bugfix/367 fix cyclonedx parser crash if the package does not have pu…

…rl in metadata
smithy-security · Sep 24, 2024 · de2c300 · de2c300
1 parent 9a4c91a
commit de2c300
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 26 deletions.
diff --git a/components/consumers/dependency-track/main_test.go b/components/consumers/dependency-track/main_test.go
@@ -59,7 +59,7 @@ func TestUploadBomsFromRaw(t *testing.T) {
 	require.NoError(t, err)
 
 	client = c
-	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json")
+	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "")
 
 	require.NoError(t, err)
 	ltr := v1.LaunchToolResponse{
@@ -112,7 +112,7 @@ func TestUploadBomsFromEnriched(t *testing.T) {
 	require.NoError(t, err)
 
 	client = c
-	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json")
+	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "")
 
 	require.NoError(t, err)
 	ltr := v1.LaunchToolResponse{
@@ -206,7 +206,7 @@ func TestUploadBomsFromEnrichedWithOwners(t *testing.T) {
 	require.NoError(t, err)
 
 	client = c
-	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json")
+	issues, err := cyclonedx.ToDracon(rawSaaSBOM, "json", "")
 	require.NoError(t, err)
 
 	ltr := v1.LaunchToolResponse{

diff --git a/components/enrichers/depsdev/main.go b/components/enrichers/depsdev/main.go
@@ -184,7 +184,7 @@ func enrichIssue(i *v1.Issue) (*v1.EnrichedIssue, error) {
 	if err != nil {
 		return &enrichedIssue, err
 	}
-	originalIssue, err := cyclonedx.ToDracon(marshalled, "json")
+	originalIssue, err := cyclonedx.ToDracon(marshalled, "json", "")
 	if err != nil {
 		return &enrichedIssue, err
 	}

diff --git a/components/producers/cdxgen/main.go b/components/producers/cdxgen/main.go
@@ -31,5 +31,5 @@ func main() {
 }
 
 func handleCycloneDX(inFile []byte) ([]*v1.Issue, error) {
-	return cyclonedx.ToDracon(inFile, "json")
+	return cyclonedx.ToDracon(inFile, "json", "")
 }
diff --git a/components/producers/docker-trivy/main.go b/components/producers/docker-trivy/main.go
@@ -92,7 +92,7 @@ func handleSarif(inFile []byte) ([]*v1.Issue, error) {
 }
 
 func handleCycloneDX(inFile []byte) ([]*v1.Issue, error) {
-	return cyclonedx.ToDracon(inFile, "json")
+	return cyclonedx.ToDracon(inFile, "json", "")
 }
 
 func parseCombinedOut(results types.CombinedOut) []*v1.Issue {

diff --git a/pkg/cyclonedx/cyclonedx.go b/pkg/cyclonedx/cyclonedx.go
@@ -12,7 +12,8 @@ import (
 )
 
 // ToDracon accepts a cycloneDX bom file and transforms to an array containing a singular v1.Issue.
-func ToDracon(inFile []byte, format string) ([]*v1.Issue, error) {
+// revive:disable:cognitive-complexity,cyclomatic High complexity score but
+func ToDracon(inFile []byte, format, targetOverride string) ([]*v1.Issue, error) {
 	bom := new(cdx.BOM)
 	var decoder cdx.BOMDecoder
 	var issues []*v1.Issue
@@ -42,10 +43,15 @@ func ToDracon(inFile []byte, format string) ([]*v1.Issue, error) {
 	}
 	result := strings.TrimSpace(buf.String())
 	target := ""
-	if bom.Metadata.Component.BOMRef != "" {
-		target = bom.Metadata.Component.BOMRef
-	} else {
-		target = bom.Metadata.Component.PackageURL
+	if bom.Metadata != nil && bom.Metadata.Component != nil {
+		if bom.Metadata.Component.BOMRef != "" {
+			target = bom.Metadata.Component.BOMRef
+		} else {
+			target = bom.Metadata.Component.PackageURL
+		}
+	}
+	if targetOverride != "" {
+		target = targetOverride
 	}
 
 	return []*v1.Issue{

diff --git a/pkg/cyclonedx/cyclonedx_test.go b/pkg/cyclonedx/cyclonedx_test.go
@@ -5,7 +5,6 @@ import (
 	"os"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	v1 "github.com/ocurity/dracon/api/proto/v1"
@@ -15,7 +14,7 @@ func TestToDraconLibrary(t *testing.T) {
 	rawLibraryBOM, err := os.ReadFile("./testdata/libraryBOM.json")
 	require.NoError(t, err)
 
