refactor(vex): improve SBOM reference handling with project standards (#8457)

knqyf263 · web-flow · commit 1f85b2777354 · 2025-03-03T12:57:13.000Z
diff --git a/pkg/vex/sbomref.go b/pkg/vex/sbomref.go
@@ -2,11 +2,12 @@ package vex
 
 import (
 	"bytes"
-	"fmt"
+	"context"
 	"io"
 	"net/http"
 	"net/url"
 
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
@@ -20,15 +21,17 @@ type SBOMReferenceSet struct {
 }
 
 func NewSBOMReferenceSet(report *types.Report) (*SBOMReferenceSet, error) {
-
 	if report.ArtifactType != artifact.TypeCycloneDX {
 		return nil, xerrors.Errorf("externalReferences can only be used when scanning CycloneDX SBOMs: %w", report.ArtifactType)
 	}
 
-	var externalRefs = report.BOM.ExternalReferences()
+	ctx := log.WithContextPrefix(context.Background(), "vex")
+	ctx = log.WithContextAttrs(ctx, log.String("type", "sbom_reference"))
+
+	externalRefs := report.BOM.ExternalReferences()
 	urls := parseToURLs(externalRefs)
 
-	v, err := retrieveExternalVEXDocuments(urls, report)
+	v, err := retrieveExternalVEXDocuments(ctx, urls, report)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to fetch external VEX documents: %w", err)
 	} else if v == nil {
@@ -38,48 +41,41 @@ func NewSBOMReferenceSet(report *types.Report) (*SBOMReferenceSet, error) {
 	return &SBOMReferenceSet{VEXes: v}, nil
 }
 
-func parseToURLs(refs []core.ExternalReference) []url.URL {
-	var urls []url.URL
-	for _, ref := range refs {
-		if ref.Type == core.ExternalReferenceVEX {
-			val, err := url.Parse(ref.URL)
+func parseToURLs(refs []core.ExternalReference) []*url.URL {
+	return lo.FilterMap(refs, func(ref core.ExternalReference, _ int) (*url.URL, bool) {
+		if ref.Type != core.ExternalReferenceVEX {
+			return nil, false
+		}
+		val, err := url.Parse(ref.URL)
+		if err != nil || (val.Scheme != "https" && val.Scheme != "http") {
 			// do not concern ourselves with relative URLs at this point
-			if err != nil || (val.Scheme != "https" && val.Scheme != "http") {
-				continue
-			}
-			urls = append(urls, *val)
+			return nil, false
 		}
-	}
-	return urls
+		return val, true
+	})
 }
 
-func retrieveExternalVEXDocuments(refs []url.URL, report *types.Report) ([]VEX, error) {
-
-	logger := log.WithPrefix("vex").With(log.String("type", "external_reference"))
-
+func retrieveExternalVEXDocuments(ctx context.Context, refs []*url.URL, report *types.Report) ([]VEX, error) {
 	var docs []VEX
 	for _, ref := range refs {
-		doc, err := retrieveExternalVEXDocument(ref, report)
+		doc, err := retrieveExternalVEXDocument(ctx, ref, report)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to retrieve external VEX document: %w", err)
 		}
 		docs = append(docs, doc)
 	}
-	logger.Debug("Retrieved external VEX documents", "count", len(docs))
+	log.DebugContext(ctx, "Retrieved external VEX documents", log.Int("count", len(docs)))
 
 	if len(docs) == 0 {
-		logger.Info("No external VEX documents found")
+		log.DebugContext(ctx, "No external VEX documents found")
 		return nil, nil
 	}
 	return docs, nil
 
 }
 
-func retrieveExternalVEXDocument(vexUrl url.URL, report *types.Report) (VEX, error) {
-
-	logger := log.WithPrefix("vex").With(log.String("type", "external_reference"))
-
-	logger.Info(fmt.Sprintf("Retrieving external VEX document from host %s", vexUrl.Host))
+func retrieveExternalVEXDocument(ctx context.Context, vexUrl *url.URL, report *types.Report) (VEX, error) {
+	log.DebugContext(ctx, "Retrieving external VEX document", log.String("url", vexUrl.String()))
 
 	res, err := http.Get(vexUrl.String())
 	if err != nil {
@@ -96,15 +92,14 @@ func retrieveExternalVEXDocument(vexUrl url.URL, report *types.Report) (VEX, err
 		return nil, xerrors.Errorf("unable to read response into memory: %w", err)
 	}
 
