From 1d4091c072447148483455892d1447806ba7eb69 Mon Sep 17 00:00:00 2001 From: sg Date: Fri, 20 Sep 2024 09:48:26 +0100 Subject: [PATCH] bugfix/367 fix cyclonedx parser crash if the package does not have purl in metadata --- .../consumers/dependency-track/main_test.go | 6 +- components/enrichers/depsdev/main.go | 2 +- components/producers/cdxgen/main.go | 2 +- components/producers/docker-trivy/main.go | 2 +- pkg/cyclonedx/cyclonedx.go | 16 ++++-- pkg/cyclonedx/cyclonedx_test.go | 57 ++++++++++++++----- 6 files changed, 59 insertions(+), 26 deletions(-) diff --git a/components/consumers/dependency-track/main_test.go b/components/consumers/dependency-track/main_test.go index 41ef3402d..d1755eef3 100644 --- a/components/consumers/dependency-track/main_test.go +++ b/components/consumers/dependency-track/main_test.go @@ -59,7 +59,7 @@ func TestUploadBomsFromRaw(t *testing.T) { require.NoError(t, err) client = c - issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json") + issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "") require.NoError(t, err) ltr := v1.LaunchToolResponse{ @@ -112,7 +112,7 @@ func TestUploadBomsFromEnriched(t *testing.T) { require.NoError(t, err) client = c - issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json") + issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "") require.NoError(t, err) ltr := v1.LaunchToolResponse{ @@ -206,7 +206,7 @@ func TestUploadBomsFromEnrichedWithOwners(t *testing.T) { require.NoError(t, err) client = c - issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json") + issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "") require.NoError(t, err) ltr := v1.LaunchToolResponse{ diff --git a/components/enrichers/depsdev/main.go b/components/enrichers/depsdev/main.go index c39d276a6..46acbf176 100644 --- a/components/enrichers/depsdev/main.go +++ b/components/enrichers/depsdev/main.go @@ -184,7 +184,7 @@ func enrichIssue(i *v1.Issue) (*v1.EnrichedIssue, error) { if err != nil { return &enrichedIssue, err } - originalIssue, err := cyclonedx.ToDracon(marshalled, "json") + originalIssue, err := cyclonedx.ToDracon(marshalled, "json", "") if err != nil { return &enrichedIssue, err } diff --git a/components/producers/cdxgen/main.go b/components/producers/cdxgen/main.go index 09f8e9d31..ca2d4c147 100644 --- a/components/producers/cdxgen/main.go +++ b/components/producers/cdxgen/main.go @@ -31,5 +31,5 @@ func main() { } func handleCycloneDX(inFile []byte) ([]*v1.Issue, error) { - return cyclonedx.ToDracon(inFile, "json") + return cyclonedx.ToDracon(inFile, "json", "") } diff --git a/components/producers/docker-trivy/main.go b/components/producers/docker-trivy/main.go index 973688190..b13abd917 100644 --- a/components/producers/docker-trivy/main.go +++ b/components/producers/docker-trivy/main.go @@ -92,7 +92,7 @@ func handleSarif(inFile []byte) ([]*v1.Issue, error) { } func handleCycloneDX(inFile []byte) ([]*v1.Issue, error) { - return cyclonedx.ToDracon(inFile, "json") + return cyclonedx.ToDracon(inFile, "json", "") } func parseCombinedOut(results types.CombinedOut) []*v1.Issue { diff --git a/pkg/cyclonedx/cyclonedx.go b/pkg/cyclonedx/cyclonedx.go index 8a71a055b..3af4218fa 100644 --- a/pkg/cyclonedx/cyclonedx.go +++ b/pkg/cyclonedx/cyclonedx.go @@ -12,7 +12,8 @@ import ( ) // ToDracon accepts a cycloneDX bom file and transforms to an array containing a singular v1.Issue. -func ToDracon(inFile []byte, format string) ([]*v1.Issue, error) { +// revive:disable:cognitive-complexity,cyclomatic High complexity score but +func ToDracon(inFile []byte, format, targetOverride string) ([]*v1.Issue, error) { bom := new(cdx.BOM) var decoder cdx.BOMDecoder var issues []*v1.Issue @@ -42,10 +43,15 @@ func ToDracon(inFile []byte, format string) ([]*v1.Issue, error) { } result := strings.TrimSpace(buf.String()) target := "" - if bom.Metadata.Component.BOMRef != "" { - target = bom.Metadata.Component.BOMRef - } else { - target = bom.Metadata.Component.PackageURL + if bom.Metadata != nil && bom.Metadata.Component != nil { + if bom.Metadata.Component.BOMRef != "" { + target = bom.Metadata.Component.BOMRef + } else { + target = bom.Metadata.Component.PackageURL + } + } + if targetOverride != "" { + target = targetOverride } return []*v1.Issue{ diff --git a/pkg/cyclonedx/cyclonedx_test.go b/pkg/cyclonedx/cyclonedx_test.go index 8839ffb2c..81851025b 100644 --- a/pkg/cyclonedx/cyclonedx_test.go +++ b/pkg/cyclonedx/cyclonedx_test.go @@ -5,7 +5,6 @@ import ( "os" "testing" - "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" v1 "github.com/ocurity/dracon/api/proto/v1" @@ -15,7 +14,7 @@ func TestToDraconLibrary(t *testing.T) { rawLibraryBOM, err := os.ReadFile("./testdata/libraryBOM.json") require.NoError(t, err) - issues, err := ToDracon(rawLibraryBOM, "json") + issues, err := ToDracon(rawLibraryBOM, "json", "") require.NoError(t, err) libraryBOM := string(rawLibraryBOM) @@ -29,21 +28,21 @@ func TestToDraconLibrary(t *testing.T) { CycloneDXSBOM: &libraryBOM, }, } - assert.Equal(t, expectedIssues[0].Target, issues[0].Target) - assert.Equal(t, expectedIssues[0].Type, issues[0].Type) - assert.Equal(t, expectedIssues[0].Title, issues[0].Title) - assert.Equal(t, expectedIssues[0].Severity, issues[0].Severity) - var sbom1, sbom2 map[string]interface{} + require.Equal(t, expectedIssues[0].Target, issues[0].Target) + require.Equal(t, expectedIssues[0].Type, issues[0].Type) + require.Equal(t, expectedIssues[0].Title, issues[0].Title) + require.Equal(t, expectedIssues[0].Severity, issues[0].Severity) + var sbom1, sbom2 map[string]any require.NoError(t, json.Unmarshal([]byte(*expectedIssues[0].CycloneDXSBOM), &sbom1)) require.NoError(t, json.Unmarshal([]byte(*issues[0].CycloneDXSBOM), &sbom2)) - assert.Equal(t, sbom1, sbom2) + require.Equal(t, sbom1, sbom2) } func TestToDraconSaaSInfra(t *testing.T) { rawSaaSBOM, err := os.ReadFile("./testdata/saasBOM.json") require.NoError(t, err) - issues, err := ToDracon(rawSaaSBOM, "json") + issues, err := ToDracon(rawSaaSBOM, "json", "") require.NoError(t, err) saasBOM := string(rawSaaSBOM) @@ -56,13 +55,41 @@ func TestToDraconSaaSInfra(t *testing.T) { CycloneDXSBOM: &saasBOM, }, } - assert.Equal(t, expectedIssues[0].Target, issues[0].Target) - assert.Equal(t, expectedIssues[0].Type, issues[0].Type) - assert.Equal(t, expectedIssues[0].Title, issues[0].Title) - assert.Equal(t, expectedIssues[0].Severity, issues[0].Severity) + require.Equal(t, expectedIssues[0].Target, issues[0].Target) + require.Equal(t, expectedIssues[0].Type, issues[0].Type) + require.Equal(t, expectedIssues[0].Title, issues[0].Title) + require.Equal(t, expectedIssues[0].Severity, issues[0].Severity) - var sbom1, sbom2 map[string]interface{} + var sbom1, sbom2 map[string]any require.NoError(t, json.Unmarshal([]byte(*expectedIssues[0].CycloneDXSBOM), &sbom1)) require.NoError(t, json.Unmarshal([]byte(*issues[0].CycloneDXSBOM), &sbom2)) - assert.Equal(t, sbom1, sbom2) + require.Equal(t, sbom1, sbom2) +} + +func TestToDraconTargetOverride(t *testing.T) { + rawSaaSBOM, err := os.ReadFile("./testdata/saasBOM.json") + require.NoError(t, err) + + issues, err := ToDracon(rawSaaSBOM, "json", "my-awesome-infra") + require.NoError(t, err) + + saasBOM := string(rawSaaSBOM) + expectedIssues := []*v1.Issue{ + { + Target: "my-awesome-infra", + Type: "SBOM", + Title: "SBOM for my-awesome-infra", + Severity: v1.Severity_SEVERITY_INFO, + CycloneDXSBOM: &saasBOM, + }, + } + require.Equal(t, expectedIssues[0].Target, issues[0].Target) + require.Equal(t, expectedIssues[0].Type, issues[0].Type) + require.Equal(t, expectedIssues[0].Title, issues[0].Title) + require.Equal(t, expectedIssues[0].Severity, issues[0].Severity) + + var sbom1, sbom2 map[string]any + require.NoError(t, json.Unmarshal([]byte(*expectedIssues[0].CycloneDXSBOM), &sbom1)) + require.NoError(t, json.Unmarshal([]byte(*issues[0].CycloneDXSBOM), &sbom2)) + require.Equal(t, sbom1, sbom2) }