From bc12f111e6ce5e6c9ae7f78c5f9f17513dd7c6e0 Mon Sep 17 00:00:00 2001
From: Mathilde
Date: Wed, 26 May 2021 17:11:08 +0100
Subject: [PATCH] fix: resolve comments and todos
---
 src/lib/convert-issue-to-spdx.ts | 52 +++----
 src/types.ts | 19 +--
 .../convert-issue-to-spdx.spec.ts.snap | 10 +-
 test/lib/__snapshots__/index.spec.ts.snap | 144 ++++++++++-------
 4 files changed, 118 insertions(+), 107 deletions(-)
diff --git a/src/lib/convert-issue-to-spdx.ts b/src/lib/convert-issue-to-spdx.ts
index d7e2f61..b020cec 100644
--- a/src/lib/convert-issue-to-spdx.ts
+++ b/src/lib/convert-issue-to-spdx.ts
@@ -1,15 +1,15 @@
-import * as allType from '../types';
+import * as types from '../types';
 function getVulnerabilityRating(
- issue: allType.SnykIssue,
-): allType.VulnerabilityRating[] {
- const vulnerabilityRatingScore: allType.VulnerabilityRatingScore = {
- base: issue.cvssScore ? issue.cvssScore.toString() : '',
+ issue: types.SnykIssue,
+): types.VulnerabilityRating[] {
+ const vulnerabilityRatingScore: types.VulnerabilityRatingScore = {
+ base: issue.cvssScore,
 exploitability: issue.exploit,
 impact: issue.semver.vulnerable[0],
 };
- const vulnerabilityRating: allType.VulnerabilityRating = {
+ const vulnerabilityRating: types.VulnerabilityRating = {
 method: issue.CVSSv3 ? 'CVSS_3' : 'undefined', // must be CVSS_2, CVSS_3, OWASP_RISK or OTHER
 score: [vulnerabilityRatingScore],
 severity: issue.severity, // exploitability score of the vulnerability either None, Low, Medium, High or Critical
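Review bot: `base: issue.cvssScore` now forwards the raw value, but `VulnerabilityRatingScore.base` is declared as plain `number` in the src/types.ts hunk at `@@ -70,13 +70,13 @@`, while the index.spec.ts.snap hunk at `@@ -1079,7 +1101,7 @@` records `"base": undefined` for the license issue, so the declared type is narrower than what is actually emitted. Either declare `base?: number;` or guard the assignment; the `string | undefined` treatment given to `category` in the same types hunk would be the consistent choice. The context line `method: issue.CVSSv3 ? 'CVSS_3' : 'undefined'` has a similar problem: it emits the literal string `'undefined'`, which the line's own comment excludes from CVSS_2, CVSS_3, OWASP_RISK or OTHER, so `'OTHER'` (or omitting the rating entirely for issues without a CVSS score) looks more faithful to that list. getVulnerabilityRating's body continues outside the hunk.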
@@ -20,14 +20,14 @@ function getVulnerabilityRating(
 }
 function getExternalReferencesRelationships(
- references: allType.SnykIssueReference[],
-): allType.ExternalReferencesRelationship[] {
- let externalReferencesRelationship: allType.ExternalReferencesRelationship[] = [];
+ references: types.SnykIssueReference[],
+): types.ExternalReferencesRelationship[] {
+ let externalReferencesRelationship: types.ExternalReferencesRelationship[] = [];
 externalReferencesRelationship = references
 ? references.map((step) => {
 return {
- category: '', // must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
+ category: undefined, // not amndatory,but should be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
 locator: step.url, // url
 };
 })
@@ -37,18 +37,18 @@ function getExternalReferencesRelationships(
 }
 function getVulnerabilityExternalReferences(
- issue: allType.SnykIssue,
-): allType.ExternalReference[] {
- const externalReference: allType.ExternalReference = {
+ issue: types.SnykIssue,
+): types.ExternalReference[] {
+ const externalReference: types.ExternalReference = {
 externalReferencesRelationships: getExternalReferencesRelationships(
 issue.references,
 ),
 modified: issue.modificationTime, // YYYY-MM-DDThh:mm:ssZ
 published: issue.publicationTime,
- withdrawn: '', // TODO I don't know where to find this one
+ withdrawn: undefined, // not mandatory, setting at undefined
 };
- const externalReferences: allType.ExternalReference[] = [externalReference];
+ const externalReferences: types.ExternalReference[] = [externalReference];
 return externalReferences;
 }
@@ -58,7 +58,7 @@ function getCwes(cwe: string[]): number[] {
 cwes = cwe
 ? cwe.map((step) => {
- return parseInt(step.slice(4, step.length));
+ return parseInt(step.replace('CWE-', ''));
 })
 : [];
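Review bot: The added comment on the `category` line reads `// not amndatory,but should be …`; it should read `// not mandatory, but should be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.` since this comment is the only documentation of the allowed values at the call site. The `let externalReferencesRelationship … = [];` declaration is overwritten by the very next statement, so `const externalReferencesRelationship = references ? references.map(…) : [];` expresses the same thing without a mutable binding. The function's closing `: []` and `return` lie outside this hunk.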
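Review bot: `withdrawn: undefined` only type-checks under `strictNullChecks` if `ExternalReference.withdrawn` admits `undefined`, and the `ExternalReference` interface is not touched anywhere in this patch (only `ExternalReferencesRelationship.category` and `VulnerabilityRatingScore.base` change in src/types.ts), so either that field is still declared `string` and the build relies on strict mode being off, or it already allows undefined — worth confirming. If it is still `string`, `withdrawn?: string;` is the matching declaration. The comment `// not mandatory, setting at undefined` restates the code; a note on why the value cannot be derived from the Snyk data (the removed TODO said as much) would help the next reader more.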
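Review bot: `parseInt(step.replace('CWE-', ''))` has no radix and no check that the remainder was numeric, so an identifier that does not have the `CWE-<n>` shape (the identifiers come from Snyk's JSON, which is external input to this converter) yields `NaN`, and that `NaN` lands silently in the `cwes: number[]` array of the output document. Prefer `Number.parseInt(step.replace('CWE-', ''), 10)` and drop non-numeric results by appending `.filter((id) => Number.isInteger(id))` to the `cwe.map(…)` expression inside this hunk. The function's `return` is outside the hunk.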
@@ -66,32 +66,32 @@ function getCwes(cwe: string[]): number[] {
 }
 function getVulnerabilityRelationship(
- issue: allType.SnykIssue,
-): allType.VulnerabilityRelationship[] {
- const vulnerabilityAffect: allType.AffectedBy = {
+ issue: types.SnykIssue,
+): types.VulnerabilityRelationship[] {
+ const vulnerabilityAffect: types.AffectedBy = {
 to: issue.from,
 type: 'AFFECTS',
 };
- const vulnerabilityfoundBy: allType.AffectedBy = {
+ const vulnerabilityfoundBy: types.AffectedBy = {
 to: issue.credit,
 type: 'FOUND_BY',
 };
 // not mandatory, unclear what should be in here
- const vulnerabilitySuppliedBy: allType.AffectedBy = {
+ const vulnerabilitySuppliedBy: types.AffectedBy = {
 to: issue.credit,
 type: 'SUPPLIED_BY',
 };
- const ratedBy: allType.RatedBy = {
- cwes: getCwes(issue.cwe),
+ const ratedBy: types.RatedBy = {
+ cwes: issue.identifiers ? getCwes(issue.identifiers.CWE) : [],
 rating: getVulnerabilityRating(issue),
- to: issue.credit, // TODO: we might need to get that one reviewed, doc is unclear
+ to: issue.credit,
 type: 'RATED_BY',
 };
- const relationship: allType.VulnerabilityRelationship[] = [
+ const relationship: types.VulnerabilityRelationship[] = [
 {
 affect: vulnerabilityAffect,
 foundBy: vulnerabilityfoundBy,
@@ -103,7 +103,7 @@ function getVulnerabilityRelationship(
 return relationship;
 }
-export function convertSnykIssueToSpdx(issue: any): allType.Vulnerability {
+export function convertSnykIssueToSpdx(issue: any): types.Vulnerability {
 return {
 id: issue.id,
 name: issue.id,
diff --git a/src/types.ts b/src/types.ts
index a5003ac..996b6e3 100644
--- a/src/types.ts
+++ b/src/types.ts
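Review bot: `cwes: issue.identifiers ? getCwes(issue.identifiers.CWE) : []` guards against a missing `identifiers`, yet the src/types.ts hunk at `@@ -149,6 +148,7 @@` declares `identifiers: SnykIssueIdentifiers;` as required, so the type and the code disagree about whether Snyk issues always carry it; if they may not (the guard suggests the author expects so), declare it `identifiers?: SnykIssueIdentifiers;`, and note that `getCwes` already tolerates an undefined argument through its own `cwe ?` check. The commit also deletes the `// TODO: we might need to get that one reviewed, doc is unclear` on `to: issue.credit` for `RATED_BY` without changing the value, while the rating it carries is built from `issue.cvssScore`, i.e. presumably Snyk's assessment rather than the credited reporters'; the open question should stay visible, e.g. `// RATED_BY points at issue.credit, but the rating itself comes from Snyk's cvssScore — confirm this is the intended party`. getVulnerabilityRelationship continues past the end of the hunk.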
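Review bot: `export function convertSnykIssueToSpdx(issue: any)` keeps `any` on the one exported entry point while every helper it passes `issue` to takes `types.SnykIssue`, so the conversion is unchecked at the boundary and `issue.id` on the following line could be anything. Declaring it `issue: types.SnykIssue` makes the compiler check the field accesses the helpers rely on; callers feeding parsed JSON can validate or narrow before calling. The function body continues beyond this hunk.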
@@ -70,13 +70,13 @@ export interface VulnerabilityRating {
 }
 export interface VulnerabilityRatingScore {
- base: string;
+ base: number;
 exploitability: string;
 impact: string;
 }
 export interface ExternalReferencesRelationship {
- category: string // must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
+ category: string | undefined// must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
 locator: string // url
 }
@@ -135,7 +135,6 @@ export interface ProfilePackage {
 export interface SnykIssue {
 id: string;
- cwe: string[];
 title : string;
 description : string;
 from: string[];
@@ -149,6 +148,7 @@ export interface SnykIssue {
 publicationTime: string;
 references: SnykIssueReference[];
 creationTime: string;
+ identifiers: SnykIssueIdentifiers;
 }
 export interface SnykIssueSemver {
@@ -211,16 +211,6 @@ export interface DependencyPins {
 export interface PinRemediation extends UpgradeVulns {
 isTransitive: boolean;
 }
-// TODO: add more as needed
-// add only fields needed for conversion
-export interface SnykIssue {
- id: string;
- title: string;
- description: string;
- from: string[];
- credit: string[];
- identifiers: SnykIssueIdentifiers[];
-}
 interface SnykIssueIdentifiers {
 ALTERNATIVE?: string[];
@@ -229,6 +219,3 @@ interface SnykIssueIdentifiers {
 NSP?: number;
 }
-export interface SnykTestOutput {
- vulnerabilities: SnykIssue[];
-}
diff --git a/test/lib/__snapshots__/convert-issue-to-spdx.spec.ts.snap b/test/lib/__snapshots__/convert-issue-to-spdx.spec.ts.snap
index cf5fa88..6f525f8 100644
--- a/test/lib/__snapshots__/convert-issue-to-spdx.spec.ts.snap
+++ b/test/lib/__snapshots__/convert-issue-to-spdx.spec.ts.snap
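Review bot: `category: string | undefined// must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.` lacks a space before the comment and leaves the allowed values as prose only, so the compiler cannot enforce them; `category?: 'ADVISORY' | 'ARTICLE' | 'FIX' | 'REPORT' | 'OTHER';` encodes the same contract and matches how the field is now produced (`undefined`). The members of `ExternalReferencesRelationship` also omit the trailing semicolons (`locator: string // url`) that `VulnerabilityRatingScore` in the same hunk uses.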
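Review bot: `identifiers: SnykIssueIdentifiers;` adds a member whose type is a non-exported interface to the exported `SnykIssue` (the `interface SnykIssueIdentifiers {` context line in the `@@ -211,16 +211,6 @@` hunk carries no `export`), which tsc rejects when declaration emit is enabled (TS4033, if I recall the code correctly); if this package publishes its types, export that interface. The removed duplicate declared the field as `SnykIssueIdentifiers[]` while the new one is a single object, which the new `issue.identifiers.CWE` access in convert-issue-to-spdx.ts agrees with — a one-line comment on the field, e.g. `// one identifiers object per issue, not an array`, would stop the next reader from reintroducing the array form.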
@@ -73,13 +73,13 @@ Upgrade \`json\` to version 2.3.0 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/", }, ], "modified": "2020-06-12T14:37:02.660300Z", "published": "2020-03-19T16:04:21Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-RUBY-JSON-560838", @@ -100,13 +100,15 @@ Upgrade \`json\` to version 2.3.0 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 400, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "9.3", + "base": 9.3, "exploitability": "Not Defined", "impact": "<2.3.0", }, diff --git a/test/lib/__snapshots__/index.spec.ts.snap b/test/lib/__snapshots__/index.spec.ts.snap index d657ed2..2df1026 100644 --- a/test/lib/__snapshots__/index.spec.ts.snap +++ b/test/lib/__snapshots__/index.spec.ts.snap @@ -74,13 +74,13 @@ Upgrade \`json\` to version 2.3.0 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/", }, ], "modified": "2020-06-12T14:37:02.660300Z", "published": "2020-03-19T16:04:21Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-RUBY-JSON-560838", @@ -101,13 +101,15 @@ Upgrade \`json\` to version 2.3.0 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 400, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "9.3", + "base": 9.3, "exploitability": "Not Defined", "impact": "<2.3.0", }, 
@@ -143,13 +145,13 @@ Affected versions of this gem are vulnerable to arbitrary command executions due Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "http://rubysec.com/advisories/OSVDB-108579", }, ], "modified": "2019-05-30T11:55:49.846131Z", "published": "2014-06-29T21:00:00Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-RUBY-LYNX-20160", @@ -170,13 +172,15 @@ Affected versions of this gem are vulnerable to arbitrary command executions due "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 77, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "5.6", + "base": 5.6, "exploitability": "Not Defined", "impact": ">= 0", }, @@ -212,13 +216,13 @@ Affected versions of this gem are vulnerable due to a flaw in \`command/basic.rb Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "http://rubysec.com/advisories/CVE-2014-5002", }, ], "modified": "2019-05-30T11:55:50.567117Z", "published": "2014-06-29T21:00:00Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-RUBY-LYNX-20161", @@ -239,13 +243,15 @@ Affected versions of this gem are vulnerable due to a flaw in \`command/basic.rb "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 200, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "7.8", + "base": 7.8, "exploitability": "Not Defined", "impact": ">= 0", }, 
@@ -290,21 +296,21 @@ Upgrade \`django\` to version 2.2.19, 3.0.13, 3.1.7 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://www.djangoproject.com/weblog/2021/feb/19/security-releases/", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/commit/be8237c7cce24b06aabde0b97afce98ddabbe3b6", }, Object { - "category": "", + "category": undefined, "locator": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/", }, ], "modified": "2021-02-19T15:54:22.876737Z", "published": "2021-02-19T15:54:23.197747Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-PYTHON-DJANGO-1076802", @@ -325,13 +331,15 @@ Upgrade \`django\` to version 2.2.19, 3.0.13, 3.1.7 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 444, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "5.9", + "base": 5.9, "exploitability": "Not Defined", "impact": "[2.2,2.2.19)", }, 
@@ -402,29 +410,29 @@ Upgrade \`django\` to version 2.2.20, 3.0.14, 3.1.8 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/commit/2820fd1be5dfccbf1216c3845fad8580502473e1", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/commit/cca0d98118cccf9ae0c6dcf2d6c57fc50469fbf0", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/commit/d4d800ca1addc4141e03c5440a849bb64d1582cd", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/commit/e7fba62248f604c76da4f23dcf1db4a57b0808ea", }, ], "modified": "2021-04-06T13:57:02.213825Z", "published": "2021-04-06T13:57:02.482219Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-PYTHON-DJANGO-1090612", @@ -445,13 +453,15 @@ Upgrade \`django\` to version 2.2.20, 3.0.14, 3.1.8 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 22, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "3.7", + "base": 3.7, "exploitability": "Not Defined", "impact": "[2.2, 2.2.20)", }, 
@@ -519,17 +529,17 @@ Upgrade \`django\` to version 2.2.21, 3.1.9, 3.2.1 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://www.djangoproject.com/weblog/2021/may/04/security-releases/", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007", }, ], "modified": "2021-05-04T14:45:09.894750Z", "published": "2021-05-04T14:45:10.137628Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-PYTHON-DJANGO-1279042", @@ -550,13 +560,15 @@ Upgrade \`django\` to version 2.2.21, 3.1.9, 3.2.1 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 22, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "3.3", + "base": 3.3, "exploitability": "Not Defined", "impact": "[, 2.2.21)", }, @@ -599,25 +611,25 @@ Upgrade \`django\` to version 3.2.2, 3.1.10, 2.2.22 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://www.djangoproject.com/weblog/2021/may/06/security-releases/", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/commit/e1e81aa1c4427411e3c68facdd761229ffea6f6f", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/django/django/pull/14360", }, Object { - "category": "", + "category": undefined, "locator": "https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1804086.html", }, ], "modified": "2021-05-06T15:41:43.922301Z", "published": "2021-05-06T15:41:44.175836Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-PYTHON-DJANGO-1290072", 
@@ -638,13 +650,15 @@ Upgrade \`django\` to version 3.2.2, 3.1.10, 2.2.22 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 644, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "7.3", + "base": 7.3, "exploitability": "Not Defined", "impact": "[3.2,3.2.2)", }, @@ -752,17 +766,17 @@ Upgrade \`jinja2\` to version 2.11.3 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/pallets/jinja/pull/1343", }, ], "modified": "2021-02-01T19:52:16.877030Z", "published": "2021-02-01T19:52:17Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-PYTHON-JINJA2-1012994", @@ -783,13 +797,15 @@ Upgrade \`jinja2\` to version 2.11.3 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 400, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "5.3", + "base": 5.3, "exploitability": "Proof of Concept", "impact": "[,2.11.3)", }, @@ -827,13 +843,13 @@ Upgrade \`jinja2\` to version 2.10.1 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://palletsprojects.com/blog/jinja-2-10-1-released", }, ], "modified": "2020-06-12T14:36:55.661596Z", "published": "2019-04-07T00:42:43Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-PYTHON-JINJA2-174126", @@ -854,13 +870,15 @@ Upgrade \`jinja2\` to version 2.10.1 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 265, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "6", + "base": 6, "exploitability": "Not Defined", "impact": "[,2.10.1)", }, 
@@ -902,29 +920,29 @@ FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary direc Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/mitsuhiko/jinja2/pull/292", }, Object { - "category": "", + "category": undefined, "locator": "https://github.com/mitsuhiko/jinja2/pull/296", }, Object { - "category": "", + "category": undefined, "locator": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0012", }, Object { - "category": "", + "category": undefined, "locator": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421", }, ], "modified": "2019-02-17T08:46:41.648104Z", "published": "2014-01-18T05:33:40.101000Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-PYTHON-JINJA2-40250", @@ -945,13 +963,15 @@ FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary direc "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 264, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "5.3", + "base": 5.3, "exploitability": "Not Defined", "impact": "[2.7.2]", }, @@ -989,13 +1009,13 @@ Upgrade \`jinja2\` to version 2.8.1 or higher. Object { "externalReferencesRelationships": Array [ Object { - "category": "", + "category": undefined, "locator": "https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16", }, ], "modified": "2020-06-12T14:36:58.461729Z", "published": "2019-07-30T13:11:16Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "SNYK-PYTHON-JINJA2-455616", 
@@ -1016,13 +1036,15 @@ Upgrade \`jinja2\` to version 2.8.1 or higher. "type": "FOUND_BY", }, "ratedBy": Object { - "cwes": Array [], + "cwes": Array [ + 234, + ], "rating": Array [ Object { "method": "CVSS_3", "score": Array [ Object { - "base": "8.6", + "base": 8.6, "exploitability": "Not Defined", "impact": "[2.5, 2.8.1)", }, @@ -1053,7 +1075,7 @@ Upgrade \`jinja2\` to version 2.8.1 or higher. "externalReferencesRelationships": Array [], "modified": undefined, "published": "2021-05-23T11:15:36.845Z", - "withdrawn": "", + "withdrawn": undefined, }, ], "id": "snyk:lic:pip:pytz:MIT", @@ -1079,7 +1101,7 @@ Upgrade \`jinja2\` to version 2.8.1 or higher. "method": "undefined", "score": Array [ Object { - "base": "", + "base": undefined, "exploitability": undefined, "impact": "[2005a,)", },