fix: merge related fixes

Author: dervoeti

backend/application/commons/migrations/0016_merge_20250328_1143.py

@@ -0,0 +1,14 @@
+# Generated by Django 5.1.5 on 2025-03-28 10:43
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('commons', '0013_merge_20241028_1602'),
+        ('commons', '0015_settings_exploit_information_max_age_years_and_more'),
+    ]
+
+    operations = [
+    ]

backend/application/core/migrations/0070_merge_20250328_1143.py

@@ -0,0 +1,14 @@
+# Generated by Django 5.1.5 on 2025-03-28 10:43
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0061_observation_cve_found_in_and_more'),
+        ('core', '0069_merge_20250120_2305'),
+    ]
+
+    operations = [
+    ]

backend/application/import_observations/parsers/cyclone_dx/dependencies.py

@@ -1,6 +1,7 @@
 from collections import defaultdict
+import logging
 
-from application.import_observations.parsers.cyclone_dx.types import Component
+from application.import_observations.parsers.cyclone_dx.parser import Component
 
 logger = logging.getLogger("secobserve.import_observations.cyclone_dx.dependencies")
 

backend/application/import_observations/parsers/cyclone_dx/parser.py

@@ -64,7 +64,7 @@ def check_format(self, data: Any) -> bool:
             return True
         return False
 
-    def get_observations(self, data: dict) -> list[Observation]:
+    def get_observations(self, data: dict, product: Product, branch: Optional[Branch]) -> list[Observation]:
         self.metadata = self._get_metadata(data)
         sbom_data = None
 
@@ -236,48 +236,6 @@ def _create_observations(  # pylint: disable=too-many-locals
         if not sbom_data:
             sbom_data = data
 
-        dependencies = sbom_data.get("dependencies", [])
-
-        reverse_dep_map = defaultdict(list)
-        for entry in dependencies:
-            for dep in entry.get("dependsOn", []):
-                reverse_dep_map[dep].append(
-                    entry["ref"]
-                )  # Add a relation from the dependency it's "parent"
-
-        relevant_components = set()
-        for vulnerability in data.get("vulnerabilities", []):
-            for affected in vulnerability.get("affects", []):
-                ref = affected.get("ref")
-                if ref:
-                    component = self.components.get(ref)
-                    if component:
-                        relevant_components.add(component.bom_ref)
-
-        dependency_paths: dict[str, list[str]] = defaultdict(list)
-
-        # Get all paths from the root components in the dependency tree to the relevant components
-        for relevant_component in relevant_components:
-            stack: list[tuple[str, Optional[str]]] = [(relevant_component, None)]
-            visited = set()
-            if relevant_component not in dependency_paths:
-                dependency_paths[relevant_component] = []
-            while stack:
-                current, previous = stack.pop()
-                if not current:
-                    continue
-
-                if previous:
-                    path = f"{self._translate_component(current)} --> {self._translate_component(previous)}"
-                    if path not in dependency_paths[relevant_component]:
-                        dependency_paths[relevant_component].append(path)
-                if current in visited:
-                    continue
-                visited.add(current)
-                if current in reverse_dep_map:
-                    for parent in reverse_dep_map[current]:
-                        stack.append((parent, current))
-
         for vulnerability in data.get("vulnerabilities", []):
             vulnerability_id = vulnerability.get("id")
             cvss3_score, cvss3_vector = self._get_cvss(vulnerability, 3)
@@ -309,7 +267,7 @@ def _create_observations(  # pylint: disable=too-many-locals
                             #     dependency_paths,
                             #     self.dependencies
                             # )
-                            self._get_component_dependencies(
+                            observation_component_dependencies = self._get_component_dependencies(
                                 component.bom_ref, self.components, self.dependencies
                             )
                             component_dependencies_cache[component.bom_ref] = observation_component_dependencies

backend/application/vex/services/csaf_generator_component.py

@@ -95,6 +95,7 @@ def _create_component(component_name_version: str, purl: Optional[str], cpe: Opt
     product_identification_helper = None
     if purl:  # or cpe:
         purl = purl if purl else None
+        # Temporary disabled, because Rust crate for CSAF export does not support CPE
         # cpe = cpe if cpe else None
         product_identification_helper = CSAFProductIdentificationHelper(purl=purl, cpe=cpe)