fix(vex): don't suppress vulns for packages with infinity loop (#9465)

pkg/vex/vex.go

@@ -192,8 +192,8 @@ func reachRoot(leaf *core.Component, components map[uuid.UUID]*core.Component, p
 			return false
 		case c.Root:
 			return true
-		case len(parents[c.ID()]) == 0:
-			// Should never reach here as all components other than the root should have at least one parent.
+		case lo.Every(lo.Keys(visited), parents[c.ID()]):
+			// Should never go here, since all components except the root must have at least one parent and be related to the root component.
 			// If it does, it means the component tree is not connected due to a bug in the SBOM generation.
 			// In this case, so as not to filter out all the vulnerabilities accidentally, return true for fail-safe.
 			return true

pkg/vex/vex_test.go

@@ -56,6 +56,20 @@ var (
 			},
 		},
 	}
+	baseFilesPackage = ftypes.Package{
+		ID:      "base-files@5.3",
+		Name:    "base-files",
+		Version: "5.3",
+		Identifier: ftypes.PkgIdentifier{
+			UID: "07",
+			PURL: &packageurl.PackageURL{
+				Type:      packageurl.TypeDebian,
+				Namespace: "debian",
+				Name:      "base-files",
+				Version:   "5.3",
+			},
+		},
+	}
 	goModulePackage = ftypes.Package{
 		ID:           "github.com/aquasecurity/go-module@v1.0.0",
 		Name:         "github.com/aquasecurity/go-module",
@@ -539,6 +553,38 @@ repositories:
 				}),
 			}, fmt.Sprintf("%s/debian@%s", strings.TrimPrefix(tr.URL, "http://"), d.String())),
 		},
+		{
+			name: "infinity loop for OS packages",
+			args: args{
+				// - oci:debian?tag=12
+				//     - pkg:deb/debian/bash@5.3
+				//        - pkg:deb/debian/base-files@5.3
+				//     - pkg:deb/debian/base-files@5.3
+				//        - pkg:deb/debian/bash@5.3
+				report: imageReport([]types.Result{
+					infinityLoopOSPackagesResult(types.Result{
+						Vulnerabilities: []types.DetectedVulnerability{
+							vuln3,
+						},
+					}),
+				}),
+				opts: vex.Options{
+					Sources: []vex.Source{
+						{
+							Type:     vex.TypeFile,
+							FilePath: "testdata/openvex-multiple.json",
+						},
+					},
+				},
+			},
+			want: imageReport([]types.Result{
+				infinityLoopOSPackagesResult(types.Result{
+					Vulnerabilities: []types.DetectedVulnerability{
+						vuln3,
+					},
+				}),
+			}),
+		},
 		{
 			name: "unknown format",
 			args: args{
@@ -654,6 +700,24 @@ func bashResult(result types.Result) types.Result {
 	return result
 }
 
+func infinityLoopOSPackagesResult(result types.Result) types.Result {
+	result.Type = ftypes.Debian
+	result.Class = types.ClassOSPkg
+
+	bashPkg := clonePackage(bashPackage)
+	baseFilesPkg := clonePackage(baseFilesPackage)
+
+	bashPkg.DependsOn = []string{baseFilesPkg.ID}
+	baseFilesPkg.DependsOn = []string{bashPkg.ID}
+
+	result.Packages = []ftypes.Package{
+		bashPkg,
+		baseFilesPkg,
+	}
+
+	return result
+}
+
 func goSinglePathResult(result types.Result) types.Result {
 	result.Type = ftypes.GoModule
 	result.Class = types.ClassLangPkg
@@ -679,11 +743,11 @@ func goMultiPathResult(result types.Result) types.Result {
 	result.Type = ftypes.GoModule
 	result.Class = types.ClassLangPkg
 
-	// - pkg:golang/github.com/aquasecurity/go-module@v2.0.0
-	//     - pkg:golang/github.com/aquasecurity/go-direct1@v3.0.0
-	//         - pkg:golang/github.com/aquasecurity/go-transitive@v5.0.0
-	//     - pkg:golang/github.com/aquasecurity/go-direct2@v4.0.0
+	// - pkg:golang/github.com/aquasecurity/go-module@v1.0.0
+	//     - pkg:golang/github.com/aquasecurity/go-direct1@v2.0.0
 	//         - pkg:golang/github.com/aquasecurity/go-transitive@v5.0.0
+	//     - pkg:golang/github.com/aquasecurity/go-direct2@v3.0.0
+	//         - pkg:golang/github.com/aquasecurity/go-transitive@v4.0.0
 	goModule := clonePackage(goModulePackage)
 	goDirect1 := clonePackage(goDirectPackage1)
 	goDirect2 := clonePackage(goDirectPackage2)