From bd9cad4e74e21dac2c88639737c94daab2178b7f Mon Sep 17 00:00:00 2001
From: Ulf Lilleengen
Date: Tue, 6 Jun 2023 09:08:21 +0200
Subject: [PATCH] Ensure only CVE id is set for CSAF documents

---
 pkg/ingestor/parser/csaf/parser_csaf.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/pkg/ingestor/parser/csaf/parser_csaf.go b/pkg/ingestor/parser/csaf/parser_csaf.go
index 73d14fa3ef2..0704e24def0 100644
--- a/pkg/ingestor/parser/csaf/parser_csaf.go
+++ b/pkg/ingestor/parser/csaf/parser_csaf.go
@@ -154,7 +154,7 @@ func (c *csafParser) findPkgSpec(ctx context.Context, product_id string) (*gener
 return helpers.PurlToPkg(*purl)
 }
 
-func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEInputSpec, ghsa *generated.GHSAInputSpec, vuln *csaf.Vulnerability, status string, product_id string) *assembler.VexIngest {
+func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEInputSpec, vuln *csaf.Vulnerability, status string, product_id string) *assembler.VexIngest {
 logger := logging.FromContext(ctx)
 
 vi := &assembler.VexIngest{}
@@ -194,7 +194,6 @@ func (c *csafParser) generateVexIngest(ctx context.Context, cve *generated.CVEIn
 
 vi.VexData = &vd
 vi.CVE = cve
- vi.GHSA = ghsa
 
 pkg, err := c.findPkgSpec(ctx, product_id)
 if err != nil {
@@ -214,8 +213,9 @@ func (c *csafParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
 if len(c.csaf.Vulnerabilities) > 0 {
 for _, v := range c.csaf.Vulnerabilities {
- cve, ghsa, err := helpers.OSVToGHSACVE(v.CVE)
- if err != nil {
+ // CVE field only contains CVE id, use the helper to parse and create the CVE input spec.
+ cve, _, err := helpers.OSVToGHSACVE(v.CVE)
+ if err != nil || cve == nil {
 return nil
 }
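Review bot: The rewritten `generateVexIngest` signature on the `+func` line still carries no doc comment, so a reader cannot tell what the nil return that the caller later checks (`if vi == nil { continue }`) signifies. A comment such as `// generateVexIngest builds the VexIngest for one product_id of vuln with the given status, attaching cve; it returns nil when the product cannot be resolved to a package.` would state the contract. The "cannot be resolved" reading is inferred from the `pkg, err := c.findPkgSpec(ctx, product_id)` / `if err != nil {` check in the next hunk and should be confirmed against the body, which lies outside the hunk.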
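Review bot: The new guard `if err != nil || cve == nil { return nil }` in GetPredicates aborts ingestion of the whole CSAF document without recording why: the error from `helpers.OSVToGHSACVE` is dropped, and the added `cve == nil` case (a vulnerability whose identifier the helper does not classify as a CVE, judging by the discarded second return value) is now silent as well. For a defender that is the worst failure mode — one malformed or non-CVE `v.CVE` value makes every VEX statement in the advisory disappear with no log line to explain it — so log the identifier and error through the logger the file already obtains with `logging.FromContext(ctx)` before returning. It is also worth deciding explicitly whether one unparseable vulnerability should drop the document (`return nil`) or only itself (`continue`); the current code makes that choice implicitly. The new comment asserts "CVE field only contains CVE id" while the code immediately guards against the opposite, so rewording it to something like `// v.CVE is expected to hold a CVE id; the helper parses it into a CVE input spec and yields nil cve for anything else.` would match the behaviour. The enclosing loop and the rest of GetPredicates extend outside the hunk.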
@@ -224,7 +224,7 @@ func (c *csafParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
 products := v.ProductStatus[status]
 if len(products) > 0 {
 for _, product := range products {
- vi := c.generateVexIngest(ctx, cve, ghsa, &v, status, product)
+ vi := c.generateVexIngest(ctx, cve, &v, status, product)
 if vi == nil {
 continue
 }
@@ -236,7 +236,6 @@ func (c *csafParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
 cv := assembler.CertifyVulnIngest{
 Pkg: vi.Pkg,
 CVE: cve,
- GHSA: ghsa,
 VulnData: &vulnData,
 }
 cvs = append(cvs, cv)