guacsec · kodiakhq · Apr 23, 2024 · Apr 21, 2024 · Apr 22, 2024
@@ -22,7 +22,6 @@ import (
 	"net/http"
 	"os"
 	"strings"
-	"sync"
 
 	"github.com/Khan/genqlient/graphql"
 	model "github.com/guacsec/guac/pkg/assembler/clients/generated"
@@ -433,24 +432,17 @@ func searchDependencyPackagesReverse(ctx context.Context, gqlclient graphql.Clie
 	}
 }
 
-func concurrentVulnAndVexNeighbors(ctx context.Context, gqlclient graphql.Client, pkgID string, isDep model.AllHasSBOMTreeIncludedDependenciesIsDependency, resultChan chan<- struct {
+type pkgVersionNeighborQueryResults struct {
 	pkgVersionNeighborResponse *model.NeighborsResponse
 	isDep                      model.AllHasSBOMTreeIncludedDependenciesIsDependency
-}, wg *sync.WaitGroup) {
-	defer wg.Done()
+}
 
-	logger := logging.FromContext(ctx)
+func getVulnAndVexNeighbors(ctx context.Context, gqlclient graphql.Client, pkgID string, isDep model.AllHasSBOMTreeIncludedDependenciesIsDependency) (*pkgVersionNeighborQueryResults, error) {
 	pkgVersionNeighborResponse, err := model.Neighbors(ctx, gqlclient, pkgID, []model.Edge{model.EdgePackageCertifyVuln, model.EdgePackageCertifyVexStatement})
 	if err != nil {
-		logger.Errorf("error querying neighbor for vulnerability: %w", err)
-		return
+		return nil, fmt.Errorf("failed to get neighbors for pkgID: %s with error %w", pkgID, err)
 	}
-
-	// Send the results to the resultChan
-	resultChan <- struct {
-		pkgVersionNeighborResponse *model.NeighborsResponse
-		isDep                      model.AllHasSBOMTreeIncludedDependenciesIsDependency
-	}{pkgVersionNeighborResponse, isDep}
+	return &pkgVersionNeighborQueryResults{pkgVersionNeighborResponse: pkgVersionNeighborResponse, isDep: isDep}, nil
 }
 
 // searchPkgViaHasSBOM takes in either a purl or URI for the initial value to find the hasSBOM node.
@@ -460,7 +452,7 @@ func searchPkgViaHasSBOM(ctx context.Context, gqlclient graphql.Client, searchSt
 	var path []string
 	var tableRows []table.Row
 	checkedPkgIDs := make(map[string]bool)
-	var wg sync.WaitGroup
+	var collectedPkgVersionResults []*pkgVersionNeighborQueryResults
 
 	queue := make([]string, 0) // the queue of nodes in bfs
 	type dfsNode struct {
@@ -474,11 +466,6 @@ func searchPkgViaHasSBOM(ctx context.Context, gqlclient graphql.Client, searchSt
 	nodeMap[searchString] = dfsNode{}
 	queue = append(queue, searchString)
 
-	resultChan := make(chan struct {
-		pkgVersionNeighborResponse *model.NeighborsResponse
-		isDep                      model.AllHasSBOMTreeIncludedDependenciesIsDependency
-	})
-
 	for len(queue) > 0 {
 		now := queue[0]
 		queue = queue[1:]
@@ -560,8 +547,11 @@ func searchPkgViaHasSBOM(ctx context.Context, gqlclient graphql.Client, searchSt
 					if !dfsN.expanded {
 						queue = append(queue, pkgID)
 					}
-					wg.Add(1)
-					go concurrentVulnAndVexNeighbors(ctx, gqlclient, pkgID, isDep, resultChan, &wg)
+					pkgVersionNeighbors, err := getVulnAndVexNeighbors(ctx, gqlclient, pkgID, isDep)
+					if err != nil {
+						return nil, nil, fmt.Errorf("getVulnAndVexNeighbors failed with error: %w", err)
+					}
+					collectedPkgVersionResults = append(collectedPkgVersionResults, pkgVersionNeighbors)
 					checkedPkgIDs[pkgID] = true
 				}
 			}
@@ -570,16 +560,10 @@ func searchPkgViaHasSBOM(ctx context.Context, gqlclient graphql.Client, searchSt
 		nodeMap[now] = nowNode
 	}
 
-	// Close the result channel once all goroutines are done
-	go func() {
-		wg.Wait()
-		close(resultChan)
-	}()
-
 	checkedCertifyVulnIDs := make(map[string]bool)
 
 	// Collect results from the channel
-	for result := range resultChan {
+	for _, result := range collectedPkgVersionResults {
 		for _, neighbor := range result.pkgVersionNeighborResponse.Neighbors {
 			if certifyVuln, ok := neighbor.(*model.NeighborsNeighborsCertifyVuln); ok {
 				if !checkedCertifyVulnIDs[certifyVuln.Id] {

diff --git a/internal/testing/testdata/exampledata/cyclonedx-vex-no-analysis.json b/internal/testing/testdata/exampledata/cyclonedx-vex-no-analysis.json
@@ -0,0 +1,50 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "version": 1,
+  "metadata" : {
+    "timestamp" : "2022-03-03T00:00:00Z",
+    "component" : {
+      "name" : "ABC",
+      "type" : "application",
+      "bom-ref" : "product-ABC"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "id": "CVE-2021-44228",
+      "source": {
+        "name": "NVD",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1"
+          },
+          "score": 10.0,
+          "severity": "critical",
+          "method": "CVSSv31",
+          "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+        }
+      ],
+      "description": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
+      "affects": [
+        {
+          "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#product-ABC",
+          "versions": [
+            {
+              "version": "2.4",
+              "status": "affected"
+            },
+            {
+              "version": "2.6",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -18,7 +18,6 @@ package testdata
 import (
 	_ "embed"
 	"encoding/base64"
-	"fmt"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
@@ -111,6 +110,9 @@ var (
 	//go:embed exampledata/cyclonedx-vex-affected.json
 	CycloneDXVEXAffected []byte
 
