Merge pull request #15 from CycloneDX/fix-vuln

mrutkows · web-flow · commit 3240de6b8f74 · 2023-04-05T23:54:10.000-05:00
Fix column names for vulnerability command
diff --git a/README.md b/README.md
@@ -790,10 +790,7 @@ This command will extract basic vulnerability report data from an SBOM that has
 
 #### Where flag filtering
 
-In addition a `where` filter flag can be supplied to only include results where values match supplied regex.  Supported keys for the `where` filter include the following column names in the report (i.e., `id`, `bom-ref`, `created`
-`published`, `updated`, `rejected` and `description`).
-
-**Note**: filtering using `source.name` and `source.url` are coming soon
+In addition a `where` filter flag can be supplied to only include results where values match supplied regex.  Supported keys for the `where` filter include the following column names in the report (i.e., `id`, `bom-ref`, `source-name`, `source-url`, `created`, `published`, `updated`, `rejected` and `description`).
 
 #### Format flag
 
@@ -814,7 +811,7 @@ Currently, all `vulnerability list` command results are sorted by vulnerability
 ```
 
 ```bash
-id              bom-ref  source.url  source.name                                      created                   published                 updated                   rejected  description
+id              bom-ref  source-name  source-url                                      created                   published                 updated                   rejected  description
 --              -------  ----------  -----------                                      -------                   ---------                 -------                   --------  -----------
 CVE-2020-25649           NVD         https://nvd.nist.gov/vuln/detail/CVE-2020-25649  2020-12-03T00:00:00.000Z  2020-12-03T00:00:00.000Z  2023-02-02T00:00:00.000Z            com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.  Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
 CVE-2022-42003           NVD         https://nvd.nist.gov/vuln/detail/CVE-2022-42003  2022-10-02T00:00:00.000Z  2022-10-02T00:00:00.000Z  2022-10-02T00:00:00.000Z            In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
@@ -828,7 +825,7 @@ CVE-2022-42004           NVD         https://nvd.nist.gov/vuln/detail/CVE-2022-4
 ```
 
 ```bash
-id              bom-ref  source.url  source.name                                      created                   published                 updated                   rejected  description
+id              bom-ref  source-name  source-url                                      created                   published                 updated                   rejected  description
 --              -------  ----------  -----------                                      -------                   ---------                 -------                   --------  -----------
 CVE-2020-25649           NVD         https://nvd.nist.gov/vuln/detail/CVE-2020-25649  2020-12-03T00:00:00.000Z  2020-12-03T00:00:00.000Z  2023-02-02T00:00:00.000Z            com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.  Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
 ```
diff --git a/cmd/vulnerability.go b/cmd/vulnerability.go
@@ -56,8 +56,8 @@ const (
 var VULNERABILITY_LIST_TITLES = []string{
 	VULN_FILTER_KEY_ID,
 	VULN_FILTER_KEY_BOM_REF,
-	VULN_FILTER_KEY_SOURCE_URL,
 	VULN_FILTER_KEY_SOURCE_NAME,
+	VULN_FILTER_KEY_SOURCE_URL,
 	VULN_FILTER_KEY_CREATED,
 	VULN_FILTER_KEY_PUBLISHED,
 	VULN_FILTER_KEY_UPDATED,
diff --git a/cmd/vulnerability_test.go b/cmd/vulnerability_test.go
@@ -326,3 +326,35 @@ func TestVulnListTextCdx14WhereClauseDescContains(t *testing.T) {
 
 	innerTestVulnList(t, testInfo)
 }
+
+func TestVulnListTextCdx14WhereClauseSourceNameNVD(t *testing.T) {
+	TEST_INPUT_WHERE_CLAUSE := "source-name=NVD"
+	TEST_OUTPUT_CONTAINS := "NVD"
+	TEST_OUTPUT_LINES := 5
+
+	testInfo := NewVulnTestInfo(
+		TEST_VULN_CDX_1_3_EXAMPLE_1_BOM_VEX,
+		FORMAT_TEXT,
+		TEST_INPUT_WHERE_CLAUSE,
+		TEST_OUTPUT_CONTAINS,
+		TEST_OUTPUT_LINES,
+		nil)
+
+	innerTestVulnList(t, testInfo)
+}
+
+func TestVulnListTextCdx14WhereClauseSourceUrlCVE2022(t *testing.T) {
+	TEST_INPUT_WHERE_CLAUSE := "source-url=CVE-2022"
+	TEST_OUTPUT_CONTAINS := "CVE-2022"
+	TEST_OUTPUT_LINES := 4
+
+	testInfo := NewVulnTestInfo(
+		TEST_VULN_CDX_1_3_EXAMPLE_1_BOM_VEX,
+		FORMAT_TEXT,
+		TEST_INPUT_WHERE_CLAUSE,
+		TEST_OUTPUT_CONTAINS,
+		TEST_OUTPUT_LINES,
+		nil)
+
+	innerTestVulnList(t, testInfo)
+}
diff --git a/docs/demo.md b/docs/demo.md
@@ -624,10 +624,7 @@ This command will extract basic vulnerability report data from an SBOM that has
 
 #### Where flag filtering
 
-In addition a `where` filter flag can be supplied to only include results where values match supplied regex.  Supported keys for the `where` filter include the following column names in the report (i.e., `id`, `bom-ref`, `created`
-`published`, `updated`, `rejected` and `description`).
-
-**Note**: filtering using `source.name` and `source.url` are coming soon
+In addition a `where` filter flag can be supplied to only include results where values match supplied regex.  Supported keys for the `where` filter include the following column names in the report (i.e., `id`, `bom-ref`, `source-name`, `source-url`, `created`, `published`, `updated`, `rejected` and `description`).
 
 #### Format flag
 
@@ -648,7 +645,7 @@ Currently, all `vulnerability list` command results are sorted by vulnerability
 ```
 
 ```bash
-id              bom-ref  source.url  source.name                                      created                   published                 updated                   rejected  description
+id              bom-ref  source-name  source-url                                      created                   published                 updated                   rejected  description
 --              -------  ----------  -----------                                      -------                   ---------                 -------                   --------  -----------
 CVE-2020-25649           NVD         https://nvd.nist.gov/vuln/detail/CVE-2020-25649  2020-12-03T00:00:00.000Z  2020-12-03T00:00:00.000Z  2023-02-02T00:00:00.000Z            com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.  Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
 CVE-2022-42003           NVD         https://nvd.nist.gov/vuln/detail/CVE-2022-42003  2022-10-02T00:00:00.000Z  2022-10-02T00:00:00.000Z  2022-10-02T00:00:00.000Z            In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
@@ -662,7 +659,7 @@ CVE-2022-42004           NVD         https://nvd.nist.gov/vuln/detail/CVE-2022-4
 ```
 
 ```bash
-id              bom-ref  source.url  source.name                                      created                   published                 updated                   rejected  description
+id              bom-ref  source-name  source-url                                      created                   published                 updated                   rejected  description
 --              -------  ----------  -----------                                      -------                   ---------                 -------                   --------  -----------
 CVE-2020-25649           NVD         https://nvd.nist.gov/vuln/detail/CVE-2020-25649  2020-12-03T00:00:00.000Z  2020-12-03T00:00:00.000Z  2023-02-02T00:00:00.000Z            com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.  Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
 ```
