add vuln extractors and it's tests

Author: viveksahu26

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/charmbracelet/fang v0.4.1
 	github.com/github/go-spdx/v2 v2.3.3
 	github.com/google/uuid v1.6.0
+	github.com/knqyf263/go-cpe v0.0.0-20230627041855-cb0794d06872
 	github.com/maxbrunsfeld/counterfeiter/v6 v6.12.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/package-url/packageurl-go v0.1.3

go.sum

@@ -73,6 +73,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
 github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/knqyf263/go-cpe v0.0.0-20230627041855-cb0794d06872 h1:snH0nDYi3kizy9vxYBhZm5KXkGt9VXdGEtr6/1SGUqY=
+github.com/knqyf263/go-cpe v0.0.0-20230627041855-cb0794d06872/go.mod h1:4cVhzV/TndScEg4xMtSo3TTz3cMFhEAvhAA4igAyXZY=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -120,6 +122,7 @@ github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/
 github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
 github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
 github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

pkg/scorer/v2/extractors/common.go

@@ -19,6 +19,8 @@ import (
 
 	"github.com/interlynk-io/sbomqs/pkg/licenses"
 	"github.com/interlynk-io/sbomqs/pkg/sbom"
+	"github.com/knqyf263/go-cpe/naming"
+	purl "github.com/package-url/packageurl-go"
 )
 
 // license with "NOASSERTION" or "NONE" are considered as
@@ -107,3 +109,55 @@ func componentHasAnyRestrictive(c sbom.GetComponent) bool {
 	}
 	return false
 }
+
+func compHasAnyPURLs(c sbom.GetComponent) bool {
+	for _, p := range c.GetPurls() {
+		if isValidPURL(string(p)) {
+			return true
+		}
+	}
+	return false
+}
+
+func compHasAnyCPEs(c sbom.GetComponent) bool {
+	for _, p := range c.GetCpes() {
+		if isValidCPE(string(p)) {
+			return true
+		}
+	}
+	return false
+}
+
+func isValidPURL(s string) bool {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return false
+	}
+
+	u, err := purl.FromString(s)
+	if err != nil {
+		return false
+	}
+
+	// type and name must be present per spec
+	if strings.TrimSpace(u.Type) == "" || strings.TrimSpace(u.Name) == "" {
+		return false
+	}
+	return true
+}
+
+func isValidCPE(s string) bool {
+	ls := strings.TrimSpace(s)
+	low := strings.ToLower(ls)
+
+	switch {
+	case strings.HasPrefix(low, "cpe:2.3:"):
+		_, err := naming.UnbindFS(ls)
+		return err == nil
+	case strings.HasPrefix(low, "cpe:/"):
+		_, err := naming.UnbindURI(ls)
+		return err == nil
+	default:
+		return false
+	}
+}

pkg/scorer/v2/extractors/structural.go

@@ -0,0 +1,15 @@
+// Copyright 2025 Interlynk.io
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package extractors

pkg/scorer/v2/extractors/vulnerability.go

@@ -0,0 +1,58 @@
+// Copyright 2025 Interlynk.io
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package extractors
+
+import (
+	"github.com/interlynk-io/sbomqs/pkg/sbom"
+	"github.com/interlynk-io/sbomqs/pkg/scorer/v2/config"
+	"github.com/interlynk-io/sbomqs/pkg/scorer/v2/formulae"
+	"github.com/samber/lo"
+)
+
+// CompWithPURL check for PURLs
+func CompWithPURL(doc sbom.Document) config.FeatureScore {
+	comps := doc.Components()
+	if len(comps) == 0 {
+		return formulae.ScoreNA()
+	}
+
+	have := lo.CountBy(comps, func(c sbom.GetComponent) bool {
+		return compHasAnyPURLs(c)
+	})
+
+	return config.FeatureScore{
+		Score:  formulae.PerComponentScore(have, len(comps)),
+		Desc:   formulae.CompDescription(have, len(comps), "PURLs"),
+		Ignore: false,
+	}
+}
+
+// CompWithCPE: percentage of components that have at least one syntactically valid CPE 2.3.
+func CompWithCPE(doc sbom.Document) config.FeatureScore {
+	comps := doc.Components()
+	if len(comps) == 0 {
+		return formulae.ScoreNA()
+	}
+
+	have := lo.CountBy(comps, func(c sbom.GetComponent) bool {
+		return compHasAnyCPEs(c)
+	})
+
+	return config.FeatureScore{
+		Score:  formulae.PerComponentScore(have, len(comps)),
+		Desc:   formulae.CompDescription(have, len(comps), "CPEs"),
+		Ignore: false,
+	}
+}