fix(report): tidy dependencies for multiple repo on integration with GSA (#1593)

* initialize dependencyGraphManifests out of loop * remove GitHubSecurityAlert.PackageName * tidy dependency map for multi repo * set repo name into SBOM components & purl for multi repo
2023-02-07 19:47:32 +09:00
parent ad2edbb844
commit 1927ed344c
5 changed files with 25 additions and 17 deletions
--- a/models/github.go
+++ b/models/github.go
@@ -1,21 +1,28 @@
 package models

 import (
+	"fmt"
 	"strings"

 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 )

 // DependencyGraphManifests has a map of DependencyGraphManifest
-// key: Filename
+// key: BlobPath
 type DependencyGraphManifests map[string]DependencyGraphManifest

 type DependencyGraphManifest struct {
+	BlobPath     string       `json:"blobPath"`
 	Filename     string       `json:"filename"`
 	Repository   string       `json:"repository"`
 	Dependencies []Dependency `json:"dependencies"`
 }

+// RepoURLFilename should be same format with GitHubSecurityAlert.RepoURLManifestPath()
+func (m DependencyGraphManifest) RepoURLFilename() string {
+	return fmt.Sprintf("%s/%s", m.Repository, m.Filename)
+}
+
 // Ecosystem returns a name of ecosystem(or package manager) of manifest(lock) file in trivy way
 // https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems
 func (m DependencyGraphManifest) Ecosystem() string {
--- a/models/vulninfos.go
+++ b/models/vulninfos.go
@@ -299,10 +299,8 @@ func (g GitHubSecurityAlerts) Names() (names []string) {
 	return names
 }

-// GitHubSecurityAlert has detected CVE-ID, PackageName, Status fetched via GitHub API
+// GitHubSecurityAlert has detected CVE-ID, GSAVulnerablePackage, Status fetched via GitHub API
 type GitHubSecurityAlert struct {
-	// TODO: PackageName deprecated. it will be removed next time.
-	PackageName   string               `json:"packageName"`
 	Repository    string               `json:"repository"`
 	Package       GSAVulnerablePackage `json:"package,omitempty"`
 	FixedIn       string               `json:"fixedIn"`
@@ -316,6 +314,11 @@ func (a GitHubSecurityAlert) RepoURLPackageName() string {
 	return fmt.Sprintf("%s %s", a.Repository, a.Package.Name)
 }

+// RepoURLManifestPath should be same format with DependencyGraphManifest.RepoURLFilename()
+func (a GitHubSecurityAlert) RepoURLManifestPath() string {
+	return fmt.Sprintf("%s/%s", a.Repository, a.Package.ManifestPath)
+}
+
 type GSAVulnerablePackage struct {
 	Name             string `json:"name"`
 	Ecosystem        string `json:"ecosystem"`