fix: cyclonedx import of grype scan results

Author: dervoeti

backend/application/import_observations/parsers/cyclone_dx/parser.py

@@ -117,7 +117,7 @@ def get_observations(self, data: dict, product: Product, branch: Optional[Branch
             payload = base64.b64decode(cosign_output["payload"]).decode("utf-8")
             sbom_data = json.loads(payload)["predicate"]
 
-        self.components = self._get_components(sbom_data or data)
+        self.components = self._get_components(data, sbom_data)
         self.dependencies = self._get_dependencies(sbom_data or data)
         observations = self._create_observations(data)
 
@@ -163,7 +163,7 @@ def _add_license_component_evidence(
         evidence.append(dumps(component.json))
         license_component.unsaved_evidences.append(evidence)
 
-    def _get_components(self, data: dict) -> dict[str, Component]:
+    def _get_components(self, data: dict, sbom_data: Optional[dict] = None) -> dict[str, Component]:
         components_dict = {}
         components_list: list[Component] = []
 
@@ -175,6 +175,15 @@ def _get_components(self, data: dict) -> dict[str, Component]:
             components = self._get_sbom_component_with_subs(sbom_component)
             components_list.extend(components)
 
+        # The scan report (e.g. Grype) and the attested SBOM (Trivy) use different bom-refs for the
+        # same package, so the vulnerabilities reference refs that only exist in the scan report.
+        # Merge both component sets so those refs resolve, while still keeping the richer SBOM
+        # components for dependency relations and license/location enrichment.
+        if sbom_data:
+            components_list.extend(self._get_root_component_with_subs(sbom_data))
+            for sbom_component in sbom_data.get("components", []):
+                components_list.extend(self._get_sbom_component_with_subs(sbom_component))
+
         for component in components_list:
             components_dict[component.bom_ref] = component
 

backend/unittests/import_observations/parsers/cyclone_dx/test_parser.py

@@ -1,5 +1,8 @@
+import base64
+import json
 from os import path
 from unittest import TestCase
+from unittest.mock import MagicMock, patch
 
 from application.core.models import Product
 from application.core.types import Severity
@@ -8,6 +11,41 @@
 
 
 class TestCycloneDXParser(TestCase):
+    def test_grype_observations_kept_when_sbom_attestation_resolves(self):
+        # The scan report (Grype) and the attested SBOM (Trivy) use different bom-refs for the same
+        # package. When the cosign attestation lookup succeeds, the SBOM components must be *merged*
+        # with the scan components, not replace them. Otherwise the vulnerabilities reference refs
+        # that only exist in the scan report, no component is found, and every observation is
+        # silently dropped.
+        attested_sbom = {
+            "bomFormat": "CycloneDX",
+            "metadata": {"component": {"bom-ref": "sbom-only-ref", "type": "container", "name": "x"}},
+            "components": [
+                {
+                    "bom-ref": "sbom-only-ref",
+                    "type": "library",
+                    "name": "sbom-only-package",
+                    "version": "1.0.0",
+                    "purl": "pkg:generic/sbom-only-package@1.0.0",
+                }
+            ],
+            "dependencies": [],
+        }
+        payload = base64.b64encode(json.dumps({"predicate": attested_sbom}).encode()).decode()
+        cosign_result = MagicMock(returncode=0, stdout=json.dumps({"payload": payload}).encode())
+
+        with open(path.dirname(__file__) + "/files/grype.json") as testfile:
+            parser, parser_instance, data = detect_parser(testfile)
+
+            with patch(
+                "application.import_observations.parsers.cyclone_dx.parser.subprocess.run",
+                return_value=cosign_result,
+            ):
+                observations, scanner = parser_instance.get_observations(data, Product(name="product"), None)
+
+            self.assertEqual("grype / 0.59.1", scanner)
+            self.assertEqual(8, len(observations))
+
     def test_grype_no_bom_link(self):
         with open(path.dirname(__file__) + "/files/grype.json") as testfile:
             parser, parser_instance, data = detect_parser(testfile)