Added removal of debug prints, subcomponent checks, eventType accepted handling, time nil pointer check, http request improvements and url checks

Author: Dboy0ZDev

normalize/sbom_graph.go

@@ -157,7 +157,7 @@ func validateVexReportOpenVEX(report *ov.VEX) error {
 	if report.Author == "" {
 		return fmt.Errorf("invalid OpenVEX report: missing author")
 	}
-	if report.Timestamp.IsZero() {
+	if report.Timestamp != nil && report.Timestamp.IsZero() {
 		return fmt.Errorf("invalid OpenVEX report: missing timestamp")
 	}
 	if report.Version == 0 {

services/scan_service.go

@@ -68,7 +68,10 @@ type scanService struct {
 }
 
 var newGitHubClient = func() *github.Client {
-	return github.NewClient(nil)
+	return github.NewClient(&http.Client{
+		Transport: utils.EgressTransport,
+		Timeout:   10 * time.Minute,
+	})
 }
 
 var downloadRawFileFn = DownloadRawFile
@@ -877,10 +880,6 @@ func (s *scanService) ScanSBOMWithoutSaving(ctx context.Context, bom *cyclonedx.
 
 func (s *scanService) FetchOpenVexFromGitHub(ctx context.Context, targetURL string) (vexReports []*normalize.VexReportOpenVEX, err error) {
 	client := newGitHubClient()
-	githubDomain := "https://github.com"
-	if !strings.HasPrefix(targetURL, githubDomain) {
-		return nil, fmt.Errorf("invalid github repository url")
-	}
 	owner, repo, err := ParseGitHubURL(targetURL)
 	if err != nil {
 		return nil, err
@@ -918,6 +917,7 @@ func (s *scanService) FetchOpenVexFromGitHub(ctx context.Context, targetURL stri
 		}
 
 		content, err := downloadRawFileFn(
+			ctx,
 			owner,
 			repo,
 			branch,
@@ -947,11 +947,23 @@ func ParseGitHubURL(rawURL string) (owner string, repo string, err error) {
 	if err != nil {
 		return "", "", err
 	}
+	const githubDomain = "github.com"
+	if u.Host != githubDomain {
+		return "", "", fmt.Errorf("invalid github repository url")
+	}
 	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
-	return parts[0], parts[1], nil
+	if len(parts) < 2 {
+		return "", "", fmt.Errorf("invalid github repository url path: expected /{owner}/{repo}, got %q", u.Path)
+	}
+	owner = parts[0]
+	repo = strings.TrimSuffix(parts[1], ".git")
+	if owner == "" || repo == "" {
+		return "", "", fmt.Errorf("invalid github repository url path: expected non-empty owner and repo, got %q", u.Path)
+	}
+	return owner, repo, nil
 }
 
-func DownloadRawFile(owner, repo, branch, filePath string) ([]byte, error) {
+func DownloadRawFile(ctx context.Context, owner, repo, branch, filePath string) ([]byte, error) {
 
 	rawURL := fmt.Sprintf(
 		"https://raw.githubusercontent.com/%s/%s/%s/%s",
@@ -960,11 +972,25 @@ func DownloadRawFile(owner, repo, branch, filePath string) ([]byte, error) {
 		branch,
 		filePath,
 	)
-	resp, err := http.Get(rawURL)
+	resp, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
-	return io.ReadAll(resp.Body)
-
+	switch resp.Response.StatusCode {
+	case http.StatusOK:
+		file, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return nil, fmt.Errorf("401 Unauthorized")
+		}
+		return file, nil
+	case http.StatusNotFound:
+		return nil, fmt.Errorf("404 Source not found")
+	case http.StatusUnauthorized:
+		return nil, fmt.Errorf("401 Unauthorized")
+	case http.StatusInternalServerError:
+		return nil, fmt.Errorf("500 Internal Server error")
+	default:
+		return nil, fmt.Errorf("Unexpected status: %d\n", resp.Response.StatusCode)
+	}
 }

services/scan_service_test.go

@@ -332,7 +332,7 @@ func TestFetchOpenVexFromGitHub(t *testing.T) {
 		}
 
 		calls := 0
-		downloadRawFileFn = func(owner, repo, branch, filePath string) ([]byte, error) {
+		downloadRawFileFn = func(ctx context.Context, owner, repo, branch, filePath string) ([]byte, error) {
 			calls++
 			assert.Equal(t, "octo-org", owner)
 			assert.Equal(t, "openvex-repo", repo)
@@ -390,7 +390,7 @@ func TestFetchOpenVexFromGitHub(t *testing.T) {
 		}
 
 		calls := 0
-		downloadRawFileFn = func(owner, repo, branch, filePath string) ([]byte, error) {
+		downloadRawFileFn = func(ctx context.Context, owner, repo, branch, filePath string) ([]byte, error) {
 			calls++
 			assert.Equal(t, "octo-org", owner)
 			assert.Equal(t, "multi-vex-repo", repo)

services/vex_rule_service.go

@@ -545,7 +545,6 @@ func (s *VEXRuleService) parseVEXRulesFromOpenVEXReport(ctx context.Context, ass
 			var err error
 			var componentPurl packageurl.PackageURL
 			if product.Identifiers != nil && product.Identifiers[ov.PURL] != "" {
-				fmt.Println(product.Identifiers[ov.PURL])
 				componentPurl, err = packageurl.FromString(product.Identifiers[ov.PURL])
 			} else if product.ID != "" {
 				componentPurl, err = packageurl.FromString(product.ID)
@@ -559,7 +558,14 @@ func (s *VEXRuleService) parseVEXRulesFromOpenVEXReport(ctx context.Context, ass
 				continue
 			}
 
