diff --git a/scanpipe/pipes/cyclonedx.py b/scanpipe/pipes/cyclonedx.py
index bba33e18bb..9f375d4da1 100644
--- a/scanpipe/pipes/cyclonedx.py
+++ b/scanpipe/pipes/cyclonedx.py
@@ -30,6 +30,7 @@ from cyclonedx.model import license as cdx_license_model
 from cyclonedx.model.bom import Bom
 from cyclonedx.schema import SchemaVersion
+from cyclonedx.schema.schema import BaseSchemaVersion
 from cyclonedx.validation import ValidationError
 from cyclonedx.validation.json import JsonStrictValidator
 from defusedxml import ElementTree as SafeElementTree
@@ -184,10 +185,12 @@ def cyclonedx_component_to_package_data(
 affected_by_vulnerabilities = []
 if affected_by := vulnerabilities.get(bom_ref):
 for cdx_vulnerability in affected_by:
+ cdx_vulnerability_json = cdx_vulnerability.as_json(view_=BaseSchemaVersion)
 affected_by_vulnerabilities.append(
 {
 "vulnerability_id": str(cdx_vulnerability.id),
 "summary": cdx_vulnerability.description,
+ "cdx_vulnerability_json": cdx_vulnerability_json,
 }
 )
diff --git a/scanpipe/tests/pipes/test_cyclonedx.py b/scanpipe/tests/pipes/test_cyclonedx.py
index 3ae61035f0..977a80b20e 100644
--- a/scanpipe/tests/pipes/test_cyclonedx.py
+++ b/scanpipe/tests/pipes/test_cyclonedx.py
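Review bot: `cdx_vulnerability.as_json(view_=BaseSchemaVersion)` returns a JSON string (both updated tests `json.loads` it), so the new `"cdx_vulnerability_json"` entry nests JSON text inside the already JSON-serialized `affected_by_vulnerabilities` structure and every consumer has to decode it a second time; storing the decoded object, `"cdx_vulnerability_json": json.loads(cdx_vulnerability_json),` (assuming `json` is imported in this module), or at least documenting the string-in-JSON shape, would avoid that. Passing the abstract `BaseSchemaVersion` as the view rather than a concrete schema version also needs a comment, since a reader cannot tell the intent from this line: `# BaseSchemaVersion as view_: serialize every property regardless of spec version — TODO confirm against py-serializable's view handling`. If `as_json()` can raise on a malformed vulnerability entry — I could not verify that from here — nothing in this hunk handles it, so one bad entry would presumably abort the conversion of the whole component; `cyclonedx_component_to_package_data` starts and ends outside this hunk.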
@@ -250,13 +250,25 @@ def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_vulnerabilities(self):
 self.assertEqual(1, len(packages))
 affected_by = packages[0]["affected_by_vulnerabilities"]
+ self.assertEqual("CVE-2005-2541", affected_by[0]["vulnerability_id"])
+ self.assertEqual(
+ "Tar 1.15.1 does not properly warn the user when...",
+ affected_by[0]["summary"],
+ )
+ self.assertIn("cdx_vulnerability_json", affected_by[0])
+ vulnerability_json = affected_by[0]["cdx_vulnerability_json"]
+ cdx_vulnerability = json.loads(vulnerability_json)
 expected = [
- {
- "vulnerability_id": "CVE-2005-2541",
- "summary": "Tar 1.15.1 does not properly warn the user when...",
- }
+ "advisories",
+ "affects",
+ "description",
+ "id",
+ "published",
+ "ratings",
+ "source",
+ "updated",
 ]
- self.assertEqual(expected, affected_by)
+ self.assertEqual(expected, list(cdx_vulnerability.keys()))
 def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_pre_validation(self):
 # This SBOM includes multiple deserialization issues that are "fixed"
diff --git a/scanpipe/tests/test_pipelines.py b/scanpipe/tests/test_pipelines.py
index 3512f6ac21..931ea7fe9f 100644
--- a/scanpipe/tests/test_pipelines.py
+++ b/scanpipe/tests/test_pipelines.py
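Review bot: The new `self.assertEqual(expected, list(cdx_vulnerability.keys()))` pins the serializer's key emission order and checks only key names, never the decoded content, so a blob from the wrong vulnerability, or one whose `id` is empty, would still pass; the same pattern is in the `test_scanpipe_load_sbom_pipeline_cyclonedx_with_vulnerabilities` hunk of test_pipelines.py. Comparing the key set and pinning the identifying field is more robust, e.g. `self.assertEqual(set(expected), set(cdx_vulnerability))` followed by `self.assertEqual("CVE-2005-2541", cdx_vulnerability["id"])`. The test method starts before this hunk.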
@@ -1638,13 +1638,25 @@ def test_scanpipe_load_sbom_pipeline_cyclonedx_with_vulnerabilities(self):
 self.assertEqual(1, project1.discoveredpackages.count())
 package = project1.discoveredpackages.get()
+ affected_by = package.affected_by_vulnerabilities[0]
+ cdx_vulnerability_json = affected_by.pop("cdx_vulnerability_json")
+ expected = {
+ "vulnerability_id": "CVE-2005-2541",
+ "summary": "Tar 1.15.1 does not properly warn the user when...",
+ }
+ self.assertEqual(expected, affected_by)
+ cdx_vulnerability = json.loads(cdx_vulnerability_json)
 expected = [
- {
- "vulnerability_id": "CVE-2005-2541",
- "summary": "Tar 1.15.1 does not properly warn the user when...",
- }
+ "advisories",
+ "affects",
+ "description",
+ "id",
+ "published",
+ "ratings",
+ "source",
+ "updated",
 ]
- self.assertEqual(expected, package.affected_by_vulnerabilities)
+ self.assertEqual(expected, list(cdx_vulnerability.keys()))
 @mock.patch("scanpipe.pipes.purldb.request_post")
 @mock.patch("uuid.uuid4")