Add fix availability information to DB schema (#2862)

* add fix availability information to DB schema

Signed-off-by: Alex Goodman <[email protected]>

* update json schemas

Signed-off-by: Alex Goodman <[email protected]>

* fix linting

Signed-off-by: Alex Goodman <[email protected]>

* revert vuln schema change

Signed-off-by: Alex Goodman <[email protected]>

---------

Signed-off-by: Alex Goodman <[email protected]>

Author: wagoodman

cmd/grype/cli/commands/internal/dbsearch/versions.go

@@ -2,13 +2,14 @@ package dbsearch
 
 const (
 	// MatchesSchemaVersion is the schema version for the `db search` command
-	MatchesSchemaVersion = "1.0.3"
+	MatchesSchemaVersion = "1.1.0"
 
 	// MatchesSchemaVersion Changelog:
 	// 1.0.0 - Initial schema 🎉
 	// 1.0.1 - Add KEV and EPSS data to vulnerability matches
 	// 1.0.2 - Add v5 namespace emulation for affected packages
 	// 1.0.3 - Add severity string field to vulnerability object
+	// 1.1.0 - Add fix available date information to vulnerability range object. This removes existing unused git-commit and date fields from the schema, but is a non-breaking change.
 
 	// VulnerabilitiesSchemaVersion is the schema version for the `db search vuln` command
 	VulnerabilitiesSchemaVersion = "1.0.3"

grype/db/v6/blobs.go

@@ -182,16 +182,39 @@ func (f Fix) String() string {
 
 // FixDetail is additional information about a fix, such as commit details and patch URLs.
 type FixDetail struct {
-	// GitCommit is the identifier for the Git commit associated with the fix.
-	GitCommit string `json:"git_commit,omitempty"`
-
-	// Timestamp is the date and time when the fix was committed.
-	Timestamp *time.Time `json:"timestamp,omitempty"`
+	// Available indicates when the fix information became available and how it was obtained.
+	Available *FixAvailability `json:"available,omitempty"`
 
 	// References contains URLs or identifiers for additional resources on the fix.
 	References []Reference `json:"references,omitempty"`
 }
 
+type FixAvailability struct {
+	// Date is the date and time when fix information became available. Note: this might not be when the fix was created, committed or merged.
+	Date *time.Time `json:"date,omitempty"`
+
+	// Kind describes how this date was obtained (e.g. advisory, release, commit, PR, issue, first-observed-record)
+	Kind string `json:"kind,omitempty"`
+}
+
+func (f FixAvailability) MarshalJSON() ([]byte, error) {
+	type Alias FixAvailability
+	aux := &struct {
+		Date *string `json:"date,omitempty"`
+		*Alias
+	}{
+		Alias: (*Alias)(&f),
+	}
+
+	// the JSON marshaller should interpret the time.Time as a Date, not a timestamp
+	if f.Date != nil {
+		dateStr := f.Date.Format("2006-01-02")
+		aux.Date = &dateStr
+	}
+
+	return json.Marshal(aux)
+}
+
 // AffectedVersion defines the versioning format and constraints.
 type AffectedVersion struct {
 	// Type specifies the versioning system used (e.g., "semver", "rpm").

grype/db/v6/db.go

@@ -21,16 +21,18 @@ const (
 	ModelVersion = 6
 
 	// Revision indicates how many changes have been introduced which **may** prevent interaction with some historical data
-	Revision = 0
+	Revision = 1
 
 	// Addition indicates how many changes have been introduced that are compatible with all historical data
-	Addition = 3
+	Addition = 0
 
 	// v6 model changelog:
 	// 6.0.0: Initial version 🎉
 	// 6.0.1: Add CISA KEV to VulnerabilityDecorator store
 	// 6.0.2: Add EPSS to VulnerabilityDecorator store
 	// 6.0.3: Add channel column to OperatingSystem model
+	// 6.1.0: Add Fix availability information to AffectedPackageBlob.AffectedRange.Fix.Detail.
+	//        Existing git commit and timestamp information was removed (as it was unused)
 )
 
 const (

grype/presenter/models/vulnerability.go

@@ -16,8 +16,14 @@ type Vulnerability struct {
 }
 
 type Fix struct {
-	Versions []string `json:"versions"`
-	State    string   `json:"state"`
+	Versions  []string      `json:"versions"`
+	State     string        `json:"state"`
+	Available *FixAvailable `json:"available,omitempty"`
+}
+
+type FixAvailable struct {
+	Date string `json:"date"`
+	Kind string `json:"kind"`
 }
 
 type Advisory struct {
@@ -49,14 +55,26 @@ func NewVulnerability(vuln vulnerability.Vulnerability, metadata *vulnerability.
 	return Vulnerability{
 		VulnerabilityMetadata: NewVulnerabilityMetadata(vuln.ID, vuln.Namespace, metadata),
 		Fix: Fix{
-			Versions: sortVersions(fixedInVersions, versionFormat),
-			State:    string(vuln.Fix.State),
+			Versions:  sortVersions(fixedInVersions, versionFormat),
+			State:     string(vuln.Fix.State),
+			Available: getFixAvailable(vuln.Fix.Available),
 		},
 		Advisories: advisories,
 		Risk:       metadata.RiskScore(),
 	}
 }
 
+func getFixAvailable(fixAvailable *vulnerability.FixAvailable) *FixAvailable {
+	if fixAvailable == nil {
+		return nil
+	}
+
+	return &FixAvailable{
+		Date: fixAvailable.Date.Format("2006-01-02"), // just extract the date
+		Kind: fixAvailable.Kind,
+	}
+}
+
 func sortVersions(fixedVersions []string, format version.Format) []string {
 	if len(fixedVersions) <= 1 {
 		return fixedVersions

grype/vex/csaf/implementation_test.go

@@ -1,13 +1,13 @@
 package csaf
 
 import (
-	"github.com/google/go-cmp/cmp"
-	"github.com/stretchr/testify/require"
 	"slices"
 	"testing"
 
 	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/anchore/grype/grype/match"
 	"github.com/anchore/grype/grype/pkg"

grype/vulnerability/fix.go

@@ -1,5 +1,7 @@
 package vulnerability
 
+import "time"
+
 type FixState string
 
 const (
@@ -19,8 +21,14 @@ func AllFixStates() []FixState {
 }
 
 type Fix struct {
-	Versions []string
-	State    FixState
+	Versions  []string
+	State     FixState
+	Available *FixAvailable
+}
+
+type FixAvailable struct {
+	Date time.Time
+	Kind string
 }
 
 func (f FixState) String() string {