set statusnote if all detail fields are empty

irenaliu18 · irenaliu18 · commit c51c29de382a · 2025-11-19T09:39:39.000-08:00
Signed-off-by: Irena Liu &lt;irena.liu@verkada.com&gt;
diff --git a/internal/testing/testdata/exampledata/cyclonedx-vex-false-positive.json b/internal/testing/testdata/exampledata/cyclonedx-vex-false-positive.json
@@ -45,6 +45,38 @@
           ]
         }
       ]
+    },
+    {
+      "id": "CVE-2024-0004",
+      "source": {
+        "name": "NVD",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0004"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator"
+          },
+          "score": 6.0,
+          "severity": "medium",
+          "method": "CVSSv31"
+        }
+      ],
+      "analysis": {
+        "state": "false_positive"
+      },
+      "affects": [
+        {
+          "ref": "urn:uuid:4e671687-395b-41f5-a30f-a58921a69b80/1#test-component-2-no-detail",
+          "versions": [
+            {
+              "version": "1.0.0",
+              "status": "unaffected"
+            }
+          ]
+        }
+      ]
     }
   ]
 }
diff --git a/internal/testing/testdata/exampledata/cyclonedx-vex-resolved-with-pedigree.json b/internal/testing/testdata/exampledata/cyclonedx-vex-resolved-with-pedigree.json
@@ -45,6 +45,38 @@
           ]
         }
       ]
+    },
+    {
+      "id": "CVE-2024-0003",
+      "source": {
+        "name": "NVD",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0003"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator"
+          },
+          "score": 7.5,
+          "severity": "high",
+          "method": "CVSSv31"
+        }
+      ],
+      "analysis": {
+        "state": "resolved_with_pedigree"
+      },
+      "affects": [
+        {
+          "ref": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79/1#test-component-no-detail",
+          "versions": [
+            {
+              "version": "1.0.0",
+              "status": "affected"
+            }
+          ]
+        }
+      ]
     }
   ]
 }
diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -326,7 +326,22 @@ var (
 		StatusNotes:      "Vulnerability was falsely identified or associated with this component",
 		KnownSince:       time.Unix(0, 0).UTC(),
 	}
-	// Vulnerability specs for new test cases
+	// VexData for resolved_with_pedigree status without detail (maps to VexStatusFixed)
+	VexDataResolvedWithPedigreeNoDetail = &generated.VexStatementInputSpec{
+		Status:           generated.VexStatusFixed,
+		VexJustification: generated.VexJustificationNotProvided,
+		Statement:        "",
+		StatusNotes:      "CDX state: resolved_with_pedigree",
+		KnownSince:       time.Unix(0, 0).UTC(),
+	}
+	// VexData for false_positive status without detail (maps to VexStatusNotAffected)
+	VexDataFalsePositiveNoDetail = &generated.VexStatementInputSpec{
+		Status:           generated.VexStatusNotAffected,
+		VexJustification: generated.VexJustificationNotProvided,
+		Statement:        "",
+		StatusNotes:      "CDX state: false_positive",
+		KnownSince:       time.Unix(0, 0).UTC(),
+	}
 	VulnSpecResolvedWithPedigree = &generated.VulnerabilityInputSpec{
 		Type:            "cve",
 		VulnerabilityID: "cve-2024-0001",
@@ -335,6 +350,15 @@ var (
 		Type:            "cve",
 		VulnerabilityID: "cve-2024-0002",
 	}
+	// Vulnerability specs for no-detail test cases
+	VulnSpecResolvedWithPedigreeNoDetail = &generated.VulnerabilityInputSpec{
+		Type:            "cve",
+		VulnerabilityID: "cve-2024-0003",
+	}
+	VulnSpecFalsePositiveNoDetail = &generated.VulnerabilityInputSpec{
+		Type:            "cve",
+		VulnerabilityID: "cve-2024-0004",
+	}
 	// VulnMetadata for resolved_with_pedigree test
 	CycloneDXResolvedWithPedigreeVulnMetadata = []assembler.VulnMetadataIngest{
 		{
@@ -345,6 +369,14 @@ var (
 				Timestamp:  time.Unix(0, 0).UTC(),
 			},
 		},
+		{
+			Vulnerability: VulnSpecResolvedWithPedigreeNoDetail,
+			VulnMetadata: &generated.VulnerabilityMetadataInputSpec{
+				ScoreType:  generated.VulnerabilityScoreTypeCvssv31,
+				ScoreValue: 7.5,
+				Timestamp:  time.Unix(0, 0).UTC(),
+			},
+		},
 	}
 	// VulnMetadata for false_positive test
 	CycloneDXFalsePositiveVulnMetadata = []assembler.VulnMetadataIngest{
@@ -356,6 +388,14 @@ var (
 				Timestamp:  time.Unix(0, 0).UTC(),
 			},
 		},
+		{
+			Vulnerability: VulnSpecFalsePositiveNoDetail,
+			VulnMetadata: &generated.VulnerabilityMetadataInputSpec{
+				ScoreType:  generated.VulnerabilityScoreTypeCvssv31,
+				ScoreValue: 6.0,
+				Timestamp:  time.Unix(0, 0).UTC(),
+			},
+		},
 	}
 
