diff --git a/pkg/compliance/bsi.go b/pkg/compliance/bsi.go
index ae22ec7..a1bbbbc 100644
--- a/pkg/compliance/bsi.go
+++ b/pkg/compliance/bsi.go
@@ -80,7 +80,7 @@ const ( PACK_INFO SBOM_TYPE PACK_EXT_REF - SBOM_VULNERABILITES + SBOM_VULNERABILITIES SBOM_SIGNATURE )
diff --git a/pkg/compliance/bsiV2.go b/pkg/compliance/bsiV2.go
index 45529b7..6700718 100644
--- a/pkg/compliance/bsiV2.go
+++ b/pkg/compliance/bsiV2.go
@@ -68,13 +68,13 @@ func bsiV2Vulnerabilities(doc sbom.Document) *db.Record { vuln := doc.Vulnerabilities() if vuln != nil { - vulnId := vuln.GetID() - if vulnId != "" { - result = vulnId + vulnID := vuln.GetID() + if vulnID != "" { + result = vulnID } score = 0.0 } - return db.NewRecordStmt(SBOM_VULNERABILITES, "doc", result, score, "") + return db.NewRecordStmt(SBOM_VULNERABILITIES, "doc", result, score, "") } // bsiV2SbomSignature
@@ -83,15 +83,13 @@ func bsiV2SbomSignature(doc sbom.Document) *db.Record { if doc.Signature() != nil { // verify signature - // common.VerifySignature() pubKey := doc.Signature().GetPublicKey() blob := doc.Signature().GetBlob() sig := doc.Signature().GetSigValue() valid, err := common.VerifySignature(pubKey, blob, sig) if err != nil { fmt.Printf("Verification failed: %v\n", err) - result = "Verification failed" - score = 0.0 + return db.NewRecordStmt(SBOM_SIGNATURE, "doc", "Verification failed", 0.0, "") } if valid { score = 10.0
diff --git a/pkg/compliance/bsi_report.go b/pkg/compliance/bsi_report.go
index ab22851..0615eab 100644
--- a/pkg/compliance/bsi_report.go
+++ b/pkg/compliance/bsi_report.go
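Review bot: In the new early return of bsiV2SbomSignature, a verification error from `common.VerifySignature` (unparsable key material or signature) is recorded with the same fixed string and 0.0 score as any other failure, and the actual cause only reaches stdout through `fmt.Printf`. If the trailing `""` argument of `db.NewRecordStmt` is a free-text field, passing `err.Error()` there would let the report explain why the check failed; if it is not, a one-line doc comment on bsiV2SbomSignature should say that the detail is only printed. The `valid == false, err == nil` path lies outside the hunk and the function body continues past it, so I cannot confirm that an invalid-but-well-formed signature is scored distinguishably from a malformed one.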
@@ -45,7 +45,7 @@ var bsiSectionDetails = map[int]bsiSection{ COMP_DOWNLOAD_URL: {Title: "Additional fields components", ID: "5.3.2", Required: false, DataField: "URI of the executable form of the component"}, COMP_SOURCE_HASH: {Title: "Additional fields components", ID: "5.3.2", Required: false, DataField: "Hash value of the source code of the component"}, COMP_OTHER_UNIQ_IDS: {Title: "Additional fields components", ID: "5.3.2", Required: false, DataField: "Other unique identifiers"}, - SBOM_VULNERABILITES: {Title: "Definition of SBOM", ID: "3.1", Required: true, DataField: "vuln"}, + SBOM_VULNERABILITIES: {Title: "Definition of SBOM", ID: "3.1", Required: true, DataField: "vuln"}, SBOM_SIGNATURE: {Title: "Optional sboms fields", ID: "8.1.11", Required: false, DataField: "signature"}, }
diff --git a/pkg/engine/compliance.go b/pkg/engine/compliance.go
index e676242..e8a30bb 100644
--- a/pkg/engine/compliance.go
+++ b/pkg/engine/compliance.go
@@ -198,7 +198,11 @@ func RetrieveSignatureFromSBOM(sbomFile string) (string, string, string, error) } var sbom SBOM + + // nolint extracted_signature := "extracted_signature.bin" + + // nolint extracted_publick_key := "extracted_public_key.pem" if err := json.Unmarshal(data, &sbom); err != nil {
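Review bot: The two bare `// nolint` lines added above `extracted_signature` and `extracted_publick_key` disable every linter for those statements without saying which check or why, and as far as I recall golangci-lint only honours the directive in the `//nolint:<linter>` form with no space after the slashes. The likely trigger is the snake_case names (the second is also misspelled), so renaming fixes the root cause instead of hiding it: `extractedSignaturePath := "extracted_signature.bin"` and `extractedPublicKeyPath := "extracted_public_key.pem"`. If a suppression really is wanted, use the scoped form `//nolint:revive // reason` so the next reader knows what is being waived. RetrieveSignatureFromSBOM starts before this hunk.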
@@ -206,44 +210,41 @@ func RetrieveSignatureFromSBOM(sbomFile string) (string, string, string, error) return "", "", "", fmt.Errorf("error unmarshalling SBOM JSON: %w", err) } - // Extract and print the signature if sbom.Signature == nil { fmt.Println("signature and public key are not present in the SBOM") return sbomFile, "", "", nil - } else { - fmt.Println("signature and public key are present in the SBOM") - - signatureValue, err := base64.StdEncoding.DecodeString(sbom.Signature.Value) - if err != nil { - return "", "", "", fmt.Errorf("Error decoding signature: %w", err) - } + } + fmt.Println("signature and public key are present in the SBOM") - if err := os.WriteFile(extracted_signature, signatureValue, 0o644); err != nil { - fmt.Println("Error writing signature to file:", err) - } - fmt.Println("Signature written to file: extracted_signature.bin") + signatureValue, err := base64.StdEncoding.DecodeString(sbom.Signature.Value) + if err != nil { + return "", "", "", fmt.Errorf("error decoding signature: %w", err) + } - // extract the public key modulus and exponent - modulus, err := base64.StdEncoding.DecodeString(sbom.Signature.PublicKey.N) - if err != nil { - return "", "", "", fmt.Errorf("Error decoding public key modulus: %w", err) - } - exponent := decodeBase64URLEncodingToInt(sbom.Signature.PublicKey.E) - if exponent == 0 { - fmt.Println("Invalid public key exponent.") - } + if err := os.WriteFile(extracted_signature, signatureValue, 0o600); err != nil { + fmt.Println("Error writing signature to file:", err) + } + fmt.Println("Signature written to file: extracted_signature.bin") - // create the RSA public key - pubKey := &rsa.PublicKey{ - N: decodeBigInt(modulus), - E: int(exponent), - } + // extract the public key modulus and exponent + modulus, err := base64.StdEncoding.DecodeString(sbom.Signature.PublicKey.N) + if err != nil { + return "", "", "", fmt.Errorf("error decoding public key modulus: %w", err) + } + exponent := 
decodeBase64URLEncodingToInt(sbom.Signature.PublicKey.E) + if exponent == 0 { + fmt.Println("Invalid public key exponent.") + } - pubKeyPEM := publicKeyToPEM(pubKey) - if err := os.WriteFile(extracted_publick_key, pubKeyPEM, 0o644); err != nil { - fmt.Println("Error writing public key to file:", err) - } + // create the RSA public key + pubKey := &rsa.PublicKey{ + N: decodeBigInt(modulus), + E: exponent, + } + pubKeyPEM := publicKeyToPEM(pubKey) + if err := os.WriteFile(extracted_publick_key, pubKeyPEM, 0o600); err != nil { + fmt.Println("error writing public key to file:", err) } // remove the "signature" section
@@ -259,7 +260,7 @@ func RetrieveSignatureFromSBOM(sbomFile string) (string, string, string, error) // save the modified SBOM to a new file without a trailing newline standaloneSBOMFile := "standalone_sbom.json" - if err := os.WriteFile(standaloneSBOMFile, bytes.TrimSuffix(normalizedSBOM.Bytes(), []byte("\n")), 0o644); err != nil { + if err := os.WriteFile(standaloneSBOMFile, bytes.TrimSuffix(normalizedSBOM.Bytes(), []byte("\n")), 0o600); err != nil { return "", "", "", fmt.Errorf("error writing standalone SBOM file: %w", err) }
diff --git a/pkg/sbom/cdx.go b/pkg/sbom/cdx.go
index 637f6e2..b198757 100644
--- a/pkg/sbom/cdx.go
+++ b/pkg/sbom/cdx.go
@@ -151,8 +151,8 @@ func (c CdxDoc) GetComposition(componentID string) string { return c.composition[componentID] } -func (s CdxDoc) Vulnerabilities() GetVulnerabilities { - return s.vuln +func (c CdxDoc) Vulnerabilities() GetVulnerabilities { + return c.vuln } func (c CdxDoc) Signature() GetSignature {
@@ -237,7 +237,7 @@ func (c *CdxDoc) parseVulnerabilities() { if c.doc.Vulnerabilities != nil { for _, v := range *c.doc.Vulnerabilities { if v.ID != "" { - vuln.Id = v.ID + vuln.ID = v.ID } } c.vuln = vuln
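Review bot: The flattened body still swallows both `os.WriteFile` failures on the new side (the signature write and the public-key write): each prints and carries on, and since the function presumably hands the extracted file paths back to the caller, a failed write would leave a stale `extracted_signature.bin` or `extracted_public_key.pem` from an earlier run in the working directory to be verified instead; `exponent == 0` likewise only prints and then builds an `rsa.PublicKey` with `E: 0`. All three should return an error the way the decode steps just above them already do. Note also that `0o600` only takes effect when `os.WriteFile` creates the file — an existing file is truncated and keeps its old mode — so a tree that already holds a `0o644` copy is not tightened by this change (the same applies to the `standalone_sbom.json` write in the next hunk and the two writes in cdx.go parseSignature). RetrieveSignatureFromSBOM starts before and ends after this hunk.
```go
	if err := os.WriteFile(extracted_signature, signatureValue, 0o600); err != nil {
		return "", "", "", fmt.Errorf("writing signature file %q: %w", extracted_signature, err)
	}
	// … unchanged: "Signature written" message and modulus decode …
	exponent := decodeBase64URLEncodingToInt(sbom.Signature.PublicKey.E)
	if exponent == 0 {
		return "", "", "", fmt.Errorf("invalid public key exponent in SBOM signature")
	}
	// … unchanged: rsa.PublicKey construction and publicKeyToPEM …
	if err := os.WriteFile(extracted_publick_key, pubKeyPEM, 0o600); err != nil {
		return "", "", "", fmt.Errorf("writing public key file %q: %w", extracted_publick_key, err)
	}
```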
@@ -271,7 +271,7 @@ func (c *CdxDoc) parseSignature() { } // Write the signature to a file - if err := os.WriteFile("extracted_signature.bin", signatureValue, 0o644); err != nil { + if err := os.WriteFile("extracted_signature.bin", signatureValue, 0o600); err != nil { fmt.Println("Error writing signature to file:", err) return }
@@ -293,12 +293,12 @@ func (c *CdxDoc) parseSignature() { // Create the RSA public key pubKey := &rsa.PublicKey{ N: decodeBigInt(modulus), - E: int(exponent), + E: exponent, } // Write the public key to a PEM file pubKeyPEM := publicKeyToPEM(pubKey) - if err := os.WriteFile("extracted_public_key.pem", pubKeyPEM, 0o644); err != nil { + if err := os.WriteFile("extracted_public_key.pem", pubKeyPEM, 0o600); err != nil { fmt.Println("Error writing public key to file:", err) return }
diff --git a/pkg/sbom/spdx.go b/pkg/sbom/spdx.go
index e5ed97f..1d60937 100644
--- a/pkg/sbom/spdx.go
+++ b/pkg/sbom/spdx.go
@@ -159,8 +159,8 @@ func (s SpdxDoc) Vulnerabilities() GetVulnerabilities { return s.vuln } -func (c SpdxDoc) Signature() GetSignature { - return c.SignatureDetail +func (s SpdxDoc) Signature() GetSignature { + return s.SignatureDetail } func (s *SpdxDoc) parse() {
diff --git a/pkg/sbom/vulnerabilities.go b/pkg/sbom/vulnerabilities.go
index f39f3c5..8a2b48d 100644
--- a/pkg/sbom/vulnerabilities.go
+++ b/pkg/sbom/vulnerabilities.go
@@ -19,9 +19,9 @@ type GetVulnerabilities interface { } type Vulnerability struct { - Id string + ID string } func (v Vulnerability) GetID() string { - return v.Id + return v.ID }
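Review bot: The second parseSignature hunk mirrors RetrieveSignatureFromSBOM in pkg/engine/compliance.go almost line for line — the same `rsa.PublicKey{N: decodeBigInt(modulus), E: exponent}`, the same `publicKeyToPEM`, the same fixed `extracted_public_key.pem` in the working directory — which is why this commit had to drop the `int()` cast and change the file mode in both places, and the two copies already diverge in error handling (this one prints and `return`s, the engine copy prints and continues). Hoisting the key-build-and-write step into one shared helper called from both would keep them in step, and a short doc comment on `parseSignature` should state that parsing a document writes two files into the current directory as a side effect, since nothing in the method name suggests it. The body of parseSignature starts before and ends after this hunk.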