Store the whole vulnerability data from cdx to local models

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

scanpipe/pipes/cyclonedx.py

@@ -30,6 +30,7 @@
 from cyclonedx.model import license as cdx_license_model
 from cyclonedx.model.bom import Bom
 from cyclonedx.schema import SchemaVersion
+from cyclonedx.schema.schema import BaseSchemaVersion
 from cyclonedx.validation import ValidationError
 from cyclonedx.validation.json import JsonStrictValidator
 from defusedxml import ElementTree as SafeElementTree
@@ -184,10 +185,12 @@ def cyclonedx_component_to_package_data(
     affected_by_vulnerabilities = []
     if affected_by := vulnerabilities.get(bom_ref):
         for cdx_vulnerability in affected_by:
+            cdx_vulnerability_json = cdx_vulnerability.as_json(view_=BaseSchemaVersion)
             affected_by_vulnerabilities.append(
                 {
                     "vulnerability_id": str(cdx_vulnerability.id),
                     "summary": cdx_vulnerability.description,
+                    "cdx_vulnerability_json": cdx_vulnerability_json,
                 }
             )
 

scanpipe/tests/pipes/test_cyclonedx.py

@@ -250,13 +250,25 @@ def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_vulnerabilities(self):
         self.assertEqual(1, len(packages))
 
         affected_by = packages[0]["affected_by_vulnerabilities"]
+        self.assertEqual("CVE-2005-2541", affected_by[0]["vulnerability_id"])
+        self.assertEqual(
+            "Tar 1.15.1 does not properly warn the user when...",
+            affected_by[0]["summary"],
+        )
+        self.assertIn("cdx_vulnerability_json", affected_by[0])
+        vulnerability_json = affected_by[0]["cdx_vulnerability_json"]
+        cdx_vulnerability = json.loads(vulnerability_json)
         expected = [
-            {
-                "vulnerability_id": "CVE-2005-2541",
-                "summary": "Tar 1.15.1 does not properly warn the user when...",
-            }
+            "advisories",
+            "affects",
+            "description",
+            "id",
+            "published",
+            "ratings",
+            "source",
+            "updated",
         ]
-        self.assertEqual(expected, affected_by)
+        self.assertEqual(expected, list(cdx_vulnerability.keys()))
 
     def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_pre_validation(self):
         # This SBOM includes multiple deserialization issues that are "fixed"

scanpipe/tests/test_pipelines.py

@@ -1638,13 +1638,25 @@ def test_scanpipe_load_sbom_pipeline_cyclonedx_with_vulnerabilities(self):
 
         self.assertEqual(1, project1.discoveredpackages.count())
         package = project1.discoveredpackages.get()
+        affected_by = package.affected_by_vulnerabilities[0]
+        cdx_vulnerability_json = affected_by.pop("cdx_vulnerability_json")
+        expected = {
+            "vulnerability_id": "CVE-2005-2541",
+            "summary": "Tar 1.15.1 does not properly warn the user when...",
+        }
+        self.assertEqual(expected, affected_by)
+        cdx_vulnerability = json.loads(cdx_vulnerability_json)
         expected = [
-            {
-                "vulnerability_id": "CVE-2005-2541",
-                "summary": "Tar 1.15.1 does not properly warn the user when...",
-            }
+            "advisories",
+            "affects",
+            "description",
+            "id",
+            "published",
+            "ratings",
+            "source",
+            "updated",
         ]
-        self.assertEqual(expected, package.affected_by_vulnerabilities)
+        self.assertEqual(expected, list(cdx_vulnerability.keys()))
 
     @mock.patch("scanpipe.pipes.purldb.request_post")
     @mock.patch("uuid.uuid4")