Merge pull request #30 from puerco/latest-statement

Add vex.EffectiveStatement deprecate StatementFromID
openvex · Jun 10, 2023 · a3ed304 · a3ed304
2 parents 88cbbf4 + 1088af6
commit a3ed304
Show file tree

Hide file tree

Showing 2 changed files with 119 additions and 4 deletions.
diff --git a/pkg/vex/vex.go b/pkg/vex/vex.go
@@ -169,12 +169,39 @@ func (vexDoc *VEX) ToJSON(w io.Writer) error {
 	return nil
 }
 
+// EffectiveStatement returns the latest VEX statement for a given product and
+// vulnerability, that is the statement that contains the latest data about
+// impact to a given product.
+func (vexDoc *VEX) EffectiveStatement(product, vulnID string) (s *Statement) {
+	statements := vexDoc.Statements
+	var t time.Time
+	if vexDoc.Timestamp != nil {
+		t = *vexDoc.Timestamp
+	}
+
+	SortStatements(statements, t)
+
+	for i := len(statements) - 1; i >= 0; i-- {
+		if statements[i].Vulnerability != vulnID {
+			continue
+		}
+		for _, p := range statements[i].Products {
+			if p == product {
+				return &statements[i]
+			}
+		}
+	}
+	return nil
+}
+
 // StatementFromID returns a statement for a given vulnerability if there is one.
+//
+// Deprecated: vex.StatementFromID is deprecated and will be removed in an upcoming version
 func (vexDoc *VEX) StatementFromID(id string) *Statement {
-	for _, statement := range vexDoc.Statements { //nolint:gocritic // turning off for rule rangeValCopy
-		if statement.Vulnerability == id {
-			logrus.Infof("VEX doc contains statement for CVE %s", id)
-			return &statement
+	logrus.Warn("vex.StatementFromID is deprecated and will be removed in an upcoming version")
+	for i := range vexDoc.Statements {
+		if vexDoc.Statements[i].Vulnerability == id && len(vexDoc.Statements[i].Products) > 0 {
+			return vexDoc.EffectiveStatement(vexDoc.Statements[i].Products[0], id)
 		}
 	}
 	return nil

diff --git a/pkg/vex/vex_test.go b/pkg/vex/vex_test.go
@@ -30,6 +30,94 @@ func TestLoadCSAF(t *testing.T) {
 	require.Equal(t, vexDoc.Metadata.ID, "2022-EVD-UC-01-NA-001")
 }
 
+func TestEffectiveStatement(t *testing.T) {
+	date1 := time.Date(2023, 4, 17, 20, 34, 58, 0, time.UTC)
+	date2 := time.Date(2023, 4, 18, 20, 34, 58, 0, time.UTC)
+	for _, tc := range []struct {
+		vexDoc         *VEX
+		vulnID         string
+		product        string
+		shouldNil      bool
+		expectedDate   *time.Time
+		expectedStatus Status
+	}{
+		{
+			// Single statement
+			vexDoc: &VEX{
+				Statements: []Statement{
+					{
+						Vulnerability: "CVE-2014-123456",
+						Timestamp:     &date1,
+						Products:      []string{"pkg://deb@1.0"},
+						Status:        StatusNotAffected,
+					},
+				},
+			},
+			vulnID:         "CVE-2014-123456",
+			product:        "pkg://deb@1.0",
+			shouldNil:      false,
+			expectedDate:   &date1,
+			expectedStatus: StatusNotAffected,
+		},
+		{
+			// Two consecutive statemente
+			vexDoc: &VEX{
+				Statements: []Statement{
+					{
+						Vulnerability: "CVE-2014-123456",
+						Timestamp:     &date1,
+						Products:      []string{"pkg://deb@1.0"},
+						Status:        StatusUnderInvestigation,
+					},
+					{
+						Vulnerability: "CVE-2014-123456",
+						Timestamp:     &date2,
+						Products:      []string{"pkg://deb@1.0"},
+						Status:        StatusNotAffected,
+					},
+				},
+			},
+			vulnID:         "CVE-2014-123456",
+			product:        "pkg://deb@1.0",
+			shouldNil:      false,
+			expectedDate:   &date2,
+			expectedStatus: StatusNotAffected,
+		},
+		{
+			// Different products
+			vexDoc: &VEX{
+				Statements: []Statement{
+					{
+						Vulnerability: "CVE-2014-123456",
+						Timestamp:     &date1,
+						Products:      []string{"pkg://deb@1.0"},
+						Status:        StatusUnderInvestigation,
+					},
+					{
+						Vulnerability: "CVE-2014-123456",
+						Timestamp:     &date2,
+						Products:      []string{"pkg://deb@2.0"},
+						Status:        StatusNotAffected,
+					},
+				},
+			},
+			vulnID:         "CVE-2014-123456",
+			product:        "pkg://deb@1.0",
+			shouldNil:      false,
+			expectedDate:   &date1,
+			expectedStatus: StatusUnderInvestigation,
+		},
+	} {
+		s := tc.vexDoc.EffectiveStatement(tc.product, tc.vulnID)
+		if tc.shouldNil {
+			require.Nil(t, s)
+		} else {
+			require.Equal(t, tc.expectedDate, s.Timestamp)
+			require.Equal(t, tc.expectedStatus, s.Status)
+		}
+	}
+}
+
 func genTestDoc(t *testing.T) VEX {
 	ts, err := time.Parse(time.RFC3339, "2022-12-22T16:36:43-05:00")
 	require.NoError(t, err)