add statements correctly

guacsec · Apr 14, 2023 · 605dd89 · 605dd89
1 parent ffb5af6
commit 605dd89
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 21 deletions.
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.19
 require (
 	cloud.google.com/go/storage v1.30.1
 	github.com/fsouza/fake-gcs-server v1.44.2
-	github.com/in-toto/in-toto-golang v0.7.0
+	github.com/in-toto/in-toto-golang v0.7.1
 	github.com/neo4j/neo4j-go-driver/v4 v4.4.7
 	github.com/secure-systems-lab/go-securesystemslib v0.5.0
 	github.com/spf13/cobra v1.7.0
@@ -183,4 +183,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 )
 
-replace github.com/openvex/go-vex => github.com/lulf/go-vex v0.0.0-20230413115232-c95829e95847
+replace github.com/openvex/go-vex => github.com/lulf/go-vex v0.0.0-20230414102936-6c397cafc31e
diff --git a/go.sum b/go.sum
@@ -1380,7 +1380,6 @@ github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK
 github.com/in-toto/in-toto-golang v0.7.1 h1:IzOB18y7/4KoEp4/RiWnuIXUpqi9+5yGlRy/t/QRDWE=
 github.com/in-toto/in-toto-golang v0.7.1/go.mod h1:m7HiDiYvPz+7SkqU9Tnt9hNgJfA31/nr1GSlDlxrQmE=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
@@ -1513,8 +1512,8 @@ github.com/linode/linodego v1.4.0/go.mod h1:PVsRxSlOiJyvG4/scTszpmZDTdgS+to3X6eS
 github.com/linode/linodego v1.12.0/go.mod h1:NJlzvlNtdMRRkXb0oN6UWzUkj6t+IBsyveHgZ5Ppjyk=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
 github.com/logrusorgru/aurora/v3 v3.0.0/go.mod h1:vsR12bk5grlLvLXAYrBsb5Oc/N+LxAlxggSjiwMnCUc=
-github.com/lulf/go-vex v0.0.0-20230413115232-c95829e95847 h1:KSsq23FdsKUWrtENspgqgpofjXu/qcTyt8ic4xG0TyU=
-github.com/lulf/go-vex v0.0.0-20230413115232-c95829e95847/go.mod h1:PElJEKBNE2pHF7e+xGKPnF2ysbq/ec5EMzKRsDjRdh4=
+github.com/lulf/go-vex v0.0.0-20230414102936-6c397cafc31e h1:B6ULqASSl4atTvsScHuIk1c3W7sYy43YFsfJPJODdMA=
+github.com/lulf/go-vex v0.0.0-20230414102936-6c397cafc31e/go.mod h1:PElJEKBNE2pHF7e+xGKPnF2ysbq/ec5EMzKRsDjRdh4=
 github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=

diff --git a/pkg/assembler/clients/operations/certifyVuln.graphql b/pkg/assembler/clients/operations/certifyVuln.graphql
@@ -53,18 +53,6 @@ mutation CertifyGHSA($pkg: PkgInputSpec!, $ghsa: GHSAInputSpec!, $certifyVuln: V
   }
 }
 
-mutation CertifyRHSA($pkg: PkgInputSpec!, $rhsa: RHSAInputSpec!, $certifyVuln: VulnerabilityMetaDataInput!) {
-  ingestPackage(pkg: $pkg) {
-    ...AllPkgTree
-  }
-  ingestRHSA(rhsa: $rhsa) {
-    ...allRHSATree
-  }
-  ingestVulnerability(pkg: $pkg, vulnerability: {rhsa: $rhsa}, certifyVuln: $certifyVuln) {
-    ...AllCertifyVuln
-  }
-}
-
 mutation CertifyNoKnownVuln($pkg: PkgInputSpec!, $certifyVuln: VulnerabilityMetaDataInput!) {
   ingestPackage(pkg: $pkg) {
     ...AllPkgTree

diff --git a/pkg/ingestor/parser/csaf/parser_csaf.go b/pkg/ingestor/parser/csaf/parser_csaf.go
@@ -30,6 +30,27 @@ import (
 	"github.com/openvex/go-vex/pkg/csaf"
 )
 
