cdx: parse ignored status from cdx sbom

It's included there now
2025-09-07 15:16:23 +02:00 · 2025-09-07 15:16:23 +02:00 · 52d0d9e0e0
commit 52d0d9e0e0
parent 0273e1a700
3 changed files with 4 additions and 5 deletions
--- a/app/appstate.py
+++ b/app/appstate.py
@ -467,8 +467,6 @@ class Source:
        Also includes ignored vulnerabilities.
        """
        vulnerabilities = state.vulnerabilities.get(self.name, [])
-        for vuln in vulnerabilities:
-            vuln.ignored = vuln.id in self.pkgextra.ignore_vulnerabilities
        return sorted(vulnerabilities, key=lambda v: v.sort_key, reverse=True)

    @property
--- a/app/fetch/cdx.py
+++ b/app/fetch/cdx.py
@ -37,10 +37,14 @@ def parse_cdx(data: bytes) -> dict[str, list[Vulnerability]]:
                if version.get("status") == "unaffected" and "version" in version:
                    unaffected_versions.append(version["version"])

+        ignored_states = {"resolved", "resolved_with_pedigree", "false_positive", "not_affected"}
+        ignored = "analysis" in vuln and vuln["analysis"].get("state") in ignored_states
+
        return Vulnerability(
            id=vuln["id"],
            url=vuln["source"]["url"],
            severity=severity,
+            ignored=ignored,
            unaffected_versions=unaffected_versions)

    vuln_mapping: dict[str, list[Vulnerability]] = {}
--- a/app/pkgextra.py
+++ b/app/pkgextra.py
@ -29,9 +29,6 @@ class PkgExtraEntry(BaseModel):
    pgp_keys_url: str | None = Field(default=None)
    """A website containing which keys are used to sign releases"""

-    ignore_vulnerabilities: list[str] = Field(default_factory=list)
-    """List of CVEs or GHSAs that are either not relevant or not fixable"""
-

 class PkgExtra(BaseModel):