feat(cyclonedx): inject vulneraribilities_report annotation for CycloneDX

internal/schemavalidators/schemavalidators.go

@@ -18,6 +18,7 @@ package schemavalidators
 import (
 	_ "embed"
 	"errors"
+	"slices"
 	"strings"
 
 	"github.com/hashicorp/go-multierror"
@@ -121,6 +122,18 @@ func ValidateCycloneDX(data interface{}, version CycloneDXVersion) error {
 		if errors.As(err, &invalidJSONTypeError) {
 			return ErrInvalidJSONPayload
 		}
+		var validationError *jsonschema.ValidationError
+		if errors.As(err, &validationError) {
+			if slices.ContainsFunc(validationError.Causes, func(v0 *jsonschema.ValidationError) bool {
+				return slices.ContainsFunc(v0.Causes, func(v1 *jsonschema.ValidationError) bool {
+					// workaround: Some scanners like Jfrog Xray might report null `cwes` element ("cwes": null)
+					// the validator would fail with "expected array, but got null"
+					return v1.KeywordLocation == "/properties/vulnerabilities/items/$ref/properties/cwes/type"
+				})
+			}) {
+				return nil
+			}
+		}
 		return err
 	}
 

pkg/attestation/crafter/materials/cyclonedxjson.go

@@ -34,7 +34,8 @@ const (
 	// containerComponentKind is the kind of the main component when it's a container
 	containerComponentKind = "container"
 	// aquaTrivyRepoDigestPropertyKey is the key used by Aqua Trivy to store the repo digest
-	aquaTrivyRepoDigestPropertyKey = "aquasecurity:trivy:RepoDigest"
+	aquaTrivyRepoDigestPropertyKey   = "aquasecurity:trivy:RepoDigest"
+	annotationSBOMHasVulnerabilities = "chainloop.material.sbom.vulnerabilities_report"
 )
 
 type CyclonedxJSONCrafter struct {
@@ -44,8 +45,9 @@ type CyclonedxJSONCrafter struct {
 
 // cyclonedxDoc internal struct to unmarshall the incoming CycloneDX JSON
 type cyclonedxDoc struct {
-	SpecVersion string          `json:"specVersion"`
-	Metadata    json.RawMessage `json:"metadata"`
+	SpecVersion     string          `json:"specVersion"`
+	Metadata        json.RawMessage `json:"metadata"`
+	Vulnerabilities json.RawMessage `json:"vulnerabilities"`
 }
 
 type cyclonedxMetadataV14 struct {
@@ -124,28 +126,39 @@ func (i *CyclonedxJSONCrafter) Craft(ctx context.Context, filePath string) (*api
 		i.logger.Debug().Err(err).Msg("error decoding file to extract main information, skipping ...")
 	}
 
-	switch doc.SpecVersion {
-	case "1.4":
+	// Try with metadata tools format > v1.5
+	var metaV15 cyclonedxMetadataV15
+	if err = json.Unmarshal(doc.Metadata, &metaV15); err != nil {
+		// try with v1.4
 		var metaV14 cyclonedxMetadataV14
 		if err = json.Unmarshal(doc.Metadata, &metaV14); err != nil {
 			i.logger.Debug().Err(err).Msg("error decoding file to extract main information, skipping ...")
 		} else {
 			i.extractMetadata(m, &metaV14)
 		}
-	default: // 1.5 onwards
-		var metaV15 cyclonedxMetadataV15
-		if err = json.Unmarshal(doc.Metadata, &metaV15); err != nil {
-			i.logger.Debug().Err(err).Msg("error decoding file to extract main information, skipping ...")
-		} else {
-			i.extractMetadata(m, &metaV15)
-		}
+	} else {
+		i.extractMetadata(m, &metaV15)
 	}
 
+	i.injectAnnotations(m, &doc)
+
 	return res, nil
 }
 
+func (i *CyclonedxJSONCrafter) injectAnnotations(m *api.Attestation_Material, doc *cyclonedxDoc) {
+	// store whether the SBOM has a vulnerabilities report
+	if doc.Vulnerabilities != nil {
+		if m.Annotations == nil {
+			m.Annotations = make(map[string]string)
+		}
+		m.Annotations[annotationSBOMHasVulnerabilities] = "true"
+	}
+}
+
 func (i *CyclonedxJSONCrafter) extractMetadata(m *api.Attestation_Material, metadata any) {
-	m.Annotations = make(map[string]string)
+	if m.Annotations == nil {
+		m.Annotations = make(map[string]string)
+	}
 
 	switch meta := metadata.(type) {
 	case *cyclonedxMetadataV14:

pkg/attestation/crafter/materials/cyclonedxjson_test.go

@@ -115,6 +115,47 @@ func TestCyclonedxJSONCraft(t *testing.T) {
 				"chainloop.material.tool.version": "0.101.1",
 			},
 		},
+		{
+			name:                     "1.5 version with legacy tools",
+			filePath:                 "./testdata/sbom.cyclonedx-1.5-legacy-tools.json",
+			wantDigest:               "sha256:7bcc88d02bc19447f3fbe6bb76f12bf0f3788b3796b401716c1d62735f9c8c88",
+			wantFilename:             "sbom.cyclonedx-1.5-legacy-tools.json",
+			wantMainComponent:        "ghcr.io/chainloop-dev/chainloop/control-plane",
+			wantMainComponentKind:    "container",
+			wantMainComponentVersion: "v0.55.0",
+			annotations: map[string]string{
+				"chainloop.material.tool.name":    "syft",
+				"chainloop.material.tool.version": "0.73.0",
+			},
+		},
+		{
+			name:                     "1.5 version with vulnerabilities",
+			filePath:                 "./testdata/sbom.cyclonedx-1.5-vulnerabilities.json",
+			wantDigest:               "sha256:16248b84917cee938826bd4de98b84b243715891524bf5e6ebfc33f2c499e60b",
+			wantFilename:             "sbom.cyclonedx-1.5-vulnerabilities.json",
+			wantMainComponent:        "ghcr.io/chainloop-dev/chainloop/control-plane",
+			wantMainComponentKind:    "container",
+			wantMainComponentVersion: "v0.55.0",
+			annotations: map[string]string{
+				"chainloop.material.tool.name":                   "syft",
+				"chainloop.material.tool.version":                "0.101.1",
+				"chainloop.material.sbom.vulnerabilities_report": "true",
+			},
+		},
+		{
+			name:                     "1.5 version with vulnerability with null cwes",
+			filePath:                 "./testdata/sbom.cyclonedx-1.5-null-cwes.json",
+			wantDigest:               "sha256:0b3aef5f26a3c28da82cbc510cee7633cd5b2cb264d3fa25eebbc10795546ffb",
+			wantFilename:             "sbom.cyclonedx-1.5-null-cwes.json",
+			wantMainComponent:        "ghcr.io/chainloop-dev/chainloop/control-plane",
+			wantMainComponentKind:    "container",
+			wantMainComponentVersion: "v0.55.0",
+			annotations: map[string]string{
+				"chainloop.material.tool.name":                   "syft",
+				"chainloop.material.tool.version":                "0.101.1",
+				"chainloop.material.sbom.vulnerabilities_report": "true",
+			},
+		},
 	}
 
 	schema := &contractAPI.CraftingSchema_Material{