feat(sbom): add evidence for all products

Duplicate paths in all_product_data to add evidence paths in SBOM for
all products including ones with no CVEs

Signed-off-by: Fabrice Fontaine <[email protected]>

Author: ffontaine

cve_bin_tool/cli.py

@@ -1169,8 +1169,8 @@ def main(argv=None):
                     else:
                         # In no-scan mode, still populate all_product_data for display
                         if product_info not in cve_scanner.all_product_data:
-                            cve_scanner.all_product_data[product_info] = 0
-                        cve_scanner.all_product_data[product_info] = 0
+                            cve_scanner.all_product_data[product_info]["cves_total"] = 0
+                        cve_scanner.all_product_data[product_info]["cves_total"] = 0
             total_files = version_scanner.total_scanned_files
             LOGGER.info(f"Total files: {total_files}")
 

cve_bin_tool/cve_scanner.py

@@ -62,7 +62,7 @@ def __init__(
         self.products_without_cve = 0
         self.all_cve_data = defaultdict(lambda: {"cves": [], "paths": set()})
         self.all_cve_version_info = dict()
-        self.all_product_data = dict()
+        self.all_product_data = defaultdict(lambda: {"cves_total": 0, "paths": set()})
 
     def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
         """Get CVEs against a specific version of a product.
@@ -81,22 +81,23 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
             # In no-scan mode, just populate the product data without CVE scanning
             if product_info not in self.all_product_data:
                 self.logger.debug(f"Add product {product_info} (no-scan mode)")
-                self.all_product_data[product_info] = 0
+                self.all_product_data[product_info]["cves_total"] = 0
 
             # Also populate all_cve_data with empty CVE list and paths
             if product_info not in self.all_cve_data:
                 self.all_cve_data[product_info] = {"cves": [], "paths": set()}
 
             # Update paths
             self.all_cve_data[product_info]["paths"] |= set(triage_data["paths"])
+            self.all_product_data[product_info]["paths"] |= set(triage_data["paths"])
             return
 
         if product_info.vendor == "UNKNOWN":
             # Add product
             if product_info not in self.all_product_data:
                 self.logger.debug(f"Add product {product_info}")
                 # Number of CVEs is 0
-                self.all_product_data[product_info] = 0
+                self.all_product_data[product_info]["cves_total"] = 0
             return
 
         if product_info in self.all_cve_data:
@@ -396,7 +397,10 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
             )
 
         if product_info not in self.all_product_data:
-            self.all_product_data[product_info] = len(cves)
+            self.all_product_data[product_info]["cves_total"] = len(cves)
+
+        # Update paths
+        self.all_product_data[product_info]["paths"] |= set(triage_data["paths"])
 
     def filter_triage_data(self):
         """

cve_bin_tool/output_engine/__init__.py

@@ -601,7 +601,7 @@ def output_pdf(
                 products_with_cves = list(map(lambda x: x[1], all_cve_data))
                 for product_data in all_product_data:
                     if (
-                        all_product_data[product_data] == 0
+                        all_product_data[product_data]["cves_total"] == 0
                         and product_data.product not in products_with_cves
                     ):
                         product_entry = [

cve_bin_tool/output_engine/console.py

@@ -158,7 +158,7 @@ def _output_console_nowrap(
                     if color is None and count > 0:
                         color = summary_color[severity.split("-")[0]]
 
-            if all_product_data[product_data] != 0 or no_scan:
+            if all_product_data[product_data]["cves_total"] != 0 or no_scan:
                 if no_scan:
                     latest_stable_version = "NA"
                 elif offline:
@@ -185,7 +185,9 @@ def _output_console_nowrap(
                             Text.styled(str(count), color),
                         ]
                     cells += [
-                        Text.styled(str(all_product_data[product_data]), color),
+                        Text.styled(
+                            str(all_product_data[product_data]["cves_total"]), color
+                        ),
                     ]
                 table.add_row(*cells)
     # Print the table to the console
@@ -373,7 +375,7 @@ def validate_cell_length(cell_name, cell_type):
 
         for product_data in all_product_data:
             if (
-                all_product_data[product_data] == 0
+                all_product_data[product_data]["cves_total"] == 0
                 and product_data.product not in products_with_cves
             ):
                 cells = [

cve_bin_tool/sbom_manager/generate.py

@@ -110,10 +110,10 @@ def generate_sbom(self) -> None:
                 and product_data.vendor == "unknown"
             ):
                 # In no-scan mode, we still want to include path information if available
-                if self.all_cve_data.get(product_data) and self.all_cve_data[
+                if self.all_product_data.get(product_data) and self.all_product_data[
                     product_data
                 ].get("paths"):
-                    for path in self.all_cve_data[product_data]["paths"]:
+                    for path in self.all_product_data[product_data]["paths"]:
                         with open(path.split()[0], "rb") as f:
                             file_data = f.read()
                         sha256_hash = hashlib.sha256(file_data)