feat(vex): fix failing tests

Author: JigyasuRajput

cve_bin_tool/util.py

@@ -421,7 +421,9 @@ def decode_bom_ref(ref: str):
     urn_cdx_with_purl = re.compile(
         r"urn:cdx:(?P<bomSerialNumber>[^/]+)\/(?P<bom_version>[^#]+)#(?P<purl>pkg:[^\s]+)"
     )
+
     location = "location/to/product"
+
     match = (
         urn_cdx_with_purl.match(ref)
         or urn_cbt_ext_ref.match(ref)

cve_bin_tool/vex_manager/parse.py

@@ -35,9 +35,66 @@ def __init__(self, filename: str, vextype: str, logger=None):
         self.parsed_data = defaultdict(dict)
         self.serialNumbers = set()
         self.vex_handler = VexHandler(self.logger)
+        self.vex_product_info = {}
 
     def parse_vex(self) -> DefaultDict[ProductInfo, TriageData]:
         """Parses the VEX file and extracts the necessary fields from the vulnerabilities."""
         # Use VexHandler to parse the VEX file
         self.parsed_data = self.vex_handler.parse(self.filename, self.vextype)
+        self._extract_product_info()
         return self.parsed_data
+
+    def _extract_product_info(self):
+        """Extracts the product information from the parsed VEX file"""
+        product_info = {}
+
+        # Try to get metadata from the VEX handler
+        try:
+            # Get the actual VEX type that was detected
+            detected_type = self.vex_handler._detect_vex_type(self.filename)
+            if detected_type:
+                self.vextype = detected_type
+
+            # For CycloneDX, try to extract metadata from the parsed file
+            if self.vextype == "cyclonedx":
+                import json
+
+                try:
+                    with open(self.filename, encoding="utf-8") as f:
+                        vex_data = json.load(f)
+
+                    metadata = vex_data.get("metadata", {})
+                    component = metadata.get("component", {})
+
+                    product_info["product"] = component.get("name", "")
+                    product_info["release"] = component.get("version", "")
+                    product_info["vendor"] = component.get("supplier", {}).get(
+                        "name", ""
+                    )
+
+                except (json.JSONDecodeError, FileNotFoundError, KeyError) as e:
+                    self.logger.warning(
+                        f"Could not extract product info from CycloneDX VEX: {e}"
+                    )
+
+            elif self.vextype == "csaf":
+                # For CSAF, product info would be in the document
+                product_info["product"] = ""
+                product_info["release"] = ""
+                product_info["vendor"] = ""
+
+            elif self.vextype == "openvex":
+                # For OpenVEX, limited product info available
+                product_info["product"] = ""
+                product_info["release"] = ""
+                product_info["vendor"] = ""
+
+        except Exception as e:
+            self.logger.debug(f"Error extracting product info: {e}")
+
+        # Set default values if not found
+        for key in ["product", "release", "vendor"]:
+            if key not in product_info:
+                product_info[key] = ""
+
+        self.vex_product_info = product_info

test/test_vex.py

@@ -368,7 +368,8 @@ def test_triage(self):
         )
 
         # Check if the command succeeded
-        if result.returncode != 0:
+        # Exit code 1 is expected when CVEs are found, 0 when none are found
+        if result.returncode not in [0, 1]:
             print(f"Command failed with return code {result.returncode}")
             print(f"STDOUT: {result.stdout}")
             print(f"STDERR: {result.stderr}")
@@ -428,7 +429,8 @@ def test_filter_triage(self):
         )
 
         # Check if the command succeeded
-        if result.returncode != 0:
+        # Exit code 1 is expected when CVEs are found, 0 when none are found
+        if result.returncode not in [0, 1]:
             print(f"Command failed with return code {result.returncode}")
             print(f"STDOUT: {result.stdout}")
             print(f"STDERR: {result.stderr}")