-	if v, err := decodeVEX(bytes.NewReader(val), vexUrl.String(), report); err != nil {
+	v, err := decodeVEX(bytes.NewReader(val), vexUrl.String(), report)
+	if err != nil {
 		return nil, xerrors.Errorf("unable to load VEX from external reference: %w", err)
-	} else {
-		return v, nil
 	}
+	return v, nil
 }
 
 func (set *SBOMReferenceSet) NotAffected(vuln types.DetectedVulnerability, product, subComponent *core.Component) (types.ModifiedFinding, bool) {
-
 	for _, vex := range set.VEXes {
 		if m, notAffected := vex.NotAffected(vuln, product, subComponent); notAffected {
 			return m, notAffected
diff --git a/pkg/vex/sbomref_test.go b/pkg/vex/sbomref_test.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/samber/lo"
 	"github.com/stretchr/testify/require"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
@@ -22,37 +23,32 @@ const (
 )
 
 func setUpServer(t *testing.T) *httptest.Server {
-	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		println(r.URL.Path)
-		if r.URL.Path == vexExternalRef {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case vexExternalRef:
 			f, err := os.Open("testdata/" + vexExternalRef + ".json")
 			if err != nil {
-				t.Error(err)
+				t.Fatalf("failed to open testdata: %s", err)
 			}
-
 			defer f.Close()
 
-			_, err = io.Copy(w, f)
-			if err != nil {
-				t.Error(err)
+			if _, err = io.Copy(w, f); err != nil {
+				t.Fatalf("failed to copy testdata: %s", err)
 			}
-		} else if r.URL.Path == vexUnknown {
+		case vexUnknown:
 			f, err := os.Open("testdata/" + vexUnknown + ".json")
 			if err != nil {
-				t.Error(err)
+				t.Fatalf("failed to open testdata: %s", err)
 			}
 			defer f.Close()
 
-			_, err = io.Copy(w, f)
-			if err != nil {
-				t.Error(err)
+			if _, err = io.Copy(w, f); err != nil {
+				t.Fatalf("failed to copy testdata: %s", err)
 			}
+		default:
+			http.NotFound(w, r)
 		}
-
-		http.NotFound(w, r)
-		return
 	}))
-	return s
 }
 
 func setupTestReport(s *httptest.Server, path string) *types.Report {
@@ -80,25 +76,45 @@ func TestRetrieveExternalVEXDocuments(t *testing.T) {
 	s := setUpServer(t)
 	t.Cleanup(s.Close)
 
-	t.Run("external vex retrieval", func(t *testing.T) {
-		set, err := vex.NewSBOMReferenceSet(setupTestReport(s, vexExternalRef))
-		require.NoError(t, err)
-		require.Len(t, set.VEXes, 1)
-	})
-
-	t.Run("incompatible external vex", func(t *testing.T) {
-		_, err := vex.NewSBOMReferenceSet(setupTestReport(s, vexUnknown))
-		require.Error(t, err)
-	})
-
-	t.Run("vex not found", func(t *testing.T) {
-		_, err := vex.NewSBOMReferenceSet(setupTestReport(s, vexNotFound))
-		require.Error(t, err)
-	})
+	tests := []struct {
+		name      string
+		input     *types.Report
+		wantVEXes int
+		wantErr   bool
+	}{
+		{
+			name:      "external vex retrieval",
+			input:     setupTestReport(s, vexExternalRef),
+			wantVEXes: 1,
+			wantErr:   false,
+		},
+		{
+			name:    "incompatible external vex",
+			input:   setupTestReport(s, vexUnknown),
+			wantErr: true,
+		},
+		{
+			name:    "vex not found",
+			input:   setupTestReport(s, vexNotFound),
+			wantErr: true,
+		},
+		{
+			name:      "no external reference",
+			input:     setupEmptyTestReport(),
+			wantVEXes: 0,
+			wantErr:   false,
+		},
+	}
 
-	t.Run("no external reference", func(t *testing.T) {
-		set, err := vex.NewSBOMReferenceSet(setupEmptyTestReport())
-		require.NoError(t, err)
-		require.Nil(t, set)
-	})
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := vex.NewSBOMReferenceSet(tt.input)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.Len(t, lo.FromPtr(got).VEXes, tt.wantVEXes)
+		})
+	}
 }
