Add a custom deserializer for the Vulnerability class

With the changes on the data structures to store vulnerabilities, older ORT results can no longer be deserialized. To fix this, add a custom deserializer, which can handle both the old and the new format of vulnerability information. Signed-off-by: Oliver Heger <[email protected]>
oss-review-toolkit · Apr 8, 2021 · 778a44d · 778a44d
1 parent 174402b
commit 778a44d
Show file tree

Hide file tree

Showing 4 changed files with 12,603 additions and 0 deletions.
diff --git a/model/src/main/kotlin/Vulnerability.kt b/model/src/main/kotlin/Vulnerability.kt
@@ -19,12 +19,22 @@
 
 package org.ossreviewtoolkit.model
 
+import com.fasterxml.jackson.core.JsonParser
+import com.fasterxml.jackson.databind.DeserializationContext
+import com.fasterxml.jackson.databind.JsonNode
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize
+import com.fasterxml.jackson.databind.deser.std.StdDeserializer
+import com.fasterxml.jackson.module.kotlin.jacksonTypeRef
+
+import java.net.URI
+
 /**
  * Base model for all vulnerability providers supported by the advisor.
  *
  * This class stores the information about a single vulnerability, which may have been retrieved from multiple
  * vulnerability providers. For each source of information a [VulnerabilityReference] is contained.
  */
+@JsonDeserialize(using = VulnerabilityDeserializer::class)
 data class Vulnerability(
     /**
      * The ID of a vulnerability. Most likely a CVE identifier.
@@ -94,3 +104,26 @@ data class Vulnerability(
         }
     }
 }
+
+/**
+ * A custom deserializer to support the deserialization of [Vulnerability] instances using an older format, in which
+ * detailed information was embedded into the class rather than externalized in [VulnerabilityReference] objects.
+ */
+private class VulnerabilityDeserializer : StdDeserializer<Vulnerability>(Vulnerability::class.java) {
+    override fun deserialize(p: JsonParser, ctx: DeserializationContext): Vulnerability {
+        val vulnerabilityNode = p.codec.readTree<JsonNode>(p)
+        val id = vulnerabilityNode["id"].textValue()
+
+        return if (vulnerabilityNode["references"] != null) {
+            val references = jsonMapper.convertValue(
+                vulnerabilityNode["references"], jacksonTypeRef<List<VulnerabilityReference>>()
+            )
+            Vulnerability(id, references)
+        } else {
+            val severity = vulnerabilityNode["severity"].floatValue()
+            val uri = vulnerabilityNode["url"].textValue()
+            val reference = VulnerabilityReference(URI(uri), null, severity.toString())
+            Vulnerability(id, listOf(reference))
+        }
+    }
+}