refactor: cbt-actions triage-process

intel · Aug 14, 2024 · d81c229 · d81c229
1 parent 5508c55
commit d81c229
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -42,9 +42,9 @@ NOTE: To mention multiple directories, use comma as a separator and don't includ
 
 **Optional** Valid SBOM formats are tag, json, yaml. (default: json)
 
-### `triage_input_file`
+### `vex_file`
 
-**Optional** Provide input filename for triage data. The supported format is CycloneDX VEX. Find more information [here](https://github.com/intel/cve-bin-tool#providing-triage-input).
+**Optional** Provide input filename for triage data. The supported format is CycloneDX VEX, OpenVEX and CSAF. Find more information [here](https://github.com/intel/cve-bin-tool#providing-triage-input).
 
 ### `filter_triage`
 

diff --git a/action.yml b/action.yml
@@ -28,7 +28,7 @@ inputs:
     required: false
     default: false
     description: 'Split security alerts based on source file.'
-  triage_input_file:
+  vex_file:
     required: false
     description: 'Provide input filename for triage data.'
   filter_triage:
@@ -62,7 +62,7 @@ runs:
         --sbom-type '${{ inputs.sbom_type }}'
         --sbom-format '${{ inputs.sbom_format }}'
         --alerts-based-on-file '${{inputs.alerts_based_on_file}}'
-        --triage-input-file '${{ inputs.triage_input_file }}'
+        --vex-file '${{ inputs.vex_file }}'
         --filter-triage '${{inputs.filter_triage}}'
       shell: bash
     - uses: actions/upload-artifact@v4

diff --git a/src/cve_bin_tool.py b/src/cve_bin_tool.py
@@ -25,14 +25,15 @@ def update_db(self, nvd_api_key):
     def scan(
         self,
         dir,
+        filter_triage=False,
         scan_mode="repo-only",
         formats=[],
         output=None,
         exclude=None,
         sbom_type=None,
         sbom_format="json",
         sbom_output="SBOM.json",
-        triage_input_file=None,
+        vex_file=None,
     ):
         json_data = []
         captured_output = ""
@@ -63,9 +64,11 @@ def scan(
                 command.append(sbom_format)
                 command.append("--sbom-output")
                 command.append(sbom_output)
-            if triage_input_file and Path(triage_input_file).exists():
-                command.append("--triage-input-file")
-                command.append(triage_input_file)
+            if vex_file and Path(vex_file).exists():
+                command.append("--vex-file")
+                command.append(vex_file)
+            if filter_triage:
+                command.append("--filter-triage")
             captured_output += subprocess.run(
                 command, capture_output=True, text=True
             ).stdout

diff --git a/src/generate_sarif.py b/src/generate_sarif.py
@@ -19,14 +19,12 @@ def __init__(
         html_file_path,
         available_fixes,
         alerts_based_on_file,
-        filter_triage,
     ) -> None:
         self.repository = repository
         self.action_run_id = action_run_id
         self.available_fixes = available_fixes
         self.json_file_path = Path(json_file_path).absolute()
         self.alerts_based_on_file = alerts_based_on_file
-        self.filter_triage = filter_triage
         self.sarif_file = {}
         self.vulnerabilities = []
         self.load_sample_sarif_file()
@@ -88,12 +86,6 @@ def extract_vulnerablities_from_json(self):
         with open(self.json_file_path) as fp:
             vulnerabilities = json.load(fp)
         for vulnerability in vulnerabilities:
-            # Check if filter_triage is enabled and remarks are notaffected or falsepositive
-            if self.filter_triage and vulnerability["remarks"].lower() in [
-                "notaffected",
-                "falsepositive",
-            ]:
-                continue
             filename = vulnerability["paths"].split(" contains ")[0]
             version_tag = f'{vulnerability["product"]}_{vulnerability["version"]}'
             if not self.alerts_based_on_file:

diff --git a/src/scanner.py b/src/scanner.py
@@ -67,7 +67,7 @@ def main():
         required=False,
     )
     parser.add_argument(
-        "--triage-input-file",
+        "--vex-file",
         help="Provide input filename for triage data.",
         required=False,
     )
@@ -115,7 +115,8 @@ def main():
         sbom_type=args.sbom_type,
         sbom_format=args.sbom_format,
         sbom_output=f"{args.sbom_output}.{output_extension}",
-        triage_input_file=args.triage_input_file,
+        vex_file=args.vex_file,
+        filter_triage=args.filter_triage,
     )
 
     gen_sarif = GenerateSarif(
@@ -125,7 +126,6 @@ def main():
         html_file_path=f"{args.html_pdf_output}.html",
         available_fixes=available_fixes,
         alerts_based_on_file=args.alerts_based_on_file == "true",
-        filter_triage=args.filter_triage,
     )
     gen_sarif.write_file(
         output_file=args.sarif_output,

diff --git a/test/test_generate_sarif.py b/test/test_generate_sarif.py
@@ -46,7 +46,6 @@ def test_generate_sarif_with_no_vulnerablities(self):
             html_file_path=non_existant_html_file,
             available_fixes={},
             alerts_based_on_file=True,
-            filter_triage=False,
         )
         sarif_generator.write_file(self.tmp_dir / "output.sarif")
         with open(self.tmp_dir / "output.sarif") as fd:
@@ -79,7 +78,6 @@ def test_generate_sarif_with_vulnerablities(self):
             html_file_path=blank_html,
             available_fixes={},
             alerts_based_on_file=True,
-            filter_triage=False,
         )
         sarif_generator.write_file(self.tmp_dir / "output.sarif")
         with open(self.tmp_dir / "output.sarif") as fd: