In [None]:
setupServices()

In [None]:
import io.github.cdimascio.dotenv.Dotenv
import java.nio.file.Paths

val dotenv = Dotenv.load()
val dataDir = dotenv.get("DATA_DIR").let { Paths.get(it).toFile() }.also { it.mkdirs() }
dataDir

In [None]:
import core.githubAdvisory.GhsaDataProvider
import core.projectKb.KbDataProvider
import org.koin.core.component.KoinComponent
import org.koin.core.component.get

class K: KoinComponent {
    val kbDataProvider = get<KbDataProvider>()
    val ghsaDataProvider = get<GhsaDataProvider>()
}

val k = K()

In [None]:
val statements = k.kbDataProvider.getStatements()
statements.count()

1297

In [None]:
DISPLAY(statements.filter { it.artifacts != null }.count())
DISPLAY(statements.filter { it.fixes != null }.count())
DISPLAY(statements.filter { it.artifacts != null && it.fixes != null }.count())

617
1215
535

In [None]:
val ghsaJsonData = k.ghsaDataProvider.getJsonData()
ghsaJsonData.count()

3989

In [None]:
ghsaJsonData.filter { it.affected.count() > 0 }.count()

3989

In [None]:
data class ResultDataItem(
    val cveId: String?,
    val sapKbVulnId: String?,
    val sapKbUrl: String?,
    val ghsaUrl: String?,
    val ghsaId: String?,
    val commitUrl: String?,
    val latestVulnGav: String?,
    val earliestFixedGav: String?,
    val affectedSourcePath: String?,
    val latestVulnJarPath: String?,
    val earliestFixedJarPath: String?,
    val affectedClassFilePath: String?,
    val affectedClassFileName: String?,
)

In [None]:
val kbCveToStatement = statements.groupBy { it.vulnerabilityID }.map { it.key to it.value.first() }.toMap()

In [None]:
val kbGhsaData = ghsaJsonData.map {
        val matchedCve = it.aliases.filter { kbCveToStatement.keys.contains(it) }.firstOrNull()
        if (matchedCve == null)
            return@map null
        Pair(matchedCve, it)
    }.filterNotNull()
    .map {
        Pair(it.first, Pair(it.second, kbCveToStatement[it.first]!!))        
    }.toMap()
    
kbGhsaData.count()

666

In [None]:
// ranges array in GHSA always has only 1 element (or its null)
kbGhsaData.forEach {
    it.value.first.affected.forEach {
        if (it.ranges != null && it.ranges!!.count() != 1) {
            println("should not be possible")
        }
    }
}

In [None]:
kbGhsaData.filter { 
    it.value.first.affected.any { it.ranges == null && it.versions != null }
 }.map {
     println(it.key)
     it
 }
 .count()

CVE-2019-12402
CVE-2018-10237
CVE-2021-44228
CVE-2018-1131

4

CVE-2021-44228 (log4j) records in both GHSA and SAP-KB mentions artifacts from projects other than the original apache repository. But the commits are only from apache repository. 

In [None]:
// how many records will be left if we only consider single-commit-single-affected-package?
DISPLAY("total: " + kbGhsaData.count())

DISPLAY(
    "single affected: " + kbGhsaData.filter {
        it.value.first.affected.count() == 1
    }.count()
)

DISPLAY(
    "single branch: " + kbGhsaData.filter {
        it.value.second.fixes != null && it.value.second.fixes!!.count() == 1
    }.count()
)

DISPLAY("single commit: " + kbGhsaData.filter {
    it.value.second.fixes != null && it.value.second.fixes!!.count() == 1
}.filter {
    it.value.second.fixes!!.first().commits.count() == 1
}.count())

DISPLAY("single affected & single branch: " + kbGhsaData.filter {
    it.value.second.fixes != null && it.value.second.fixes!!.count() == 1
}.filter {
    it.value.first.affected.count() == 1
}.count()
)

DISPLAY("single affected & single commit: " + kbGhsaData.filter {
    it.value.second.fixes != null && it.value.second.fixes!!.count() == 1
}.filter {
    it.value.second.fixes!!.first().commits.count() == 1
}.filter {
    it.value.first.affected.count() == 1
}
.count())

total: 666
single affected: 365
single branch: 481
single commit: 385
single affected & single branch: 305
single affected & single commit: 270

We will continue with "single affected & single commit" records

First let's investigate what actually "last_affected" means. 

In [None]:
val singularKbGhsaData = kbGhsaData.filter {
    it.value.second.fixes != null && it.value.second.fixes!!.count() == 1
}.filter {
    it.value.second.fixes!!.first().commits.count() == 1
}.filter {
    it.value.first.affected.count() == 1
}
//.filter {
//    val e = it.value.first.affected.first().ranges!!.first().events
//    val intro = e.first { it.introduced != null }.introduced
//    val lastAffected = e.firstOrNull() { it.lastAffected != null }?.lastAffected
//    val fixed = e.firstOrNull() { it.fixed != null }?.fixed
//    intro == "0"
//}
.filter {
    it.value.first.affected.first().ranges!!.first().events.any { e -> e.lastAffected != null }
}

DISPLAY(singularKbGhsaData.count())
//DISPLAY(singularKbGhsaData.toList().random())

15

It does not have a clear and coherent meaning. It seems most likely to be the last version known to be vulnerable at the time of adding the record in GHSA. 

