From 495c479dfd20acc14df8844a1b7825560ddd6f8e Mon Sep 17 00:00:00 2001
From: Lukas Hoehl
Date: Sun, 27 Oct 2024 10:01:12 +0100
Subject: [PATCH] rebase
Signed-off-by: Lukas Hoehl
---
 internal/testing/cmd/pubsub_test/cmd/osv.go | 10 +----
 pkg/certifier/osv/osv_test.go | 41 ++++++++++++++-------
 pkg/ingestor/parser/vuln/score.go | 2 +-
 pkg/ingestor/parser/vuln/vuln.go | 2 +-
 4 files changed, 31 insertions(+), 24 deletions(-)
diff --git a/internal/testing/cmd/pubsub_test/cmd/osv.go b/internal/testing/cmd/pubsub_test/cmd/osv.go
index 415be0535a..88c6e3f432 100644
--- a/internal/testing/cmd/pubsub_test/cmd/osv.go
+++ b/internal/testing/cmd/pubsub_test/cmd/osv.go
@@ -56,7 +56,6 @@ var osvCmd = &cobra.Command{
 viper.GetString("pubsubAddr"),
 viper.GetBool("poll"),
 viper.GetInt("interval"),
- viper.GetBool("add-vuln-metadata"),
 )
 if err != nil {
 fmt.Printf("unable to validate flags: %v\n", err)
@@ -65,11 +64,7 @@ var osvCmd = &cobra.Command{
 }
 if err := certify.RegisterCertifier(func() certifier.Certifier {
- cerifierOpts := []osv.CertifierOpts{}
- if opts.addVulnMetadata {
- cerifierOpts = append(cerifierOpts, osv.WithVulnerabilityMetadata())
- }
- return osv.NewOSVCertificationParser(cerifierOpts...)
+ return osv.NewOSVCertificationParser()
 }, certifier.CertifierOSV); err != nil {
 logger.Fatalf("unable to register certifier: %v", err)
 }
@@ -78,7 +73,7 @@ var osvCmd = &cobra.Command{
 },
 }
-func validateOsvFlags(user string, pass string, dbAddr string, realm string, pubsubAddr string, poll bool, interval int, addVulnMetadata bool) (options, error) {
+func validateOsvFlags(user string, pass string, dbAddr string, realm string, pubsubAddr string, poll bool, interval int) (options, error) {
 var opts options
 opts.user = user
 opts.pass = pass
@@ -87,7 +82,6 @@ func validateOsvFlags(user string, pass string, dbAddr string, realm string, pub
 opts.pubsubAddr = pubsubAddr
 opts.poll = poll
 opts.interval = interval
- opts.addVulnMetadata = addVulnMetadata
 return opts, nil
 }
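Review bot: Dropping `viper.GetBool("add-vuln-metadata")` from the `validateOsvFlags` call in the first hunk only removes the read; if the `add-vuln-metadata` flag is still registered on the command (the flag definitions and the `options` struct are outside these hunks), passing it now silently does nothing instead of being rejected, so the flag definition and the `addVulnMetadata` field should be removed in the same change. The visible body of `validateOsvFlags` (third and fourth hunks) also never returns a non-nil error despite its name — `interval` is accepted unchecked even when `poll` is set — which predates this change but is worth stating now that the signature is being rewritten. I would add above the new signature: `// validateOsvFlags bundles the OSV certifier's CLI flags into an options value; it performs no validation yet and always returns a nil error.` The function is split across the last two hunks, so the assignments in its middle are not shown here.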
diff --git a/pkg/certifier/osv/osv_test.go b/pkg/certifier/osv/osv_test.go
index 30e863a0fb..fa7ed0ac46 100644
--- a/pkg/certifier/osv/osv_test.go
+++ b/pkg/certifier/osv/osv_test.go
@@ -32,6 +32,7 @@ import (
 osv_models "github.com/google/osv-scanner/pkg/models"
 osv_scanner "github.com/google/osv-scanner/pkg/osv"
+ "github.com/guacsec/guac/pkg/assembler/clients/generated"
 attestation_vuln "github.com/guacsec/guac/pkg/certifier/attestation/vuln"
 "github.com/guacsec/guac/pkg/certifier/components/root_package"
 attestationv1 "github.com/in-toto/attestation/go/v1"
@@ -250,17 +251,13 @@ func Test_createAttestation(t *testing.T) {
 Subject: []*attestationv1.ResourceDescriptor{{Name: ""}},
 },
 Predicate: attestation_vuln.VulnerabilityPredicate{
- Invocation: attestation_vuln.Invocation{
- Uri: INVOC_URI,
- ProducerID: PRODUCER_ID,
- },
 Scanner: attestation_vuln.Scanner{
 Uri: URI,
 Version: VERSION,
- Result: []attestation_vuln.Result{{VulnerabilityId: "testId"}},
+ Result: []attestation_vuln.Result{{Id: "testId"}},
 },
 Metadata: attestation_vuln.Metadata{
- ScannedOn: ¤tTime,
+ ScanStartedOn: ¤tTime,
 },
 },
 },
@@ -281,15 +278,31 @@ func Test_createAttestation(t *testing.T) {
 },
 },
 },
- Predicate: attestation_vuln.VulnerabilityPredicate{
- Scanner: attestation_vuln.Scanner{
- Uri: URI,
- Version: VERSION,
- Result: []attestation_vuln.Result{{Id: "testId"}},
+ want: &attestation_vuln.VulnerabilityStatement{
+ Statement: attestationv1.Statement{
+ Type: attestationv1.StatementTypeUri,
+ PredicateType: attestation_vuln.PredicateVuln,
+ Subject: []*attestationv1.ResourceDescriptor{{Name: ""}},
 },
- Metadata: attestation_vuln.Metadata{
- ScanStartedOn: ¤tTime,
- ScanFinishedOn: ¤tTime,
+ Predicate: attestation_vuln.VulnerabilityPredicate{
+ Scanner: attestation_vuln.Scanner{
+ Uri: URI,
+ Version: VERSION,
+ Result: []attestation_vuln.Result{
+ {
+ Id: "CVE-2024-3094",
+ Severity: []attestation_vuln.Severity{
+ {
+ Method: string(generated.VulnerabilityScoreTypeCvssv3),
+ Score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ },
+ },
+ },
+ },
+ },
+ Metadata: attestation_vuln.Metadata{
+ ScanStartedOn: ¤tTime,
+ },
 },
 },
 },
diff --git a/pkg/ingestor/parser/vuln/score.go b/pkg/ingestor/parser/vuln/score.go
index 73fa7b20f0..8aadc796c8 100644
--- a/pkg/ingestor/parser/vuln/score.go
+++ b/pkg/ingestor/parser/vuln/score.go
@@ -4,7 +4,7 @@ import (
 "strconv"
 "github.com/guacsec/guac/pkg/assembler/clients/generated"
- attestation_vuln "github.com/guacsec/guac/pkg/certifier/attestation"
+ attestation_vuln "github.com/guacsec/guac/pkg/certifier/attestation/vuln"
 gocvss20 "github.com/pandatix/go-cvss/20"
 gocvss30 "github.com/pandatix/go-cvss/30"
 gocvss31 "github.com/pandatix/go-cvss/31"
diff --git a/pkg/ingestor/parser/vuln/vuln.go b/pkg/ingestor/parser/vuln/vuln.go
index 42ce1ab255..d32eb87bbf 100644
--- a/pkg/ingestor/parser/vuln/vuln.go
+++ b/pkg/ingestor/parser/vuln/vuln.go
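Review bot: The new expected statement in the Test_createAttestation hunk sets only `ScanStartedOn` in `Metadata`, whereas the removed expectation also carried `ScanFinishedOn`; if `createAttestation` still populates the finish time this comparison fails, and if it no longer does, the attestation loses the scan window that lets a consumer tell whether a finding predates a vulnerability-database update, so please confirm which is intended. The new case also labels a `CVSS:3.1/...` vector with `string(generated.VulnerabilityScoreTypeCvssv3)`; the score.go hunk below imports `gocvss30` and `gocvss31` separately, so it is worth checking that a 3.1 vector is dispatched correctly under the version-agnostic CVSSv3 method label (that mapping is outside this diff). Importing the GraphQL client's `generated` package into the certifier test (the import hunk above) couples the certifier package to the assembler client for one string constant; a local `const` or the literal string would keep the test self-contained. The enclosing test table starts and ends outside the hunk.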
@@ -156,7 +156,7 @@ func parseVulns(_ context.Context, s *attestation_vuln.VulnerabilityStatement) (
 ivs = append(ivs, iv)
 var severityErrors error
- for _, severity := range id.Severity {
+ for _, severity := range res.Severity {
 score, err := parseScoreBasedOnMethod(severity)
 if err != nil {
 severityErrors = errors.Join(fmt.Errorf("parsing severity score failed for method %s: %w", severity.Method, err))
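Review bot: On the last context line, `severityErrors = errors.Join(fmt.Errorf(...))` joins a single error and overwrites the variable on every iteration, so when several severities of one result fail to parse only the last failure survives; the accumulator should be passed in too: `severityErrors = errors.Join(severityErrors, fmt.Errorf("parsing severity score failed for method %q: %w", severity.Method, err))` (`%q` also makes an empty or whitespace-only method visible in the message, since `severity.Method` comes from the ingested attestation). The switch from `id.Severity` to `res.Severity` looks like it corrects which value's severities are iterated, but `res`, `id` and `iv` are declared outside the hunk, so I cannot confirm that from what is shown. parseVulns begins and ends outside the hunk, and what happens to `severityErrors` after the loop is not visible.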