Merge pull request #49 from puerco/match-functions

Identifier matching functions

Author: puerco

go.mod

@@ -23,6 +23,7 @@ require (
 )
 
 require (
+	github.com/package-url/packageurl-go v0.1.1
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/stretchr/testify v1.8.4
 	golang.org/x/sys v0.8.0 // indirect

go.sum

@@ -21,6 +21,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/owenrumney/go-sarif v1.1.1 h1:QNObu6YX1igyFKhdzd7vgzmw7XsWN3/6NMGuDzBgXmE=
 github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
+github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
+github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=

pkg/vex/component.go

@@ -0,0 +1,72 @@
+/*
+Copyright 2023 The OpenVEX Authors
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package vex
+
+import "strings"
+
+// Component abstracts the common construct shared by product and subcomponents
+// allowing OpenVEX statements to point to a piece of software by referencing it
+// by hash or identifier.
+//
+// The ID should be an IRI uniquely identifying the product. Software can be
+// referenced as a VEX product or subcomponent using only its IRI or it may be
+// referenced by its crptographic hashes and/or other identifiers but, in no case,
+// must an IRI describe two different pieces of software or used to describe
+// a range of software.
+type Component struct {
+	// ID is an IRI identifying the component. It is optional as the component
+	// can also be identified using hashes or software identifiers.
+	ID string `json:"@id,omitempty"`
+
+	// Hashes is a map of hashes to identify the component using cryptographic
+	// hashes.
+	Hashes map[Algorithm]Hash `json:"hashes,omitempty"`
+
+	// Identifiers is a list of software identifiers that describe the component.
+	Identifiers map[IdentifierType]string `json:"identifiers,omitempty"`
+
+	// Supplier is an optional machine-readable identifier for the supplier of
+	// the component. Valid examples include email address or IRIs.
+	Supplier string `json:"supplier,omitempty"`
+}
+
+// Matches returns true if one of the components identifiers match a string.
+// All types except purl are checked string vs string. Purls are a special
+// case and can match from more generic to more specific.
+// Note that a future iterarion of this function will treat CPEs in the same
+// way.
+func (c *Component) Matches(identifier string) bool {
+	// If we have an exact match in the ID, match
+	if c.ID == identifier && c.ID != "" {
+		return true
+	} else if strings.HasPrefix(c.ID, "pkg:") {
+		// ... but the identifier can be a purl. If it is, then do
+		// a purl comparison:
+		if PurlMatches(c.ID, identifier) {
+			return true
+		}
+	}
+
+	for t, id := range c.Identifiers {
+		if id == identifier {
+			return true
+		}
+
+		if t == PURL && strings.HasPrefix(identifier, "pkg:") {
+			if PurlMatches(id, identifier) {
+				return true
+			}
+		}
+	}
+
+	for _, hashVal := range c.Hashes {
+		if hashVal == Hash(identifier) {
+			return true
+		}
+	}
+
+	return false
+}

