Description
Describe the bug
GUAC v1.0.1 fails to ingest CycloneDX 1.6 SBOMs containing resolved_with_pedigree VEX status:
"emit error: unable to ingest document: unable to ingest doc tree: unknown vulnerability status resolved_with_pedigree"
The vexStatusMap in pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go only includes 4 of 6 valid CycloneDX 1.5+ ImpactAnalysisState values.
Current Code:
```go
var vexStatusMap = map[cdx.ImpactAnalysisState]model.VexStatus{
	cdx.IASResolved:    model.VexStatusFixed,
	cdx.IASExploitable: model.VexStatusAffected,
	cdx.IASInTriage:    model.VexStatusUnderInvestigation,
	cdx.IASNotAffected: model.VexStatusNotAffected,
}
```
Reference:
- The CycloneDX 1.5+ specification defines 6 valid ImpactAnalysisState values: `resolved`, `resolved_with_pedigree`, `exploitable`, `in_triage`, `false_positive`, `not_affected`
To Reproduce
Steps to reproduce the behavior:
1. Download the sample SBOM file with `resolved_with_pedigree` status (see sample file below)
2. Use GUAC v1.0.1 to ingest the SBOM:
```shell
guacone collect files test-resolved-with-pedigree.json \
  --gql-addr=http://localhost:8080/query \
  --csub-addr=localhost:2782
```
3. Observe the error: `unknown vulnerability status resolved_with_pedigree`
4. Repeat with test-false-positive.json
Expected behavior
GUAC ingestion should succeed with valid CycloneDX 1.6 SBOMs
GUAC version
GUAC binary v1.0.1
Ingested document(s)
test-resolved-with-pedigree.json
test-false-positive.json
Additional context
- This affects real-world SBOMs from tools like Timesys Vigiles that export CycloneDX 1.6 format
- The cyclonedx-go library (v0.9.2) used by GUAC supports these constants, but GUAC's parser doesn't map them
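To make the failure concrete, here is an added, self-contained Go example (not code from the GUAC project or from this issue) that reproduces the lookup the parser performs. It defines stand-in types for cyclonedx-go's `ImpactAnalysisState` and GUAC's `model.VexStatus` so it runs without either module, reproduces the four-entry map quoted above, and runs a constructed minimal CycloneDX 1.6 fragment through both that map and a six-entry map. The two added entries (`resolved_with_pedigree` to fixed, `false_positive` to not affected) are my assumption about a reasonable mapping, not something the issue states; the vulnerability IDs are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ImpactAnalysisState is a constructed stand-in for cyclonedx-go's cdx.ImpactAnalysisState.
// The six string values are the ones the CycloneDX 1.5+ specification defines.
type ImpactAnalysisState string

const (
	IASResolved             ImpactAnalysisState = "resolved"
	IASResolvedWithPedigree ImpactAnalysisState = "resolved_with_pedigree"
	IASExploitable          ImpactAnalysisState = "exploitable"
	IASInTriage             ImpactAnalysisState = "in_triage"
	IASFalsePositive        ImpactAnalysisState = "false_positive"
	IASNotAffected          ImpactAnalysisState = "not_affected"
)

// VexStatus is a constructed stand-in for GUAC's model.VexStatus enum.
type VexStatus string

const (
	VexStatusFixed              VexStatus = "FIXED"
	VexStatusAffected           VexStatus = "AFFECTED"
	VexStatusUnderInvestigation VexStatus = "UNDER_INVESTIGATION"
	VexStatusNotAffected        VexStatus = "NOT_AFFECTED"
)

// currentVexStatusMap reproduces the four-entry map quoted in the issue.
var currentVexStatusMap = map[ImpactAnalysisState]VexStatus{
	IASResolved:    VexStatusFixed,
	IASExploitable: VexStatusAffected,
	IASInTriage:    VexStatusUnderInvestigation,
	IASNotAffected: VexStatusNotAffected,
}

// proposedVexStatusMap covers all six states. The two extra entries are an assumption
// about the intended mapping, not taken from the issue or from GUAC.
var proposedVexStatusMap = map[ImpactAnalysisState]VexStatus{
	IASResolved:             VexStatusFixed,
	IASResolvedWithPedigree: VexStatusFixed,        // assumption: remediated, with pedigree evidence
	IASExploitable:          VexStatusAffected,
	IASInTriage:             VexStatusUnderInvestigation,
	IASFalsePositive:        VexStatusNotAffected,  // assumption: a false positive is not affected
	IASNotAffected:          VexStatusNotAffected,
}

// vulnerability is the minimal slice of a CycloneDX vulnerability entry needed here.
type vulnerability struct {
	ID       string `json:"id"`
	Analysis struct {
		State ImpactAnalysisState `json:"state"`
	} `json:"analysis"`
}

// mapVexStatus performs the lookup and mirrors the error wording from the issue for unknown states.
func mapVexStatus(m map[ImpactAnalysisState]VexStatus, s ImpactAnalysisState) (VexStatus, error) {
	v, ok := m[s]
	if !ok {
		return "", fmt.Errorf("unknown vulnerability status %s", s)
	}
	return v, nil
}

// ingestStatuses parses the "vulnerabilities" array of a CycloneDX JSON document and maps
// every analysis state with the given map, failing on the first unknown state.
func ingestStatuses(m map[ImpactAnalysisState]VexStatus, doc []byte) (map[string]VexStatus, error) {
	var bom struct {
		Vulnerabilities []vulnerability `json:"vulnerabilities"`
	}
	if err := json.Unmarshal(doc, &bom); err != nil {
		return nil, fmt.Errorf("unable to parse document: %w", err)
	}
	out := make(map[string]VexStatus, len(bom.Vulnerabilities))
	for _, v := range bom.Vulnerabilities {
		st, err := mapVexStatus(m, v.Analysis.State)
		if err != nil {
			return nil, fmt.Errorf("unable to ingest doc tree: %w", err)
		}
		out[v.ID] = st
	}
	return out, nil
}

// sampleBOM is a constructed minimal CycloneDX 1.6 fragment with placeholder IDs;
// it is not the reporter's test-resolved-with-pedigree.json.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "vulnerabilities": [
    {"id": "VULN-PLACEHOLDER-1", "analysis": {"state": "resolved_with_pedigree"}},
    {"id": "VULN-PLACEHOLDER-2", "analysis": {"state": "false_positive"}},
    {"id": "VULN-PLACEHOLDER-3", "analysis": {"state": "not_affected"}}
  ]
}`

func main() {
	if _, err := ingestStatuses(currentVexStatusMap, []byte(sampleBOM)); err != nil {
		fmt.Println("current map:", err)
	}
	got, err := ingestStatuses(proposedVexStatusMap, []byte(sampleBOM))
	fmt.Println("proposed map:", got, err)
}
```

Running it prints the same "unknown vulnerability status resolved_with_pedigree" failure for the four-entry map and a full status set for the six-entry map, which is the check a fix for this issue should add to the parser's unit tests.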