Merge pull request #33 from snyk-tech-services/fix/move-vuln-dates

Fix/move vuln dates
snyk-tech-services · May 27, 2021 · cd28721 · cd28721
2 parents 9b4965f + 67256d0
commit cd28721
Show file tree

Hide file tree

Showing 5 changed files with 179 additions and 270 deletions.
diff --git a/src/lib/convert-issue-to-spdx.ts b/src/lib/convert-issue-to-spdx.ts
@@ -1,18 +1,22 @@
 import * as types from '../types';
 
+function capitalize(str: string): string {
+  return str[0].toUpperCase() + str.slice(1);
+}
+
 function getVulnerabilityRating(
   issue: types.SnykIssue,
 ): types.VulnerabilityRating[] {
   const vulnerabilityRatingScore: types.VulnerabilityRatingScore = {
     base: issue.cvssScore,
-    exploitability: issue.exploit,
-    impact: issue.semver.vulnerable[0],
+    exploitability: null,
+    impact: null,
   };
 
   const vulnerabilityRating: types.VulnerabilityRating = {
     method: issue.CVSSv3 ? 'CVSS_3' : undefined, // must be CVSS_2, CVSS_3, OWASP_RISK or OTHER
     score: [vulnerabilityRatingScore],
-    severity: issue.severity, // exploitability score of the vulnerability either None, Low, Medium, High or Critical
+    severity: capitalize(issue.severity), // exploitability score of the vulnerability either None, Low, Medium, High or Critical
     vector: issue.CVSSv3,
   };
 
@@ -22,48 +26,14 @@ function getVulnerabilityRating(
 function getExternalReferencesRelationships(
   references: types.SnykIssueReference[],
 ): types.ExternalReferencesRelationship[] {
-  let externalReferencesRelationship: types.ExternalReferencesRelationship[] =
-    [];
-
-  externalReferencesRelationship = references
-    ? references.map((step) => {
-        return {
-          category: 'ADVISORY', // not mandatory,but should be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
-          locator: step.url, // url
-        };
-      })
-    : [];
-
-  return externalReferencesRelationship;
-}
-
-function getVulnerabilityExternalReferences(
-  issue: types.SnykIssue,
-): types.ExternalReference[] {
-  const externalReference: types.ExternalReference = {
-    externalReferencesRelationships: getExternalReferencesRelationships(
-      issue.references,
-    ),
-    modified: issue.modificationTime, // YYYY-MM-DDThh:mm:ssZ
-    published: issue.publicationTime,
-    withdrawn: undefined, // not mandatory, setting at undefined
-  };
-
-  const externalReferences: types.ExternalReference[] = [externalReference];
-
-  return externalReferences;
+  return references.map((reference) => ({
+    category: 'ADVISORY', // not mandatory, but should be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
+    locator: reference.url, // url
+  }));
 }
 
-function getCwes(cwe: string[]): number[] {
-  let cwes: number[] = [];
-
-  cwes = cwe
-    ? cwe.map((step) => {
-        return parseInt(step.replace('CWE-', ''));
-      })
-    : [];
-
-  return cwes;
+function getCWES(cwe: string[]): number[] {
+  return cwe.map((step) => parseInt(step.replace('CWE-', '')));
 }
 
 function getVulnerabilityRelationship(
@@ -86,7 +56,7 @@ function getVulnerabilityRelationship(
   };
 
   const ratedBy: types.RatedBy = {
-    cwes: issue.identifiers ? getCwes(issue.identifiers.CWE) : [],
+    cwes: issue.identifiers.CWE ? getCWES(issue.identifiers.CWE) : [],
     rating: getVulnerabilityRating(issue),
     to: issue.credit,
     type: 'RATED_BY',
@@ -113,6 +83,8 @@ export function convertSnykIssueToSpdx(
     summary: issue.title,
     details: issue.description,
     relationships: getVulnerabilityRelationship(issue),
-    externalReferences: getVulnerabilityExternalReferences(issue),
+    externalReferences: getExternalReferencesRelationships(issue.references),
+    modified: issue.modificationTime, // YYYY-MM-DDThh:mm:ssZ
+    published: issue.publicationTime,
   };
 }
diff --git a/src/lib/index.ts b/src/lib/index.ts
@@ -1,5 +1,5 @@
 import 'source-map-support/register';
-import { SnykIssue, SnykTestOutput, SPDXv3, Profile } from '../types';
+import { SnykTestOutput, SPDXv3, Profile } from '../types';
 import { convertSnykIssueToSpdx } from './convert-issue-to-spdx';
 import { generateDocumentNameSpace } from './generate-document-namespace';
 export { getInputData } from './get-input-data';
@@ -18,7 +18,7 @@ export function convertSnykTestOutputToSPDX(data: SnykTestOutput): SPDXv3 {
     description: `Snyk test result for project ${data.projectName} in SPDX SBOM format`,
     created: getDate(),
     vulnerabilities: data.vulnerabilities
-      .filter((i: SnykIssue) => i.type == undefined)
-      .map((i: SnykIssue) => convertSnykIssueToSpdx(i)),
+      .filter((i) => i.type !== 'license')
+      .map((i) => convertSnykIssueToSpdx(i)),
   };
 }
diff --git a/src/types.ts b/src/types.ts
@@ -39,6 +39,9 @@ export interface Vulnerability {
   details: string; //string, multi line may include steps to reproduce, detail impact analysis or remediation guidance
   relationships: VulnerabilityRelationship[]; //field provides information about the relationships between the vulnerability and other SPDX elements.
   externalReferences?: ExternalReference[];
+  modified?: string; // YYYY-MM-DDThh:mm:ssZ
+  published?: string; // YYYY-MM-DDThh:mm:ssZ
+  withdrawn?: string; // YYYY-MM-DDThh:mm:ssZ
 }
 
