Port cyclonedx vex importer change from upstream #368

Merged
merged 1 commit into from
Oct 19, 2023
Expand Up @@ -18,12 +18,12 @@
*/
package org.dependencytrack.parser.cyclonedx;

import alpine.common.logging.Logger;
import org.apache.commons.lang3.StringUtils;
import org.cyclonedx.model.Bom;
import org.cyclonedx.util.BomLink;
import org.cyclonedx.util.ObjectLocator;
import org.dependencytrack.model.Analysis;
import org.dependencytrack.model.AnalysisComment;
import org.dependencytrack.model.AnalysisJustification;
import org.dependencytrack.model.AnalysisResponse;
import org.dependencytrack.model.AnalysisState;
Expand All @@ -34,47 +34,51 @@
import org.dependencytrack.parser.cyclonedx.util.ModelConverter;
import org.dependencytrack.persistence.QueryManager;
import org.dependencytrack.util.AnalysisCommentUtil;

import java.util.List;

public class CycloneDXVexImporter {

private static final Logger LOGGER = Logger.getLogger(CycloneDXVexImporter.class);
private static final String COMMENTER = "CycloneDX VEX";

public void applyVex(final QueryManager qm, final Bom bom, final Project project) {
if (bom.getVulnerabilities() == null) return;
List<org.cyclonedx.model.vulnerability.Vulnerability> auditableVulnerabilities = bom.getVulnerabilities().stream().filter(
bomVuln -> bomVuln.getSource() == null || Vulnerability.Source.isKnownSource(bomVuln.getSource().getName())
).toList();
for (org.cyclonedx.model.vulnerability.Vulnerability cdxVuln: auditableVulnerabilities) {
for (org.cyclonedx.model.vulnerability.Vulnerability cdxVuln : auditableVulnerabilities) {
if (cdxVuln.getAnalysis() == null) continue;
final List<Vulnerability> vulns = qm.getVulnerabilities(project, true);
if (vulns == null) continue;
for (final Vulnerability vuln: vulns) {
for (final Vulnerability vuln : vulns) {
// NOTE: These vulnerability objects are detached
if (shouldAuditVulnerability(cdxVuln, vuln)) {

if (cdxVuln.getAffects() == null) continue;
for (org.cyclonedx.model.vulnerability.Vulnerability.Affect affect: cdxVuln.getAffects()) {
for (org.cyclonedx.model.vulnerability.Vulnerability.Affect affect : cdxVuln.getAffects()) {
final ObjectLocator ol = new ObjectLocator(bom, affect.getRef()).locate();
if ((ol.found() && ol.isMetadataComponent()) || (!ol.found() && BomLink.isBomLink(affect.getRef()))) {
// Affects the project itself
List<Component> components = qm.getAllVulnerableComponents(project, vuln, true);
for (final Component component: components) {
for (final Component component : components) {
updateAnalysis(qm, component, vuln, cdxVuln);
}
} else if (ol.found() && ol.isComponent()) {
// Affects an individual component
final org.cyclonedx.model.Component cdxComponent = (org.cyclonedx.model.Component)ol.getObject();
final org.cyclonedx.model.Component cdxComponent = (org.cyclonedx.model.Component) ol.getObject();
final ComponentIdentity cid = new ComponentIdentity(cdxComponent);
List<Component> components = qm.matchIdentity(project, cid);
for (final Component component: components) {
for (final Component component : components) {
updateAnalysis(qm, component, vuln, cdxVuln);
}
} else if (ol.found() && ol.isService()) {
// Affects an individual service
// TODO add VEX support for services
}
}
} else {
LOGGER.warn("Analysis data for vulnerability " + cdxVuln.getId() + " will be ignored because either the source is missing or there is a source/vulnid mismatch between VEX and Dependency Track database.");
}
}
}
Expand Down Expand Up @@ -115,7 +119,7 @@ private void updateAnalysis(final QueryManager qm, final Component component, fi
AnalysisCommentUtil.makeAnalysisDetailsComment(qm, analysis, cdxVuln.getAnalysis().getDetail().trim(), COMMENTER);
}
if (cdxVuln.getAnalysis().getResponses() != null) {
for (org.cyclonedx.model.vulnerability.Vulnerability.Analysis.Response cdxRes: cdxVuln.getAnalysis().getResponses()) {
for (org.cyclonedx.model.vulnerability.Vulnerability.Analysis.Response cdxRes : cdxVuln.getAnalysis().getResponses()) {
analysisResponse = ModelConverter.convertCdxVulnAnalysisResponseToDtAnalysisResponse(cdxRes);
AnalysisCommentUtil.makeAnalysisResponseComment(qm, analysis, analysisResponse, COMMENTER);
}
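Review bot: The warning in the else branch near the end of the second hunk sits inside `for (final Vulnerability vuln : vulns)`, so for each VEX entry it fires once per project vulnerability that does not match, and it says the analysis "will be ignored" even when another iteration of the same loop has just applied it to the matching vulnerability. Track whether any match occurred and warn once after the loop instead; the else branch looks newly added here, while the rest of `applyVex` is unchanged apart from spacing. The id interpolated into that message comes straight from the uploaded VEX document via `cdxVuln.getId()`, so whatever it contains, line breaks included, lands verbatim in the log line — relevant if the log is machine-parsed. Separately, `qm.getVulnerabilities(project, true)` on the line before that loop does not depend on `cdxVuln` and could be fetched once before the outer loop.
```java
            boolean matched = false;
            for (final Vulnerability vuln : vulns) {
                // NOTE: These vulnerability objects are detached
                if (shouldAuditVulnerability(cdxVuln, vuln)) {
                    matched = true;
                    // … unchanged: affects handling …
                }
            }
            if (!matched) {
                LOGGER.warn("Analysis data for vulnerability " + cdxVuln.getId() + " will be ignored because either the source is missing or there is a source/vulnid mismatch between VEX and Dependency Track database.");
            }
```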