[feature] Unionize parsing for cdx SBOM and VEX data (guacsec#1247)

* calls vex parser from within cdx parser

Signed-off-by: stevemenezes <[email protected]>

* parse vulnerabilities within the Parse method

Signed-off-by: stevemenezes <[email protected]>

* remove redundant declarations

Signed-off-by: stevemenezes <[email protected]>

* delete unused files

Signed-off-by: stevemenezes <[email protected]>

* make fmt

Signed-off-by: stevemenezes <[email protected]>

* address comments

Signed-off-by: stevemenezes <[email protected]>

* modify timestamp

Signed-off-by: stevemenezes <[email protected]>

---------

Signed-off-by: stevemenezes <[email protected]>

internal/testing/testdata/exampledata/cyclonedx-vex-affected.json

@@ -36,7 +36,7 @@
       },
       "affects": [
         {
-          "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@",
+          "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#product-ABC",
           "versions": [
             {
               "version": "2.4",

internal/testing/testdata/testdata.go

@@ -18,6 +18,7 @@ package testdata
 import (
 	_ "embed"
 	"encoding/base64"
+	"fmt"
 	"time"
 
 	jsoniter "github.com/json-iterator/go"
@@ -154,7 +155,7 @@ var (
 				Status:           generated.VexStatusNotAffected,
 				VexJustification: generated.VexJustificationVulnerableCodeNotInExecutePath,
 				Statement:        "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly.",
-				StatusNotes:      "not_affected:code_not_reachable",
+				StatusNotes:      fmt.Sprintf("%s:%s", generated.VexStatusNotAffected, generated.VexJustificationVulnerableCodeNotInExecutePath),
 				KnownSince:       parseUTCTime("2020-12-03T00:00:00.000Z"),
 			},
 		},
@@ -185,51 +186,43 @@ var (
 			},
 		},
 	}
+	CycloneDXUnAffectedPredicates = assembler.IngestPredicates{
+		VulnMetadata: CycloneDXUnAffectedVulnMetadata,
+		Vex:          CycloneDXUnAffectedVexIngest,
+	}
 
-	// CycloneDX VEX testdata in triage
-	pkg1, _ = asmhelpers.PurlToPkg("pkg:maven/com.fasterxml.jackson.core/[email protected]")
-	pkg2, _ = asmhelpers.PurlToPkg("pkg:maven/com.fasterxml.jackson.core/[email protected]")
-
-	vulnSpecAffected = &generated.VulnerabilityInputSpec{
+	// CycloneDX VEX testdata affected packages.
+	VulnSpecAffected = &generated.VulnerabilityInputSpec{
 		Type:            "cve",
 		VulnerabilityID: "cve-2021-44228",
 	}
-	vexDataAffected = &generated.VexStatementInputSpec{
-		Status:      generated.VexStatusAffected,
-		Statement:   "Versions of Product ABC are affected by the vulnerability. Customers are advised to upgrade to the latest release.",
-		StatusNotes: "exploitable:",
-	}
-	CycloneDXAffectedVexIngest = []assembler.VexIngest{
-		{
-			Pkg:           pkg1,
-			Vulnerability: vulnSpecAffected,
-			VexData:       vexDataAffected,
-		},
-		{
-			Pkg:           pkg2,
-			Vulnerability: vulnSpecAffected,
-			VexData:       vexDataAffected,
-		},
+	VexDataAffected = &generated.VexStatementInputSpec{
+		Status:           generated.VexStatusAffected,
+		VexJustification: generated.VexJustificationNotProvided,
+		Statement:        "Versions of Product ABC are affected by the vulnerability. Customers are advised to upgrade to the latest release.",
+		StatusNotes:      fmt.Sprintf("%s:%s", generated.VexStatusAffected, generated.VexJustificationNotProvided),
+		KnownSince:       time.Unix(0, 0),
 	}
 	CycloneDXAffectedVulnMetadata = []assembler.VulnMetadataIngest{
 		{
-			Vulnerability: vulnSpecAffected,
+			Vulnerability: VulnSpecAffected,
 			VulnMetadata: &generated.VulnerabilityMetadataInputSpec{
 				ScoreType:  generated.VulnerabilityScoreTypeCvssv31,
 				ScoreValue: 10,
+				Timestamp:  time.Unix(0, 0),
 			},
 		},
 	}
-	CycloneDXAffectedCertifyVuln = []assembler.CertifyVulnIngest{
-		{
-			Pkg:           pkg1,
-			Vulnerability: vulnSpecAffected,
-			VulnData:      &generated.ScanMetadataInput{},
-		},
+
+	topLevelPkg, _     = asmhelpers.PurlToPkg("pkg:guac/cdx/ABC")
+	HasSBOMVexAffected = []assembler.HasSBOMIngest{
 		{
-			Pkg:           pkg2,
-			Vulnerability: vulnSpecAffected,
-			VulnData:      &generated.ScanMetadataInput{},
+			Pkg: topLevelPkg,
+			HasSBOM: &model.HasSBOMInputSpec{
+				Algorithm:  "sha256",
+				Digest:     "eb62836ed6339a2d57f66d2e42509718fd480a1befea83f925e918444c369114",
+				KnownSince: parseRfc3339("2022-03-03T00:00:00Z"),
+			},
 		},
 	}
 

