
Conversation


@irenaliu18 irenaliu18 commented Nov 5, 2025

Description of the PR

This PR addresses issue 2812, adding support for two missing CycloneDX 1.6 VEX (Vulnerability Exploitability eXchange) status values: resolved_with_pedigree and false_positive. These statuses were introduced in CycloneDX 1.5+ but were not previously handled by the GUAC parser, causing ingestion failures with the error "unknown vulnerability status".

GUAC currently fails to ingest CycloneDX 1.6 SBOMs containing the following VEX statuses:

  • resolved_with_pedigree - Indicates the vulnerability has been remediated with evidence provided in component pedigree
  • false_positive - Indicates the vulnerability was falsely identified or associated with the component

Unit Tests

New test cases pass:

  • Test_cyclonedxParser/valid_CycloneDX_VEX_document_with_resolved_with_pedigree_status
  • Test_cyclonedxParser/valid_CycloneDX_VEX_document_with_false_positive_status

go test ./pkg/ingestor/parser/cyclonedx/... -v

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using the -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged
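To make the failure mode and the fix concrete: below is an added, stand-alone Go example (not GUAC's code and not the PR's diff) of a small CycloneDX VEX parser that maps every analysis.state value defined by the CycloneDX 1.6 spec onto a four-value VEX status, with a fail-fast error for anything unmapped, which is the "unknown vulnerability status" ingestion failure this PR describes. The `VexStatus` type, its four constants, the function names and the mapping of `resolved_with_pedigree` to FIXED and `false_positive` to NOT_AFFECTED are assumptions made for this example; the sample document is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// VexStatus is a hypothetical ingestion-side status enum for this example;
// it is not GUAC's own type.
type VexStatus string

const (
	StatusNotAffected        VexStatus = "NOT_AFFECTED"
	StatusAffected           VexStatus = "AFFECTED"
	StatusFixed              VexStatus = "FIXED"
	StatusUnderInvestigation VexStatus = "UNDER_INVESTIGATION"
)

// cdxStateToStatus maps the CycloneDX 1.6 analysis.state values to a VexStatus.
// Mapping resolved_with_pedigree to FIXED and false_positive to NOT_AFFECTED is
// the assumed interpretation. An unknown state is an error, never a silent guess,
// because a wrong status on a vulnerability is a security-relevant mistake.
func cdxStateToStatus(state string) (VexStatus, error) {
	switch state {
	case "resolved", "resolved_with_pedigree":
		return StatusFixed, nil
	case "exploitable":
		return StatusAffected, nil
	case "in_triage":
		return StatusUnderInvestigation, nil
	case "false_positive", "not_affected":
		return StatusNotAffected, nil
	default:
		return "", fmt.Errorf("unknown vulnerability status: %q", state)
	}
}

// cdxVexDoc models only the CycloneDX fields this example needs.
type cdxVexDoc struct {
	Vulnerabilities []struct {
		ID       string `json:"id"`
		Analysis struct {
			State string `json:"state"`
		} `json:"analysis"`
	} `json:"vulnerabilities"`
}

// parseVexStatuses returns vulnerability id -> status for a CycloneDX VEX
// document, failing on the first unmapped state and naming the offending id.
func parseVexStatuses(doc []byte) (map[string]VexStatus, error) {
	var d cdxVexDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("parse cyclonedx: %w", err)
	}
	out := make(map[string]VexStatus, len(d.Vulnerabilities))
	for _, v := range d.Vulnerabilities {
		st, err := cdxStateToStatus(v.Analysis.State)
		if err != nil {
			return nil, fmt.Errorf("vulnerability %s: %w", v.ID, err)
		}
		out[v.ID] = st
	}
	return out, nil
}

// sampleVex is a constructed minimal CycloneDX 1.6 VEX document using the two
// statuses added by the PR plus one that was already handled.
const sampleVex = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "vulnerabilities": [
    {"id": "CVE-EXAMPLE-0001", "analysis": {"state": "resolved_with_pedigree"}},
    {"id": "CVE-EXAMPLE-0002", "analysis": {"state": "false_positive"}},
    {"id": "CVE-EXAMPLE-0003", "analysis": {"state": "in_triage"}}
  ]
}`

func main() {
	statuses, err := parseVexStatuses([]byte(sampleVex))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for id, st := range statuses {
		fmt.Printf("%s -> %s\n", id, st)
	}
	// A state outside the spec is reported, not dropped.
	_, err = parseVexStatuses([]byte(`{"vulnerabilities":[{"id":"X","analysis":{"state":"bogus"}}]}`))
	fmt.Println("error:", err)
}
```

Before the PR, a parser written this way would have fallen into the `default` branch for `resolved_with_pedigree` and `false_positive` and rejected the whole document; the fix is the two extra `case` labels, and the test for the new code path is simply a document carrying each new state, as the Unit Tests section above lists.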

Collaborator

@funnelfiasco funnelfiasco left a comment


In addition to resolving the addition of a GitHub workflow, you will need to include a DCO signoff before this change can be approved.

@irenaliu18 irenaliu18 force-pushed the irenaliu/add-vex-status-mapping branch from 61aa4aa to 56a00d1 Compare November 5, 2025 17:35
@pull-request-size pull-request-size bot added size/L and removed size/S labels Nov 5, 2025
@irenaliu18 irenaliu18 changed the title Irenaliu/add vex status mapping fix: Missing VEX status mappings for resolved_with_pedigree and false_positive Nov 5, 2025
@irenaliu18 irenaliu18 marked this pull request as ready for review November 5, 2025 17:57
Contributor

@lumjjb lumjjb left a comment


Thanks for opening up this PR! Looks great, with some minor comments!

@irenaliu18 irenaliu18 force-pushed the irenaliu/add-vex-status-mapping branch 2 times, most recently from 0201225 to 644fe18 Compare November 6, 2025 23:39
@irenaliu18 irenaliu18 requested a review from lumjjb November 7, 2025 05:25
Contributor

@lumjjb lumjjb left a comment


Thanks for the changes, minor comment, and started the workflow for tests!

@irenaliu18 irenaliu18 force-pushed the irenaliu/add-vex-status-mapping branch from 644fe18 to 064b713 Compare November 11, 2025 19:13
@irenaliu18 irenaliu18 requested a review from lumjjb November 11, 2025 19:14
Contributor

@lumjjb lumjjb left a comment


LGTM with the requirement of one test for the new code path (see comment). Thanks @irenaliu18!

@lumjjb lumjjb requested a review from pxp928 November 18, 2025 21:13
@irenaliu18 irenaliu18 force-pushed the irenaliu/add-vex-status-mapping branch from 064b713 to c51c29d Compare November 19, 2025 17:39
Collaborator

@pxp928 pxp928 left a comment


LGTM! Thank You

Collaborator

@funnelfiasco funnelfiasco left a comment


Clearing my change request since the issues have been addressed and the test failures are systemic.

Contributor

lumjjb commented Nov 26, 2025

I'm currently checking which CI tests are broken that we should fix/ignore (#2820), to make sure to unblock this if the failures are not caused by this PR.

Contributor

lumjjb commented Dec 2, 2025

Hi @irenaliu18, I fixed some of the CI checks. Can you rebase and reupload the PR, and I can run the tests again!
