fix(sbom): add missed primaryURL and source severity for CycloneDX (

#5399)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

integration/testdata/pom-cyclonedx.json.golden

@@ -149,6 +149,9 @@
       "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
       "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4",
       "advisories": [
+        {
+          "url": "https://avd.aquasec.com/nvd/cve-2020-9548"
+        },
         {
           "url": "https://access.redhat.com/security/cve/CVE-2020-9548"
         },
@@ -268,6 +271,9 @@
       "description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
       "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
       "advisories": [
+        {
+          "url": "https://avd.aquasec.com/nvd/cve-2021-20190"
+        },
         {
           "url": "https://access.redhat.com/security/cve/CVE-2021-20190"
         },

pkg/sbom/cyclonedx/core/cyclonedx.go

@@ -155,7 +155,7 @@ func (c *CycloneDX) marshalVulnerability(bomRef string, vuln types.DetectedVulne
 		Ratings:     cdxRatings(vuln),
 		CWEs:        cwes(vuln.CweIDs),
 		Description: vuln.Description,
-		Advisories:  cdxAdvisories(vuln.References),
+		Advisories:  cdxAdvisories(append([]string{vuln.PrimaryURL}, vuln.References...)),
 	}
 	if vuln.FixedVersion != "" {
 		v.Recommendation = fmt.Sprintf("Upgrade %s to version %s", vuln.PkgName, vuln.FixedVersion)
@@ -341,19 +341,18 @@ func UnmarshalProperties(properties *[]cdx.Property) map[string]string {
 }
 
 func cdxAdvisories(refs []string) *[]cdx.Advisory {
+	refs = lo.Uniq(refs)
+	advs := lo.FilterMap(refs, func(ref string, _ int) (cdx.Advisory, bool) {
+		return cdx.Advisory{URL: ref}, ref != ""
+	})
+
 	// cyclonedx converts link to empty `[]cdx.Advisory` to `null`
 	// `bom-1.5.schema.json` doesn't support this - `Invalid type. Expected: array, given: null`
 	// we need to explicitly set `nil` for empty `refs` slice
-	if len(refs) == 0 {
+	if len(advs) == 0 {
 		return nil
 	}
 
-	var advs []cdx.Advisory
-	for _, ref := range refs {
-		advs = append(advs, cdx.Advisory{
-			URL: ref,
-		})
-	}
 	return &advs
 }
 

pkg/sbom/cyclonedx/marshal_test.go

@@ -522,6 +522,11 @@ func TestMarshaler_Marshal(t *testing.T) {
 						Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
 						Published:   "2018-12-31T19:29:00+00:00",
 						Updated:     "2019-10-31T01:15:00+00:00",
+						Advisories: &[]cdx.Advisory{
+							{
+								URL: "https://avd.aquasec.com/nvd/cve-2018-20623",
+							},
+						},
 						Affects: &[]cdx.Affects{
 							{
 								Ref: "pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011",
@@ -991,6 +996,9 @@ func TestMarshaler_Marshal(t *testing.T) {
 						},
 						Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
 						Advisories: &[]cdx.Advisory{
+							{
+								URL: "https://avd.aquasec.com/nvd/cve-2022-23633",
+							},
 							{
 								URL: "http://www.openwall.com/lists/oss-security/2022/02/11/5",
 							},
@@ -1384,6 +1392,9 @@ func TestMarshaler_Marshal(t *testing.T) {
 						CWEs:        lo.ToPtr([]int{94}),
 						Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...",
 						Advisories: &[]cdx.Advisory{
+							{
+								URL: "https://avd.aquasec.com/nvd/cve-2023-34468",
+							},
 							{
 								URL: "http://www.openwall.com/lists/oss-security/2023/06/12/3",
 							},

pkg/vulnerability/vulnerability.go

@@ -91,6 +91,13 @@ func (c Client) FillInfo(vulns []types.DetectedVulnerability) {
 		if vulns[i].SeveritySource != "" {
 			severity = vulns[i].Severity
 			severitySource = vulns[i].SeveritySource
+
+			// Store package-specific severity in vendor severities
+			if vuln.VendorSeverity == nil {
+				vuln.VendorSeverity = make(dbTypes.VendorSeverity)
+			}
+			s, _ := dbTypes.NewSeverity(severity) // skip error handling because `SeverityUnknown` will be returned in case of error
+			vuln.VendorSeverity[severitySource] = s
 		}
 
 		// Add the vulnerability detail

pkg/vulnerability/vulnerability_test.go

@@ -218,9 +218,12 @@ func TestClient_FillInfo(t *testing.T) {
 					Status:          dbTypes.StatusAffected,
 					SeveritySource:  vulnerability.Debian,
 					Vulnerability: dbTypes.Vulnerability{
-						Title:            "dos",
-						Description:      "dos vulnerability",
-						Severity:         dbTypes.SeverityLow.String(),
+						Title:       "dos",
+						Description: "dos vulnerability",
+						Severity:    dbTypes.SeverityLow.String(),
+						VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
+							vulnerability.Debian: dbTypes.SeverityLow,
+						},
 						References:       []string{"http://example.com"},
 						LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
 						PublishedDate:    utils.MustTimeParse("2001-01-01T01:01:00Z"),