 export interface VulnerabilityRelationship {
@@ -69,23 +72,18 @@ export interface VulnerabilityRating {
 }
 
 export interface VulnerabilityRatingScore {
-      base: number;
-      exploitability: string;
-      impact: string;
-  }
-  
+  base: number;
+  exploitability: string | null;
+  impact: string | null;
+}
+
 export interface ExternalReferencesRelationship {
-      category: string | undefined // must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
-      locator: string // url
-  }
-
-export interface ExternalReference {
-  externalReferencesRelationships: ExternalReferencesRelationship[];
-  modified?: string; // YYYY-MM-DDThh:mm:ssZ
-  published?: string; // YYYY-MM-DDThh:mm:ssZ
-  withdrawn?: string; // YYYY-MM-DDThh:mm:ssZ
+  category: string | undefined; // must be either ADVISORY, ARTICLE, FIX, REPORT or OTHER.
+  locator: string; // url
 }
 
+export type ExternalReference = ExternalReferencesRelationship;
+
 export interface DefectResponse {
   id: string;
   type: string; // CANT_FIX_VULNERABILITY, INEFFECTIVE_VULNERABILITY, INVALID_MATCH_VULNERABILITY, MITIGATED_VULNERABILITY, ROLLBACK, UPDATE, WILL_NOT_FIX_VULNERABILITY, WORKAROUND_FOR_VULNERABILITY
@@ -134,21 +132,21 @@ interface ProfileVulnerability {
 
 export interface SnykIssue {
   id: string;
-  title : string;
-  description : string;
+  title: string;
+  description: string;
   from: string[];
   credit: string[];
   cvssScore: number;
   severity: string;
   CVSSv3: string;
   exploit: string;
+  type?: string; // only present on License issues
   semver: SnykIssueSemver;
   modificationTime: string;
   publicationTime: string;
   references: SnykIssueReference[];
   creationTime: string;
   identifiers: SnykIssueIdentifiers;
-  type : string | undefined;
 }
 
 export interface SnykIssueSemver {
@@ -218,4 +216,3 @@ interface SnykIssueIdentifiers {
   CVE: string[];
   NSP?: number;
 }
-
diff --git a/test/unit/lib/__snapshots__/convert-issue-to-spdx.spec.ts.snap b/test/unit/lib/__snapshots__/convert-issue-to-spdx.spec.ts.snap
@@ -71,19 +71,14 @@ Upgrade \`json\` to version 2.3.0 or higher.
 ",
   "externalReferences": Array [
     Object {
-      "externalReferencesRelationships": Array [
-        Object {
-          "category": "ADVISORY",
-          "locator": "https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/",
-        },
-      ],
-      "modified": "2020-06-12T14:37:02.660300Z",
-      "published": "2020-03-19T16:04:21Z",
-      "withdrawn": undefined,
+      "category": "ADVISORY",
+      "locator": "https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/",
     },
   ],
   "id": "SNYK-RUBY-JSON-560838",
+  "modified": "2020-06-12T14:37:02.660300Z",
   "name": "SNYK-RUBY-JSON-560838",
+  "published": "2020-03-19T16:04:21Z",
   "relationships": Array [
     Object {
       "affect": Object {
@@ -109,11 +104,11 @@ Upgrade \`json\` to version 2.3.0 or higher.
             "score": Array [
               Object {
                 "base": 9.3,
-                "exploitability": "Not Defined",
-                "impact": "<2.3.0",
+                "exploitability": null,
+                "impact": null,
               },
             ],
-            "severity": "high",
+            "severity": "High",
             "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
           },
         ],