Include information about CVE patches in CycloneDX output

Signed-off-by: Arnout Engelen <arnout@bzzt.net>
tiiuae · Dec 23, 2023 · c5b2ce3 · c5b2ce3
1 parent 9e5ca03
commit c5b2ce3
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/src/sbomnix/sbomdb.py b/src/sbomnix/sbomdb.py
@@ -383,6 +383,26 @@ def _drv_to_cdx_component(drv, uid="store_path"):
     if "meta_description" in drv._asdict() and drv.meta_description:
         component["description"] = drv.meta_description
     _cdx_component_add_licenses(component, drv)
+    if drv.patches:
+        security_patches = []
+        for p in drv.patches.split(' '):
+            print(p)
+            m = re.search(r'CVE-\d{4}-\d+', p)
+            if m:
+                patch = {
+                    "type": "unofficial",
+                    "resolves": [
+                        {
+                            "type": "security",
+                            "id": m.group(0)
+                        }
+                    ]
+                }
+                security_patches.append(patch)
+        if security_patches:
+            pedigree = {}
+            pedigree["patches"] = security_patches
+            component["pedigree"] = pedigree
     properties = []
     for output_path in drv.outputs:
         prop = {}