Notes:
- During the investigation I have seen a few records with wrong package name. For example: org.apache.struts:struts-master
- There are so many records with the "introduced" field value of "0". I have cross-checked them with snyk database and they seem to be wrong. There are actual introduced versions in snyk database that is not recorded in GHSA.

OK. Let's continue with the "single affected & single commit" records without the ones that have "last_affected"

In [None]:
val singularKbGhsaData = kbGhsaData.filter {
    it.value.second.fixes != null && it.value.second.fixes!!.count() == 1
}.filter {
    it.value.second.fixes!!.first().commits.count() == 1
}.filter {
    it.value.first.affected.count() == 1
}
.filter {
    it.value.first.affected.first().ranges!!.first().events.any { e -> e.fixed != null }
}

DISPLAY(singularKbGhsaData.count())
//DISPLAY(singularKbGhsaData.toList().random())

255

In [None]:
singularKbGhsaData.map {
    object {
        val cveId = it.key
        val vulnIntroduced = it.value.first.affected.first().ranges!!.first().events.first { e -> e.introduced != null }.introduced
        val vulnFixed = it.value.first.affected.first().ranges!!.first().events.first { e -> e.fixed != null }.fixed
        val ghsaId = it.value.first.id
        val sapKbId = it.value.second.vulnerabilityID
    }
}.toDataFrame()

In [None]:
import com.fasterxml.jackson.databind.DeserializationFeature
import com.fasterxml.jackson.dataformat.xml.XmlMapper
import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty
import io.ktor.client.*
import io.ktor.client.call.*
import io.ktor.client.engine.cio.*
import io.ktor.client.plugins.*
import io.ktor.client.request.*
import kotlinx.coroutines.*

class MavenMetadata {
    lateinit var groupId: String
    lateinit var artifactId: String
    lateinit var versioning: MavenVersioning
}

class MavenVersioning {
    lateinit var latest: String
    lateinit var release: String
    lateinit var versions: List<String>
    lateinit var lastUpdated: String
}

fun packageNameToUrl(packageName: String): String {
    val parts = packageName.split(":")
    return parts[0].replace('.', '/') + "/" + parts[1]
}

val xmlMapper = XmlMapper()
xmlMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)

val httpClient = HttpClient() {
    install(HttpTimeout) {
        requestTimeoutMillis = 120_000
    }
}

fun getVersions(packageName: String): List<String>? = runBlocking {
    val mavenRepoUrl = "https://repo1.maven.org/maven2"
    val jenkinsRepoUrl = "https://repo.jenkins-ci.org/releases"
    val result = httpClient
        .get("$mavenRepoUrl/${packageNameToUrl(packageName)}/maven-metadata.xml")
        .let {
            if (it.status.value == 200) {
                return@let it
            }
            println("http error ${it.status.value} for maven:$packageName")
            val result = httpClient.get("$jenkinsRepoUrl/${packageNameToUrl(packageName)}/maven-metadata.xml")
            result
        }.let {
            if (it.status.value == 200) {
                return@let it
            }
            println("http error ${it.status.value} for jenkins:$packageName")
            return@runBlocking null
        }

    val resultXml: String = result.body()
    try {
        val mvnMetaData = xmlMapper.readValue<MavenMetadata>(resultXml, MavenMetadata::class.java)
        val versionList = mvnMetaData.versioning.versions
        return@runBlocking versionList
    } catch (e: Exception) {
        println("parsing error for $packageName")
        throw e
    }
}

val dispatcher = Dispatchers.IO.limitedParallelism(8)

var packageToVersionList = runBlocking {
    singularKbGhsaData.map {
        async(dispatcher) {
            val packageName = it.value.first.affected.first().affectedPackage.name
            val versionList = getVersions(packageName)
            Pair(packageName, versionList)
        }
    }.awaitAll()
}.toMap()