pkg/vex/component_test.go

@@ -0,0 +1,84 @@
+/*
+Copyright 2023 The OpenVEX Authors
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package vex
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestComponentMatches(t *testing.T) {
+	for testCase, tc := range map[string]struct {
+		identifier string
+		component  *Component
+		mustMatch  bool
+	}{
+		"iri": {
+			"https://example.com/document.spdx.json#node",
+			&Component{ID: "https://example.com/document.spdx.json#node"},
+			true,
+		},
+		"misc identifier": {
+			"madeup-2023-12345",
+			&Component{
+				Identifiers: map[IdentifierType]string{"customIdentifier": "madeup-2023-12345"},
+			},
+			true,
+		},
+		"wrong misc identifier": {
+			"madeup-2023-12345",
+			&Component{
+				Identifiers: map[IdentifierType]string{"customIdentifier": "another-string"},
+			},
+			false,
+		},
+		"same purl": {
+			"pkg:apk/wolfi/[email protected]?arch=x86_64",
+			&Component{
+				Identifiers: map[IdentifierType]string{PURL: "pkg:apk/wolfi/[email protected]?arch=x86_64"},
+			},
+			true,
+		},
+		"globing purl": {
+			"pkg:oci/curl@sha256:47fed8868b46b060efb8699dc40e981a0c785650223e03602d8c4493fc75b68c",
+			&Component{
+				Identifiers: map[IdentifierType]string{PURL: "pkg:oci/curl"},
+			},
+			true,
+		},
+		"globing purl (inverse)": {
+			"pkg:oci/curl",
+			&Component{
+				Identifiers: map[IdentifierType]string{
+					PURL: "pkg:oci/curl@sha256:47fed8868b46b060efb8699dc40e981a0c785650223e03602d8c4493fc75b68c",
+				},
+			},
+			false,
+		},
+		"hash": {
+			"77d86e9752cb933569dfa1f693ee4338e65b28b4",
+			&Component{
+				Hashes: map[Algorithm]Hash{
+					SHA1: "77d86e9752cb933569dfa1f693ee4338e65b28b4",
+				},
+			},
+			true,
+		},
+		"wrong hash": {
+			"77d86e9752cb933569dfa1f693ee4338e65b28b4",
+			&Component{
+				Hashes: map[Algorithm]Hash{
+					SHA1: "b5cc41d90d7ccc195c4a24ceb32656942c9854ea",
+				},
+			},
+			false,
+		},
+	} {
+		require.Equal(t, tc.mustMatch, tc.component.Matches(tc.identifier), fmt.Sprintf("failed: %s", testCase))
+	}
+}

pkg/vex/product.go

@@ -5,32 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 
 package vex
 
-// Component abstracts the common construct shared by product and subcomponents
-// allowing OpenVEX statements to point to a piece of software by referencing it
-// by hash or identifier.
-//
-// The ID should be an IRI uniquely identifying the product. Software can be
-// referenced as a VEX product or subcomponent using only its IRI or it may be
-// referenced by its crptographic hashes and/or other identifiers but, in no case,
-// must an IRI describe two different pieces of software or used to describe
-// a range of software.
-type Component struct {
-	// ID is an IRI identifying the component. It is optional as the component
-	// can also be identified using hashes or software identifiers.
-	ID string `json:"@id,omitempty"`
-
-	// Hashes is a map of hashes to identify the component using cryptographic
-	// hashes.
-	Hashes map[Algorithm]Hash `json:"hashes,omitempty"`
-
-	// Identifiers is a list of software identifiers that describe the component.
-	Identifiers map[IdentifierType]string `json:"identifiers,omitempty"`
-
-	// Supplier is an optional machine-readable identifier for the supplier of
-	// the component. Valid examples include email address or IRIs.
-	Supplier string `json:"supplier,omitempty"`
-}
-
 // Product abstracts the VEX product into a struct that can identify software
 // through various means. The main one is the ID field which contains an IRI
 // identifying the product, possibly pointing to another document with more data,
@@ -48,6 +22,28 @@ type Subcomponent struct {
 	Component
 }
 
+// Product returns true if an identifier and subcomponent identifier match any
+// of the identifiers in the product and subcomponents.
+func (p *Product) Matches(identifier, subIdentifier string) bool {
+	if !p.Component.Matches(identifier) {
+		return false
+	}
+
+	// If the product has no subcomponents or no subcomponent was specified,
+	// matching the product part is enough:
+	if len(p.Subcomponents) == 0 || subIdentifier == "" {
+		return true
+	}
+
+	for _, s := range p.Subcomponents {
+		if s.Component.Matches(subIdentifier) {
+			return true
+		}
+	}
+
+	return false
+}
+
 type (
 	IdentifierLocator string
 	IdentifierType    string

