Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New feature: VulnDB Aliases! #3588

Merged
merged 6 commits into from
Apr 7, 2024
Merged

New feature: VulnDB Aliases! #3588

merged 6 commits into from
Apr 7, 2024

Conversation

LaVibeX
Copy link
Contributor

@LaVibeX LaVibeX commented Mar 28, 2024

VulnDB vulnerabilities now include an Aliases function.

Description

VulnDB is an important vulnerability database that provides great benefit to Dependency Track. Although we can see the assigned CVE ID in the References section, it is not used as an alias.

This PR takes paired CVE and added as an VulnDB Alias.
image

I am also introducing a ModelConverterTest, which is important to demonstrate the correct conversion between a VulnDB vulnerability object and a Dependency-Track vulnerability object.

Addressed Issue

This PR address the Issue #3580

Additional Details

It is important to verify that the string provided as "CVE" is correct. That is why the getValidCveId function was created and tested. Regex will match any introduced string with the correct CVE pattern.

VulnDB vulnerabilities come with two sources of information: the CVSS and nvdAdditionalInfo fields. The last source will always be preferred over the others. However, in case that field is empty, the cveId from the CVSS fields will be used.

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@LaVibeX
Introducing Alias feature to VulnDB vulnerabilities
621f1a6 
In this commit, we have introduced a new feature that computes
and synchronizes CVE Aliases for vulnerabilities sourced from VulnDB.
By extracting paired CVE information from the nvdAdditionalInfo, we are able
to set an Alias.

Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
@LaVibeX
Merge branch 'master' of https://github.com/DependencyTrack/dependenc…
eb8ba13 
…y-track into VulnDB_Aliases
@LaVibeX
No need to add new column in vulnerability table
f624876 
-Use metric.cveId if nvdAdditionalInfo() is null
-There is no need to add a new column in the vulnerability table
-Changes were done after a code review.
-setAliases in vulndb/ModelConverter.java instead of VulnDbSyncTask.

Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
@LaVibeX
mapping problem in CVSS3 metrics
ee452ae 
cveId was receiving the value from source and vice versa

Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
@LaVibeX
Add tests for ModelConverter and CveResolver
1360c68 
Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
@codacy-production Codacy Production
Copy link

codacy-production bot commented Mar 28, 2024
edited
Loading

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
+0.44% (target: -1.00%) 100.00% (target: 70.00%)
Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (b764bc4) 21606 16001 74.06%
Head commit (65f13b6) 21649 (+43) 16128 (+127) 74.50% (+0.44%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#3588) 28 28 100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

You may notice some variations in coverage metrics with the latest Coverage engine update. For more details, visit the documentation

@nscuro nscuro added enhancement New feature or request integration/vulndb Related to the VulnDB integration labels Apr 2, 2024
@nscuro nscuro added this to the 4.11 milestone Apr 2, 2024
@LaVibeX
Changes and suggestions by nscuro
65f13b6 
Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
@LaVibeX LaVibeX requested a review from nscuro April 3, 2024 13:17
nscuro
nscuro approved these changes Apr 7, 2024
View reviewed changes
Copy link
Member

@nscuro nscuro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @LaVibeX!

@nscuro nscuro merged commit cbe0547 into DependencyTrack:master Apr 7, 2024
12 checks passed
@nscuro nscuro mentioned this pull request Apr 29, 2024
Closed
2 tasks
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 8, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@nscuro nscuro nscuro approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request integration/vulndb Related to the VulnDB integration
Projects
None yet
Milestone
4.11
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@LaVibeX @nscuro