guacsec / guac

GUAC aggregates software security metadata into a high fidelity graph database.
https://guac.sh
Apache License 2.0

[bug] `guacone query vuln` does not return VEX statements when a vulnerability ID is passed in #1539

Closed ridhoq closed 8 months ago

ridhoq commented 9 months ago

Describe the bug When running guacone query vuln <purl> --vuln-id <vuln-id>, the table output does not show any related VEX statements when they are present. However, if you were to run guacone query vuln <purl> without a vulnerability ID, related VEX statements are returned.

To Reproduce Steps to reproduce the behavior:

  1. Collect an SBOM that contains dependencies with vulnerabilities
  2. Collect a VEX statement using a vulnerability ID that is present in the SBOM

     ```json
     {
       "@context": "https://openvex.dev/ns",
       "@id": "https://openvex.dev/docs/public/vex-88f73742d154e9e356788e7e475effd622c4fb18c3955a523319c34c7d2b6da6",
       "author": "Unknown Author",
       "role": "Document Creator",
       "timestamp": "2023-11-16T22:34:40.160264197Z",
       "version": 1,
       "statements": [
         {
           "vulnerability": {
             "name": "ghsa-4374-p667-p6c8"
           },
           "products": [
             {
               "@id": "pkg:swid/MySBOMDocument"
             }
           ],
           "status": "not_affected",
           "justification": "vulnerable_code_not_in_execute_path"
         }
       ]
     }
     ```

  3. Run guacone query vuln pkg:swid/MySBOMDocument --vuln-id ghsa-4374-p667-p6c8
  4. Observe that there is no VEX statement returned as a table row

Expected behavior VEX statements should always be returned, regardless of whether a vulnerability ID is passed in.

GUAC version Latest on main

Additional context Will update the description with a better test case if I find one. I discovered the bug on an internal SBOM.

pxp928 commented 9 months ago

Thanks for the bug report @ridhoq! The issue seems to be that we are not taking into account VEX during the query with a purl and vulnerability ID: https://github.com/guacsec/guac/blob/main/cmd/guacone/cmd/vulnerability.go#L121. We are filtering on certifyVuln edge but we should also be including certifyVex edges from the vulnerability.

Specifically, queryVulnsViaVulnNodeNeighbors will need to be updated.
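The comment above describes the defect as a neighbor walk from the vulnerability node that follows only the certifyVuln edge kind. The Go program below is an added illustration of that failure mode and of the corrected walk; it is not GUAC's code and does not use GUAC's GraphQL client or generated model. The graph, the edge names (`certifyVuln`, `certifyVex`), the `Neighbors(id, usingOnly)` shape and the sample nodes are all this example's own constructions, chosen to mirror the purl, GHSA ID and `not_affected` statement from the report.

```go
package main

import "fmt"

// Edge names the edge kinds this example's graph understands. They are this
// example's own identifiers, modelled on a vulnerability -> certifyVuln and a
// vulnerability -> VEX-statement edge, not GUAC's generated types.
type Edge string

const (
	EdgeCertifyVuln Edge = "certifyVuln" // vulnerability -> scanner finding for a package
	EdgeCertifyVex  Edge = "certifyVex"  // vulnerability -> VEX statement about a product
)

// Node is a minimal stand-in for a graph node; Attrs carries whatever the
// table output would print (subject purl, status, justification).
type Node struct {
	ID    string
	Kind  string
	Attrs map[string]string
}

// Graph is an in-memory adjacency list keyed by source node ID and edge kind.
type Graph struct {
	nodes map[string]*Node
	adj   map[string]map[Edge][]string
}

func NewGraph() *Graph {
	return &Graph{nodes: map[string]*Node{}, adj: map[string]map[Edge][]string{}}
}

func (g *Graph) AddNode(n *Node) { g.nodes[n.ID] = n }

func (g *Graph) Link(from string, e Edge, to string) {
	if g.adj[from] == nil {
		g.adj[from] = map[Edge][]string{}
	}
	g.adj[from][e] = append(g.adj[from][e], to)
}

// Neighbors returns the nodes reachable from id over exactly the edge kinds in
// usingOnly, in usingOnly order: the same shape as a neighbors query that is
// restricted to a list of edge types.
func (g *Graph) Neighbors(id string, usingOnly []Edge) []*Node {
	var out []*Node
	for _, e := range usingOnly {
		for _, to := range g.adj[id][e] {
			out = append(out, g.nodes[to])
		}
	}
	return out
}

// Row is one line of the table the CLI would print.
type Row struct {
	NodeType string
	ID       string
	Detail   string
}

func toRows(ns []*Node) []Row {
	rows := make([]Row, 0, len(ns))
	for _, n := range ns {
		detail := n.Attrs["subject"]
		if s, ok := n.Attrs["status"]; ok {
			detail += " status=" + s + " justification=" + n.Attrs["justification"]
		}
		rows = append(rows, Row{NodeType: n.Kind, ID: n.ID, Detail: detail})
	}
	return rows
}

// QueryVulnNodeBuggy reproduces the reported behaviour: starting from the
// vulnerability node it walks only certifyVuln edges, so a VEX statement that
// hangs off the same vulnerability never becomes a table row.
func QueryVulnNodeBuggy(g *Graph, vulnID string) []Row {
	return toRows(g.Neighbors(vulnID, []Edge{EdgeCertifyVuln}))
}

// QueryVulnNodeFixed is the corrected walk: both edge kinds are followed, so
// the not_affected statement is returned alongside the scanner finding.
func QueryVulnNodeFixed(g *Graph, vulnID string) []Row {
	return toRows(g.Neighbors(vulnID, []Edge{EdgeCertifyVuln, EdgeCertifyVex}))
}

// SampleGraph is constructed data mirroring the issue: one product purl, one
// GHSA, one certifyVuln finding and the not_affected OpenVEX statement.
func SampleGraph() *Graph {
	g := NewGraph()
	g.AddNode(&Node{ID: "ghsa-4374-p667-p6c8", Kind: "vulnerability"})
	g.AddNode(&Node{ID: "certifyVuln:1", Kind: "certifyVuln",
		Attrs: map[string]string{"subject": "pkg:swid/MySBOMDocument"}})
	g.AddNode(&Node{ID: "certifyVex:1", Kind: "certifyVex",
		Attrs: map[string]string{
			"subject":       "pkg:swid/MySBOMDocument",
			"status":        "not_affected",
			"justification": "vulnerable_code_not_in_execute_path",
		}})
	g.Link("ghsa-4374-p667-p6c8", EdgeCertifyVuln, "certifyVuln:1")
	g.Link("ghsa-4374-p667-p6c8", EdgeCertifyVex, "certifyVex:1")
	return g
}

func main() {
	g := SampleGraph()
	for name, q := range map[string]func(*Graph, string) []Row{
		"buggy": QueryVulnNodeBuggy, "fixed": QueryVulnNodeFixed,
	} {
		fmt.Println(name + ":")
		for _, r := range q(g, "ghsa-4374-p667-p6c8") {
			fmt.Printf("  %-12s %-14s %s\n", r.NodeType, r.ID, r.Detail)
		}
	}
}
```

The buggy walk prints a single certifyVuln row for the purl; the fixed walk prints that row and the VEX row with its status and justification, which is the output the reporter expected from the `--vuln-id` query. The same pattern applies to any neighbor lookup that starts at a vulnerability: every edge kind that can carry a decision about that vulnerability has to be in the filter list, or the query silently drops it.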

ridhoq commented 9 months ago

@pxp928 I took a stab at it in #1540. Let me know if it's in the right direction.

pxp928 commented 9 months ago

Cool will take a look!