fix: use a combination of namespace and tracking id as document id

A CSAF document is globally unique by its namespace and tracking ID. However, so far, we only use the tracking ID. This change combines the namespace, plus a `#` character, plus the tracking it, using it as our advisory identifier. Closes: #856
trustification · Oct 2, 2024 · f542219 · f542219
1 parent 3123d2b
commit f542219
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 8 deletions.
diff --git a/modules/fundamental/src/advisory/endpoints/test.rs b/modules/fundamental/src/advisory/endpoints/test.rs
@@ -343,7 +343,7 @@ async fn upload_default_csaf_format(ctx: &TrustifyContext) -> Result<(), anyhow:
     let result: IngestResult = app.call_and_read_body_json(request).await;
     log::debug!("{result:?}");
     assert!(matches!(result.id, Id::Uuid(_)));
-    assert_eq!(result.document_id, "CVE-2023-33201");
+    assert_eq!(result.document_id, "https://www.redhat.com/#CVE-2023-33201");
 
     Ok(())
 }
@@ -421,7 +421,7 @@ async fn upload_with_labels(ctx: &TrustifyContext) -> Result<(), anyhow::Error>
     let result: IngestResult = app.call_and_read_body_json(request).await;
     log::debug!("{result:?}");
     assert!(matches!(result.id, Id::Uuid(_)));
-    assert_eq!(result.document_id, "CVE-2023-33201");
+    assert_eq!(result.document_id, "https://www.redhat.com/#CVE-2023-33201");
 
     // now check the labels
 

diff --git a/modules/fundamental/src/vulnerability/service/test.rs b/modules/fundamental/src/vulnerability/service/test.rs
@@ -226,7 +226,7 @@ async fn product_statuses(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
     let cve_advisory = vuln
         .advisories
         .iter()
-        .find(|e| e.head.head.identifier == "CVE-2023-0044");
+        .find(|e| e.head.head.identifier == "https://www.redhat.com/#CVE-2023-0044");
     assert!(cve_advisory.is_some());
     let cve_advisory = cve_advisory.unwrap();
 

diff --git a/modules/fundamental/tests/advisory/csaf/delete.rs b/modules/fundamental/tests/advisory/csaf/delete.rs
@@ -116,7 +116,10 @@ async fn delete_check_vulns(ctx: &TrustifyContext) -> anyhow::Result<()> {
         .sort_unstable_by(|a, b| a.head.modified.cmp(&b.head.modified));
     let adv1 = &purl.advisories[0];
 
-    assert_eq!(adv1.head.identifier, "CVE-2023-33201");
+    assert_eq!(
+        adv1.head.identifier,
+        "https://www.redhat.com/#CVE-2023-33201"
+    );
 
     // now check the details
 

diff --git a/modules/fundamental/tests/advisory/csaf/reingest.rs b/modules/fundamental/tests/advisory/csaf/reingest.rs
@@ -131,7 +131,10 @@ async fn change_ps_list_vulns(ctx: &TrustifyContext) -> anyhow::Result<()> {
     assert_eq!(purl.advisories.len(), 1);
     let adv = &purl.advisories[0];
 
-    assert_eq!(adv.head.identifier, "CVE-2023-33201");
+    assert_eq!(
+        adv.head.identifier,
+        "https://www.redhat.com/#CVE-2023-33201"
+    );
 
     // now check the details
 
@@ -224,8 +227,14 @@ async fn change_ps_list_vulns_all(ctx: &TrustifyContext) -> anyhow::Result<()> {
     let adv1 = &purl.advisories[0];
     let adv2 = &purl.advisories[1];
 
-    assert_eq!(adv1.head.identifier, "CVE-2023-33201");
-    assert_eq!(adv2.head.identifier, "CVE-2023-33201");
+    assert_eq!(
+        adv1.head.identifier,
+        "https://www.redhat.com/#CVE-2023-33201"
+    );
+    assert_eq!(
+        adv2.head.identifier,
+        "https://www.redhat.com/#CVE-2023-33201"
+    );
 
     // now check the details
 

diff --git a/modules/ingestor/src/service/advisory/csaf/loader.rs b/modules/ingestor/src/service/advisory/csaf/loader.rs
@@ -1,3 +1,4 @@
+use crate::service::advisory::csaf::util::gen_identifier;
 use crate::{
     graph::{
         advisory::{
@@ -88,7 +89,7 @@ impl<'g> CsafLoader<'g> {
 
         let tx = self.graph.transaction().await?;
 
-        let advisory_id = csaf.document.tracking.id.clone();
+        let advisory_id = gen_identifier(&csaf);
         let labels = labels.into().add("type", "csaf");
 
         let advisory = self

diff --git a/modules/ingestor/src/service/advisory/csaf/util.rs b/modules/ingestor/src/service/advisory/csaf/util.rs
@@ -148,3 +148,23 @@ impl<'a> ResolveProductIdCache<'a> {
         self.product_id_to_relationship.get(product_id).copied()
     }
 }
+
+pub fn gen_identifier(csaf: &Csaf) -> String {
+    // From the spec:
+    // > The combination of `/document/publisher/namespace` and `/document/tracking/id` identifies a CSAF document globally unique.
+
+    let mut file_name = String::with_capacity(csaf.document.tracking.id.len());
+
+    let mut in_sequence = false;
+    for c in csaf.document.tracking.id.chars() {
+        if c.is_ascii_alphanumeric() || c == '+' || c == '-' {
+            file_name.push(c);
+            in_sequence = false;
+        } else if !in_sequence {
+            file_name.push('_');
+            in_sequence = true;
+        }
+    }
+
+    format!("{}#{file_name}", csaf.document.publisher.namespace)
+}