Include CVE patch info in cdx output

This is helpful when the SBOM is used in vulnerability scanner software down the line, so it is more easily obvious that these CVEs have already been patched in this case. Signed-off-by: Arnout Engelen <[email protected]>
henrirosten · Dec 27, 2023 · 31f17d1 · 31f17d1
1 parent 9e5ca03
commit 31f17d1
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/src/sbomnix/sbomdb.py b/src/sbomnix/sbomdb.py
@@ -383,6 +383,26 @@ def _drv_to_cdx_component(drv, uid="store_path"):
     if "meta_description" in drv._asdict() and drv.meta_description:
         component["description"] = drv.meta_description
     _cdx_component_add_licenses(component, drv)
+    if drv.patches:
+        security_patches = []
+        for p in drv.patches.split(" "):
+            m = re.search(r"CVE-\d{4}-\d+", p, re.IGNORECASE)
+            if m:
+                patch = {
+                    "type": "unofficial",
+                    "resolves": [
+                        {
+                            "type": "security",
+                            "id": m.group(0).upper(),
+                            "references": [f"file://{p}"],
+                        }
+                    ],
+                }
+                security_patches.append(patch)
+        if security_patches:
+            pedigree = {}
+            pedigree["patches"] = security_patches
+            component["pedigree"] = pedigree
     properties = []
     for output_path in drv.outputs:
         prop = {}