interlynk-io · riteshnoronha · Nov 25, 2024 · Nov 25, 2024 · Nov 25, 2024
diff --git a/pkg/compliance/bsi.go b/pkg/compliance/bsi.go
@@ -80,6 +80,7 @@ const (
 	PACK_INFO
 	SBOM_TYPE
 	PACK_EXT_REF
+	SBOM_VULNERABILITES
 )
 
 func bsiResult(ctx context.Context, doc sbom.Document, fileName string, outFormat string) {

diff --git a/pkg/compliance/bsiV2.go b/pkg/compliance/bsiV2.go
@@ -35,6 +35,7 @@ func bsiV2Result(ctx context.Context, doc sbom.Document, fileName string, outFor
 
 	dtb := db.NewDB()
 
+	dtb.AddRecord(bsiV2Vulnerabilities(doc))
 	dtb.AddRecord(bsiSpec(doc))
 	dtb.AddRecord(bsiV2SpecVersion(doc))
 	dtb.AddRecord(bsiBuildPhase(doc))
@@ -60,6 +61,21 @@ func bsiV2Result(ctx context.Context, doc sbom.Document, fileName string, outFor
 	}
 }
 
+func bsiV2Vulnerabilities(doc sbom.Document) *db.Record {
+	result, score := "no-vulnerability", 10.0
+
+	vuln := doc.Vulnerabilities()
+
+	if vuln != nil {
+		vulnId := vuln.GetID()
+		if vulnId != "" {
+			result = vulnId
+		}
+		score = 0.0
+	}
+	return db.NewRecordStmt(SBOM_VULNERABILITES, "doc", result, score, "")
+}
+
 func bsiV2SpecVersion(doc sbom.Document) *db.Record {
 	spec := doc.Spec().GetSpecType()
 	version := doc.Spec().GetVersion()

diff --git a/pkg/compliance/bsi_report.go b/pkg/compliance/bsi_report.go
@@ -45,6 +45,7 @@ var bsiSectionDetails = map[int]bsiSection{
 	COMP_DOWNLOAD_URL:    {Title: "Additional fields components", ID: "5.3.2", Required: false, DataField: "URI of the executable form of the component"},
 	COMP_SOURCE_HASH:     {Title: "Additional fields components", ID: "5.3.2", Required: false, DataField: "Hash value of the source code of the component"},
 	COMP_OTHER_UNIQ_IDS:  {Title: "Additional fields components", ID: "5.3.2", Required: false, DataField: "Other unique identifiers"},
+	SBOM_VULNERABILITES:  {Title: "Definition of SBOM", ID: "3.1", Required: true, DataField: "vuln"},
 }
 
 type run struct {

diff --git a/pkg/compliance/bsi_v2_report.go b/pkg/compliance/bsi_v2_report.go
@@ -23,16 +23,6 @@ import (
 	"github.com/olekukonko/tablewriter"
 )
 
-var bsiV2SectionDetails = map[int]bsiSection{
-	SBOM_SPEC:         {Title: "SBOM formats", ID: "4", Required: true, DataField: "specification"},
-	SBOM_SPEC_VERSION: {Title: "SBOM formats", ID: "4", Required: true, DataField: "specification version"},
-	SBOM_BUILD:        {Title: "Level of Detail", ID: "5.1", Required: true, DataField: "build process"},
-	SBOM_DEPTH:        {Title: "Level of Detail", ID: "5.1", Required: true, DataField: "depth"},
-	SBOM_CREATOR:      {Title: "Required fields sboms ", ID: "5.2.1", Required: true, DataField: "creator of sbom"},
-	SBOM_TIMESTAMP:    {Title: "Required fields sboms", ID: "5.2.1", Required: true, DataField: "timestamp"},
-	SBOM_URI:          {Title: "Additional fields sboms", ID: "5.3.1", Required: false, DataField: "SBOM-URI"},
-}
-
 func bsiV2JSONReport(dtb *db.DB, fileName string) {
 	name := "BSI TR-03183-2 v2.0.0 Compliance Report"
 	revision := "TR-03183-2 (2.0.0)"

diff --git a/pkg/sbom/cdx.go b/pkg/sbom/cdx.go
@@ -55,6 +55,7 @@ type CdxDoc struct {
 	PrimaryComponent PrimaryComp
 	Dependencies     map[string][]string
 	composition      map[string]string
+	vuln             GetVulnerabilities
 }
 
 func newCDXDoc(ctx context.Context, f io.ReadSeeker, format FileFormat) (Document, error) {
@@ -142,6 +143,10 @@ func (c CdxDoc) GetComposition(componentID string) string {
 	return c.composition[componentID]
 }
 
+func (s CdxDoc) Vulnerabilities() GetVulnerabilities {
+	return s.vuln
+}
+
 func (c *CdxDoc) parse() {
 	c.parseDoc()
 	c.parseSpec()
@@ -151,6 +156,7 @@ func (c *CdxDoc) parse() {
 	c.parseTool()
 	c.parseCompositions()
 	c.parsePrimaryCompAndRelationships()
+	c.parseVulnerabilities()
 	c.parseComps()
 }
 
@@ -210,6 +216,16 @@ func (c *CdxDoc) parseSpec() {
 	c.CdxSpec = sp
 }
 
+func (c *CdxDoc) parseVulnerabilities() {
+	vuln := Vulnerability{}
+	for _, v := range *c.doc.Vulnerabilities {
+		if v.ID != "" {
+			vuln.Id = v.ID
+		}
+	}
+	c.vuln = vuln
+}
+
 func (c *CdxDoc) requiredFields() bool {
 	if c.doc == nil {
 		c.addToLogs("cdx doc is not parsable")

diff --git a/pkg/sbom/document.go b/pkg/sbom/document.go
@@ -31,4 +31,6 @@ type Document interface {
 
 	PrimaryComp() GetPrimaryComp
 	GetRelationships(string) []string
+
+	Vulnerabilities() GetVulnerabilities
 }
diff --git a/pkg/sbom/spdx.go b/pkg/sbom/spdx.go
@@ -57,6 +57,7 @@ type SpdxDoc struct {
 	Lifecycle        string
 	Dependencies     map[string][]string
 	composition      map[string]string
+	vuln             GetVulnerabilities
 }
 
 func newSPDXDoc(ctx context.Context, f io.ReadSeeker, format FileFormat, version FormatVersion) (Document, error) {
@@ -152,6 +153,10 @@ func (s SpdxDoc) GetComposition(componentID string) string {
 	return s.composition[componentID]
 }
 
+func (s SpdxDoc) Vulnerabilities() GetVulnerabilities {
+	return s.vuln
+}
+
 func (s *SpdxDoc) parse() {
 	s.parseDoc()
 	s.parseSpec()
@@ -209,6 +214,7 @@ func (s *SpdxDoc) parseSpec() {
 	if s.doc.DocumentNamespace != "" {
 		sp.uri = s.doc.DocumentNamespace
 	}
+	s.vuln = nil
 
 	s.SpdxSpec = sp
 }

diff --git a/pkg/sbom/vulnerabilities.go b/pkg/sbom/vulnerabilities.go
@@ -0,0 +1,27 @@
+// Copyright 2024 Interlynk.io
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sbom
+
+type GetVulnerabilities interface {
+	GetID() string
+}
+
+type Vulnerability struct {
+	Id string
+}
+
+func (v Vulnerability) GetID() string {
+	return v.Id
+}