-	issues, err := ToDracon(rawLibraryBOM, "json")
+	issues, err := ToDracon(rawLibraryBOM, "json", "")
 	require.NoError(t, err)
 
 	libraryBOM := string(rawLibraryBOM)
@@ -29,21 +28,21 @@ func TestToDraconLibrary(t *testing.T) {
 			CycloneDXSBOM: &libraryBOM,
 		},
 	}
-	assert.Equal(t, expectedIssues[0].Target, issues[0].Target)
-	assert.Equal(t, expectedIssues[0].Type, issues[0].Type)
-	assert.Equal(t, expectedIssues[0].Title, issues[0].Title)
-	assert.Equal(t, expectedIssues[0].Severity, issues[0].Severity)
-	var sbom1, sbom2 map[string]interface{}
+	require.Equal(t, expectedIssues[0].Target, issues[0].Target)
+	require.Equal(t, expectedIssues[0].Type, issues[0].Type)
+	require.Equal(t, expectedIssues[0].Title, issues[0].Title)
+	require.Equal(t, expectedIssues[0].Severity, issues[0].Severity)
+	var sbom1, sbom2 map[string]any
 	require.NoError(t, json.Unmarshal([]byte(*expectedIssues[0].CycloneDXSBOM), &sbom1))
 	require.NoError(t, json.Unmarshal([]byte(*issues[0].CycloneDXSBOM), &sbom2))
-	assert.Equal(t, sbom1, sbom2)
+	require.Equal(t, sbom1, sbom2)
 }
 
 func TestToDraconSaaSInfra(t *testing.T) {
 	rawSaaSBOM, err := os.ReadFile("./testdata/saasBOM.json")
 	require.NoError(t, err)
 
-	issues, err := ToDracon(rawSaaSBOM, "json")
+	issues, err := ToDracon(rawSaaSBOM, "json", "")
 	require.NoError(t, err)
 
 	saasBOM := string(rawSaaSBOM)
@@ -56,13 +55,41 @@ func TestToDraconSaaSInfra(t *testing.T) {
 			CycloneDXSBOM: &saasBOM,
 		},
 	}
-	assert.Equal(t, expectedIssues[0].Target, issues[0].Target)
-	assert.Equal(t, expectedIssues[0].Type, issues[0].Type)
-	assert.Equal(t, expectedIssues[0].Title, issues[0].Title)
-	assert.Equal(t, expectedIssues[0].Severity, issues[0].Severity)
+	require.Equal(t, expectedIssues[0].Target, issues[0].Target)
+	require.Equal(t, expectedIssues[0].Type, issues[0].Type)
+	require.Equal(t, expectedIssues[0].Title, issues[0].Title)
+	require.Equal(t, expectedIssues[0].Severity, issues[0].Severity)
 
-	var sbom1, sbom2 map[string]interface{}
+	var sbom1, sbom2 map[string]any
 	require.NoError(t, json.Unmarshal([]byte(*expectedIssues[0].CycloneDXSBOM), &sbom1))
 	require.NoError(t, json.Unmarshal([]byte(*issues[0].CycloneDXSBOM), &sbom2))
-	assert.Equal(t, sbom1, sbom2)
+	require.Equal(t, sbom1, sbom2)
+}
+
+func TestToDraconTargetOverride(t *testing.T) {
+	rawSaaSBOM, err := os.ReadFile("./testdata/saasBOM.json")
+	require.NoError(t, err)
+
+	issues, err := ToDracon(rawSaaSBOM, "json", "my-awesome-infra")
+	require.NoError(t, err)
+
+	saasBOM := string(rawSaaSBOM)
+	expectedIssues := []*v1.Issue{
+		{
+			Target:        "my-awesome-infra",
+			Type:          "SBOM",
+			Title:         "SBOM for my-awesome-infra",
+			Severity:      v1.Severity_SEVERITY_INFO,
+			CycloneDXSBOM: &saasBOM,
+		},
+	}
+	require.Equal(t, expectedIssues[0].Target, issues[0].Target)
+	require.Equal(t, expectedIssues[0].Type, issues[0].Type)
+	require.Equal(t, expectedIssues[0].Title, issues[0].Title)
+	require.Equal(t, expectedIssues[0].Severity, issues[0].Severity)
+
+	var sbom1, sbom2 map[string]any
+	require.NoError(t, json.Unmarshal([]byte(*expectedIssues[0].CycloneDXSBOM), &sbom1))
+	require.NoError(t, json.Unmarshal([]byte(*issues[0].CycloneDXSBOM), &sbom2))
+	require.Equal(t, sbom1, sbom2)
 }