DISPLAY(packageToVersionList.count())
DISPLAY(packageToVersionList.filter { it.value == null }.count())
DISPLAY(packageToVersionList.filter { it.value != null }.map { it.value!!.count() }.sum())
packageToVersionList = packageToVersionList.filter { it.value != null }

last output:
http error 404 for maven:com.github.blynkkk:blynk-server
http error 404 for jenkins:com.github.blynkkk:blynk-server
http error 404 for maven:org.jenkins-ci.plugins:script-security
http error 404 for maven:org.jenkins-ci.plugins:dynatrace-dashboard
http error 404 for maven:org.jenkins-ci.plugins:workflow-remote-loader
http error 404 for maven:org.jenkins-ci.plugins:dynatrace-dashboard
http error 404 for maven:org.jenkins-ci.main:jenkins-core
http error 404 for maven:org.jenkins-ci.plugins:git
http error 404 for maven:org.jenkins-ci.plugins:script-security
http error 404 for maven:io.jenkins.blueocean:blueocean
http error 404 for maven:org.apache.kafka:kafka
http error 404 for jenkins:org.apache.kafka:kafka
http error 404 for maven:io.jenkins.blueocean:blueocean
http error 404 for maven:org.jenkins-ci.plugins:mailer
http error 404 for maven:org.xwiki.platform:xwiki-platform-web
http error 404 for maven:com.walmartlabs.concord.docker:concord-common
http error 404 for jenkins:org.xwiki.platform:xwiki-platform-web

167
4
14477

only 4 errors!
in total we have 14474 versions for 167 packages

In [None]:
// it will return the same version if it is the final version
// it will return null if the version is not found in the version list
// it assumes that the packageName exists in packageToVersionList
fun getNextVersion(packageName: String, version: String): String? {
    val versionList = packageToVersionList[packageName]!!
    val versionIndex = versionList.indexOf(version)
    if (versionIndex == -1) return null
    if (versionIndex == versionList.count() - 1) return version
    return versionList[versionIndex + 1] 
}

fun getPrevVersion(packageName: String, version: String): String? {
    val versionList = 
        try {
            packageToVersionList[packageName]!!
        } catch (e: Exception) {
            println("$packageName not in the version list!")            
            throw e
        }
    val versionIndex = versionList.indexOf(version)
    if (versionIndex == -1) return null
    if (versionIndex == 0) return version
    return versionList[versionIndex - 1]
}

In [None]:
singularKbGhsaData
    .filter {
        val pkgName = it.value.first.affected.first().affectedPackage.name
        packageToVersionList.keys.contains(pkgName)
    }
    .map {
        val fixedVer = it.value.first.affected.first().ranges!!.first().events.first { it.fixed != null }.fixed!!
        val latestVulnVer = getPrevVersion(it.value.first.affected.first().affectedPackage.name, fixedVer)
        if (latestVulnVer != null && latestVulnVer == fixedVer) {
            println("latestVulnVer == fixedVer for ${it.value.first.affected.first().affectedPackage.name}")
        }
        latestVulnVer
    }.filter {
        it == null
    }.count()

47 packages version are not found in the version list from maven
204 records left

In [None]:
import org.apache.commons.csv.CSVFormat

data class InterimResult1(
    val cveId: String,
    val ghsaId: String,
    val packageName: String,
    val vulnIntroduced: String,
    val latestVulnVersion: String,
    val vulnFixed: String,
    val fixCommitRepo: String,
    val fixCommitHash: String,
)

val interimResult =
    singularKbGhsaData
        .filter {
            val pkgName = it.value.first.affected.first().affectedPackage.name
            packageToVersionList.keys.contains(pkgName)
        }
        .map {
            val fixedVer = it.value.first.affected.first().ranges!!.first().events.first { it.fixed != null }.fixed!!
            val latestVulnVer = getPrevVersion(it.value.first.affected.first().affectedPackage.name, fixedVer)
            if (latestVulnVer == null || latestVulnVer == fixedVer)
                return@map null

            val fixCommit = it.value.second.fixes!!.first().commits.first()

            InterimResult1(
                cveId = it.key,
                vulnIntroduced = it.value.first.affected.first().ranges!!.first().events.first { e -> e.introduced != null }.introduced!!,
                vulnFixed = it.value.first.affected.first().ranges!!.first().events.first { e -> e.fixed != null }.fixed!!,
                ghsaId = it.value.first.id,
                latestVulnVersion = latestVulnVer,
                fixCommitRepo = fixCommit.repository.let { it.replace(Regex("\\.git$"), "") },
                fixCommitHash = fixCommit.id,
                packageName = it.value.first.affected.first().affectedPackage.name,
            )
        }.filterNotNull()
        .toList()

DISPLAY(interimResult.count())
//interimResult.toDataFrame().writeCSV(dataDir.resolve("interim").also { it.mkdirs() }.resolve("interim_result.1.tsv"), format = CSVFormat.DEFAULT.withDelimiter('\t'))

204

In [None]:
val interimResultMap = interimResult
    .groupBy {
        it.cveId
    }.map {
        it.key to it.value.first()
    }.toMap()
interimResultMap.count()

204

In [None]:
import kotlin.io.path.exists

val sourceChanges = k.kbDataProvider.getSourceChanges()
    .filter { interimResultMap.containsKey(it.cveId) }
    .filterNot { it.beforeDir.exists() && it.afterDir.exists() }
    .toList()

DISPLAY(sourceChanges.count())
DISPLAY(sourceChanges.random())

73

There are 73 records that do not have source changes.
I download the patches from remote git repositories in the next notebook.  