From c5b2ce3603a8ed0da1c1970afe267cfb56d1ceaf Mon Sep 17 00:00:00 2001
From: Arnout Engelen
Date: Sat, 23 Dec 2023 15:18:58 +0100
Subject: [PATCH] Include information about CVE patches in CycloneDX output

Signed-off-by: Arnout Engelen
---
 src/sbomnix/sbomdb.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/sbomnix/sbomdb.py b/src/sbomnix/sbomdb.py
index 9d6d474..ace1158 100644
--- a/src/sbomnix/sbomdb.py
+++ b/src/sbomnix/sbomdb.py
@@ -383,6 +383,26 @@ def _drv_to_cdx_component(drv, uid="store_path"):
     if "meta_description" in drv._asdict() and drv.meta_description:
         component["description"] = drv.meta_description
     _cdx_component_add_licenses(component, drv)
+    if drv.patches:
+        security_patches = []
+        for p in drv.patches.split(' '):
+            print(p)
+            m = re.search(r'CVE-\d{4}-\d+', p)
+            if m:
+                patch = {
+                    "type": "unofficial",
+                    "resolves": [
+                        {
+                            "type": "security",
+                            "id": m.group(0)
+                        }
+                    ]
+                }
+                security_patches.append(patch)
+        if security_patches:
+            pedigree = {}
+            pedigree["patches"] = security_patches
+            component["pedigree"] = pedigree
     properties = []
     for output_path in drv.outputs:
         prop = {}
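Review bot: The `print(p)` inside the `for p in drv.patches.split(' ')` loop is a leftover debug trace that writes every patch path to stdout for every component, which would corrupt the CycloneDX document whenever the SBOM is itself emitted on stdout; drop the line or route it through the module's logger at debug level. `split(' ')` also yields empty strings when the patches attribute is separated by runs of whitespace or newlines, so `for p in drv.patches.split():` is the safer form. `re.search` records only the first CVE identifier per patch, so a patch file named for several CVEs, or one written with a lower-case `cve-` prefix, is under- or un-reported; iterating `re.findall(r'CVE-\d{4}-\d+', p, flags=re.IGNORECASE)` with one `resolves` entry per upper-cased match (deduplicated across the component) would make the pedigree complete, and a comment above `security_patches = []` should state that the `resolves` claim is inferred from the patch filename alone and is not verified against the patch content, so consumers should treat it as a hint rather than proof of remediation. This assumes `re` is already imported at the top of sbomdb.py, which the hunk does not show, and `_drv_to_cdx_component` begins and ends outside the hunk.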