fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)

pkg/detector/library/driver.go

@@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 			InstalledVersion: pkgVer,
 			FixedVersion:     createFixedVersions(adv),
 			DataSource:       adv.DataSource,
+			Custom:           adv.Custom,
 		}
 		vulns = append(vulns, vuln)
 	}

pkg/detector/library/driver_test.go

@@ -182,6 +182,32 @@ func TestDriver_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Custom data for vulnerability",
+			fixtures: []string{
+				"testdata/fixtures/go-custom-data.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.GoBinary,
+			args: args{
+				pkgName: "github.com/docker/docker",
+				pkgVer:  "23.0.14",
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "GHSA-v23v-6jw2-98fq",
+					PkgName:          "github.com/docker/docker",
+					InstalledVersion: "23.0.14",
+					FixedVersion:     "23.0.15, 26.1.5, 27.1.1, 25.0.6",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.GHSA,
+						Name: "GitHub Security Advisory Go",
+						URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
+					},
+					Custom: map[string]any{"Severity": 2.0},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/detector/library/testdata/fixtures/data-source.yaml

@@ -25,3 +25,8 @@
         ID: "ghsa"
         Name: "GitHub Security Advisory Pip"
         URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+    - key: "go::GitHub Security Advisory Go"
+      value:
+        ID: "ghsa"
+        Name: "GitHub Security Advisory Go"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"

pkg/detector/library/testdata/fixtures/go-custom-data.yaml

@@ -0,0 +1,18 @@
+- bucket: "go::GitHub Security Advisory Go"
+  pairs:
+    - bucket: github.com/docker/docker
+      pairs:
+        - key: "GHSA-v23v-6jw2-98fq"
+          value:
+            PatchedVersions:
+              - "23.0.15"
+              - "26.1.5"
+              - "27.1.1"
+              - "25.0.6"
+            VulnerableVersions:
+              - ">=19.03.0, <23.0.15"
+              - ">=26.0.0, <26.1.5"
+              - ">=27.0.0, <27.1.1"
+              - ">=24.0.0, <25.0.6"
+            Custom:
+              Severity: 2

pkg/rpc/convert.go

@@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package {
 			DependsOn:  pkg.DependsOn,
 			Digest:     pkg.Digest.String(),
 			Indirect:   pkg.Indirect,
+			Maintainer: pkg.Maintainer,
 		})
 	}
 	return rpcPkgs
@@ -226,6 +227,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
 			DependsOn:  pkg.DependsOn,
 			Digest:     digest.Digest(pkg.Digest),
 			Indirect:   pkg.Indirect,
+			Maintainer: pkg.Maintainer,
 		})
 	}
 	return pkgs

pkg/rpc/convert_test.go

@@ -183,6 +183,78 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 				},
 			},
 		},
+		{
+			args: args{
+				rpcPkgs: []*common.Package{
+					{
+						Name:       "binary",
+						Version:    "4.2+dfsg",
+						Release:    "0.1+deb7u4",
+						Epoch:      0,
+						Arch:       "amd64",
+						SrcName:    "bash",
+						SrcVersion: "4.2+dfsg",
+						SrcRelease: "0.1+deb7u4",
+						SrcEpoch:   0,
+						Licenses:   []string{"GPL-3.0"},
+						Locations: []*common.Location{
+							{
+								StartLine: 10,
+								EndLine:   20,
+							},
+							{
+								StartLine: 22,
+								EndLine:   32,
+							},
+						},
+						Layer: &common.Layer{
+							Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+							DiffId: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+						},
+						Digest:   "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+						Indirect: false,
+						Identifier: &common.PkgIdentifier{
+							Uid: "63f8bef824b960e3",
+						},
+						Maintainer: "alice@example.com",
+					},
+				},
+			},
+			want: []ftypes.Package{
+				{
+					Name:       "binary",
+					Version:    "4.2+dfsg",
+					Release:    "0.1+deb7u4",
+					Epoch:      0,
+					Arch:       "amd64",
+					SrcName:    "bash",
+					SrcVersion: "4.2+dfsg",
+					SrcRelease: "0.1+deb7u4",
+					SrcEpoch:   0,
+					Licenses:   []string{"GPL-3.0"},
+					Locations: []ftypes.Location{
+						{
+							StartLine: 10,
+							EndLine:   20,
+						},
+						{
+							StartLine: 22,
+							EndLine:   32,
+						},
+					},
+					Layer: ftypes.Layer{
+						Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+						DiffID: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+					},
+					Digest:   "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+					Indirect: false,
+					Identifier: ftypes.PkgIdentifier{
+						UID: "63f8bef824b960e3",
+					},
+					Maintainer: "alice@example.com",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

rpc/common/service.pb.go

@@ -465,6 +465,7 @@ type Package struct {
 	Digest     string      `protobuf:"bytes,16,opt,name=digest,proto3" json:"digest,omitempty"`
 	Dev        bool        `protobuf:"varint,17,opt,name=dev,proto3" json:"dev,omitempty"`
 	Indirect   bool        `protobuf:"varint,18,opt,name=indirect,proto3" json:"indirect,omitempty"`
+	Maintainer string      `protobuf:"bytes,21,opt,name=maintainer,proto3" json:"maintainer,omitempty"`
 }
 
 func (x *Package) Reset() {
@@ -632,6 +633,13 @@ func (x *Package) GetIndirect() bool {
 	return false
 }
 
+func (x *Package) GetMaintainer() string {
+	if x != nil {
+		return x.Maintainer
+	}
+	return ""
+}
+
 type PkgIdentifier struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -2428,7 +2436,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{
 	0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x31, 0x0a, 0x08, 0x70, 0x61, 0x63, 0x6b,
 	0x61, 0x67, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x72, 0x69,
 	0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67,
-	0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xc1, 0x04, 0x0a, 0x07,
+	0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xe1, 0x04, 0x0a, 0x07,
 	0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x0d, 0x20,
 	0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
 	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76,
@@ -2464,7 +2472,9 @@ var file_rpc_common_service_proto_rawDesc = []byte{
 	0x65, 0x73, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73,
 	0x74, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x76, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03,
 	0x64, 0x65, 0x76, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18,
-	0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x22,
+	0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12,
+	0x1e, 0x0a, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x18, 0x15, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x22,
 	0x4e, 0x0a, 0x0d, 0x50, 0x6b, 0x67, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72,
 	0x12, 0x12, 0x0a, 0x04, 0x70, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
 	0x70, 0x75, 0x72, 0x6c, 0x12, 0x17, 0x0a, 0x07, 0x62, 0x6f, 0x6d, 0x5f, 0x72, 0x65, 0x66, 0x18,

rpc/common/service.proto

@@ -54,6 +54,7 @@ message Package {
   string            digest      = 16;
   bool              dev         = 17;
   bool              indirect    = 18;
+  string            maintainer  = 21;
 }
 
 message PkgIdentifier {