Extend vulnerability model to support multiple sources #3823
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KorSin
suggested changes
Mar 29, 2021
oheger-bosch
force-pushed
the
oheger-bosch/advisor/vulnerable_code_bulk_api
branch
from
6242747
to
ad01500
Compare
KorSin
suggested changes
Mar 29, 2021
sschuberth
requested changes
Mar 29, 2021
oheger-bosch
force-pushed
the
oheger-bosch/advisor/vulnerable_code_bulk_api
branch
from
ad01500
to
6e792b6
Compare
oheger-bosch
force-pushed
the
oheger-bosch/advisor/vulnerable_code_bulk_api
branch
from
6e792b6
to
c8cc47d
Compare
sschuberth
requested changes
Mar 30, 2021
oheger-bosch
force-pushed
the
oheger-bosch/advisor/vulnerable_code_bulk_api
branch
from
c8cc47d
to
055aa8f
Compare
sschuberth
reviewed
Mar 30, 2021
| .map { | ||
| Vulnerability( | ||
| it.cveId.orEmpty(), | ||
| listOf(VulnerabilityReference(URI(it.url), null, (it.cvss ?: SEVERITY_UNDEFINED).toString())) |
There was a problem hiding this comment.
I believe what we really should do here instead of
(it.cvss ?: SEVERITY_UNDEFINED).toString())
is
it.cvss?.toString() ?: UNKNOWN_SEVERITY
and introduce const UNKNOWN_SEVERITY = "Unknown" to VulnerabilityReference. But that can be done later when touching this code anyway for the bulk-fetch implementation.
sschuberth
previously approved these changes
Mar 30, 2021
|
I have added one more commit to add a custom deserializer for the |
KorSin
previously approved these changes
Mar 31, 2021
sschuberth
requested changes
Apr 7, 2021
oheger-bosch
force-pushed
the
oheger-bosch/advisor/vulnerable_code_bulk_api
branch
from
9e8c206
to
67af3a4
Compare
|
Removed breaking-change label. With the custom deserializer for vulnerabilities, this is no longer a breaking change. |
oheger-bosch
force-pushed
the
oheger-bosch/advisor/vulnerable_code_bulk_api
branch
from
67af3a4
to
25fa967
Compare
When querying vulnerability information from multiple providers information about a single vulnerability can be found at different sources. To represent such a source and the information it contains, introduce a new data class. In a later commit, the Vulnerability class will be given a list of these references. Signed-off-by: Oliver Heger <[email protected]>
oheger-bosch
force-pushed
the
oheger-bosch/advisor/vulnerable_code_bulk_api
branch
from
25fa967
to
ee6a225
Compare
sschuberth
requested changes
Apr 8, 2021
According to the NexusIQ documentation [1], the scoring system used by vulnerabilities is either CVSS2 or CVSS3; the concrete one is determined by the prefix of the reference of a vulnerability. Add a function to obtain the scoring system based on this reference. This information is needed to provide additional data for vulnerabilities as supported by the extended data model of the advisor. [1] https://guides.sonatype.com/iqserver/technical-guides/sonatype-vuln-data/#how-is-a-vulnerability-score-severity-calculated Signed-off-by: Oliver Heger <[email protected]>
The Vulnerability data class now stores a list of VulnerabilityReferences containing the information from different sources. Adapt the existing advisor implementations accordingly. Note that at this stage, there is no implementation that actually returns multiple references for a single vulnerability; but this is going to change for VulnerableCode. Signed-off-by: Oliver Heger <[email protected]>
With the changes on the data structures to store vulnerabilities, older ORT results can no longer be deserialized. To fix this, add a custom deserializer, which can handle both the old and the new format of vulnerability information. Signed-off-by: Oliver Heger <[email protected]>
oheger-bosch
force-pushed
the
oheger-bosch/advisor/vulnerable_code_bulk_api
branch
from
ee6a225
to
778a44d
Compare
sschuberth
approved these changes
Apr 8, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR prepares the full integration of VulnerableCode as an advisor.
VulnerableCode supports multiple sources of vulnerability information. Each vulnerability has a list of references to the sources from which information has been drawn. To represent this, the PR extends the data model accordingly.
Note that this is only a change of the data model, but the VulnerableCode advisor implementation is not yet updated to actually populate this data model.