
Conversation

@irenaliu18 irenaliu18 commented Nov 5, 2025

Description of the PR

This PR addresses issue 2812, adding support for two missing CycloneDX 1.6 VEX (Vulnerability Exploitability eXchange) status values: resolved_with_pedigree and false_positive. These statuses were introduced in CycloneDX 1.5+ but were not previously handled by the GUAC parser, causing ingestion failures with the error "unknown vulnerability status".

GUAC currently fails to ingest CycloneDX 1.6 SBOMs containing the following VEX statuses:

  • resolved_with_pedigree - Indicates the vulnerability has been remediated with evidence provided in component pedigree
  • false_positive - Indicates the vulnerability was falsely identified or associated with the component

Unit Tests

New test cases pass:

  • Test_cyclonedxParser/valid_CycloneDX_VEX_document_with_resolved_with_pedigree_status
  • Test_cyclonedxParser/valid_CycloneDX_VEX_document_with_false_positive_status

go test ./pkg/ingestor/parser/cyclonedx/... -v

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged

Collaborator

@funnelfiasco funnelfiasco left a comment

In addition to resolving the addition of a GitHub workflow, you will need to include a DCO signoff before this change can be approved.

@irenaliu18 irenaliu18 force-pushed the irenaliu/add-vex-status-mapping branch from 61aa4aa to 56a00d1 Compare November 5, 2025 17:35
@pull-request-size pull-request-size bot added size/L and removed size/S labels Nov 5, 2025
@irenaliu18 irenaliu18 changed the title Irenaliu/add vex status mapping fix: Missing VEX status mappings for resolved_with_pedigree and false_positive Nov 5, 2025
@irenaliu18 irenaliu18 marked this pull request as ready for review November 5, 2025 17:57
Contributor

@lumjjb lumjjb left a comment

Thanks for opening up this PR! Looks great, with some minor comments!

Status: generated.VexStatusFixed,
VexJustification: generated.VexJustificationNotProvided,
Statement: "",
StatusNotes: "Vulnerability has been remediated with evidence provided in component pedigree",
Contributor

May be missing something but it seems like the status note inclusion may be missing in the parser_cyclonedx change?

Author

If I'm understanding correctly, the StatusNotes extraction is already handled in parser_cyclonedx.go lines 582-592. I think the code extracts StatusNotes from vulnerability.Analysis.Detail for analysis states, including resolved_with_pedigree and false_positive.

Contributor

Hey Irene, ah sorry, I didn't realize this was in the "Details" field in the test; I thought that was a derivation of the status notes from the ENUM.

Along that line of thinking, I am wondering if it would be possible to add status notes here about the enum if "Details" is empty, so that we don't lose that bit of information if it is not already captured within Details?

i.e. if Details is empty we can include StatusNotes as "CDX state: false_positive" or "CDX state: resolved_with_pedigree", since the bit would be lost otherwise?

wdyt?

Author

That's a good idea! I've added your suggestion to the code.
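As an added illustration of the mapping this PR describes and the fallback StatusNotes discussed in the thread above (example code, not the PR's or GUAC's own): a stand-alone conversion of CycloneDX analysis states into a VEX statement that keeps the original CDX state when the analysis detail is empty. The VexStatus constants, the Analysis and VexStatement types, and the mapping of false_positive to NOT_AFFECTED are my assumptions standing in for GUAC's generated types; only resolved_with_pedigree → Fixed is shown on the page.

```go
package main

import "fmt"

// VexStatus is a local stand-in for GUAC's generated.VexStatus (assumption).
type VexStatus string

const (
	VexStatusAffected           VexStatus = "AFFECTED"
	VexStatusNotAffected        VexStatus = "NOT_AFFECTED"
	VexStatusFixed              VexStatus = "FIXED"
	VexStatusUnderInvestigation VexStatus = "UNDER_INVESTIGATION"
)

// Analysis holds the CycloneDX vulnerability.analysis fields the mapping uses.
type Analysis struct {
	State  string // e.g. "resolved_with_pedigree", "false_positive"
	Detail string // free-text analyst notes; may be empty
}

// VexStatement is the subset of the ingested VEX record relevant here.
type VexStatement struct {
	Status      VexStatus
	StatusNotes string
}

// MapAnalysis converts a CycloneDX analysis block into a VEX statement.
// States outside the known set are rejected, which is the "unknown
// vulnerability status" failure the PR fixes for the two newer states.
func MapAnalysis(a Analysis) (VexStatement, error) {
	var st VexStatus
	switch a.State {
	case "exploitable":
		st = VexStatusAffected
	case "in_triage":
		st = VexStatusUnderInvestigation
	case "resolved", "resolved_with_pedigree":
		st = VexStatusFixed
	case "not_affected", "false_positive": // false_positive mapping is an assumption
		st = VexStatusNotAffected
	default:
		return VexStatement{}, fmt.Errorf("unknown vulnerability status: %q", a.State)
	}
	notes := a.Detail
	// Reviewer suggestion: record the CDX state when no detail is present, so the
	// difference between e.g. resolved and resolved_with_pedigree is not lost.
	if notes == "" {
		notes = "CDX state: " + a.State
	}
	return VexStatement{Status: st, StatusNotes: notes}, nil
}
```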

…positive

Signed-off-by: Irena Liu <irena.liu@verkada.com>
…uses

Signed-off-by: Irena Liu <irena.liu@verkada.com>
@irenaliu18 irenaliu18 force-pushed the irenaliu/add-vex-status-mapping branch from 30618c6 to a7f86b8 Compare November 5, 2025 18:39
Signed-off-by: Irena Liu <irena.liu@verkada.com>
@irenaliu18 irenaliu18 force-pushed the irenaliu/add-vex-status-mapping branch from 0201225 to 644fe18 Compare November 6, 2025 23:39