-			justification := statement.ImpactStatement
+			var justification string
+			switch statement.Status {
+			case ov.StatusAffected:
+				justification = statement.ActionStatement
+			case ov.StatusNotAffected:
+				justification = statement.ImpactStatement
+			}
+
 			mechanicalJustification := dtos.MechanicalJustificationType(statement.Justification)
 
 			eventType, err := mapOpenVEXToEventType(&statement)
@@ -574,7 +580,7 @@ func (s *VEXRuleService) parseVEXRulesFromOpenVEXReport(ctx context.Context, ass
 				componentPurlStr = componentPurl.String()
 			}
 
-			if product.Subcomponents != nil {
+			if len(product.Subcomponents) > 0 {
 				for _, subcomponent := range product.Subcomponents {
 					var subcomponentPurl packageurl.PackageURL
 					subcomponentPurl, err = packageurl.FromString(subcomponent.ID)
@@ -632,9 +638,12 @@ func mapOpenVEXToEventType(s *ov.Statement) (dtos.VulnEventType, error) {
 	case ov.StatusNotAffected:
 		return dtos.EventTypeFalsePositive, nil
 	case ov.StatusAffected:
-		return dtos.EventTypeAccepted, nil
+		if s.ActionStatement != "" {
+			return dtos.EventTypeComment, nil
+		}
+		return "", fmt.Errorf("vulnerability analysis state is exploitable, no event type mapping")
 	default:
-		return "", fmt.Errorf("unknown vulnerability analysis state: %s", s.Status)
+		return "", fmt.Errorf("unsupported OpenVEX vulnerability analysis state: %s", s.Status)
 	}
 }
 

services/vex_rule_service_test.go

@@ -847,7 +847,7 @@ func TestParseVEXRulesInBOM_ComponentPurlWithEncodedAtSign(t *testing.T) {
 	vexRuleRepo.AssertExpectations(t)
 }
 
-func TestParseVEXRulesFromOpenVEXReport(t *testing.T) {
+func TestParseVEXRulesFromOpenVEXReport_SelectValidProductID(t *testing.T) {
 	assetID := uuid.New()
 	service := NewVEXRuleService(nil, nil, nil)
 
@@ -947,7 +947,7 @@ func TestParseVEXRulesFromOpenVEXReport_NormalAndMultipleStatements(t *testing.T
 						Name: "CVE-2024-1111",
 					},
 					Status:        ov.StatusNotAffected,
-					Justification: "component_not_present",
+					Justification: ov.ComponentNotPresent,
 					Products: []ov.Product{
 						{
 							Component: ov.Component{
@@ -965,7 +965,7 @@ func TestParseVEXRulesFromOpenVEXReport_NormalAndMultipleStatements(t *testing.T
 						Name: "CVE-2024-2222",
 					},
 					Status:        ov.StatusNotAffected,
-					Justification: "component_not_present",
+					Justification: ov.ComponentNotPresent,
 					Products: []ov.Product{
 						{
 							Component: ov.Component{
@@ -990,6 +990,24 @@ func TestParseVEXRulesFromOpenVEXReport_NormalAndMultipleStatements(t *testing.T
 						},
 					},
 				},
+				{
+					ID: "stmt-3",
+					Vulnerability: ov.Vulnerability{
+						Name: "CVE-2024-3333",
+					},
+					Status:          ov.StatusAffected,
+					ActionStatement: "Update",
+					Products: []ov.Product{
+						{
+							Component: ov.Component{
+								ID: "pkg:golang/app@1.0",
+								Identifiers: map[ov.IdentifierType]string{
+									ov.PURL: "pkg:golang/app@1.0",
+								},
+							},
+						},
+					},
+				},
 			},
 		},
 	}
@@ -998,19 +1016,24 @@ func TestParseVEXRulesFromOpenVEXReport_NormalAndMultipleStatements(t *testing.T
 	assert.NoError(t, err)
 
 	expected := []struct {
-		cve  string
-		path []string
+		cve                     string
+		path                    []string
+		mechanicalJustification string
+		eventType               dtos.VulnEventType
 	}{
-		{cve: "CVE-2024-1111", path: []string{"pkg:golang/app@1.0"}},
-		{cve: "CVE-2024-2222", path: []string{"pkg:golang/lib@2.0", dtos.PathPatternWildcard, "pkg:golang/lib/sub@2.0"}},
-		{cve: "CVE-2024-2222", path: []string{"pkg:golang/app@1.0"}},
+		{cve: "CVE-2024-1111", path: []string{"pkg:golang/app@1.0"}, mechanicalJustification: string(ov.ComponentNotPresent), eventType: dtos.EventTypeFalsePositive},
+		{cve: "CVE-2024-2222", path: []string{"pkg:golang/lib@2.0", dtos.PathPatternWildcard, "pkg:golang/lib/sub@2.0"}, mechanicalJustification: string(ov.ComponentNotPresent), eventType: dtos.EventTypeFalsePositive},
+		{cve: "CVE-2024-2222", path: []string{"pkg:golang/app@1.0"}, mechanicalJustification: string(ov.ComponentNotPresent), eventType: dtos.EventTypeFalsePositive},
+		{cve: "CVE-2024-3333", path: []string{"pkg:golang/app@1.0"}, mechanicalJustification: "", eventType: dtos.EventTypeComment},
 	}
 
 	assert.Len(t, rules, len(expected), "number of generated rules should match expected")
 
 	// We check by order, results and expected results have to line up for this test
 	for i, exp := range expected {
 		assert.Equal(t, exp.path, []string(rules[i].PathPattern), "path pattern for %s", exp.cve)
+		assert.Equal(t, exp.mechanicalJustification, string(rules[i].MechanicalJustification), "justification for %s", exp.cve)
+		assert.Equal(t, exp.eventType, rules[i].EventType, "eventType for %s", exp.cve)
 	}
 }