Code Reorg: Split vex package

This commit rearranges the code into new _functions.go files to
get them out of the main vex.go file. Tests are moved into their
corresponding files but no other changes are done.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

pkg/vex/functions_documents.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2023 The OpenVEX Authors
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package vex
+
+import (
+	"sort"
+)
+
+// SortDocuments sorts and returns a slice of documents based on their date.
+// VEXes should be applied sequentially in chronological order as they capture
+// knowledge about an artifact as it changes over time.
+func SortDocuments(docs []*VEX) []*VEX {
+	sort.Slice(docs, func(i, j int) bool {
+		if docs[j].Timestamp == nil {
+			return true
+		}
+		if docs[i].Timestamp == nil {
+			return false
+		}
+		return docs[i].Timestamp.Before(*(docs[j].Timestamp))
+	})
+	return docs
+}

pkg/vex/functions_documents_test.go

@@ -0,0 +1,97 @@
+/*
+Copyright 2023 The OpenVEX Authors
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package vex
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestMerge(t *testing.T) {
+	doc1, err := Open("testdata/v001-1.vex.json")
+	require.NoError(t, err)
+	doc2, err := Open("testdata/v001-2.vex.json")
+	require.NoError(t, err)
+
+	doc3, err := Open("testdata/v020-1.vex.json")
+	require.NoError(t, err)
+	doc4, err := Open("testdata/v020-2.vex.json")
+	require.NoError(t, err)
+
+	for _, tc := range []struct {
+		opts        MergeOptions
+		docs        []*VEX
+		expectedDoc *VEX
+		shouldErr   bool
+	}{
+		// Zero docs should fail
+		{
+			opts:        MergeOptions{},
+			docs:        []*VEX{},
+			expectedDoc: &VEX{},
+			shouldErr:   true,
+		},
+		// One doc results in the same doc
+		{
+			opts:        MergeOptions{},
+			docs:        []*VEX{doc1},
+			expectedDoc: doc1,
+			shouldErr:   false,
+		},
+		// Two docs, as they are
+		{
+			opts: MergeOptions{},
+			docs: []*VEX{doc1, doc2},
+			expectedDoc: &VEX{
+				Metadata: Metadata{},
+				Statements: []Statement{
+					doc1.Statements[0],
+					doc2.Statements[0],
+				},
+			},
+			shouldErr: false,
+		},
+		// Two docs, filter product
+		{
+			opts: MergeOptions{
+				Products: []string{"pkg:apk/wolfi/[email protected]"},
+			},
+			docs: []*VEX{doc3, doc4},
+			expectedDoc: &VEX{
+				Metadata: Metadata{},
+				Statements: []Statement{
+					doc4.Statements[0],
+				},
+			},
+			shouldErr: false,
+		},
+		// Two docs, filter vulnerability
+		{
+			opts: MergeOptions{
+				Vulnerabilities: []string{"CVE-9876-54321"},
+			},
+			docs: []*VEX{doc3, doc4},
+			expectedDoc: &VEX{
+				Metadata: Metadata{},
+				Statements: []Statement{
+					doc3.Statements[0],
+				},
+			},
+			shouldErr: false,
+		},
+	} {
+		doc, err := MergeDocuments(&tc.opts, tc.docs)
+		if tc.shouldErr {
+			require.Error(t, err)
+			continue
+		}
+
+		// Check doc
+		require.Len(t, doc.Statements, len(tc.expectedDoc.Statements))
+		require.Equal(t, doc.Statements, tc.expectedDoc.Statements)
+	}
+}

