// Source: github.com/google/osv-scalibr@v0.4.1/binary/proto/package_vuln.go

// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package proto

import (
	"fmt"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/inventory/vex"

	spb "github.com/google/osv-scalibr/binary/proto/scan_result_go_proto"
)

// PackageVulnToProto converts a PackageVuln struct to proto.
//
// A nil v yields (nil, nil). When v.Package is set it must be present as a key
// in pkgToID; the map is keyed by *extractor.Package, so the lookup is by
// pointer. A missing entry is reported as an error that names the package's
// ecosystem, name and version.
//
// NOTE(review): a nil v.Package is accepted here and results in an empty
// PackageId, whereas PackageVulnToStruct rejects an empty PackageId. Such a
// finding would serialize but fail to deserialize; confirm which side reflects
// the intended contract.
func PackageVulnToProto(v *inventory.PackageVuln, pkgToID map[*extractor.Package]string) (*spb.PackageVuln, error) {
	if v == nil {
		return nil, nil
	}

	pkgID := ""
	if pkg := v.Package; pkg != nil {
		id, found := pkgToID[pkg]
		if !found {
			return nil, fmt.Errorf("%v package %q version %q not found in pkgToID map", pkg.Ecosystem().String(), pkg.Name, pkg.Version)
		}
		pkgID = id
	}

	// Stays nil when the finding carries no exploitability signals.
	var signals []*spb.FindingExploitabilitySignal
	for _, sig := range v.ExploitabilitySignals {
		signals = append(signals, FindingVEXToProto(sig))
	}

	out := &spb.PackageVuln{
		Vuln:                  v.Vulnerability,
		PackageId:             pkgID,
		Plugins:               v.Plugins,
		ExploitabilitySignals: signals,
	}
	return out, nil
}

// PackageVulnToStruct converts a PackageVuln proto into the equivalent go struct.
//
// A nil v yields (nil, nil). The message must carry a non-empty package ID
// that is present in idToPkg; otherwise an error is returned and no struct is
// built. Only presence of the key is checked, so an ID that maps to a nil
// *extractor.Package is passed through as a nil Package.
func PackageVulnToStruct(v *spb.PackageVuln, idToPkg map[string]*extractor.Package) (*inventory.PackageVuln, error) {
	if v == nil {
		return nil, nil
	}

	id := v.GetPackageId()
	if id == "" {
		// %+v embeds the whole message in the error text.
		return nil, fmt.Errorf("package ID is empty for PackageVuln %+v", v)
	}

	pkg, found := idToPkg[id]
	if !found {
		return nil, fmt.Errorf("package with ID %q not found in idToPkg map", id)
	}

	// Stays nil when the message carries no exploitability signals.
	var signals []*vex.FindingExploitabilitySignal
	for _, sig := range v.GetExploitabilitySignals() {
		signals = append(signals, FindingVEXToStruct(sig))
	}

	out := &inventory.PackageVuln{
		Vulnerability:         v.GetVuln(),
		Package:               pkg,
		Plugins:               v.GetPlugins(),
		ExploitabilitySignals: signals,
	}
	return out, nil
}