New feature: VulnDB Aliases! #3588
Conversation
In this commit, we have introduced a new feature that computes and synchronizes CVE Aliases for vulnerabilities sourced from VulnDB. By extracting paired CVE information from the nvdAdditionalInfo, we are able to set an Alias. Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
…y-track into VulnDB_Aliases
- Use metric.cveId if nvdAdditionalInfo() is null
- There is no need to add a new column in the vulnerability table
- Changes were done after a code review.
- setAliases in vulndb/ModelConverter.java instead of VulnDbSyncTask.
Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
cveId was receiving the value from source and vice versa Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
Thanks @LaVibeX!
VulnDB vulnerabilities now include an Aliases function.
Description
VulnDB is an important vulnerability database that provides great benefit to Dependency Track. Although we can see the assigned CVE ID in the References section, it is not used as an alias.
This PR takes the paired CVE and adds it as a VulnDB Alias.
![image](https://private-user-images.githubusercontent.com/52439101/317773237-431c3076-6ef8-446a-9b1c-9f496156e7b5.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.SaDvAnKH003c9wRdhBXUv6iuK0mOLkm1OrdAY_SBMN4)
I am also introducing a ModelConverterTest, which is important to demonstrate the correct conversion between a VulnDB vulnerability object and a Dependency-Track vulnerability object.
Addressed Issue
This PR addresses Issue #3580.
Additional Details
It is important to verify that the string provided as "CVE" is correct. That is why the getValidCveId function was created and tested. The regex will match any supplied string with the correct CVE pattern.
VulnDB vulnerabilities come with two sources of information: the CVSS and nvdAdditionalInfo fields. The latter source will always be preferred. However, if that field is empty, the cveId from the CVSS fields will be used.
Checklist
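The validation and fallback order described under Additional Details, as an added standalone Java illustration. This is not the PR's or Dependency-Track's own CveResolver/ModelConverter code: the class, method and record names, the anchored CVE regex, the case normalization, and the sample records below are all assumptions made for the example.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration of the alias logic the PR text describes. Names here are
 * assumptions for the example, not Dependency-Track's own API.
 */
public final class VulnDbAliasExample {

    // Official CVE ID syntax: "CVE-", a four-digit year, a hyphen, four or more digits.
    // Anchored with ^ and $ so a longer string that merely contains a CVE ID is rejected;
    // only a whole, well-formed identifier becomes an alias.
    private static final Pattern CVE_ID = Pattern.compile("^CVE-(\\d{4})-(\\d{4,})$");

    /** Returns the canonical CVE ID if the input is well-formed, otherwise empty. */
    public static Optional<String> getValidCveId(final String candidate) {
        if (candidate == null) {
            return Optional.empty();
        }
        // Normalizing whitespace and case is a design choice of this example, so that
        // "cve-2024-0001 " still resolves while "see CVE-2024-0001 in advisory" does not.
        final Matcher m = CVE_ID.matcher(candidate.trim().toUpperCase());
        if (!m.matches()) {
            return Optional.empty();
        }
        return Optional.of("CVE-" + m.group(1) + "-" + m.group(2));
    }

    /** Stand-in for the two places a VulnDB record can carry a CVE ID (constructed for the example). */
    public record VulnDbRecord(String nvdAdditionalInfoCveId, String cvssMetricCveId) {}

    /**
     * Picks the CVE to use as the alias: nvdAdditionalInfo is preferred; the CVSS metric
     * cveId is the fallback when that field is null or does not validate.
     */
    public static Optional<String> resolveAlias(final VulnDbRecord record) {
        final Optional<String> fromNvd = getValidCveId(record.nvdAdditionalInfoCveId());
        if (fromNvd.isPresent()) {
            return fromNvd;
        }
        return getValidCveId(record.cvssMetricCveId());
    }

    public static void main(String[] args) {
        // Constructed sample records, not real VulnDB data.
        VulnDbRecord withNvd = new VulnDbRecord("CVE-2024-0001", "CVE-2024-0002");
        VulnDbRecord nvdMissing = new VulnDbRecord(null, "cve-2024-0003");
        VulnDbRecord garbage = new VulnDbRecord("see CVE-2024-0004 in vendor advisory", "N/A");

        System.out.println("nvdAdditionalInfo present : " + resolveAlias(withNvd));
        System.out.println("fallback to CVSS cveId     : " + resolveAlias(nvdMissing));
        System.out.println("nothing valid, no alias    : " + resolveAlias(garbage));
    }
}
```

The third record shows why the anchored pattern matters: free text that mentions a CVE must not silently become an alias, since a wrong alias would merge two unrelated vulnerabilities in the portfolio view.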