From 197fad054ccbf51d80375bab950f0fa5d7c2af55 Mon Sep 17 00:00:00 2001 From: nscuro Date: Mon, 9 Sep 2024 13:37:19 +0200 Subject: [PATCH] Fix `cwes` missing from project/component vulnerability responses Regression of https://github.com/DependencyTrack/hyades-apiserver/pull/886 Signed-off-by: nscuro --- .../persistence/jdbi/VulnerabilityDao.java | 6 +- .../v1/VulnerabilityResourceTest.java | 91 +++++++++++++++++++ 2 files changed, 94 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/dependencytrack/persistence/jdbi/VulnerabilityDao.java b/src/main/java/org/dependencytrack/persistence/jdbi/VulnerabilityDao.java index 68fa6b71f..b9785ca6b 100644 --- a/src/main/java/org/dependencytrack/persistence/jdbi/VulnerabilityDao.java +++ b/src/main/java/org/dependencytrack/persistence/jdbi/VulnerabilityDao.java @@ -104,7 +104,7 @@ record AffectedProjectListRow( @SqlQuery(/* language=InjectedFreeMarker */ """ <#-- @ftlvariable name="apiFilterParameter" type="String" --> SELECT "V"."ID", "V"."CREATED", "V"."CVSSV2BASESCORE", "V"."CVSSV2VECTOR", "V"."CVSSV3BASESCORE", "V"."CVSSV3VECTOR" - , "V"."CWES", "V"."DESCRIPTION", "V"."DETAIL", "V"."PATCHEDVERSIONS", "V"."PUBLISHED", "V"."RECOMMENDATION", "V"."REFERENCES" + , STRING_TO_ARRAY("V"."CWES", ',') AS "CWES", "V"."DESCRIPTION", "V"."DETAIL", "V"."PATCHEDVERSIONS", "V"."PUBLISHED", "V"."RECOMMENDATION", "V"."REFERENCES" , "V"."SEVERITY", "V"."SOURCE", "V"."TITLE", "V"."UPDATED", "V"."UUID", "V"."VULNID", "V"."VULNERABLEVERSIONS", "V"."OWASPRRVECTOR" , "EPSS"."SCORE" , "EPSS"."PERCENTILE" 
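Review bot: The select list now splits the column with `STRING_TO_ARRAY("V"."CWES", ',') AS "CWES"`, here and again in the `@@ -156` hunk of the same file, but neither query says why the conversion is needed, so the next edit of either copy can drop it just as the earlier refactor apparently did. A one-line SQL comment above the select list, e.g. `-- CWES is stored as a comma-separated string; the row mapper needs an array`, would make the intent visible where the fix lives. The two select lists are otherwise identical, so sharing them through one FreeMarker fragment or constant would avoid having to patch both again. `STRING_TO_ARRAY` yields a text array; if the row mapper expects integer CWE ids, an explicit `::INT[]` cast would pin that at the query rather than in mapping code — worth confirming against the mapper, which is outside this hunk.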
@@ -156,7 +156,7 @@ record AffectedProjectCountRow( @SqlQuery(/* language=InjectedFreeMarker */ """ <#-- @ftlvariable name="apiFilterParameter" type="String" --> SELECT DISTINCT "V"."ID", "V"."CREATED", "V"."CVSSV2BASESCORE", "V"."CVSSV2VECTOR", "V"."CVSSV3BASESCORE", "V"."CVSSV3VECTOR" - , "V"."CWES", "V"."DESCRIPTION", "V"."DETAIL", "V"."PATCHEDVERSIONS", "V"."PUBLISHED", "V"."RECOMMENDATION", "V"."REFERENCES" + , STRING_TO_ARRAY("V"."CWES", ',') AS "CWES", "V"."DESCRIPTION", "V"."DETAIL", "V"."PATCHEDVERSIONS", "V"."PUBLISHED", "V"."RECOMMENDATION", "V"."REFERENCES" , "V"."SEVERITY", "V"."SOURCE", "V"."TITLE", "V"."UPDATED", "V"."UUID", "V"."VULNID", "V"."VULNERABLEVERSIONS", "V"."OWASPRRVECTOR" , "EPSS"."SCORE" , "EPSS"."PERCENTILE" @@ -187,7 +187,7 @@ record AffectedProjectCountRow( @SqlQuery(""" SELECT distinct "C"."ID", "C"."NAME", - "C"."AUTHOR", + "C"."AUTHOR", "C"."BLAKE2B_256", "C"."BLAKE2B_384", "C"."BLAKE2B_512", diff --git a/src/test/java/org/dependencytrack/resources/v1/VulnerabilityResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/VulnerabilityResourceTest.java index d756b1874..9d38c2e35 100644 --- a/src/test/java/org/dependencytrack/resources/v1/VulnerabilityResourceTest.java +++ b/src/test/java/org/dependencytrack/resources/v1/VulnerabilityResourceTest.java @@ -75,6 +75,16 @@ public void getVulnerabilitiesByComponentUuidTest() throws Exception { "source": "INTERNAL", "description": "Description 1", "severity": "CRITICAL", + "cwe": { + "cweId": 123, + "name": "Write-what-where Condition" + }, + "cwes": [ + { + "cweId": 123, + "name": "Write-what-where Condition" + } + ], "uuid": "${json-unit.any-string}", "affectedProjectCount": 1, "affectedActiveProjectCount": 1, 
@@ -85,6 +95,16 @@ public void getVulnerabilitiesByComponentUuidTest() throws Exception { "source": "INTERNAL", "description": "Description 2", "severity": "HIGH", + "cwe": { + "cweId": 321, + "name": "Use of Hard-coded Cryptographic Key" + }, + "cwes": [ + { + "cweId": 321, + "name": "Use of Hard-coded Cryptographic Key" + } + ], "uuid": "${json-unit.any-string}", "affectedProjectCount": 1, "affectedActiveProjectCount": 1, @@ -123,6 +143,16 @@ public void getVulnerabilitiesByComponentUuidIncludeSuppressedTest() { "source": "INTERNAL", "description": "Description 1", "severity": "CRITICAL", + "cwe": { + "cweId": 123, + "name": "Write-what-where Condition" + }, + "cwes": [ + { + "cweId": 123, + "name": "Write-what-where Condition" + } + ], "uuid": "${json-unit.any-string}", "affectedProjectCount": 1, "affectedActiveProjectCount": 1, @@ -133,6 +163,16 @@ public void getVulnerabilitiesByComponentUuidIncludeSuppressedTest() { "source": "INTERNAL", "description": "Description 2", "severity": "HIGH", + "cwe": { + "cweId": 321, + "name": "Use of Hard-coded Cryptographic Key" + }, + "cwes": [ + { + "cweId": 321, + "name": "Use of Hard-coded Cryptographic Key" + } + ], "uuid": "${json-unit.any-string}", "affectedProjectCount": 1, "affectedActiveProjectCount": 1, @@ -167,6 +207,16 @@ public void getVulnerabilitiesByProjectTest() throws Exception { "source": "INTERNAL", "description": "Description 1", "severity": "CRITICAL", + "cwe": { + "cweId": 123, + "name": "Write-what-where Condition" + }, + "cwes": [ + { + "cweId": 123, + "name": "Write-what-where Condition" + } + ], "components": [ { "name": "Component 1", @@ -188,6 +238,16 @@ public void getVulnerabilitiesByProjectTest() throws Exception { "source": "INTERNAL", "description": "Description 2", "severity": "HIGH", + "cwe": { + "cweId": 321, + "name": "Use of Hard-coded Cryptographic Key" + }, + "cwes": [ + { + "cweId": 321, + "name": "Use of Hard-coded Cryptographic Key" + } + ], "components": [ { "name": "Component 1", 
@@ -209,6 +269,20 @@ public void getVulnerabilitiesByProjectTest() throws Exception { "source": "INTERNAL", "description": "Description 4", "severity": "LOW", + "cwe": { + "cweId": 123, + "name": "Write-what-where Condition" + }, + "cwes": [ + { + "cweId": 123, + "name": "Write-what-where Condition" + }, + { + "cweId": 321, + "name": "Use of Hard-coded Cryptographic Key" + } + ], "components": [ { "name": "Component 2", @@ -267,6 +341,20 @@ public void getVulnerabilitiesByProjectIncludeProjectSuppressedTest() throws Exc "source": "INTERNAL", "description": "Description 4", "severity": "LOW", + "cwe": { + "cweId": 123, + "name": "Write-what-where Condition" + }, + "cwes": [ + { + "cweId": 123, + "name": "Write-what-where Condition" + }, + { + "cweId": 321, + "name": "Use of Hard-coded Cryptographic Key" + } + ], "components": [ { "name": "Component 2", @@ -1003,6 +1091,7 @@ private class SampleData { v1.setSource(Vulnerability.Source.INTERNAL); v1.setSeverity(Severity.CRITICAL); v1.setDescription("Description 1"); + v1.setCwes(List.of(123)); vs1 = new VulnerableSoftware(); qm.persist(vs1); @@ -1014,6 +1103,7 @@ private class SampleData { v2.setSource(Vulnerability.Source.INTERNAL); v2.setSeverity(Severity.HIGH); v2.setDescription("Description 2"); + v2.setCwes(List.of(321)); v3 = new Vulnerability(); v3.setVulnId("INT-3"); @@ -1026,6 +1116,7 @@ private class SampleData { v4.setSource(Vulnerability.Source.INTERNAL); v4.setSeverity(Severity.LOW); v4.setDescription("Description 4"); + v4.setCwes(List.of(123, 321)); v5 = new Vulnerability(); v5.setVulnId("INT-5");