Ensure only CVE id is set for CSAF documents

Signed-off-by: Ulf Lilleengen <ulf.lilleengen@gmail.com>
guacsec · Jun 6, 2023 · 1e6a567 · 1e6a567
1 parent 94e2ab3
commit 1e6a567
Showing 1 changed file with 5 additions and 6 deletions.
diff --git a/pkg/ingestor/parser/csaf/parser_csaf.go b/pkg/ingestor/parser/csaf/parser_csaf.go
@@ -154,7 +154,7 @@ func (c *csafParser) findPkgSpec(ctx context.Context, product_id string) (*gener
 	return helpers.PurlToPkg(*purl)
 }
 
-func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEInputSpec, ghsa *generated.GHSAInputSpec, vuln *csaf.Vulnerability, status string, product_id string) *assembler.VexIngest {
+func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEInputSpec, vuln *csaf.Vulnerability, status string, product_id string) *assembler.VexIngest {
 	logger := logging.FromContext(ctx)
 	vi := &assembler.VexIngest{}
 
@@ -194,7 +194,6 @@ func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEIn
 
 	vi.VexData = &vd
 	vi.CVE = cve
-	vi.GHSA = ghsa
 
 	pkg, err := c.findPkgSpec(ctx, product_id)
 	if err != nil {
@@ -214,8 +213,9 @@ func (c *csafParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
 	if len(c.csaf.Vulnerabilities) > 0 {
 
 		for _, v := range c.csaf.Vulnerabilities {
-			cve, ghsa, err := helpers.OSVToGHSACVE(v.CVE)
-			if err != nil {
+			// CVE field only contains CVE id, use the helper to parse and create the CVE input spec.
+			cve, _, err := helpers.OSVToGHSACVE(v.CVE)
+			if err != nil || cve == nil {
 				return nil
 			}
 
@@ -224,7 +224,7 @@ func (c *csafParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
 				products := v.ProductStatus[status]
 				if len(products) > 0 {
 					for _, product := range products {
-						vi := c.generateVexIngest(ctx, cve, ghsa, &v, status, product)
+						vi := c.generateVexIngest(ctx, cve, &v, status, product)
 						if vi == nil {
 							continue
 						}
@@ -236,7 +236,6 @@ func (c *csafParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
 							cv := assembler.CertifyVulnIngest{
 								Pkg:      vi.Pkg,
 								CVE:      cve,
-								GHSA:     ghsa,
 								VulnData: &vulnData,
 							}
 							cvs = append(cvs, cv)