 	topLevelPkg, _     = asmhelpers.PurlToPkg("pkg:guac/cdx/ABC")
@@ -387,7 +427,7 @@ var (
 			HasSBOM: &model.HasSBOMInputSpec{
 				Uri:        "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
 				Algorithm:  "sha256",
-				Digest:     "a9e5e5fcc0939b4e9ddf74a5863ff577bef9bbf8086d99a4dafb8154c451b56f",
+				Digest:     "32981b0c4f87df9243c0e9b8a9600f2e19aae0c0cb76122edfe4a54ef59b9d48",
 				KnownSince: parseRfc3339("2024-01-15T10:30:00Z"),
 			},
 		},
@@ -400,22 +440,25 @@ var (
 			HasSBOM: &model.HasSBOMInputSpec{
 				Uri:        "urn:uuid:4e671687-395b-41f5-a30f-a58921a69b80",
 				Algorithm:  "sha256",
-				Digest:     "738690dd4acaf82b417072354ee631a20a50453278053b558770c6f65906f11d",
+				Digest:     "0731373583749ae046d0992e9b417d4b2960f75d7a979c72fd0b7a258566d520",
 				KnownSince: parseRfc3339("2024-01-15T10:30:00Z"),
 			},
 		},
 	}
 	// Predicates for resolved_with_pedigree test
-	// The affects ref is "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79/1#test-component"
-	// The parser splits on "#" and uses "test-component" as pkdIdentifier
-	// Then creates PURL as pkg:guac/pkg/test-component@1.0.0 using guacCDXPkgPurl
 	resolvedWithPedigreePkg, _             = asmhelpers.PurlToPkg("pkg:guac/pkg/test-component@1.0.0")
+	resolvedWithPedigreeNoDetailPkg, _     = asmhelpers.PurlToPkg("pkg:guac/pkg/test-component-no-detail@1.0.0")
 	CycloneDXResolvedWithPedigreeVexIngest = []assembler.VexIngest{
 		{
 			Pkg:           resolvedWithPedigreePkg,
 			Vulnerability: VulnSpecResolvedWithPedigree,
 			VexData:       VexDataResolvedWithPedigree,
 		},
+		{
+			Pkg:           resolvedWithPedigreeNoDetailPkg,
+			Vulnerability: VulnSpecResolvedWithPedigreeNoDetail,
+			VexData:       VexDataResolvedWithPedigreeNoDetail,
+		},
 	}
 	CycloneDXResolvedWithPedigreePredicates = assembler.IngestPredicates{
 		HasSBOM:      HasSBOMVexResolvedWithPedigree,
@@ -424,22 +467,24 @@ var (
 		// Note: No CertifyVuln because status is Fixed (not Affected/UnderInvestigation)
 	}
 	// Predicates for false_positive test
-	// The affects ref is "urn:uuid:4e671687-395b-41f5-a30f-a58921a69b80/1#test-component-2"
-	// The parser splits on "#" and uses "test-component-2" as pkdIdentifier
-	// Then creates PURL as pkg:guac/pkg/test-component-2@1.0.0 using guacCDXPkgPurl
 	falsePositivePkg, _             = asmhelpers.PurlToPkg("pkg:guac/pkg/test-component-2@1.0.0")
+	falsePositiveNoDetailPkg, _     = asmhelpers.PurlToPkg("pkg:guac/pkg/test-component-2-no-detail@1.0.0")
 	CycloneDXFalsePositiveVexIngest = []assembler.VexIngest{
 		{
 			Pkg:           falsePositivePkg,
 			Vulnerability: VulnSpecFalsePositive,
 			VexData:       VexDataFalsePositive,
 		},
+		{
+			Pkg:           falsePositiveNoDetailPkg,
+			Vulnerability: VulnSpecFalsePositiveNoDetail,
+			VexData:       VexDataFalsePositiveNoDetail,
+		},
 	}
 	CycloneDXFalsePositivePredicates = assembler.IngestPredicates{
 		HasSBOM:      HasSBOMVexFalsePositive,
 		VulnMetadata: CycloneDXFalsePositiveVulnMetadata,
 		Vex:          CycloneDXFalsePositiveVexIngest,
-		// Note: No CertifyVuln because status is NotAffected (not Affected/UnderInvestigation)
 	}
 
 	// DSSE/SLSA Testdata
diff --git a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go
@@ -579,6 +579,8 @@ func (c *cyclonedxParser) getVulnerabilities(ctx context.Context) error {
 			vd.KnownSince = publishedTime
 			vd.Statement = vulnerability.Description
 
+			// Extract StatusNotes from analysis detail field.
+			// This applies to all analysis states including resolved_with_pedigree and false_positive.
 			if vulnerability.Analysis.Detail != "" {
 				vd.StatusNotes = vulnerability.Analysis.Detail
 			} else if vulnerability.Analysis.Response != nil {
@@ -587,7 +589,14 @@ func (c *cyclonedxParser) getVulnerabilities(ctx context.Context) error {
 					response = append(response, string(res))
 				}
 				vd.StatusNotes = strings.Join(response, ",")
-			} else {
+			} else if vulnerability.Analysis.State != cdx.IASResolved &&
+				vulnerability.Analysis.State != cdx.IASExploitable &&
+				vulnerability.Analysis.State != cdx.IASInTriage &&
+				vulnerability.Analysis.State != cdx.IASNotAffected {
+				// Only preserve the CDX state enum information if it's not one of the original 4 states, since those provide additional context beyond what's already captured in vd.Status
+				// Original states: IASResolved, IASExploitable, IASInTriage, IASNotAffected
+				vd.StatusNotes = fmt.Sprintf("CDX state: %s", string(vulnerability.Analysis.State))
+			} else if vulnerability.Detail != "" {
 				vd.StatusNotes = vulnerability.Detail
 			}
 		} else {
