feat(cyclonedx): add recommendation (#3336)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

integration/testdata/centos-7-cyclonedx.json.golden

@@ -185,6 +185,7 @@
         203
       ],
       "description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
+      "recommendation": "Upgrade openssl-libs to version 1:1.0.2k-19.el7",
       "advisories": [
         {
           "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
@@ -401,6 +402,7 @@
         327
       ],
       "description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
+      "recommendation": "Upgrade openssl-libs to version 1:1.0.2k-19.el7",
       "advisories": [
         {
           "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html"

integration/testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden

@@ -63,6 +63,7 @@
         502
       ],
       "description": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.",
+      "recommendation": "Upgrade activesupport to version 6.0.3.1, 5.2.4.3",
       "advisories": [
         {
           "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html"
@@ -284,6 +285,7 @@
         787
       ],
       "description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
+      "recommendation": "Upgrade libidn2-0 to version 2.0.5-1+deb10u1",
       "advisories": [
         {
           "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html"

pkg/sbom/cyclonedx/marshal.go

@@ -315,6 +315,9 @@ func toCdxVulnerability(bomRef string, vuln types.DetectedVulnerability) cdx.Vul
 		Description: vuln.Description,
 		Advisories:  cdxAdvisories(vuln.References),
 	}
+	if vuln.FixedVersion != "" {
+		v.Recommendation = fmt.Sprintf("Upgrade %s to version %s", vuln.PkgName, vuln.FixedVersion)
+	}
 	if vuln.PublishedDate != nil {
 		v.Published = vuln.PublishedDate.Format(timeLayout)
 	}

pkg/sbom/cyclonedx/marshal_test.go

@@ -824,6 +824,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 							Name: string(vulnerability.RubySec),
 							URL:  "https://github.com/rubysec/ruby-advisory-db",
 						},
+						Recommendation: "Upgrade actionpack to version ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2",
 						Ratings: &[]cdx.VulnerabilityRating{
 							{
 								Source: &cdx.Source{