Merge pull request #381 from viveksahu26/fix/signature_field_msg

fix signature field msg
interlynk-io · Jan 13, 2025 · be22ee7 · be22ee7
2 parents 97b9091 + 175c478
commit be22ee7
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 14 deletions.
diff --git a/pkg/compliance/bsiV2.go b/pkg/compliance/bsiV2.go
@@ -16,6 +16,7 @@ package compliance
 
 import (
 	"context"
+	"os"
 	"strings"
 
 	"github.com/interlynk-io/sbomqs/pkg/compliance/common"
@@ -105,7 +106,13 @@ func bsiV2SbomSignature(doc sbom.Document) *db.Record {
 		pubKey := doc.Signature().GetPublicKey()
 		blob := doc.Signature().GetBlob()
 		sig := doc.Signature().GetSigValue()
-		valid, err := common.VerifySignature(pubKey, blob, sig)
+
+		pubKeyData, err := os.ReadFile(pubKey)
+		if err != nil {
+			return db.NewRecordStmt(SBOM_SIGNATURE, "doc", "Sig not detected!", 0.0, "")
+		}
+
+		valid, err := common.VerifySignature(pubKeyData, blob, sig)
 		if err != nil {
 			return db.NewRecordStmt(SBOM_SIGNATURE, "doc", "Verification failed!", 0.0, "")
 		}
@@ -114,7 +121,7 @@ func bsiV2SbomSignature(doc sbom.Document) *db.Record {
 			result = "Signature verification succeeded!"
 		} else {
 			score = 5.0
-			result = "Signature verification failed!"
+			result = "Signature provided but verification failed!"
 		}
 
 		common.RemoveFileIfExists("extracted_public_key.pem")

diff --git a/pkg/compliance/common/common.go b/pkg/compliance/common/common.go
@@ -489,12 +489,7 @@ func AreLicensesValid(licenses []licenses.License) bool {
 	return spdx+aboutcode+custom == len(licenses)
 }
 
-func VerifySignature(publicKeyPath, sbomPath, signaturePath string) (bool, error) {
-	pubKeyData, err := os.ReadFile(publicKeyPath)
-	if err != nil {
-		return false, err
-	}
-
+func VerifySignature(pubKeyData []byte, sbomPath, signaturePath string) (bool, error) {
 	block, _ := pem.Decode(pubKeyData)
 	if block == nil || block.Type != "PUBLIC KEY" {
 		return false, fmt.Errorf("invalid public key")

diff --git a/pkg/sbom/cdx.go b/pkg/sbom/cdx.go
@@ -31,6 +31,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/interlynk-io/sbomqs/pkg/cpe"
 	"github.com/interlynk-io/sbomqs/pkg/licenses"
+	"github.com/interlynk-io/sbomqs/pkg/logger"
 	"github.com/interlynk-io/sbomqs/pkg/omniborid"
 	"github.com/interlynk-io/sbomqs/pkg/purl"
 	"github.com/interlynk-io/sbomqs/pkg/swhid"
@@ -170,7 +171,7 @@ func (c *CdxDoc) parse() {
 	c.parsePrimaryCompAndRelationships()
 	c.parseVulnerabilities()
 	if c.Signature().GetSigValue() == "" && c.Signature().GetPublicKey() == "" {
-		fmt.Println("Extract public key and signature from SBOM")
+		c.addToLogs("extract public key and signature from cylonedx sbom itself")
 		c.parseSignature()
 	}
 	c.parseComps()
@@ -255,6 +256,8 @@ func (c *CdxDoc) parseVulnerabilities() {
 // until and unless cyclondx-go library supports signature, this part is useless
 // So, we are using tech hack to parse signature directly from JSON sbom file
 func (c *CdxDoc) parseSignature() {
+	log := logger.FromContext(c.ctx)
+	log.Debug("parseSignature()")
 	c.SignatureDetail = &Signature{}
 	if c.doc.Declarations != nil {
 		if c.doc.Declarations.Signature != nil {
@@ -265,27 +268,27 @@ func (c *CdxDoc) parseSignature() {
 			// decode the signature
 			signatureValue, err := base64.StdEncoding.DecodeString(sigValue)
 			if err != nil {
-				fmt.Println("Error decoding signature:", err)
+				log.Debug("Error decoding signature:", err)
 				return
 			}
 
 			// write the signature to a file
 			if err := os.WriteFile("extracted_signature.bin", signatureValue, 0o600); err != nil {
-				fmt.Println("Error writing signature to file:", err)
+				log.Debug("Error writing signature to file: %s", err)
 				return
 			}
 			c.addToLogs("Signature written to file: extracted_signature.bin")
 
 			// extract the public key modulus and exponent
 			modulus, err := base64.StdEncoding.DecodeString(pubKeyModulus)
 			if err != nil {
-				fmt.Println("Error decoding public key modulus:", err)
+				log.Debug("Error decoding public key modulus:", err)
 				return
 			}
 
 			exponent := decodeBase64URLEncodingToInt(pubKeyExponent)
 			if exponent == 0 {
-				fmt.Println("Invalid public key exponent.")
+				c.addToLogs("Invalid public key exponent.")
 				return
 			}
 
@@ -298,7 +301,7 @@ func (c *CdxDoc) parseSignature() {
 			// write the public key to a PEM file
 			pubKeyPEM := publicKeyToPEM(pubKey)
 			if err := os.WriteFile("extracted_public_key.pem", pubKeyPEM, 0o600); err != nil {
-				fmt.Println("Error writing public key to file:", err)
+				log.Debug("Error writing public key to file:", err)
 				return
 			}