diff --git a/modules/fundamental/tests/dataset.rs b/modules/fundamental/tests/dataset.rs index 3a6443a83..9b56f7ad3 100644 --- a/modules/fundamental/tests/dataset.rs +++ b/modules/fundamental/tests/dataset.rs @@ -88,6 +88,29 @@ async fn ingest(ctx: TrustifyContext) -> anyhow::Result<()> { assert_eq!(content.len(), 1174356); + let sbom_details = service + .fetch_sbom_details(sbom.id.clone(), vec![], &ctx.db) + .await?; + assert!(sbom_details.is_some()); + let sbom_details = sbom_details.unwrap(); + assert_eq!(sbom_details.summary.head.name, "quarkus-bom"); + + // test advisories + + let advisories = sbom_details.advisories; + assert_eq!(advisories.len(), 22); + + let advisories_affected = advisories + .into_iter() + .filter(|advisory| { + advisory + .status + .iter() + .any(|sbom_status| sbom_status.status == "affected") + }) + .collect::>(); + assert_eq!(advisories_affected.len(), 11); + // done Ok(()) diff --git a/modules/ingestor/src/service/advisory/osv/loader.rs b/modules/ingestor/src/service/advisory/osv/loader.rs index 84a7ee96a..35a37bdf4 100644 --- a/modules/ingestor/src/service/advisory/osv/loader.rs +++ b/modules/ingestor/src/service/advisory/osv/loader.rs @@ -15,7 +15,7 @@ use crate::{ Error, Warnings, }, }; -use osv::schema::{Event, Range, RangeType, ReferenceType, SeverityType, Vulnerability}; +use osv::schema::{Ecosystem, Event, Range, RangeType, ReferenceType, SeverityType, Vulnerability}; use sbom_walker::report::ReportSink; use sea_orm::{ConnectionTrait, TransactionTrait}; use std::{fmt::Debug, str::FromStr}; 
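Review bot: The added `assert!(sbom_details.is_some())` immediately followed by `sbom_details.unwrap()` can be a single step that also names the expectation when it fails: `let sbom_details = sbom_details.expect("details for the ingested quarkus-bom SBOM");`. The `filter(...).collect()` into a `Vec` only to read its `len()` can likewise be `let affected = advisories.iter().filter(|a| a.status.iter().any(|s| s.status == "affected")).count(); assert_eq!(affected, 11);`, which avoids the allocation and the garbled-looking turbofish. The literals 22 and 11 are fixture-specific and deserve a comment stating what they count, e.g. `// in the test dataset 22 advisories reference quarkus-bom, 11 of them with at least one "affected" status`, so a future dataset update can tell a regression from a fixture change. The enclosing `ingest` test starts before and ends after this hunk.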
@@ -142,12 +142,38 @@ impl<'g> OsvLoader<'g> { } for range in affected.ranges.iter().flatten() { - match range.range_type { - RangeType::Semver => { - create_package_status_semver(&advisory_vuln, &purl, range, &tx) - .await?; + match (&range.range_type, &package.ecosystem) { + (RangeType::Semver, _) => { + create_package_status( + &advisory_vuln, + &purl, + range, + &VersionScheme::Semver, + &tx, + ) + .await?; + } + (RangeType::Git, _) => { + create_package_status( + &advisory_vuln, + &purl, + range, + &VersionScheme::Git, + &tx, + ) + .await?; + } + (RangeType::Ecosystem, Ecosystem::Maven(_)) => { + create_package_status( + &advisory_vuln, + &purl, + range, + &VersionScheme::Maven, + &tx, + ) + .await?; } - _ => { + (_, _) => { create_package_status_versions( &advisory_vuln, &purl, @@ -306,11 +332,12 @@ async fn ingest_exact( .await?) } -/// create a package status from a semver range -async fn create_package_status_semver( +/// create a package/purl status +async fn create_package_status( advisory_vuln: &AdvisoryVulnerabilityContext<'_>, purl: &Purl, range: &Range, + version_scheme: &VersionScheme, connection: &C, ) -> Result<(), Error> { let parsed_range = events_to_range(&range.events); @@ -338,7 +365,7 @@ async fn create_package_status_semver( purl, "affected", VersionInfo { - scheme: VersionScheme::Semver, + scheme: *version_scheme, spec, }, connection, @@ -353,7 +380,7 @@ async fn create_package_status_semver( purl, "fixed", VersionInfo { - scheme: VersionScheme::Semver, + scheme: *version_scheme, spec: VersionSpec::Exact(fixed.clone()), }, connection,
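Review bot: The new `(RangeType::Git, _)` arm feeds commit-hash `introduced`/`fixed` events through the same `create_package_status` path as semver, which (per the later hunks) records an "affected" status as a range spec plus "fixed" exact statuses; whether a range over commit identifiers can ever match depends on how `VersionScheme::Git` is compared, which is not visible here, and if it cannot, packages in a git-only range would silently be reported as not affected. Worth confirming that comparison exists before ingesting git ranges this way, or keeping Git on the `create_package_status_versions` fallback until it does. Separately, the three arms are identical apart from the scheme, so resolving the scheme first and keeping one call site makes the fallback condition explicit and harder to drift. The surrounding `for range in affected.ranges...` loop and its function start and end outside the hunk.
```rust
for range in affected.ranges.iter().flatten() {
    // Resolve the scheme once; `None` means no scheme-aware comparison is
    // available and the explicit per-event fallback is used.
    let scheme = match (&range.range_type, &package.ecosystem) {
        (RangeType::Semver, _) => Some(VersionScheme::Semver),
        (RangeType::Git, _) => Some(VersionScheme::Git),
        (RangeType::Ecosystem, Ecosystem::Maven(_)) => Some(VersionScheme::Maven),
        _ => None,
    };
    match scheme {
        Some(scheme) => {
            create_package_status(&advisory_vuln, &purl, range, &scheme, &tx).await?;
        }
        None => {
            // … unchanged: create_package_status_versions call …
        }
    }
}
```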
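Review bot: The new parameter `version_scheme: &VersionScheme` is only ever read as `*version_scheme` at the two `VersionInfo` sites in the later hunks, which compiles only because `VersionScheme` is `Copy`; taking it by value, `version_scheme: VersionScheme,` with `scheme: version_scheme,` at both sites, drops the reference and the derefs, and callers pass `VersionScheme::Semver` instead of `&VersionScheme::Semver`. The renamed doc comment `/// create a package/purl status` lost the part a reader needs; it should say that the range's events are turned into an "affected" range status and "fixed" exact statuses for `purl`, both recorded under `version_scheme`, e.g. `/// Record "affected"/"fixed" statuses for `purl` from an OSV range, interpreting its events under `version_scheme`.` The body of `create_package_status` continues outside this hunk.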