+var (
+	justificationsMap = map[string]generated.VexJustification{
+		"component_not_present":                             generated.VexJustificationComponentNotPresent,
+		"vulnerable_code_not_present":                       generated.VexJustificationVulnerableCodeNotPresent,
+		"vulnerable_code_not_in_execute_path":               generated.VexJustificationVulnerableCodeNotInExecutePath,
+		"vulnerable_code_cannot_be_controlled_by_adversary": generated.VexJustificationVulnerableCodeCannotBeControlledByAdversary,
+		"inline_mitigations_already_exist":                  generated.VexJustificationInlineMitigationsAlreadyExist,
+	}
+
+	vexStatusMap = map[string]generated.VexStatus{
+		"known_not_affected":  generated.VexStatusNotAffected,
+		"known_affected":      generated.VexStatusAffected,
+		"fixed":               generated.VexStatusFixed,
+		"first_fixed":         generated.VexStatusFixed,
+		"under_investigation": generated.VexStatusUnderInvestigation,
+		"first_affected":      generated.VexStatusAffected,
+		"last_affected":       generated.VexStatusAffected,
+		"recommended":         generated.VexStatusAffected,
+	}
+)
+
 type csafParser struct {
 	doc               *processor.Document
 	identifierStrings *common.IdentifierStrings
@@ -95,6 +116,30 @@ func findProductRef(ctx context.Context, tree csaf.ProductBranch, product_id str
 	return nil
 }
 
+func findActionStatement(tree *csaf.Vulnerability, product_id string) *string {
+	for _, r := range tree.Remediations {
+		for _, p := range r.ProductIDs {
+			if p == product_id {
+				return &r.Details
+			}
+		}
+	}
+	return nil
+}
+
+func findImpactStatement(tree *csaf.Vulnerability, product_id string) *string {
+	for _, t := range tree.Threats {
+		if t.Category == "impact" {
+			for _, p := range t.ProductIDs {
+				if p == product_id {
+					return &t.Details
+				}
+			}
+		}
+	}
+	return nil
+}
+
 func (c *csafParser) findPkgSpec(ctx context.Context, product_id string) (*generated.PkgInputSpec, error) {
 	pref := findProductRef(ctx, c.csaf.ProductTree, product_id)
 	if pref == nil {
@@ -116,6 +161,22 @@ func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEIn
 	vd := generated.VexStatementInputSpec{}
 	vd.KnownSince = c.csaf.Document.Tracking.CurrentReleaseDate
 	vd.Origin = c.csaf.Document.Tracking.ID
+	vd.VexJustification = generated.VexJustificationNotProvided
+
+	if vexStatus, ok := vexStatusMap[status]; ok {
+		vd.Status = vexStatus
+	}
+
+	var statement *string
+	if vd.Status == generated.VexStatusNotAffected {
+		statement = findImpactStatement(vuln, product_id)
+	} else {
+		statement = findActionStatement(vuln, product_id)
+	}
+
+	if statement != nil {
+		vd.Statement = *statement
+	}
 
 	for _, flag := range vuln.Flags {
 		found := false
@@ -125,7 +186,9 @@ func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEIn
 			}
 		}
 		if found {
-			vd.Justification = flag.Label
+			if just, ok := justificationsMap[flag.Label]; ok {
+				vd.VexJustification = just
+			}
 		}
 	}
 
@@ -144,13 +207,10 @@ func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEIn
 }
 
 func (c *csafParser) GetPredicates(ctx context.Context) *assembler.IngestPredicates {
-	logger := logging.FromContext(ctx)
-
 	rv := &assembler.IngestPredicates{}
 	var vis []assembler.VexIngest
 	var cvs []assembler.CertifyVulnIngest
 
-	logger.Infof("[csaf] starting ingestion")
 	if len(c.csaf.Vulnerabilities) > 0 {
 
 		for _, v := range c.csaf.Vulnerabilities {