pkg/vex/functions_files.go

@@ -0,0 +1,219 @@
+/*
+Copyright 2023 The OpenVEX Authors
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package vex
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/openvex/go-vex/pkg/csaf"
+	"github.com/sirupsen/logrus"
+	"gopkg.in/yaml.v3"
+)
+
+// Load reads the VEX document file at the given path and returns a decoded VEX
+// object. If Load is unable to read the file or decode the document, it returns
+// an error.
+func Load(path string) (*VEX, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("loading VEX file: %w", err)
+	}
+
+	return Parse(data)
+}
+
+// Parse parses an OpenVEX document in the latest version from the data byte array.
+func Parse(data []byte) (*VEX, error) {
+	vexDoc := &VEX{}
+	if err := json.Unmarshal(data, vexDoc); err != nil {
+		return nil, fmt.Errorf("%s: %w", errMsgParse, err)
+	}
+	return vexDoc, nil
+}
+
+// OpenYAML opens a VEX file in YAML format.
+func OpenYAML(path string) (*VEX, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("opening YAML file: %w", err)
+	}
+	vexDoc := New()
+	if err := yaml.Unmarshal(data, &vexDoc); err != nil {
+		return nil, fmt.Errorf("unmarshalling VEX data: %w", err)
+	}
+	return &vexDoc, nil
+}
+
+// OpenJSON opens an OpenVEX file in JSON format.
+func OpenJSON(path string) (*VEX, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("opening JSON file: %w", err)
+	}
+	vexDoc := New()
+	if err := json.Unmarshal(data, &vexDoc); err != nil {
+		return nil, fmt.Errorf("unmarshalling VEX data: %w", err)
+	}
+	return &vexDoc, nil
+}
+
+// parseContext light parses a JSON document to look for the OpenVEX context locator
+func parseContext(rawDoc []byte) (string, error) {
+	pd := struct {
+		Context string `json:"@context"`
+	}{}
+
+	if err := json.Unmarshal(rawDoc, &pd); err != nil {
+		return "", fmt.Errorf("parsing context from json data: %w", err)
+	}
+
+	if strings.HasPrefix(pd.Context, Context) {
+		return pd.Context, nil
+	}
+	return "", nil
+}
+
+// Open tries to autodetect the vex format and open it
+func Open(path string) (*VEX, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("opening VEX file: %w", err)
+	}
+
+	documentContextLocator, err := parseContext(data)
+	if err != nil {
+		return nil, err
+	}
+
+	if documentContextLocator == ContextLocator() {
+		return Parse(data)
+	} else if documentContextLocator != "" {
+		version := strings.TrimPrefix(documentContextLocator, Context)
+		version = strings.TrimPrefix(version, "/")
+
+		// If version is nil, then we assume v0.0.1
+		if version == "" {
+			version = "v0.0.1"
+		}
+
+		parser := getLegacyVersionParser(version)
+		if parser == nil {
+			return nil, fmt.Errorf("unable to get parser for version %s", version)
+		}
+
+		doc, err := parser(data)
+		if err != nil {
+			return nil, fmt.Errorf("parsing document: %w", err)
+		}
+
+		return doc, nil
+	}
+
+	if bytes.Contains(data, []byte(`"csaf_version"`)) {
+		logrus.Info("Abriendo CSAF")
+
+		doc, err := OpenCSAF(path, []string{})
+		if err != nil {
+			return nil, fmt.Errorf("attempting to open csaf doc: %w", err)
+		}
+		return doc, nil
+	}
+
+	return nil, fmt.Errorf("unable to detect document format reading %s", path)
+}
+
+// OpenCSAF opens a CSAF document and builds a VEX object from it.
+func OpenCSAF(path string, products []string) (*VEX, error) {
+	csafDoc, err := csaf.Open(path)
+	if err != nil {
+		return nil, fmt.Errorf("opening csaf doc: %w", err)
+	}
+
+	productDict := map[string]string{}
+	filterDict := map[string]string{}
+	for _, pid := range products {
+		filterDict[pid] = pid
+	}
+
+	prods := csafDoc.ProductTree.ListProducts()
+	for _, sp := range prods {
+		// Check if we need to filter
+		if len(filterDict) > 0 {
+			foundID := false
+			for _, i := range sp.IdentificationHelper {
+				if _, ok := filterDict[i]; ok {
+					foundID = true
+					break
+				}
+			}
+			_, ok := filterDict[sp.ID]
+			if !foundID && !ok {
+				continue
+			}
+		}
+
+		for _, h := range sp.IdentificationHelper {
+			productDict[sp.ID] = h
+		}
+	}
+
+	// Create the vex doc
+	v := &VEX{
+		Metadata: Metadata{
+			ID:         csafDoc.Document.Tracking.ID,
+			Author:     "",
+			AuthorRole: "",
+			Timestamp:  &time.Time{},
+		},
+		Statements: []Statement{},
+	}
+
+	// Cycle the CSAF vulns list and get those that apply
+	for i := range csafDoc.Vulnerabilities {
+		for status, docProducts := range csafDoc.Vulnerabilities[i].ProductStatus {
+			for _, productID := range docProducts {
+				if _, ok := productDict[productID]; ok {
+					// Check we have a valid status
+					if StatusFromCSAF(status) == "" {
+						return nil, fmt.Errorf("invalid status for product %s", productID)
+					}
+
+					// TODO search the threats struct for justification, etc
+					just := ""
+					for _, t := range csafDoc.Vulnerabilities[i].Threats {
+						// Search the threats for a justification
+						for _, p := range t.ProductIDs {
+							if p == productID {
+								just = t.Details
+							}
+						}
+					}
+
+					v.Statements = append(v.Statements, Statement{
+						Vulnerability:   Vulnerability{Name: VulnerabilityID(csafDoc.Vulnerabilities[i].CVE)},
+						Status:          StatusFromCSAF(status),
+						Justification:   "", // Justifications are not machine readable in csaf, it seems
+						ActionStatement: just,
+						Products: []Product{
+							{
+								Component: Component{
+									ID: productID,
+								},
+							},
+						},
+					})
+				}
+			}
+		}
+	}
+
+	return v, nil
+}