
Commit 08fff22

authored
Merge pull request #54 from knqyf263/feat/vuln_match
Better vulnerability match in EffectiveStatement
2 parents 76b7c3d + b1a8050 commit 08fff22


2 files changed

+33
-12
lines changed


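--- a/pkg/vex/vex.go
+++ b/pkg/vex/vex.go
@@ -145,13 +145,8 @@ func (vexDoc *VEX) EffectiveStatement(product, vulnID string) (s *Statement) {
 	SortStatements(statements, t)
 
 	for i := len(statements) - 1; i >= 0; i-- {
-		if statements[i].Vulnerability.ID != vulnID {
-			continue
-		}
-		for _, p := range statements[i].Products {
-			if p.ID == product {
-				return &statements[i]
-			}
+		if statements[i].Matches(vulnID, product, nil) {
+			return &statements[i]
 		}
 	}
 	return nil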
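Review bot: The bare `nil` passed as the third argument of `statements[i].Matches(vulnID, product, nil)` on new line 148 gives the reader no indication of what constraint is being left open; the meaning lives in `Matches`, which is outside this hunk (presumably a subcomponent list). A one-line comment at the call site would make the intent explicit, e.g. `// nil: no subcomponent constraint, any subcomponent of product matches (see Statement.Matches)`, adjusted to whatever `Matches` actually does with it. Since `EffectiveStatement` now resolves aliases rather than only the exact `Vulnerability.ID`, the doc comment on the method (outside the hunk) should also say that `vulnID` may be any name or alias the statement carries, so callers know a GHSA lookup can select a CVE-keyed statement. The enclosing function begins and ends outside this hunk.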

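--- a/pkg/vex/vex_test.go
+++ b/pkg/vex/vex_test.go
@@ -28,7 +28,7 @@ func TestEffectiveStatement(t *testing.T) {
 			vexDoc: &VEX{
 				Statements: []Statement{
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp: &date1,
 						Products: []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status: StatusNotAffected,
@@ -45,13 +45,13 @@ func TestEffectiveStatement(t *testing.T) {
 			vexDoc: &VEX{
 				Statements: []Statement{
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp: &date1,
 						Products: []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status: StatusUnderInvestigation,
 					},
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp: &date2,
 						Products: []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status: StatusNotAffected,
@@ -68,13 +68,13 @@ func TestEffectiveStatement(t *testing.T) {
 			vexDoc: &VEX{
 				Statements: []Statement{
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp: &date1,
 						Products: []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status: StatusUnderInvestigation,
 					},
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp: &date2,
 						Products: []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status: StatusNotAffected,
@@ -87,6 +87,32 @@ func TestEffectiveStatement(t *testing.T) {
 			expectedDate: &date1,
 			expectedStatus: StatusUnderInvestigation,
 		},
+		"Vulnerability aliases": {
+			vexDoc: &VEX{
+				Statements: []Statement{
+					{
+						Vulnerability: Vulnerability{
+							Name: "CVE-2014-123456",
+							Aliases: []VulnerabilityID{"ghsa-92xj-mqp7-vmcj"},
+						},
+						Timestamp: &date1,
+						Products: []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
+						Status: StatusUnderInvestigation,
+					},
+					{
+						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Timestamp: &date2,
+						Products: []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
+						Status: StatusNotAffected,
+					},
+				},
+			},
+			vulnID: "ghsa-92xj-mqp7-vmcj",
+			product: "pkg:deb/[email protected]",
+			shouldNil: false,
+			expectedDate: &date1,
+			expectedStatus: StatusUnderInvestigation,
+		},
 	} {
 		s := tc.vexDoc.EffectiveStatement(tc.product, tc.vulnID)
 		if tc.shouldNil {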
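Review bot: In the new "Vulnerability aliases" case (new lines 90-115) the second, newer statement is keyed by `Vulnerability{ID: ...}` while every other statement in the file was just switched to `Name`, and nothing says whether that statement is meant as a deliberate non-matching distractor or is a leftover from the rename; the expected result (`&date1`, the older statement) only makes sense under the first reading. A comment on that entry, e.g. `// newer statement is keyed by ID only, so the GHSA lookup must fall back to the aliased, older one`, would pin the intent so a later cleanup does not quietly change what the case proves. The case also uses the identical lowercase string for the alias and for `vulnID`, so it does not show whether alias matching is exact or case-normalized; if `Matches` (outside this diff) is exact, a second case querying with the uppercase form would document that a GHSA lookup must use the same spelling as the document, and a negative case with an unknown alias expecting `shouldNil: true` would guard against over-broad matching. The enclosing `TestEffectiveStatement` body continues past the hunk.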
