Add support for vulnerabilities in load_sbom pipeline #1729 (#1817)

Signed-off-by: tdruez <tdruez@nexb.com>

Author: tdruez

scanpipe/pipes/cyclonedx.py

@@ -150,9 +150,12 @@ def is_cyclonedx_bom(input_location):
     return False
 
 
-def cyclonedx_component_to_package_data(cdx_component, dependencies=None):
+def cyclonedx_component_to_package_data(
+    cdx_component, dependencies=None, vulnerabilities=None
+):
     """Return package_data from CycloneDX component."""
     dependencies = dependencies or {}
+    vulnerabilities = vulnerabilities or {}
     extra_data = {}
 
     # Store the original bom_ref and dependencies for future processing.
@@ -175,13 +178,24 @@ def cyclonedx_component_to_package_data(cdx_component, dependencies=None):
         nested_purls = [component.bom_ref.value for component in nested_components]
         extra_data["nestedComponents"] = sorted(nested_purls)
 
+    affected_by_vulnerabilities = []
+    if affected_by := vulnerabilities.get(bom_ref):
+        for cdx_vulnerability in affected_by:
+            affected_by_vulnerabilities.append(
+                {
+                    "vulnerability_id": str(cdx_vulnerability.id),
+                    "summary": cdx_vulnerability.description,
+                }
+            )
+
     package_data = {
         "name": cdx_component.name,
         "extracted_license_statement": declared_license,
         "copyright": cdx_component.copyright,
         "version": cdx_component.version,
         "description": cdx_component.description,
         "extra_data": extra_data,
+        "affected_by_vulnerabilities": affected_by_vulnerabilities,
         **package_url_dict,
         **get_checksums(cdx_component),
         **get_properties_data(cdx_component),
@@ -216,7 +230,6 @@ def delete_ignored_root_properties(cyclonedx_document_json):
         "services",
         "externalReferences",
         "compositions",
-        "vulnerabilities",
         "annotations",
         "formulation",
         "declarations",
@@ -324,7 +337,12 @@ def resolve_cyclonedx_packages(input_location):
         if depends_on := [str(dep.ref) for dep in entry.dependencies]:
             dependencies[str(entry.ref)].extend(depends_on)
 
+    vulnerabilities = defaultdict(list)
+    for vulnerability in cyclonedx_bom.vulnerabilities:
+        for affected_target in vulnerability.affects:
+            vulnerabilities[str(affected_target.ref)].append(vulnerability)
+
     return [
-        cyclonedx_component_to_package_data(component, dependencies)
+        cyclonedx_component_to_package_data(component, dependencies, vulnerabilities)
         for component in components
     ]

scanpipe/tests/data/cyclonedx/python-3.13.0-vulnerabilities.cdx.json

@@ -0,0 +1,97 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:f9350ed3-ac98-4d15-90ef-62b39dc55d5a",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-08-18T05:43:10+00:00",
+    "component": {
+      "bom-ref": "pkg:oci/python@sha256%3A0de818129b26ed8f46fd772f540c80e277b67a28229531a1ba0fdacfaed19bcb?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fpython",
+      "type": "container",
+      "name": "python:3.13.0-slim",
+      "purl": "pkg:oci/python@sha256%3A0de818129b26ed8f46fd772f540c80e277b67a28229531a1ba0fdacfaed19bcb?arch=amd64&repository_url=index.docker.io%2Flibrary%2Fpython"
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64&distro=debian-12.8",
+      "type": "library",
+      "supplier": {
+        "name": "Janos Lenart <ocsi@debian.org>"
+      },
+      "name": "tar",
+      "version": "1.34+dfsg-1.2+deb12u1",
+      "purl": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64&distro=debian-12.8"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-2005-2541",
+      "source": {
+        "name": "debian",
+        "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "debian"
+          },
+          "severity": "low"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 10,
+          "severity": "high",
+          "method": "CVSSv2",
+          "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 7,
+          "severity": "medium",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description": "Tar 1.15.1 does not properly warn the user when...",
+      "advisories": [
+        {
+          "url": "https://avd.aquasec.com/nvd/cve-2005-2541"
+        },
+        {
+          "url": "http://marc.info/?l=bugtraq&m=112327628230258&w=2"
+        },
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2005-2541"
+        },
+        {
+          "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E"
+        },
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-2541"
+        },
+        {
+          "url": "https://www.cve.org/CVERecord?id=CVE-2005-2541"
+        }
+      ],
+      "published": "2005-08-10T04:00:00+00:00",
+      "updated": "2025-04-03T01:03:51+00:00",
+      "affects": [
+        {
+          "ref": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?arch=amd64&distro=debian-12.8",
+          "versions": [
+            {
+              "version": "1.34+dfsg-1.2+deb12u1",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

scanpipe/tests/pipes/test_cyclonedx.py

@@ -248,6 +248,20 @@ def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_dependencies(self):
         ]
         self.assertEqual(expected_depends_on, extra_data["depends_on"])
 