+	//go:embed exampledata/cyclonedx-vex-no-analysis.json
+	CycloneDXVEXWithoutAnalysis []byte
+
 	//go:embed exampledata/cyclonedx-vex.xml
 	CyloneDXVEXExampleXML []byte
 
@@ -186,8 +188,8 @@ var (
 			VexData: &generated.VexStatementInputSpec{
 				Status:           generated.VexStatusNotAffected,
 				VexJustification: generated.VexJustificationVulnerableCodeNotInExecutePath,
-				Statement:        "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly.",
-				StatusNotes:      fmt.Sprintf("%s:%s", generated.VexStatusNotAffected, generated.VexJustificationVulnerableCodeNotInExecutePath),
+				Statement:        "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
+				StatusNotes:      "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly.",
 				KnownSince:       parseUTCTime("2020-12-03T00:00:00.000Z"),
 			},
 		},
@@ -231,8 +233,15 @@ var (
 	VexDataAffected = &generated.VexStatementInputSpec{
 		Status:           generated.VexStatusAffected,
 		VexJustification: generated.VexJustificationNotProvided,
-		Statement:        "Versions of Product ABC are affected by the vulnerability. Customers are advised to upgrade to the latest release.",
-		StatusNotes:      fmt.Sprintf("%s:%s", generated.VexStatusAffected, generated.VexJustificationNotProvided),
+		Statement:        "",
+		StatusNotes:      "Versions of Product ABC are affected by the vulnerability. Customers are advised to upgrade to the latest release.",
+		KnownSince:       time.Unix(0, 0),
+	}
+	VexDataNoAnalysis = &generated.VexStatementInputSpec{
+		Status:           generated.VexStatusAffected,
+		VexJustification: generated.VexJustificationNotProvided,
+		Statement:        "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
+		StatusNotes:      "",
 		KnownSince:       time.Unix(0, 0),
 	}
 	CycloneDXAffectedVulnMetadata = []assembler.VulnMetadataIngest{
@@ -245,6 +254,16 @@ var (
 			},
 		},
 	}
+	CycloneDXNoAnalysisVulnMetadata = []assembler.VulnMetadataIngest{
+		{
+			Vulnerability: VulnSpecAffected,
+			VulnMetadata: &generated.VulnerabilityMetadataInputSpec{
+				ScoreType:  generated.VulnerabilityScoreTypeCvssv31,
+				ScoreValue: 10,
+				Timestamp:  time.Unix(0, 0),
+			},
+		},
+	}
 
 	topLevelPkg, _     = asmhelpers.PurlToPkg("pkg:guac/cdx/ABC")
 	HasSBOMVexAffected = []assembler.HasSBOMIngest{
@@ -257,6 +276,16 @@ var (
 			},
 		},
 	}
+	HasSBOMVexNoAnalysis = []assembler.HasSBOMIngest{
+		{
+			Pkg: topLevelPkg,
+			HasSBOM: &model.HasSBOMInputSpec{
+				Algorithm:  "sha256",
+				Digest:     "265c99f1f9a09b7fc10c14c97ca1a07fc52ae470f5cbcddd9baf5585fb28221c",
+				KnownSince: parseRfc3339("2022-03-03T00:00:00Z"),
+			},
+		},
+	}
 
 	// DSSE/SLSA Testdata
 

@@ -137,7 +137,7 @@ func purlConvert(p purl.PackageURL) (*model.PkgInputSpec, error) {
 		purl.TypeDebian, purl.TypeGem, purl.TypeGithub,
 		purl.TypeGolang, purl.TypeHackage, purl.TypeHex, purl.TypeMaven,
 		purl.TypeNPM, purl.TypeNuget, purl.TypePyPi, purl.TypeRPM, purl.TypeSwift,
-		purl.TypeGeneric:
+		purl.TypeGeneric, purl.TypeYocto, purl.TypeCpan:
 		// some code
 		r := pkg(p.Type, p.Namespace, p.Name, p.Version, p.Subpath, p.Qualifiers.Map())
 		return r, nil

@@ -208,6 +208,14 @@ func TestPurlConvert(t *testing.T) {
 			expected: pkg("oci", "registry.redhat.io/ubi9", "ubi9-container", "sha256:8614ce95268b970880a1eca97dddfce5154fab35418d839c5f75012cccaca0d9", "", map[string]string{
 				"tag": "9.2-489",
 			}),
+		}, {
+			purlUri: "pkg:yocto/dmidecode@2.12-r0?arch=core2-32",
+			expected: pkg("yocto", "", "dmidecode", "2.12-r0", "", map[string]string{
+				"arch": "core2-32",
+			}),
+		}, {
+			purlUri:  "pkg:cpan/Pod-Perldoc@3.20",
+			expected: pkg("cpan", "", "Pod-Perldoc", "3.20", "", map[string]string{}),
 		},
 	}