[TC-1177] product_by_cve: CertifyVuln management mapping into CertifyVexStatement

lib/src/client/semantic/spog/mod.rs

@@ -8,7 +8,7 @@ use std::str::FromStr;
 
 use crate::client::graph::Node;
 use crate::client::intrinsic::certify_vuln::{CertifyVuln, CertifyVulnSpec};
-use crate::client::intrinsic::PackageOrArtifactSpec;
+use crate::client::intrinsic::{PackageOrArtifact, PackageOrArtifactSpec};
 use crate::client::semantic::spog::dependent_product::FindDependentProduct;
 use crate::client::semantic::spog::find_vulnerability::FindVulnerability;
 use crate::client::semantic::spog::find_vulnerability_by_sbom_uri::FindVulnerabilityBySbomURI;
@@ -61,6 +61,18 @@ impl SemanticGuacClient {
 
             let vex = match &entry[0] {
                 QS::CertifyVEXStatement(inner) => CertifyVexStatement::from(inner),
+                QS::CertifyVuln(certify_vuln) => CertifyVexStatement {
+                    id: certify_vuln.id.to_string(),
+                    subject: PackageOrArtifact::Package(Package::from(&certify_vuln.package)),
+                    vulnerability: Vulnerability::from(&certify_vuln.vulnerability),
+                    status: VexStatus::Affected,
+                    vex_justification: VexJustification::NotProvided,
+                    statement: "N/A".to_string(),
+                    status_notes: "N/A".to_string(),
+                    known_since: certify_vuln.metadata.time_scanned, //Default::default(),
+                    origin: certify_vuln.metadata.origin.to_string(),
+                    collector: certify_vuln.metadata.collector.to_string(),
+                },
                 _ => return Err(Error::GraphQL(vec![])),
             };
             let mut path = Vec::new();

lib/src/client/semantic/spog/query.rs

@@ -8,6 +8,7 @@ use crate::client::intrinsic::package::{
 };
 use crate::client::intrinsic::vulnerability::{Vulnerability, VulnerabilityId};
 use crate::client::semantic::spog::query::query_spog::allCertifyVEXStatementTree;
+use crate::client::semantic::spog::query::query_spog::allCertifyVulnTree;
 use crate::client::semantic::spog::query::query_spog::QuerySpogFindTopLevelPackagesRelatedToVulnerability as QS;
 use crate::client::semantic::spog::query::query_spog::QuerySpogFindTopLevelPackagesRelatedToVulnerabilityOnPackage as QSPackage;
 use crate::client::semantic::spog::query::query_spog::VexJustification as QSVexJustification;
@@ -22,7 +23,14 @@ use crate::client::semantic::spog::query::query_spog::{
     AllPkgTreeNamespacesNamesVersionsQualifiers,
 };
 
+use crate::client::intrinsic::certify_vuln::{CertifyVuln, ScanMetadata};
 use crate::client::intrinsic::{PackageOrArtifact, PackageOrArtifactInput, PackageOrArtifactSpec};
+use crate::client::semantic::spog::query::query_spog::{
+    AllCertifyVulnTreeMetadata, AllCertifyVulnTreePackage, AllCertifyVulnTreePackageNamespaces,
+    AllCertifyVulnTreePackageNamespacesNames, AllCertifyVulnTreePackageNamespacesNamesVersions,
+    AllCertifyVulnTreePackageNamespacesNamesVersionsQualifiers, AllCertifyVulnTreeVulnerability,
+    AllCertifyVulnTreeVulnerabilityVulnerabilityIDs,
+};
 
 type Time = chrono::DateTime<Utc>;
 
