Merge pull request #54 from knqyf263/feat/vuln_match

Better vulnerability match in EffectiveStatement
openvex · Aug 30, 2023 · 08fff22 · 08fff22
2 parents 76b7c3d + b1a8050
commit 08fff22
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 12 deletions.
diff --git a/pkg/vex/vex.go b/pkg/vex/vex.go
@@ -145,13 +145,8 @@ func (vexDoc *VEX) EffectiveStatement(product, vulnID string) (s *Statement) {
 	SortStatements(statements, t)
 
 	for i := len(statements) - 1; i >= 0; i-- {
-		if statements[i].Vulnerability.ID != vulnID {
-			continue
-		}
-		for _, p := range statements[i].Products {
-			if p.ID == product {
-				return &statements[i]
-			}
+		if statements[i].Matches(vulnID, product, nil) {
+			return &statements[i]
 		}
 	}
 	return nil

diff --git a/pkg/vex/vex_test.go b/pkg/vex/vex_test.go
@@ -28,7 +28,7 @@ func TestEffectiveStatement(t *testing.T) {
 			vexDoc: &VEX{
 				Statements: []Statement{
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp:     &date1,
 						Products:      []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status:        StatusNotAffected,
@@ -45,13 +45,13 @@ func TestEffectiveStatement(t *testing.T) {
 			vexDoc: &VEX{
 				Statements: []Statement{
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp:     &date1,
 						Products:      []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status:        StatusUnderInvestigation,
 					},
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp:     &date2,
 						Products:      []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status:        StatusNotAffected,
@@ -68,13 +68,13 @@ func TestEffectiveStatement(t *testing.T) {
 			vexDoc: &VEX{
 				Statements: []Statement{
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp:     &date1,
 						Products:      []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status:        StatusUnderInvestigation,
 					},
 					{
-						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Vulnerability: Vulnerability{Name: "CVE-2014-123456"},
 						Timestamp:     &date2,
 						Products:      []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
 						Status:        StatusNotAffected,
@@ -87,6 +87,32 @@ func TestEffectiveStatement(t *testing.T) {
 			expectedDate:   &date1,
 			expectedStatus: StatusUnderInvestigation,
 		},
+		"Vulnerability aliases": {
+			vexDoc: &VEX{
+				Statements: []Statement{
+					{
+						Vulnerability: Vulnerability{
+							Name:    "CVE-2014-123456",
+							Aliases: []VulnerabilityID{"ghsa-92xj-mqp7-vmcj"},
+						},
+						Timestamp: &date1,
+						Products:  []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
+						Status:    StatusUnderInvestigation,
+					},
+					{
+						Vulnerability: Vulnerability{ID: "CVE-2014-123456"},
+						Timestamp:     &date2,
+						Products:      []Product{{Component: Component{ID: "pkg:deb/[email protected]"}}},
+						Status:        StatusNotAffected,
+					},
+				},
+			},
+			vulnID:         "ghsa-92xj-mqp7-vmcj",
+			product:        "pkg:deb/[email protected]",
+			shouldNil:      false,
+			expectedDate:   &date1,
+			expectedStatus: StatusUnderInvestigation,
+		},
 	} {
 		s := tc.vexDoc.EffectiveStatement(tc.product, tc.vulnID)
 		if tc.shouldNil {