os"
 	"testing"

+	"github.com/package-url/packageurl-go"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

@@ -28,10 +29,11 @@ func TestVEX_Filter(t *testing.T) {
 		vulns []types.DetectedVulnerability
 	}
 	tests := []struct {
-		name   string
-		fields fields
-		args   args
-		want   []types.DetectedVulnerability
+		name    string
+		fields  fields
+		args    args
+		want    []types.DetectedVulnerability
+		wantErr string
 	}{
 		{
 			name: "OpenVEX",
@@ -227,11 +229,91 @@ func TestVEX_Filter(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "CSAF (not affected vuln)",
+			fields: fields{
+				filePath: "testdata/csaf-not-affected.json",
+			},
+			args: args{
+				vulns: []types.DetectedVulnerability{
+					{
+						VulnerabilityID:  "CVE-2021-44228",
+						PkgName:          "spring-boot",
+						InstalledVersion: "2.6.0",
+						PkgIdentifier: ftypes.PkgIdentifier{
+							PURL: &ftypes.PackageURL{
+								PackageURL: packageurl.PackageURL{
+									Type:      packageurl.TypeMaven,
+									Namespace: "org.springframework.boot",
+									Name:      "spring-boot",
+									Version:   "2.6.0",
+								},
+							},
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{},
+		},
+		{
+			name: "CSAF (affected vuln)",
+			fields: fields{
+				filePath: "testdata/csaf-affected.json",
+			},
+			args: args{
+				vulns: []types.DetectedVulnerability{
+					{
+						VulnerabilityID:  "CVE-2021-44228",
+						PkgName:          "def",
+						InstalledVersion: "1.0",
+						PkgIdentifier: ftypes.PkgIdentifier{
+							PURL: &ftypes.PackageURL{
+								PackageURL: packageurl.PackageURL{
+									Type:      packageurl.TypeMaven,
+									Namespace: "org.example.company",
+									Name:      "def",
+									Version:   "1.0",
+								},
+							},
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2021-44228",
+					PkgName:          "def",
+					InstalledVersion: "1.0",
+					PkgIdentifier: ftypes.PkgIdentifier{
+						PURL: &ftypes.PackageURL{
+							PackageURL: packageurl.PackageURL{
+								Type:      packageurl.TypeMaven,
+								Namespace: "org.example.company",
+								Name:      "def",
+								Version:   "1.0",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "unknown format",
+			fields: fields{
+				filePath: "testdata/unknown.json",
+			},
+			args:    args{},
+			wantErr: "unable to load VEX",
+		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			v, err := vex.New(tt.fields.filePath, tt.fields.report)
+			if tt.wantErr != "" {
+				require.ErrorContains(t, err, tt.wantErr)
+				return
+			}
 			require.NoError(t, err)
 			assert.Equal(t, tt.want, v.Filter(tt.args.vulns))
 		})