From 31f17d1664b365cbb13befe7b85704b2c94ef23e Mon Sep 17 00:00:00 2001
From: Arnout Engelen
Date: Sat, 23 Dec 2023 15:18:58 +0100
Subject: [PATCH] Include CVE patch info in cdx output

This is helpful when the SBOM is used in vulnerability scanner software down the line, so it is more easily obvious that these CVEs have already been patched in this case.

Signed-off-by: Arnout Engelen
---
 src/sbomnix/sbomdb.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/sbomnix/sbomdb.py b/src/sbomnix/sbomdb.py
index 9d6d474..f8885eb 100644
--- a/src/sbomnix/sbomdb.py
+++ b/src/sbomnix/sbomdb.py
@@ -383,6 +383,26 @@ def _drv_to_cdx_component(drv, uid="store_path"):
     if "meta_description" in drv._asdict() and drv.meta_description:
         component["description"] = drv.meta_description
     _cdx_component_add_licenses(component, drv)
+    if drv.patches:
+        security_patches = []
+        for p in drv.patches.split(" "):
+            m = re.search(r"CVE-\d{4}-\d+", p, re.IGNORECASE)
+            if m:
+                patch = {
+                    "type": "unofficial",
+                    "resolves": [
+                        {
+                            "type": "security",
+                            "id": m.group(0).upper(),
+                            "references": [f"file://{p}"],
+                        }
+                    ],
+                }
+                security_patches.append(patch)
+        if security_patches:
+            pedigree = {}
+            pedigree["patches"] = security_patches
+            component["pedigree"] = pedigree
     properties = []
     for output_path in drv.outputs:
         prop = {}
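Review bot: A patch file whose name carries more than one CVE identifier is recorded as resolving only the first, because `m = re.search(r"CVE-\d{4}-\d+", p, re.IGNORECASE)` returns a single match, so a scanner consuming this SBOM would still report the remaining CVEs as open even though the same patch closes them. Collecting every match with `re.findall` and emitting one `resolves` entry per distinct upper-cased id fixes that (rewrite below). Less important: `drv.patches.split(" ")` produces empty tokens on repeated or non-space whitespace and I cannot see from this hunk how `patches` is joined, so `split()` would be the safer choice if it is whitespace-delimited; the `pedigree = {}` / `pedigree["patches"] = security_patches` pair can collapse to `component["pedigree"] = {"patches": security_patches}`. The new code also depends on `re` being imported at module level, which is outside this hunk, and `_drv_to_cdx_component` continues past the hunk.
```python
    if drv.patches:
        security_patches = []
        for p in drv.patches.split(" "):
            # one patch file may close several CVEs; record all of them
            cves = {c.upper() for c in re.findall(r"CVE-\d{4}-\d+", p, re.IGNORECASE)}
            if not cves:
                continue
            security_patches.append(
                {
                    "type": "unofficial",
                    "resolves": [
                        {"type": "security", "id": cve, "references": [f"file://{p}"]}
                        for cve in sorted(cves)
                    ],
                }
            )
        # … unchanged: pedigree assignment …
```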