Add justification, impact_statement and action_statement in OpenVEX

tdruez · tdruez · commit 96c7c6c8f242 · 2025-12-11T14:04:37.000+04:00
Signed-off-by: tdruez &lt;tdruez@aboutcode.org&gt;
diff --git a/dje/outputs.py b/dje/outputs.py
@@ -359,6 +359,30 @@ def get_csaf_security_advisory(product):
     return security_advisory
 
 
+CDX_STATE_TO_OPENVEX_STATUS = {
+    "resolved": openvex.Status.fixed,
+    "resolved_with_pedigree": openvex.Status.fixed,
+    "exploitable": openvex.Status.affected,
+    "in_triage": openvex.Status.under_investigation,
+    "false_positive": openvex.Status.not_affected,
+    "not_affected": openvex.Status.not_affected,
+}
+
+
+justification_ovex = openvex.Justification
+CDX_JUSTIFICATION_TO_OPENVEX_JUSTIFICATION = {
+    "code_not_present": justification_ovex.vulnerable_code_not_present,
+    "code_not_reachable": justification_ovex.vulnerable_code_not_in_execute_path,
+    "protected_at_perimeter": justification_ovex.vulnerable_code_cannot_be_controlled_by_adversary,
+    "protected_at_runtime": justification_ovex.inline_mitigations_already_exist,
+    "protected_by_compiler": justification_ovex.inline_mitigations_already_exist,
+    "protected_by_mitigating_control": justification_ovex.inline_mitigations_already_exist,
+    "requires_configuration": justification_ovex.vulnerable_code_cannot_be_controlled_by_adversary,
+    "requires_dependency": justification_ovex.component_not_present,
+    "requires_environment": justification_ovex.vulnerable_code_cannot_be_controlled_by_adversary,
+}
+
+
 def get_openvex_timestamp():
     return datetime.now(UTC).isoformat()
 
@@ -373,24 +397,42 @@ def get_openvex_vulnerability(vulnerability):
 
 
 def get_openvex_statement(vulnerability):
-    products = [
+    components = [
         openvex.Component1(field_id=package.package_url)
         for package in vulnerability.affected_packages.all()
     ]
 
-    status = openvex.Status.under_investigation
+    status = default_status = openvex.Status.under_investigation
+    status_notes = msgspec.UNSET
+    justification = msgspec.UNSET
+    impact_statement = msgspec.UNSET
+    action_statement = msgspec.UNSET
+
     vulnerability_analyses = vulnerability.vulnerability_analyses.all()
     if len(vulnerability_analyses) == 1:
         analysis = vulnerability_analyses[0]
-        print(analysis)
+        status = CDX_STATE_TO_OPENVEX_STATUS.get(analysis.state, default_status)
+        status_notes = analysis.detail
+
+        if analysis.justification:
+            justification = CDX_JUSTIFICATION_TO_OPENVEX_JUSTIFICATION.get(analysis.justification)
+        if justification == msgspec.UNSET and status == openvex.Status.not_affected:
+            impact_statement = "Unknown"
+
+        if analysis.responses:
+            action_statement = ", ".join(analysis.responses)
+        elif status == openvex.Status.affected:
+            action_statement = "Unknown"
 
     return openvex.Statement(
         vulnerability=get_openvex_vulnerability(vulnerability),
         timestamp=get_openvex_timestamp(),
-        products=products,
+        products=components,
         status=status,
-        # status_notes: analysis.detail
-        # justification: analysis.justification
+        status_notes=status_notes,
+        justification=justification,
+        impact_statement=impact_statement,
+        action_statement=action_statement,
     )
 
 
diff --git a/dje/tests/testfiles/outputs/openvex_document.json b/dje/tests/testfiles/outputs/openvex_document.json
@@ -14,13 +14,16 @@
           "CVE-1984-1010"
         ]
       },
-      "status": "under_investigation",
+      "status": "not_affected",
       "timestamp": "2024-12-19T12:00:00+00:00",
       "products": [
         {
           "@id": "pkg:type/name@1.0"
         }
-      ]
+      ],
+      "status_notes": "Code is not present",
+      "justification": "vulnerable_code_not_present",
+      "action_statement": "can_not_fix, rollback"
     },
     {
       "vulnerability": {
@@ -29,13 +32,16 @@
         "description": "",
         "aliases": []
       },
-      "status": "under_investigation",
+      "status": "affected",
       "timestamp": "2024-12-19T12:00:00+00:00",
       "products": [
         {
           "@id": "pkg:type/name@2.0"
         }
-      ]
+      ],
+      "status_notes": "Need an update",
+      "justification": "vulnerable_code_not_present",
+      "action_statement": "update"
     },
     {
       "vulnerability": {

Original file line number	Diff line number	Diff line change
`@@ -14,13 +14,16 @@`
`14`	`14`	`"CVE-1984-1010"`
`15`	`15`	`]`
`16`	`16`	`},`
`17`		`- "status": "under_investigation",`
	`17`	`+ "status": "not_affected",`
`18`	`18`	`"timestamp": "2024-12-19T12:00:00+00:00",`
`19`	`19`	`"products": [`
`20`	`20`	`{`
`21`	`21`	`"@id": "pkg:type/[email protected]"`
`22`	`22`	`}`
`23`		`- ]`
	`23`	`+ ],`
	`24`	`+ "status_notes": "Code is not present",`
	`25`	`+ "justification": "vulnerable_code_not_present",`
	`26`	`+ "action_statement": "can_not_fix, rollback"`
`24`	`27`	`},`
`25`	`28`	`{`
`26`	`29`	`"vulnerability": {`
`@@ -29,13 +32,16 @@`
`29`	`32`	`"description": "",`
`30`	`33`	`"aliases": []`
`31`	`34`	`},`
`32`		`- "status": "under_investigation",`
	`35`	`+ "status": "affected",`
`33`	`36`	`"timestamp": "2024-12-19T12:00:00+00:00",`
`34`	`37`	`"products": [`
`35`	`38`	`{`
`36`	`39`	`"@id": "pkg:type/[email protected]"`
`37`	`40`	`}`
`38`		`- ]`
	`41`	`+ ],`
	`42`	`+ "status_notes": "Need an update",`
	`43`	`+ "justification": "vulnerable_code_not_present",`
	`44`	`+ "action_statement": "update"`
`39`	`45`	`},`
`40`	`46`	`{`
`41`	`47`	`"vulnerability": {`