pkg/vex/product_test.go

@@ -0,0 +1,100 @@
+/*
+Copyright 2023 The OpenVEX Authors
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package vex
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestProductMatches(t *testing.T) {
+	for testCase, tc := range map[string]struct {
+		sut          *Product
+		product      string
+		subcomponent string
+		mustMach     bool
+	}{
+		"identifier only": {
+			sut: &Product{
+				Component: Component{ID: "pkg:apk/alpine/[email protected]"},
+			},
+			product:      "pkg:apk/alpine/[email protected]",
+			subcomponent: "",
+			mustMach:     true,
+		},
+		"purl only": {
+			sut: &Product{
+				Component: Component{Identifiers: map[IdentifierType]string{
+					PURL: "pkg:apk/alpine/[email protected]",
+				}},
+			},
+			product:      "pkg:apk/alpine/[email protected]",
+			subcomponent: "",
+			mustMach:     true,
+		},
+		"generic purl only": {
+			sut: &Product{
+				Component: Component{Identifiers: map[IdentifierType]string{
+					PURL: "pkg:apk/alpine/libcrypto3",
+				}},
+			},
+			product:      "pkg:apk/alpine/[email protected]",
+			subcomponent: "",
+			mustMach:     true,
+		},
+		"identifier and components in doc and statement": {
+			sut: &Product{
+				Component: Component{ID: "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"},
+				Subcomponents: []Subcomponent{
+					{
+						Component{ID: "pkg:apk/alpine/[email protected]"},
+					},
+				},
+			},
+			product:      "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
+			subcomponent: "pkg:apk/alpine/[email protected]",
+			mustMach:     true,
+		},
+		"identifier and no components in query": {
+			sut: &Product{
+				Component: Component{ID: "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"},
+				Subcomponents: []Subcomponent{
+					{
+						Component{ID: "pkg:apk/alpine/[email protected]"},
+					},
+				},
+			},
+			product:      "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
+			subcomponent: "",
+			mustMach:     true,
+		},
+		"identifier and no components in document": {
+			sut: &Product{
+				Component:     Component{ID: "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"},
+				Subcomponents: []Subcomponent{},
+			},
+			product:      "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
+			subcomponent: "pkg:apk/alpine/[email protected]",
+			mustMach:     true,
+		},
+		"identifier + multicomponent doc": {
+			sut: &Product{
+				Component: Component{ID: "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"},
+				Subcomponents: []Subcomponent{
+					{Component{ID: "pkg:apk/alpine/[email protected]"}},
+					{Component{ID: "pkg:apk/alpine/[email protected]"}},
+				},
+			},
+			product:      "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
+			subcomponent: "pkg:apk/alpine/[email protected]",
+			mustMach:     true,
+		},
+	} {
+		require.Equal(t, tc.mustMach, tc.sut.Matches(tc.product, tc.subcomponent), fmt.Sprintf("failed: %s", testCase))
+	}
+}

pkg/vex/statement.go

@@ -172,3 +172,37 @@ func SortStatements(stmts []Statement, documentTimestamp time.Time) {
 		return iTime.Before(*jTime)
 	})
 }
+
+// Matches returns true if the statement matches the specified vulnerability
+// identifier, the VEX product and any of the identifiers from the received list.
+func (stmt *Statement) Matches(vuln, product string, subcomponents []string) bool {
+	if !stmt.Vulnerability.Matches(vuln) {
+		return false
+	}
+
+	for i := range stmt.Products {
+		if len(subcomponents) == 0 {
+			if stmt.Products[i].Matches(product, "") {
+				return true
+			}
+		}
+
+		for _, sc := range subcomponents {
+			if stmt.Products[i].Matches(product, sc) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// MatchesProduct returns true if the statement matches the identifier string
+// with an optional subcomponent identifier
+func (stmt *Statement) MatchesProduct(identifier, subidentifier string) bool {
+	for _, p := range stmt.Products {
+		if p.Matches(identifier, subidentifier) {
+			return true
+		}
+	}
+	return false
+}