@@ -208,3 +216,99 @@ impl From<&AllPkgTreeNamespacesNamesVersionsQualifiers> for PackageQualifier {
         }
     }
 }
+
+// VULN
+
+impl From<&allCertifyVulnTree> for CertifyVuln {
+    fn from(value: &allCertifyVulnTree) -> Self {
+        Self {
+            id: value.id.clone(),
+            package: (&value.package).into(),
+            vulnerability: (&value.vulnerability).into(),
+            metadata: (&value.metadata).into(),
+        }
+    }
+}
+
+impl From<&AllCertifyVulnTreePackage> for Package {
+    fn from(value: &AllCertifyVulnTreePackage) -> Self {
+        Self {
+            id: value.id.clone(),
+            r#type: value.type_.clone(),
+            namespaces: value.namespaces.iter().map(|e| e.into()).collect(),
+        }
+    }
+}
+
+impl From<&AllCertifyVulnTreeVulnerability> for Vulnerability {
+    fn from(value: &AllCertifyVulnTreeVulnerability) -> Self {
+        Self {
+            id: value.id.clone(),
+            r#type: value.type_.clone(),
+            vulnerability_ids: value.vulnerability_i_ds.iter().map(|e| e.into()).collect(),
+        }
+    }
+}
+
+impl From<&AllCertifyVulnTreeMetadata> for ScanMetadata {
+    fn from(value: &AllCertifyVulnTreeMetadata) -> Self {
+        Self {
+            db_uri: value.db_uri.clone(),
+            db_version: value.db_version.clone(),
+            scanner_uri: value.scanner_uri.clone(),
+            scanner_version: value.scanner_version.clone(),
+            time_scanned: value.time_scanned,
+            origin: value.origin.clone(),
+            collector: value.collector.clone(),
+        }
+    }
+}
+
+impl From<&AllCertifyVulnTreePackageNamespaces> for PackageNamespace {
+    fn from(value: &AllCertifyVulnTreePackageNamespaces) -> Self {
+        Self {
+            id: value.id.clone(),
+            namespace: value.namespace.clone(),
+            names: value.names.iter().map(|e| e.into()).collect(),
+        }
+    }
+}
+
+impl From<&AllCertifyVulnTreeVulnerabilityVulnerabilityIDs> for VulnerabilityId {
+    fn from(value: &AllCertifyVulnTreeVulnerabilityVulnerabilityIDs) -> Self {
+        Self {
+            id: value.id.clone(),
+            vulnerability_id: value.vulnerability_id.clone(),
+        }
+    }
+}
+
+impl From<&AllCertifyVulnTreePackageNamespacesNames> for PackageName {
+    fn from(value: &AllCertifyVulnTreePackageNamespacesNames) -> Self {
+        Self {
+            id: value.id.clone(),
+            name: value.name.clone(),
+            versions: value.versions.iter().map(|e| e.into()).collect(),
+        }
+    }
+}
+
+impl From<&AllCertifyVulnTreePackageNamespacesNamesVersions> for PackageVersion {
+    fn from(value: &AllCertifyVulnTreePackageNamespacesNamesVersions) -> Self {
+        Self {
+            id: value.id.clone(),
+            version: value.version.clone(),
+            qualifiers: value.qualifiers.iter().map(|e| e.into()).collect(),
+            subpath: value.subpath.clone(),
+        }
+    }
+}
+
+impl From<&AllCertifyVulnTreePackageNamespacesNamesVersionsQualifiers> for PackageQualifier {
+    fn from(value: &AllCertifyVulnTreePackageNamespacesNamesVersionsQualifiers) -> Self {
+        Self {
+            key: value.key.clone(),
+            value: value.value.clone(),
+        }
+    }
+}

lib/src/client/semantic/spog/spog.gql

@@ -1,64 +1,67 @@
 query QuerySpog($vulnerabilityID: String!) {
-  findTopLevelPackagesRelatedToVulnerability(
-    vulnerabilityID: $vulnerabilityID
-  ) {
-    __typename
-    ... on CertifyVEXStatement {
-      ...allCertifyVEXStatementTree
-    }
-    ... on Package {
-      ...allPkgTree
-    }
-    ... on IsDependency {
-      dependencyType
+    findTopLevelPackagesRelatedToVulnerability(
+        vulnerabilityID: $vulnerabilityID
+    ) {
+        __typename
+        ... on CertifyVEXStatement {
+            ...allCertifyVEXStatementTree
+        }
+        ... on CertifyVuln {
+            ...allCertifyVulnTree
+        }
+        ... on Package {
+            ...allPkgTree
+        }
+        ... on IsDependency {
+            dependencyType
+        }
     }
-  }
 }
 
 query FindVulnerability($purl: String!, $offset: Int, $limit: Int) {
-  findVulnerability(purl: $purl, offset: $offset, limit: $limit) {
-    __typename
-    ... on CertifyVEXStatement {
-      ...allCertifyVEXStatementTree
-    }
-    ... on CertifyVuln {
-      ...allCertifyVulnTree
+    findVulnerability(purl: $purl, offset: $offset, limit: $limit) {
+        __typename
+        ... on CertifyVEXStatement {
+            ...allCertifyVEXStatementTree
+        }
+        ... on CertifyVuln {
+            ...allCertifyVulnTree
+        }
     }
-  }
 }
 
 query FindVulnerabilityBySbomURI($sbomURI: String!, $offset: Int, $limit: Int) {
- findVulnerabilityBySbomURI(sbomURI: $sbomURI, offset: $offset, limit: $limit) {
-		__typename
-    ... on CertifyVEXStatement {
-			...allCertifyVEXStatementTree
-    }
-    ... on CertifyVuln {
-			...allCertifyVulnTree
+    findVulnerabilityBySbomURI(sbomURI: $sbomURI, offset: $offset, limit: $limit) {
+        __typename
+        ... on CertifyVEXStatement {
+            ...allCertifyVEXStatementTree
+        }
+        ... on CertifyVuln {
+            ...allCertifyVulnTree
+        }
     }
- }
 }
 
 fragment allPkgTree on Package {
-  id
-  type
-  namespaces {
     id
-    namespace
-    names {
-      id
-      name
-      versions {
+    type
+    namespaces {
         id
-        version
-        qualifiers {
-          key
-          value
+        namespace
+        names {
+            id
+            name
+            versions {
+                id
+                version
+                qualifiers {
+                    key
+                    value
+                }
+                subpath
+            }
         }
-        subpath
-      }
     }
-  }
 }
 
 fragment allCertifyVEXStatementTree on CertifyVEXStatement {