Fix VDR export containing non-vulnerable components
Co-Authored-By: Niklas <[email protected]>
sahibamittal and nscuro committed Oct 20, 2023
1 parent ca982da commit a980225
Showing 3 changed files with 14 additions and 18 deletions.
Expand Up @@ -72,7 +72,12 @@ public Bom create(final Component component) {
return create(components, null, null, null);
}

private Bom create(final List<Component>components, final List<ServiceComponent> services, final List<Finding> findings, final Project project) {
private Bom create(List<Component>components, final List<ServiceComponent> services, final List<Finding> findings, final Project project) {
if (Variant.VDR == variant) {
components = components.stream()
.filter(component -> !component.getVulnerabilities().isEmpty())
.toList();
}
final List<org.cyclonedx.model.Component> cycloneComponents = (Variant.VEX != variant && components != null) ? components.stream().map(component -> ModelConverter.convert(qm, component)).collect(Collectors.toList()) : null;
final List<org.cyclonedx.model.Service> cycloneServices = (Variant.VEX != variant && services != null) ? services.stream().map(service -> ModelConverter.convert(qm, service)).collect(Collectors.toList()) : null;
final List<org.cyclonedx.model.vulnerability.Vulnerability> cycloneVulnerabilities = (findings != null) ? findings.stream().map(finding -> ModelConverter.convert(qm, variant, finding)).collect(Collectors.toList()) : null;
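Review bot: The VDR filter added at the top of the private `create` overload calls `components.stream()` before the `components != null` guard that the following statement still applies, so a VDR export handed a null component list now throws a NullPointerException where it previously yielded a null component list. Guard the filter the same way: `if (Variant.VDR == variant && components != null) {`. A short comment on that block would also help the next reader, e.g. `// VDR: only components carrying at least one vulnerability are listed; the dependency graph must be restricted to the same set or the BOM ends up with dangling refs`. Whether a component whose only vulnerabilities are suppressed should still count as vulnerable here is not visible from the hunk; if `getVulnerabilities()` returns those as well, that is worth stating in the comment. The body of `create` continues past the hunk.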
Expand Up @@ -58,6 +58,7 @@
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
Expand Down Expand Up @@ -681,19 +682,19 @@ public static List<Dependency> generateDependencies(final Project project, final

final var dependencies = new ArrayList<Dependency>();
final var rootDependency = new Dependency(project.getUuid().toString());
rootDependency.setDependencies(convertDirectDependencies(project.getDirectDependencies()));
rootDependency.setDependencies(convertDirectDependencies(project.getDirectDependencies(), components));
dependencies.add(rootDependency);

for (final Component component : components) {
final var dependency = new Dependency(component.getUuid().toString());
dependency.setDependencies(convertDirectDependencies(component.getDirectDependencies()));
dependency.setDependencies(convertDirectDependencies(component.getDirectDependencies(), components));
dependencies.add(dependency);
}

return dependencies;
}

private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw) {
private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw, final List<Component> components) {
if (directDependenciesRaw == null || directDependenciesRaw.isBlank()) {
return Collections.emptyList();
}
Expand All @@ -705,7 +706,10 @@ private static List<Dependency> convertDirectDependencies(final String directDep
if (directDependenciesJson instanceof final JsonArray directDependenciesJsonArray) {
for (final JsonValue directDependency : directDependenciesJsonArray) {
if (directDependency instanceof final JsonObject directDependencyObject) {
dependencies.add(new Dependency(directDependencyObject.getString("uuid")));
final String componentUuid = directDependencyObject.getString("uuid", null);
if (componentUuid != null && components.stream().map(Component::getUuid).map(UUID::toString).anyMatch(componentUuid::equals)) {
dependencies.add(new Dependency(directDependencyObject.getString("uuid")));
}
}
}
}
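Review bot: In `convertDirectDependencies`, the membership test on the line `if (componentUuid != null && components.stream().map(Component::getUuid).map(UUID::toString).anyMatch(componentUuid::equals))` re-streams the whole component list and stringifies every UUID for each direct dependency, and `generateDependencies` calls it once per component, so the export now does work proportional to components² × edges on large projects. Build a `Set<String>` of component UUID strings once in `generateDependencies` and pass that instead of the list, so the check becomes a constant-time `contains`; the value already read into `componentUuid` can then be reused instead of calling `getString("uuid")` a second time. The check itself is a good addition: it stops a stale or unknown `uuid` in the stored direct-dependency JSON from producing a dangling `dependsOn` ref in the exported BOM. `generateDependencies` starts before its hunk and `convertDirectDependencies` ends after its last hunk; if `java.util.Set` or `Collectors` are not already imported in this file they would need adding.
```java
// generateDependencies: build the lookup once instead of re-streaming components per edge
final Set<String> componentUuids = components.stream()
        .map(Component::getUuid)
        .map(UUID::toString)
        .collect(Collectors.toSet());
rootDependency.setDependencies(convertDirectDependencies(project.getDirectDependencies(), componentUuids));
// … unchanged: per-component loop, now passing componentUuids …

private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw, final Set<String> componentUuids) {
    // … unchanged: blank guard and JSON parsing …
    final String componentUuid = directDependencyObject.getString("uuid", null);
    // only reference components that are actually present in the exported BOM
    if (componentUuid != null && componentUuids.contains(componentUuid)) {
        dependencies.add(new Dependency(componentUuid));
    }
```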
Expand Up @@ -540,12 +540,6 @@ public void exportProjectAsCycloneDxVdrTest() {
]
},
"components": [
{
"type": "library",
"bom-ref": "${json-unit.matches:componentWithoutVulnUuid}",
"name": "acme-lib-a",
"version": "1.0.0"
},
{
"type": "library",
"bom-ref": "${json-unit.matches:componentWithVulnUuid}",
Expand All @@ -563,16 +557,9 @@ public void exportProjectAsCycloneDxVdrTest() {
{
"ref": "${json-unit.matches:projectUuid}",
"dependsOn": [
"${json-unit.matches:componentWithoutVulnUuid}",
"${json-unit.matches:componentWithVulnAndAnalysisUuid}"
]
},
{
"ref": "${json-unit.matches:componentWithoutVulnUuid}",
"dependsOn": [
"${json-unit.matches:componentWithVulnUuid}"
]
},
{
"ref": "${json-unit.matches:componentWithVulnUuid}",
"dependsOn": []
