Fixes for Programming Language Vulnerabilities and SBOM Package Maint…

…ainer Details

1. It addresses an issue with programming language vulnerabilities by ensuring that the custom information is sent, which was previously causing a bug on the Aqua side.
2. For the SBOM, it adds the package maintainer details to the results, allowing to show this information.

pkg/detector/library/driver.go

@@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 			InstalledVersion: pkgVer,
 			FixedVersion:     createFixedVersions(adv),
 			DataSource:       adv.DataSource,
+			Custom:           adv.Custom,
 		}
 		vulns = append(vulns, vuln)
 	}

pkg/detector/library/driver_test.go

@@ -182,6 +182,34 @@ func TestDriver_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Custom data for vulnerability",
+			fixtures: []string{
+				"testdata/fixtures/go-custom-data.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.GoBinary,
+			args: args{
+				pkgName: "github.com/docker/docker",
+				pkgVer:  "23.0.14",
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "GHSA-v23v-6jw2-98fq",
+					PkgName:          "github.com/docker/docker",
+					InstalledVersion: "23.0.14",
+					FixedVersion:     "23.0.15, 26.1.5, 27.1.1, 25.0.6",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.GHSA,
+						Name: "GitHub Security Advisory Go",
+						URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
+					},
+					Custom: map[string]interface{}{
+						"Severity": float64(2),
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/detector/library/testdata/fixtures/data-source.yaml

@@ -25,3 +25,8 @@
         ID: "ghsa"
         Name: "GitHub Security Advisory Pip"
         URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+    - key: "go::GitHub Security Advisory Go"
+      value:
+        ID: "ghsa"
+        Name: "GitHub Security Advisory Go"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"

pkg/detector/library/testdata/fixtures/go-custom-data.yaml

@@ -0,0 +1,18 @@
+- bucket: "go::GitHub Security Advisory Go"
+  pairs:
+    - bucket: github.com/docker/docker
+      pairs:
+        - key: "GHSA-v23v-6jw2-98fq"
+          value:
+            PatchedVersions:
+              - "23.0.15"
+              - "26.1.5"
+              - "27.1.1"
+              - "25.0.6"
+            VulnerableVersions:
+              - ">=19.03.0, <23.0.15"
+              - ">=26.0.0, <26.1.5"
+              - ">=27.0.0, <27.1.1"
+              - ">=24.0.0, <25.0.6"
+            Custom:
+              Severity: 2

pkg/rpc/convert.go

@@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package {
 			DependsOn:  pkg.DependsOn,
 			Digest:     pkg.Digest.String(),
 			Indirect:   pkg.Indirect,
+			Maintainer: pkg.Maintainer,
 		})
 	}
 	return rpcPkgs
@@ -226,6 +227,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
 			DependsOn:  pkg.DependsOn,
 			Digest:     digest.Digest(pkg.Digest),
 			Indirect:   pkg.Indirect,
+			Maintainer: pkg.Maintainer,
 		})
 	}
 	return pkgs

pkg/rpc/convert_test.go

@@ -183,6 +183,78 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 				},
 			},
 		},
+		{
+			args: args{
+				rpcPkgs: []*common.Package{
+					{
+						Name:       "binary",
+						Version:    "4.2+dfsg",
+						Release:    "0.1+deb7u4",
+						Epoch:      0,
+						Arch:       "amd64",
+						SrcName:    "bash",
+						SrcVersion: "4.2+dfsg",
+						SrcRelease: "0.1+deb7u4",
+						SrcEpoch:   0,
+						Licenses:   []string{"GPL-3.0"},
+						Locations: []*common.Location{
+							{
+								StartLine: 10,
+								EndLine:   20,
+							},
+							{
+								StartLine: 22,
+								EndLine:   32,
+							},
+						},
+						Layer: &common.Layer{
+							Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+							DiffId: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+						},
+						Digest:   "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+						Indirect: false,
+						Identifier: &common.PkgIdentifier{
+							Uid: "63f8bef824b960e3",
+						},
+						Maintainer: "[email protected]",
+					},
+				},
+			},
+			want: []ftypes.Package{
+				{
+					Name:       "binary",
+					Version:    "4.2+dfsg",
+					Release:    "0.1+deb7u4",
+					Epoch:      0,
+					Arch:       "amd64",
+					SrcName:    "bash",
+					SrcVersion: "4.2+dfsg",
+					SrcRelease: "0.1+deb7u4",
+					SrcEpoch:   0,
+					Licenses:   []string{"GPL-3.0"},
+					Locations: []ftypes.Location{
+						{
+							StartLine: 10,
+							EndLine:   20,
+						},
+						{
+							StartLine: 22,
+							EndLine:   32,
+						},
+					},
+					Layer: ftypes.Layer{
+						Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+						DiffID: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+					},
+					Digest:   "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+					Indirect: false,
+					Identifier: ftypes.PkgIdentifier{
+						UID: "63f8bef824b960e3",
+					},
+					Maintainer: "[email protected]",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

rpc/common/service.proto

@@ -54,6 +54,7 @@ message Package {
   string            digest      = 16;
   bool              dev         = 17;
   bool              indirect    = 18;
+  string            maintainer = 21;
 }
 
 message PkgIdentifier {