Merge pull request #368 from DependencyTrack/port-changes-to-cycloned…
…x-vex-importer

Port cyclonedx vex importer change from upstream
nscuro authored Oct 19, 2023
2 parents 457b12b + cc8fc94 commit 98ba9a8
Showing 1 changed file with 12 additions and 8 deletions.
Expand Up @@ -18,12 +18,12 @@
*/
package org.dependencytrack.parser.cyclonedx;

import alpine.common.logging.Logger;
import org.apache.commons.lang3.StringUtils;
import org.cyclonedx.model.Bom;
import org.cyclonedx.util.BomLink;
import org.cyclonedx.util.ObjectLocator;
import org.dependencytrack.model.Analysis;
import org.dependencytrack.model.AnalysisComment;
import org.dependencytrack.model.AnalysisJustification;
import org.dependencytrack.model.AnalysisResponse;
import org.dependencytrack.model.AnalysisState;
Expand All @@ -34,47 +34,51 @@
import org.dependencytrack.parser.cyclonedx.util.ModelConverter;
import org.dependencytrack.persistence.QueryManager;
import org.dependencytrack.util.AnalysisCommentUtil;

import java.util.List;

public class CycloneDXVexImporter {

private static final Logger LOGGER = Logger.getLogger(CycloneDXVexImporter.class);
private static final String COMMENTER = "CycloneDX VEX";

public void applyVex(final QueryManager qm, final Bom bom, final Project project) {
if (bom.getVulnerabilities() == null) return;
List<org.cyclonedx.model.vulnerability.Vulnerability> auditableVulnerabilities = bom.getVulnerabilities().stream().filter(
bomVuln -> bomVuln.getSource() == null || Vulnerability.Source.isKnownSource(bomVuln.getSource().getName())
).toList();
for (org.cyclonedx.model.vulnerability.Vulnerability cdxVuln: auditableVulnerabilities) {
for (org.cyclonedx.model.vulnerability.Vulnerability cdxVuln : auditableVulnerabilities) {
if (cdxVuln.getAnalysis() == null) continue;
final List<Vulnerability> vulns = qm.getVulnerabilities(project, true);
if (vulns == null) continue;
for (final Vulnerability vuln: vulns) {
for (final Vulnerability vuln : vulns) {
// NOTE: These vulnerability objects are detached
if (shouldAuditVulnerability(cdxVuln, vuln)) {

if (cdxVuln.getAffects() == null) continue;
for (org.cyclonedx.model.vulnerability.Vulnerability.Affect affect: cdxVuln.getAffects()) {
for (org.cyclonedx.model.vulnerability.Vulnerability.Affect affect : cdxVuln.getAffects()) {
final ObjectLocator ol = new ObjectLocator(bom, affect.getRef()).locate();
if ((ol.found() && ol.isMetadataComponent()) || (!ol.found() && BomLink.isBomLink(affect.getRef()))) {
// Affects the project itself
List<Component> components = qm.getAllVulnerableComponents(project, vuln, true);
for (final Component component: components) {
for (final Component component : components) {
updateAnalysis(qm, component, vuln, cdxVuln);
}
} else if (ol.found() && ol.isComponent()) {
// Affects an individual component
final org.cyclonedx.model.Component cdxComponent = (org.cyclonedx.model.Component)ol.getObject();
final org.cyclonedx.model.Component cdxComponent = (org.cyclonedx.model.Component) ol.getObject();
final ComponentIdentity cid = new ComponentIdentity(cdxComponent);
List<Component> components = qm.matchIdentity(project, cid);
for (final Component component: components) {
for (final Component component : components) {
updateAnalysis(qm, component, vuln, cdxVuln);
}
} else if (ol.found() && ol.isService()) {
// Affects an individual service
// TODO add VEX support for services
}
}
} else {
LOGGER.warn("Analysis data for vulnerability " + cdxVuln.getId() + " will be ignored because either the source is missing or there is a source/vulnid mismatch between VEX and Dependency Track database.");
}
}
}
Expand Down Expand Up @@ -115,7 +119,7 @@ private void updateAnalysis(final QueryManager qm, final Component component, fi
AnalysisCommentUtil.makeAnalysisDetailsComment(qm, analysis, cdxVuln.getAnalysis().getDetail().trim(), COMMENTER);
}
if (cdxVuln.getAnalysis().getResponses() != null) {
for (org.cyclonedx.model.vulnerability.Vulnerability.Analysis.Response cdxRes: cdxVuln.getAnalysis().getResponses()) {
for (org.cyclonedx.model.vulnerability.Vulnerability.Analysis.Response cdxRes : cdxVuln.getAnalysis().getResponses()) {
analysisResponse = ModelConverter.convertCdxVulnAnalysisResponseToDtAnalysisResponse(cdxRes);
AnalysisCommentUtil.makeAnalysisResponseComment(qm, analysis, analysisResponse, COMMENTER);
}
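Review bot: The new `else` branch attached to `if (shouldAuditVulnerability(cdxVuln, vuln))` sits inside the `for (final Vulnerability vuln : vulns)` loop, so the "will be ignored" warning is emitted once for every project vulnerability that does not match the current VEX entry rather than once per VEX entry that matches nothing; an entry that does match one finding still triggers a warning for every other finding, and the message is wrong in that case. Tracking whether any `vuln` matched and logging after the inner loop gives one accurate warning per unmatched VEX vulnerability. The logged `cdxVuln.getId()` is taken directly from the uploaded VEX document, so stripping CR/LF from it before it reaches the log keeps a crafted ID from forging log lines (presumably the logger does not do this itself). The `qm.getVulnerabilities(project, true)` call does not depend on `cdxVuln` and could be hoisted above the outer loop instead of being re-run for every VEX entry. The closing brace of `applyVex` lies outside this hunk.
```java
                boolean matched = false;
                for (final Vulnerability vuln : vulns) {
                    // NOTE: These vulnerability objects are detached
                    if (!shouldAuditVulnerability(cdxVuln, vuln)) continue;
                    matched = true;
                    // … unchanged: affects handling for the project and individual components …
                }
                if (!matched) {
                    // ID comes from the uploaded VEX; drop line breaks so it cannot forge log entries
                    final String vulnId = String.valueOf(cdxVuln.getId()).replaceAll("[\\r\\n]", "");
                    LOGGER.warn("Analysis data for vulnerability " + vulnId + " will be ignored because either the source is missing or there is a source/vulnid mismatch between VEX and Dependency Track database.");
                }
```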