pkg/handler/processor/guesser/guesser_test.go

@@ -209,26 +209,6 @@ func Test_GuessDocument(t *testing.T) {
 		},
 		expectedType:   processor.DocumentCsaf,
 		expectedFormat: processor.FormatJSON,
-	}, {
-		name: "valid cdx vex json Document",
-		document: &processor.Document{
-			Blob:              testdata.CycloneDXVEXUnAffected,
-			Type:              processor.DocumentUnknown,
-			Format:            processor.FormatUnknown,
-			SourceInformation: processor.SourceInformation{},
-		},
-		expectedType:   processor.DocumentCdxVex,
-		expectedFormat: processor.FormatJSON,
-	}, {
-		name: "valid cdx vex xml Document",
-		document: &processor.Document{
-			Blob:              testdata.CyloneDXVEXExampleXML,
-			Type:              processor.DocumentUnknown,
-			Format:            processor.FormatUnknown,
-			SourceInformation: processor.SourceInformation{},
-		},
-		expectedType:   processor.DocumentCdxVex,
-		expectedFormat: processor.FormatXML,
 	}}
 	for _, tt := range testCases {
 		t.Run(tt.name, func(t *testing.T) {

pkg/handler/processor/guesser/type_cyclonedx.go

@@ -38,19 +38,13 @@ func (_ *cycloneDXTypeGuesser) GuessDocumentType(blob []byte, format processor.F
 		decoder := cdx.NewBOMDecoder(reader, cdx.BOMFileFormatJSON)
 		err := decoder.Decode(bom)
 		if err == nil && bom.BOMFormat == cycloneDXFormat {
-			if bom.Vulnerabilities != nil {
-				return processor.DocumentCdxVex
-			}
 			return processor.DocumentCycloneDX
 		}
 	case processor.FormatXML:
 		bom := new(cdx.BOM)
 		decoder := cdx.NewBOMDecoder(reader, cdx.BOMFileFormatXML)
 		err := decoder.Decode(bom)
 		if err == nil && strings.HasPrefix(bom.XMLNS, "http://cyclonedx.org/schema/bom/") {
-			if bom.Vulnerabilities != nil {
-				return processor.DocumentCdxVex
-			}
 			return processor.DocumentCycloneDX
 		}
 	}

pkg/handler/processor/guesser/type_cyclonedx_test.go

@@ -72,18 +72,6 @@ func Test_cyclonedxTypeGuesser_GuessDocumentType(t *testing.T) {
 			format:   processor.FormatXML,
 			expected: processor.DocumentCycloneDX,
 		},
-		{
-			name:     "valid cyclonedx vex json Document",
-			blob:     testdata.CycloneDXVEXUnAffected,
-			format:   processor.FormatJSON,
-			expected: processor.DocumentCdxVex,
-		},
-		{
-			name:     "valid cyclonedx vex xml Document",
-			blob:     testdata.CyloneDXVEXExampleXML,
-			format:   processor.FormatXML,
-			expected: processor.DocumentCdxVex,
-		},
 	}
 	for _, tt := range testCases {
 		t.Run(tt.name, func(t *testing.T) {

pkg/handler/processor/process/process.go

@@ -27,7 +27,6 @@ import (
 	"github.com/guacsec/guac/pkg/emitter"
 	"github.com/guacsec/guac/pkg/handler/collector"
 	"github.com/guacsec/guac/pkg/handler/processor"
-	"github.com/guacsec/guac/pkg/handler/processor/cdx_vex"
 	"github.com/guacsec/guac/pkg/handler/processor/csaf"
 	"github.com/guacsec/guac/pkg/handler/processor/cyclonedx"
 	"github.com/guacsec/guac/pkg/handler/processor/deps_dev"
@@ -58,7 +57,6 @@ func init() {
 	_ = RegisterDocumentProcessor(&scorecard.ScorecardProcessor{}, processor.DocumentScorecard)
 	_ = RegisterDocumentProcessor(&cyclonedx.CycloneDXProcessor{}, processor.DocumentCycloneDX)
 	_ = RegisterDocumentProcessor(&deps_dev.DepsDev{}, processor.DocumentDepsDev)
-	_ = RegisterDocumentProcessor(&cdx_vex.CdxVexProcessor{}, processor.DocumentCdxVex)
 }
 
 func RegisterDocumentProcessor(p processor.DocumentProcessor, d processor.DocumentType) error {

pkg/handler/processor/processor.go

@@ -63,7 +63,6 @@ const (
 	DocumentCycloneDX        DocumentType = "CycloneDX"
 	DocumentDepsDev          DocumentType = "DEPS_DEV"
 	DocumentCsaf             DocumentType = "CSAF"
-	DocumentCdxVex           DocumentType = "CDX_VEX"
 	DocumentOpenVEX          DocumentType = "OPEN_VEX"
 	DocumentIngestPredicates DocumentType = "INGEST_PREDICATES"
 	DocumentUnknown          DocumentType = "UNKNOWN"