Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor NVD and OSV parsing logic to fix incorrect version range parsing #756

Merged
merged 14 commits into from
Aug 27, 2023
Merged

Refactor NVD and OSV parsing logic to fix incorrect version range parsing #756

merged 14 commits into from
Aug 27, 2023

Conversation

nscuro
Copy link
Member

@nscuro nscuro commented Aug 16, 2023
edited

Note
Corresponding API server changes were made in DependencyTrack/hyades-apiserver#277

Fixes #733
Fixes #731

@nscuro nscuro changed the title Issue 733 Refactor NVD parsing logic to fix incorrect version range parsing Aug 16, 2023
@nscuro nscuro force-pushed the issue-733 branch 4 times, most recently from f426199 to c470b85 Compare August 17, 2023 12:08
@nscuro nscuro mentioned this pull request Aug 21, 2023
Open
@nscuro nscuro mentioned this pull request Aug 21, 2023
Merged
2 tasks
@nscuro nscuro marked this pull request as ready for review August 21, 2023 14:48
@nscuro
Use UUIDv5 to generate BOM refs for CVEs
a2c9d93 
Partly addresses #750

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Use UUIDv5 to generate BOM refs for OSV vulnerabilities
3bf1713 
Partly addresses #750

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Use UUIDv5 to generate BOM refs for GHSA vulnerabilities
988b1ed 
Partly addresses #750

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Add FIXMEs for issues that need addressing
52aa157 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Fix test failure caused by #750 being fixed...
428c55e 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Revisit NVD parsing logic
a9eed6c 
Taking inspiration from how the Open Vulnerability Project is doing it (https://github.com/jeremylong/Open-Vulnerability-Project/blob/main/open-vulnerability-store/src/main/java/io/github/jeremylong/openvulnerability/VulnerabilityTransformer.java#L202-L316), and how vanilla Dependency-Track does it (https://github.com/DependencyTrack/dependency-track/blob/master/src/main/java/org/dependencytrack/parser/nvd/NvdParser.java#L238-L269).

Also fixed population of affected versions in the BOV.

Fixes #733

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Ensure source and scoring method are set properly for GitHub Advisories
7949aaf 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Fix duplicated affects nodes for GitHub Advisories
fab4bff 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Handle duplicate CPEs
63999f8 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Allow wildcard ranges from NVD; API server will ignore them
fa854af 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Fix invalid vers ranges produced from OSV; Handle more OSV edge cases
85e7196 
Partially addresses #760

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Fix OsvMirrorTest
881d2ef 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Add tests to ensure that internal scanner is treating wildcards as ex…
8687c12 
…pected

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro
Add more tests; Handle CVE ratings from sources other than the NVD
8eb12ac 
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro changed the title Refactor NVD parsing logic to fix incorrect version range parsing Refactor NVD and OSV parsing logic to fix incorrect version range parsing Aug 22, 2023
@sonarcloud
Copy link

sonarcloud bot commented Aug 22, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 7 Code Smells

84.4% 84.4% Coverage
0.0% 0.0% Duplication

@nscuro nscuro added the defect Something isn't working label Aug 27, 2023
@nscuro nscuro merged commit 90ca5ff into main Aug 27, 2023
12 checks passed
@nscuro nscuro deleted the issue-733 branch August 27, 2023 20:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VithikaS VithikaS VithikaS approved these changes

Assignees
No one assigned
Labels
defect Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@nscuro @VithikaS