+    def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_vulnerabilities(self):
+        input_location = self.data / "python-3.13.0-vulnerabilities.cdx.json"
+        packages = cyclonedx.resolve_cyclonedx_packages(input_location)
+        self.assertEqual(1, len(packages))
+
+        affected_by = packages[0]["affected_by_vulnerabilities"]
+        expected = [
+            {
+                "vulnerability_id": "CVE-2005-2541",
+                "summary": "Tar 1.15.1 does not properly warn the user when...",
+            }
+        ]
+        self.assertEqual(expected, affected_by)
+
     def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_pre_validation(self):
         # This SBOM includes multiple deserialization issues that are "fixed"
         # by the pre-validation cleanup.

scanpipe/tests/test_pipelines.py

@@ -1388,11 +1388,11 @@ def test_scanpipe_fetch_scores_pipeline_integration(self, mock_is_available):
             "scoring_tool_documentation_url": "https://github.com/[trunc...]",
             "score_date": "2025-07-24T18:50:16Z",
         }
-        with mock.patch("scorecode.ossf_scorecard.fetch_scorecard_info") as fetch:
+        with mock.patch("scorecode.ossf_scorecard.fetch_scorecard") as fetch:
             fetch.return_value = PackageScore(**package_score_data)
-            exitcode, out = pipeline.execute()
-
+        exitcode, out = pipeline.execute()
         self.assertEqual(0, exitcode, msg=out)
+
         package1.refresh_from_db()
         scorecard_entry = package1.scores.filter(scoring_tool="ossf-scorecard").first()
         self.assertIsNotNone(scorecard_entry)
@@ -1617,6 +1617,31 @@ def test_scanpipe_load_sbom_pipeline_cyclonedx_with_dependencies_integration(sel
         dependency = project1.discovereddependencies.all()[0]
         self.assertEqual("bom.1.4.json", str(dependency.datafile_resource))
 
+    def test_scanpipe_load_sbom_pipeline_cyclonedx_with_vulnerabilities(self):
+        pipeline_name = "load_sbom"
+        project1 = make_project()
+
+        input_location = (
+            self.data / "cyclonedx" / "python-3.13.0-vulnerabilities.cdx.json"
+        )
+        project1.copy_input_from(input_location)
+
+        run = project1.add_pipeline(pipeline_name)
+        pipeline = run.make_pipeline_instance()
+
+        exitcode, out = pipeline.execute()
+        self.assertEqual(0, exitcode, msg=out)
+
+        self.assertEqual(1, project1.discoveredpackages.count())
+        package = project1.discoveredpackages.get()
+        expected = [
+            {
+                "vulnerability_id": "CVE-2005-2541",
+                "summary": "Tar 1.15.1 does not properly warn the user when...",
+            }
+        ]
+        self.assertEqual(expected, package.affected_by_vulnerabilities)
+
     @mock.patch("scanpipe.pipes.purldb.request_post")
     @mock.patch("uuid.uuid4")
     def test_scanpipe_deploy_to_develop_pipeline_integration(
@@ -1747,20 +1772,6 @@ def test_scanpipe_deploy_to_develop_pipeline_with_about_file(
         )
         self.assertIn(expected, message.description)
 
-    def test_scanpipe_deploy_to_develop_pipeline_without_selected_groups(self):
-        pipeline_name = "map_deploy_to_develop"
-        project1 = make_project(name="Analysis")
-
-        data_dir = self.data / "d2d" / "about_files"
-        project1.copy_input_from(data_dir / "from-with-about-file.zip")
-        project1.copy_input_from(data_dir / "to-with-jar.zip")
-
-        run = project1.add_pipeline(pipeline_name=pipeline_name)
-        pipeline = run.make_pipeline_instance()
-
-        exitcode, out = pipeline.execute()
-        self.assertEqual(0, exitcode, msg=out)
-
     @mock.patch("scanpipe.pipes.purldb.request_post")
     @mock.patch("scanpipe.pipes.purldb.is_available")
     def test_scanpipe_populate_purldb_pipeline_integration(