add NoVuln node to ingestion when a package isn't affected

Signed-off-by: m-brophy <mbrophy@redhat.com>
guacsec · Sep 25, 2023 · ab80852 · ab80852
1 parent 3c29ffd
commit ab80852
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 1 deletion.
diff --git a/internal/testing/testdata/exampledata/rhsa-csaf.json b/internal/testing/testdata/exampledata/rhsa-csaf.json
@@ -120,7 +120,10 @@
                 "name": "openssl-1:1.1.1k-8.el8_6.aarch64",
                 "product": {
                   "name": "openssl-1:1.1.1k-8.el8_6.aarch64",
-                  "product_id": "openssl-1:1.1.1k-8.el8_6.aarch64"
+                  "product_id": "openssl-1:1.1.1k-8.el8_6.aarch64",
+                  "product_identification_helper": {
+                    "purl": "pkg:rpm/redhat/openssl@1.1.1k-8.el8_6?arch=aarch64&epoch=1"
+                  }
                 }
               },
               {

diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -2223,6 +2223,29 @@ var (
 	CsafExampleRedHat []byte
 
 	CsafVexIngest = []assembler.VexIngest{
+		{
+			Pkg: &model.PkgInputSpec{
+				Type:       "rpm",
+				Namespace:  strP("redhat"),
+				Name:       "openssl",
+				Version:    strP("1.1.1k-8.el8_6"),
+				Qualifiers: []model.PackageQualifierInputSpec{{Key: "arch", Value: "aarch64"}, {Key: "epoch", Value: "1"}},
+				Subpath:    strP(""),
+			},
+			Vulnerability: &model.VulnerabilityInputSpec{Type: "cve", VulnerabilityID: "cve-2023-0286"},
+			VexData: &model.VexStatementInputSpec{
+				Status:           generated.VexStatusFixed,
+				VexJustification: generated.VexJustificationNotProvided,
+				Statement: `For details on how to apply this update, which includes the changes described in this advisory, refer to:
+
+https://access.redhat.com/articles/11258
+
+For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.`,
+
+				KnownSince: parseRfc3339("2023-03-23T11:14:00Z"),
+				Origin:     "RHSA-2023:1441",
+			},
+		},
 		{
 			Pkg: &model.PkgInputSpec{
 				Type:       "rpm",
@@ -2248,6 +2271,23 @@ For the update to take effect, all services linked to the OpenSSL library must b
 		},
 	}
 	CsafCertifyVulnIngest = []assembler.CertifyVulnIngest{
+		{
+			Pkg: &model.PkgInputSpec{
+				Type:      "rpm",
+				Namespace: strP("redhat"),
+				Name:      "openssl",
+				Version:   strP("1.1.1k-8.el8_6"),
+				Qualifiers: []model.PackageQualifierInputSpec{
+					{Key: "arch", Value: "aarch64"},
+					{Key: "epoch", Value: "1"},
+				},
+				Subpath: strP(""),
+			},
+			Vulnerability: &model.VulnerabilityInputSpec{Type: "NoVuln", VulnerabilityID: ""},
+			VulnData: &model.ScanMetadataInput{
+				TimeScanned: parseRfc3339("2023-03-23T11:14:00Z"),
+			},
+		},
 		{
 			Pkg: &model.PkgInputSpec{
 				Type:      "rpm",

diff --git a/pkg/ingestor/parser/csaf/parser_csaf.go b/pkg/ingestor/parser/csaf/parser_csaf.go
@@ -301,6 +301,19 @@ func (c *csafParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
 						VulnData:      &vulnData,
 					}
 					cvs = append(cvs, cv)
+				} else if status == "known_not_affected" || status == "fixed" {
+					vulnData := generated.ScanMetadataInput{
+						TimeScanned: c.csaf.Document.Tracking.CurrentReleaseDate,
+					}
+					noVuln := generated.VulnerabilityInputSpec{
+						Type: "NoVuln",
+					}
+					cv := assembler.CertifyVulnIngest{
+						Pkg:           vi.Pkg,
+						Vulnerability: &noVuln,
+						VulnData:      &vulnData,
+					}
+					cvs = append(cvs, cv)
 				}
 				vis = append(vis, *vi)
 			}