diff --git a/src/main/java/com/redhat/exhort/integration/Constants.java b/src/main/java/com/redhat/exhort/integration/Constants.java index d3f3da35..458e6ae1 100644 --- a/src/main/java/com/redhat/exhort/integration/Constants.java +++ b/src/main/java/com/redhat/exhort/integration/Constants.java @@ -52,6 +52,7 @@ private Constants() {} public static final String SNYK_PROVIDER = "snyk"; public static final String OSS_INDEX_PROVIDER = "oss-index"; + public static final String TRUSTIFICATION_PROVIDER = "trustification"; public static final String UNKNOWN_PROVIDER = "unknown"; public static final String MAVEN_PKG_MANAGER = "maven"; @@ -73,6 +74,7 @@ private Constants() {} public static final String SNYK_DEP_GRAPH_API_PATH = "/test/dep-graph"; public static final String SNYK_TOKEN_API_PATH = "/user/me"; public static final String OSS_INDEX_AUTH_COMPONENT_API_PATH = "/authorized/component-report"; + public static final String TRUSTIFICATION_ANALYZE_API_PATH = "/analyze"; public static final String DEFAULT_ACCEPT_MEDIA_TYPE = MediaType.APPLICATION_JSON; public static final boolean DEFAULT_VERBOSE_MODE = false; @@ -83,6 +85,7 @@ private Constants() {} { add(SNYK_PROVIDER); add(OSS_INDEX_PROVIDER); + add(TRUSTIFICATION_PROVIDER); } }); diff --git a/src/main/java/com/redhat/exhort/integration/VulnerabilityProvider.java b/src/main/java/com/redhat/exhort/integration/VulnerabilityProvider.java deleted file mode 100644 index 41f0e751..00000000 --- a/src/main/java/com/redhat/exhort/integration/VulnerabilityProvider.java +++ /dev/null 
@@ -1,141 +0,0 @@ -/* - * Copyright 2023 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.redhat.exhort.integration; - -import java.net.URISyntaxException; -import java.util.ArrayList; -import java.util.Collections; -import java.util.List; -import java.util.Map; -import java.util.function.Predicate; -import java.util.stream.Collectors; - -import org.apache.camel.Exchange; -import org.apache.camel.ExchangeProperty; -import org.apache.camel.Headers; -import org.apache.camel.util.URISupport; -import org.eclipse.microprofile.config.inject.ConfigProperty; - -import io.quarkus.runtime.annotations.RegisterForReflection; - -import jakarta.annotation.PostConstruct; -import jakarta.enterprise.context.ApplicationScoped; -import jakarta.ws.rs.ClientErrorException; - -@ApplicationScoped -@RegisterForReflection -public class VulnerabilityProvider { - - @ConfigProperty(name = "api.snyk.disabled", defaultValue = "false") - boolean snykDisabled; - - @ConfigProperty(name = "api.ossindex.disabled", defaultValue = "false") - boolean ossIndexDisabled; - - private List providers; - - @PostConstruct - public void initProviders() { - providers = - Collections.unmodifiableList( - Constants.PROVIDERS.stream() - .filter(p -> !(Constants.SNYK_PROVIDER.equals(p) && snykDisabled)) - .filter(p -> !(Constants.OSS_INDEX_PROVIDER.equals(p) && ossIndexDisabled)) - 
.toList()); - } - - public String get(@ExchangeProperty(Exchange.MULTICAST_INDEX) int index) { - return providers.get(index); - } - - public List getProviderEndpoints( - @ExchangeProperty(Constants.PROVIDERS_PARAM) List providers) { - return providers.stream() - .map( - p -> - switch (p) { - case Constants.SNYK_PROVIDER -> "direct:snykDepGraph"; - case Constants.OSS_INDEX_PROVIDER -> "direct:ossIndexScan"; - default -> throw new IllegalArgumentException("Unexpected provider: " + p); - }) - .collect(Collectors.toList()); - } - - public List getEnabled() { - return providers; - } - - public List getProvidersFromQueryParam(@Headers Map headers) - throws URISyntaxException { - String query = headers.get(Exchange.HTTP_QUERY); - Map props = URISupport.parseQuery(query); - List providers = getProviders(props); - if (providers == null || providers.isEmpty()) { - return getEnabled().stream().filter(p -> filterByAuthHeaders(p, headers)).toList(); - } - List missing = - providers.stream() - .filter(Predicate.not(p -> getEnabled().contains(p))) - .collect(Collectors.toList()); - if (missing.isEmpty()) { - return providers; - } - throw new ClientErrorException("Unsupported providers: " + missing, 422); - } - - @SuppressWarnings("unchecked") - private List getProviders(Map props) { - Object o = props.get(Constants.PROVIDERS_PARAM); - if (o == null) { - return null; - } - if (o instanceof String) { - return List.of((String) o); - } - if (o instanceof List) { - return (List) o; - } - throw new ClientErrorException("Unsupported providers: " + o, 422); - } - - @SuppressWarnings("unchecked") - public void addProviderPrivateData(Exchange exchange, String provider) { - List current = - (List) exchange.getProperty(Constants.PROVIDER_PRIVATE_DATA_PROPERTY); - if (current == null) { - current = List.of(provider); - } else { - current = new ArrayList<>(current); - current.add(provider); - } - exchange.setProperty( - Constants.PROVIDER_PRIVATE_DATA_PROPERTY, 
Collections.unmodifiableList(current)); - } - - private boolean filterByAuthHeaders(String provider, Map headers) { - if (headers == null || headers.isEmpty()) { - return true; - } - return switch (provider) { - case Constants.OSS_INDEX_PROVIDER -> headers.containsKey(Constants.OSS_INDEX_USER_HEADER) - && headers.containsKey(Constants.OSS_INDEX_TOKEN_HEADER); - default -> true; - }; - } -} diff --git a/src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java b/src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java index 07bb1878..abf7e257 100644 --- a/src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java +++ b/src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java @@ -35,9 +35,9 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.redhat.exhort.analytics.AnalyticsService; import com.redhat.exhort.integration.Constants; -import com.redhat.exhort.integration.VulnerabilityProvider; import com.redhat.exhort.integration.backend.sbom.SbomParserFactory; import com.redhat.exhort.integration.providers.ProviderAggregationStrategy; +import com.redhat.exhort.integration.providers.VulnerabilityProvider; import com.redhat.exhort.monitoring.MonitoringProcessor; import io.micrometer.core.instrument.MeterRegistry; diff --git a/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java b/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java index 1f3423d9..184dc057 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java +++ b/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java @@ -50,6 +50,9 @@ public class VulnerabilityProvider { @ConfigProperty(name = "api.ossindex.disabled", defaultValue = "false") boolean ossIndexDisabled; + @ConfigProperty(name = "api.trustification.disabled", defaultValue = "false") + boolean trustificationDisabled; + private List providers; @PostConstruct 
@@ -59,6 +62,8 @@ public void initProviders() { Constants.PROVIDERS.stream() .filter(p -> !(Constants.SNYK_PROVIDER.equals(p) && snykDisabled)) .filter(p -> !(Constants.OSS_INDEX_PROVIDER.equals(p) && ossIndexDisabled)) + .filter( + p -> !(Constants.TRUSTIFICATION_PROVIDER.equals(p) && trustificationDisabled)) .toList()); } @@ -74,6 +79,7 @@ public List getProviderEndpoints( switch (p) { case Constants.SNYK_PROVIDER -> "direct:snykDepGraph"; case Constants.OSS_INDEX_PROVIDER -> "direct:ossIndexScan"; + case Constants.TRUSTIFICATION_PROVIDER -> "direct:trustificationAnalysis"; default -> throw new IllegalArgumentException("Unexpected provider: " + p); }) .collect(Collectors.toList()); diff --git a/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java b/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java index 933e619a..6bfe1e28 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java +++ b/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java @@ -29,7 +29,7 @@ import org.eclipse.microprofile.config.inject.ConfigProperty; import com.redhat.exhort.integration.Constants; -import com.redhat.exhort.integration.VulnerabilityProvider; +import com.redhat.exhort.integration.providers.VulnerabilityProvider; import com.redhat.exhort.model.DependencyTree; import com.redhat.exhort.monitoring.MonitoringProcessor; diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/MockTrustificationService.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/MockTrustificationService.java new file mode 100644 index 00000000..80d9f5ae --- /dev/null +++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/MockTrustificationService.java 
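Review bot: The `@@ -59` hunk adds a third copy of the `!(Constants.X_PROVIDER.equals(p) && xDisabled)` filter, matching the third `@ConfigProperty` flag added in the `@@ -50` hunk on the previous line, so every new provider now touches three places in this class; a `Map<String, Boolean>` from provider name to its disabled flag, built once in initProviders and consulted in a single `.filter(p -> !disabled.getOrDefault(p, false))`, would stop the chain growing. In the `@@ -74` hunk the literal `"direct:trustificationAnalysis"` duplicates the route id declared in TrustificationIntegration; a constant beside `TRUSTIFICATION_PROVIDER` in Constants, used from both sides, would keep them from drifting apart. initProviders begins before this hunk.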
@@ -0,0 +1,49 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.integration.providers.trustification; + +import java.io.IOException; + +import org.apache.camel.Exchange; +import org.apache.camel.builder.endpoint.EndpointRouteBuilder; + +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; + +import jakarta.enterprise.context.ApplicationScoped; +import jakarta.inject.Inject; + +@ApplicationScoped +public class MockTrustificationService extends EndpointRouteBuilder { + + @Inject ObjectMapper mapper; + + @Override + public void configure() throws Exception { + rest("/v1").post("/analyze").routeId("mockTrustification").to("direct:mockresponse"); + + from(direct("mockresponse")).process(this::setBodyFromFile); + } + + private void setBodyFromFile(Exchange exchange) throws IOException { + JsonNode json = + mapper.readTree(this.getClass().getClassLoader().getResourceAsStream("tc-response.json")); + exchange.getIn().setBody(json); + } +} diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java new file mode 100644 index 00000000..29dd3f6f --- /dev/null 
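Review bot: MockTrustificationService is an `@ApplicationScoped` bean under `src/main/java`, so the `/v1/analyze` REST route that serves the canned `tc-response.json` is registered in every build of the service, production included, and the default `api.trustification.host=http://localhost:8080/api/v1` in application.properties points the real route at this mock. Gate the bean on a profile, e.g. `@IfBuildProfile("dev")` from `io.quarkus.arc.profile`, or move it under the test sources, so a production deployment cannot silently report canned vulnerability data. In setBodyFromFile, `getResourceAsStream("tc-response.json")` returns null when the resource is missing and surfaces as a NullPointerException inside the route; `Objects.requireNonNull(..., "tc-response.json not on classpath")` would give a readable failure.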
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java 
@@ -0,0 +1,78 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.integration.providers.trustification; + +import static com.redhat.exhort.integration.Constants.TRUSTIFICATION_ANALYZE_API_PATH; + +import org.apache.camel.Exchange; +import org.apache.camel.Message; +import org.apache.camel.builder.endpoint.EndpointRouteBuilder; +import org.eclipse.microprofile.config.inject.ConfigProperty; + +import jakarta.enterprise.context.ApplicationScoped; +import jakarta.inject.Inject; +import jakarta.ws.rs.HttpMethod; +import jakarta.ws.rs.core.MediaType; + +@ApplicationScoped +public class TrustificationIntegration extends EndpointRouteBuilder { + + @ConfigProperty(name = "api.trustification.timeout", defaultValue = "60s") + String timeout; + + @Inject TrustificationResponseHandler responseHandler; + + @Override + public void configure() { + + // fmt:off + from(direct("trustificationAnalysis")) + .routeId("trustificationAnalysis") + .circuitBreaker() + .faultToleranceConfiguration() + .timeoutEnabled(true) + .timeoutDuration(timeout) + .end() + .to(direct("trustificationRequest")) + .onFallback() + .process(responseHandler::processResponseError); + + from(direct("trustificationRequest")) + .routeId("trustificationRequest") + .transform().method(TrustificationRequestBuilder.class, "build") + 
.process(this::processRequest) + .to(vertxHttp("{{api.trustification.host}}")) + .transform().method(TrustificationResponseHandler.class, "responseToIssues") + .transform().method(TrustificationResponseHandler.class, "buildReport"); + // fmt:on + } + + private void processRequest(Exchange exchange) { + Message message = exchange.getMessage(); + + message.removeHeader(Exchange.HTTP_PATH); + message.removeHeader(Exchange.HTTP_QUERY); + message.removeHeader(Exchange.HTTP_URI); + message.removeHeader("Accept-Encoding"); + + message.setHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON); + message.setHeader(Exchange.HTTP_PATH, TRUSTIFICATION_ANALYZE_API_PATH); + message.setHeader(Exchange.HTTP_METHOD, HttpMethod.POST); + } +} diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java new file mode 100644 index 00000000..155363c0 --- /dev/null +++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java 
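Review bot: processRequest removes only `HTTP_PATH`, `HTTP_QUERY`, `HTTP_URI` and `Accept-Encoding`, and every other header still on the message is handed to `vertxHttp("{{api.trustification.host}}")`, which forwards message headers to the remote host subject to the component's header filter. If the inbound request headers are still present at this point — including the per-provider credential headers the OSS Index route looks up via `Constants.OSS_INDEX_USER_HEADER` and `Constants.OSS_INDEX_TOKEN_HEADER` — they leave the service towards a third party that has no use for them. An allow-list is safer than a deny-list here: `message.removeHeaders("*");` before the three `setHeader` calls, or a custom header filter strategy on the endpoint, so only `Content-Type`, `HTTP_PATH` and `HTTP_METHOD` reach the provider. The circuit breaker's `timeoutDuration(timeout)` is also fed the raw `"60s"` string; consider documenting the accepted format on the `api.trustification.timeout` property.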
@@ -0,0 +1,43 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.integration.providers.trustification; + +import org.apache.camel.Body; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.node.ArrayNode; +import com.fasterxml.jackson.databind.node.ObjectNode; +import com.redhat.exhort.config.ObjectMapperProducer; +import com.redhat.exhort.model.DependencyTree; + +import io.quarkus.runtime.annotations.RegisterForReflection; + +@RegisterForReflection +public class TrustificationRequestBuilder { + + private final ObjectMapper mapper = ObjectMapperProducer.newInstance(); + + public String build(@Body DependencyTree tree) throws JsonProcessingException { + ArrayNode purls = mapper.createArrayNode(); + tree.getAll().stream().map(p -> p.purl().getCoordinates()).forEach(purl -> purls.add(purl)); + ObjectNode obj = mapper.createObjectNode().set("purls", purls); + return mapper.writeValueAsString(obj); + } +} diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java new file mode 100644 index 00000000..ae480997 --- /dev/null 
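Review bot: In build, `forEach(purl -> purls.add(purl))` is a method reference away from `forEach(purls::add)`, and a stream that exists only to feed a side-effecting `forEach` reads more plainly as a `for` loop over `tree.getAll()`. The class also builds its own ObjectMapper via `ObjectMapperProducer.newInstance()` while TrustificationResponseHandler and MockTrustificationService `@Inject` one; if Camel can construct this bean from the CDI container, injecting the mapper here too keeps serialization settings in one place. A one-line Javadoc such as `/** Serializes the dependency tree into the {"purls": [...]} body expected by the analyze endpoint. */` would document the wire format the method produces.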
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java 
@@ -0,0 +1,157 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.integration.providers.trustification; + +import static com.redhat.exhort.integration.Constants.TRUSTIFICATION_PROVIDER; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; + +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.redhat.exhort.api.v4.Issue; +import com.redhat.exhort.api.v4.SeverityUtils; +import com.redhat.exhort.integration.providers.ProviderResponseHandler; +import com.redhat.exhort.model.CvssParser; +import com.redhat.exhort.model.DependencyTree; + +import io.quarkus.runtime.annotations.RegisterForReflection; + +import jakarta.enterprise.context.ApplicationScoped; +import jakarta.inject.Inject; + +@ApplicationScoped +@RegisterForReflection +public class TrustificationResponseHandler extends ProviderResponseHandler { + + @Inject ObjectMapper mapper; + + @Override + protected String getProviderName() { + return TRUSTIFICATION_PROVIDER; + } + + @Override + public Map> responseToIssues( + byte[] rawResponse, String privateProviders, DependencyTree tree) throws IOException { + JsonNode response = mapper.readTree(rawResponse); + Map> issuesData = new 
HashMap<>(); + Map cvesJson = new HashMap<>(); + response + .get("cves") + .elements() + .forEachRemaining( + cveJson -> { + String cve = cveJson.get("cveMetadata").get("cveId").asText().toUpperCase(); + cvesJson.put(cve, cveJson); + }); + response + .get("analysis") + .fields() + .forEachRemaining( + analysisEntry -> { + String ref = analysisEntry.getKey(); + if (!issuesData.containsKey(ref)) { + issuesData.put(ref, new ArrayList<>()); + } + List issues = issuesData.get(ref); + analysisEntry + .getValue() + .forEach( + analysis -> { + String vendor = analysis.get("vendor").asText(); + analysis + .get("vulnerable") + .forEach( + vulnerable -> { + var issue = newIssueFromVulnerability(vulnerable, vendor); + if (issue.getCves() != null && !issue.getCves().isEmpty()) { + completeIssueData(issue, cvesJson); + issues.add(issue); + } + }); + }); + }); + + return issuesData; + } + + private Issue newIssueFromVulnerability(JsonNode vulnerable, String vendor) { + var vulnId = vulnerable.get("id").asText().toUpperCase(); + var issue = new Issue().id(vulnId).source(vendor); + vulnerable + .get("severity") + .forEach( + severity -> { + if (severity.get("source").asText().toLowerCase().equals(vendor)) { + Double dscore = severity.get("score").asDouble(0); + issue.cvssScore(dscore.floatValue()); + } + }); + + if (isCVE(vulnId)) { + issue.addCvesItem(vulnId); + } + vulnerable + .get("aliases") + .forEach( + a -> { + String alias = a.asText(); + if (isCVE(alias)) { + issue.addCvesItem(alias.toUpperCase()); + } + ; + }); + return issue; + } + + private void completeIssueData(Issue issue, Map cvesJson) { + Optional firstCve = + issue.getCves().stream().filter(cve -> cvesJson.keySet().contains(cve)).findFirst(); + if (firstCve.isEmpty()) { + issue.unique(Boolean.TRUE); + return; + } + issue.severity(SeverityUtils.fromScore(issue.getCvssScore())); + var cveJson = cvesJson.get(firstCve.get()); + var cnaContainer = cveJson.get("containers").get("cna"); + var title = 
cnaContainer.get("title"); + if (title != null) { + issue.title(title.asText()); + } + var metrics = cnaContainer.get("metrics"); + if (metrics != null) { + metrics.forEach( + metric -> { + if (metric.has("cvssV3_1")) { + issue.cvss( + CvssParser.fromVectorString(metric.get("cvssV3_1").get("vectorString").asText())); + } + }); + } + } + + private boolean isCVE(String vulnerabilityId) { + return vulnerabilityId != null && vulnerabilityId.toUpperCase().startsWith("CVE-"); + } +} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Affected.java b/src/main/java/com/redhat/exhort/model/trustification/Affected.java new file mode 100644 index 00000000..5cc9f7d6 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Affected.java @@ -0,0 +1,28 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import java.util.List; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; +import com.fasterxml.jackson.annotation.JsonProperty; + +@JsonInclude(Include.NON_EMPTY) +public record Affected(@JsonProperty("package") String pkgName, List ranges) {} 
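Review bot: responseToIssues dereferences `response.get("cves")`, `response.get("analysis")` and `cveJson.get("cveMetadata").get("cveId")` without null checks, and newIssueFromVulnerability and completeIssueData do the same with `analysis.get("vendor")`, `vulnerable.get("severity")`, `vulnerable.get("aliases")` and `metric.get("cvssV3_1").get("vectorString")`, so a provider response missing any of those fields fails with a NullPointerException inside the route instead of as a handled provider error; Jackson's `path()` returns a MissingNode that is safely iterable and testable, which removes the null chains. The first part of responseToIssues rewritten that way is sketched below, and the same treatment applies to the two private helpers. While there, `cvesJson.keySet().contains(cve)` should be `cvesJson.containsKey(cve)`, the `toUpperCase()`/`toLowerCase()` calls on vulnerability ids and sources should pass `Locale.ROOT` so results do not depend on the JVM default locale, and there is a stray `;` after the `if` block in the aliases lambda.
```java
JsonNode response = mapper.readTree(rawResponse);
Map<String, List<Issue>> issuesData = new HashMap<>();
Map<String, JsonNode> cvesJson = new HashMap<>();
// path() yields an empty, iterable MissingNode instead of null when a field is absent
for (JsonNode cveJson : response.path("cves")) {
  JsonNode cveId = cveJson.path("cveMetadata").path("cveId");
  if (cveId.isTextual()) {
    cvesJson.put(cveId.asText().toUpperCase(Locale.ROOT), cveJson);
  }
}
response
    .path("analysis")
    .fields()
    .forEachRemaining(
        analysisEntry -> {
          List<Issue> issues =
              issuesData.computeIfAbsent(analysisEntry.getKey(), k -> new ArrayList<>());
          // … unchanged: per-vendor / per-vulnerable loop, reading "vendor" and "vulnerable" via path() …
        });
return issuesData;
```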
diff --git a/src/main/java/com/redhat/exhort/model/trustification/AnalyzeResponse.java b/src/main/java/com/redhat/exhort/model/trustification/AnalyzeResponse.java new file mode 100644 index 00000000..fc8f1321 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/AnalyzeResponse.java @@ -0,0 +1,30 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import java.util.Collection; +import java.util.List; +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record AnalyzeResponse( + Map> affected, List vulnerabilities) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Range.java b/src/main/java/com/redhat/exhort/model/trustification/Range.java new file mode 100644 index 00000000..9fe15242 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Range.java 
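Review bot: As far as this diff shows, AnalyzeResponse and the other records in model/trustification are not referenced anywhere — TrustificationResponseHandler walks the payload as JsonNode and reads `analysis`/`cves`, which do not correspond to this record's `affected`/`vulnerabilities` fields — so the two describe the API differently and one of them is dead code. Either bind the response with `mapper.readValue(rawResponse, AnalyzeResponse.class)` and let the records carry the shape handling, or leave them out of this change until they are used. If they stay, a class-level Javadoc naming the endpoint and payload version they model, e.g. `/** Response body of the trustification analyze endpoint. */`, would tell the next reader why they exist.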
@@ -0,0 +1,25 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record Range(VersionRange lower, VersionRange upper) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Reference.java b/src/main/java/com/redhat/exhort/model/trustification/Reference.java new file mode 100644 index 00000000..79ae8fa4 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Reference.java 
@@ -0,0 +1,25 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record Reference(String type, String url) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/ScoreType.java b/src/main/java/com/redhat/exhort/model/trustification/ScoreType.java new file mode 100644 index 00000000..746f2e29 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/ScoreType.java 
@@ -0,0 +1,32 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +public enum ScoreType { + CVSS2("cvss2"), + CVSS3("cvss3"), + CVSS4("cvss4"), + UNKNOWN("unknown"); + + final String name; + + ScoreType(String name) { + this.name = name; + } +} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Severity.java b/src/main/java/com/redhat/exhort/model/trustification/Severity.java new file mode 100644 index 00000000..8a3e76a7 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Severity.java 
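Review bot: ScoreType stores a lowercase `name` (`"cvss2"`, `"cvss3"`, …) that nothing reads and that is not wired to Jackson, so if Severity is ever deserialized from a provider payload the `scoreType` value is matched against the constant names `CVSS2`/`CVSS3`/… rather than these strings. Either expose the field through a `@JsonValue` accessor (with a `@JsonCreator` factory for the reverse direction) or drop it. Naming the field `name` also invites confusion with `Enum.name()`; `jsonValue` or `wireName` would make the distinction obvious.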
@@ -0,0 +1,25 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record Severity(String additional, Float score, String source, ScoreType scoreType) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/VersionRange.java b/src/main/java/com/redhat/exhort/model/trustification/VersionRange.java new file mode 100644 index 00000000..866701ed --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/VersionRange.java 
@@ -0,0 +1,25 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record VersionRange(String inclusive, String exclusive) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Vulnerability.java b/src/main/java/com/redhat/exhort/model/trustification/Vulnerability.java new file mode 100644 index 00000000..9a66c727 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Vulnerability.java 
@@ -0,0 +1,39 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import java.util.Date; +import java.util.List; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record Vulnerability( + String origin, + String id, + Date modified, + Date published, + Date withdrawn, + List aliases, + List affected, + String details, + List references, + List severities, + String summary) {} diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 7f7655fa..61be0eef 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -10,6 +10,8 @@ api.snyk.host=https://app.snyk.io/api/v1 # api.snyk.timeout=10s # api.snyk.disabled=true api.ossindex.host=https://ossindex.sonatype.org/api/v3 +#api.trustification.host=https://exhort.staging.trustification.dev/api/v1 +api.trustification.host=http://localhost:8080/api/v1 report.snyk.issue.regex=https://security.snyk.io/vuln/__ISSUE_ID__?utm_medium=Partner&utm_source=RedHat&utm_campaign=Code-Ready-Analytics-2020&utm_content=vuln/__ISSUE_ID__ report.ossindex.issue.regex=http://ossindex.sonatype.org/vulnerability/__ISSUE_ID__ 
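Review bot: Vulnerability types `modified`, `published` and `withdrawn` as `java.util.Date`, which is mutable and otherwise avoided in new code; `java.time.Instant` (or `OffsetDateTime` if the payload carries an offset) gives immutable components that fit a record, and Quarkus' Jackson extension should already register the java.time module — confirm against the project's ObjectMapper configuration before switching. If the three fields remain `Date`, a compact constructor that copies them is the minimum needed to keep the record immutable.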
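Review bot: `api.trustification.host` now defaults to `http://localhost:8080/api/v1`, which is this application's own port and therefore the mock route registered by MockTrustificationService, while the real `https://` staging endpoint is left commented out; a deployment that forgets to override the property will start cleanly, talk plaintext HTTP to itself and report canned vulnerability data. Prefer the real endpoint as the default, or no default so startup fails loudly, and keep the localhost value under a profile prefix such as `%dev.api.trustification.host=http://localhost:8080/api/v1`. Adding the matching `# api.trustification.timeout=60s` / `# api.trustification.disabled=true` lines next to it, as the Snyk block above does, would document the new knobs introduced in this commit.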
@@ -38,4 +40,4 @@ quarkus.index-dependency.spdx-java.artifact-id=java-spdx-library
 quarkus.index-dependency.exhort-api.group-id=com.redhat.ecosystemappeng
 quarkus.index-dependency.exhort-api.artifact-id=exhort-api-spec
 quarkus.camel.native.reflection.include-patterns=org.cyclonedx.model.*,com.redhat.exhort.api.*,com.redhat.exhort.api.v3.*,com.redhat.exhort.api.v4.*,org.spdx.jacksonstore.*,org.spdx.storage.listedlicense.*
-# quarkus.jackson.serialization-inclusion=non-empty
\ No newline at end of file
+# quarkus.jackson.serialization-inclusion=non-empty
diff --git a/src/main/resources/tc-response.json b/src/main/resources/tc-response.json
new file mode 100644
index 00000000..f3d3a93b
--- /dev/null
+++ b/src/main/resources/tc-response.json
@@ -0,0 +1,888 @@ +{ + "analysis": { + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1": [ + { + "vendor": "osv", + "vulnerable": [ + { + "id": "ghsa-57j2-w4cx-62h2", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2020-36518" + ] + }, + { + "id": "ghsa-jjjh-jjxp-wpff", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2022-42003" + ] + }, + { + "id": "ghsa-rgv9-q543-rqg4", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2022-42004" + ] + }, + { + "id": "ghsa-57j2-w4cx-62h2", + "severity": [], + "aliases": [] + }, + { + "id": "ghsa-jjjh-jjxp-wpff", + "severity": [], + "aliases": [] + }, + { + "id": "ghsa-rgv9-q543-rqg4", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] + }, + { + "vendor": "snyk", + "vulnerable": [ + { + "id": "snyk-java-comfasterxmljacksoncore-3038424", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 5.900000095367432 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Snyk", + "type": "CVSSv31", + "score": 5.900000095367432 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2022-42004", + "cwe-400" + ] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-3038426", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 5.900000095367432 + }, + { + "source": "NVD", + "type": 
"CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Snyk", + "type": "CVSSv31", + "score": 5.900000095367432 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2022-42003", + "cwe-400" + ] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-2421244", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Snyk", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2020-36518", + "cwe-400" + ] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-3038424", + "severity": [], + "aliases": [] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-3038426", + "severity": [], + "aliases": [] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-2421244", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] + } + ], + "pkg:maven/io.quarkus/quarkus-core@2.13.5.Final": [ + { + "vendor": "osv", + "vulnerable": [ + { + "id": "ghsa-3fhx-3vvg-2j84", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 6.5 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 6.5 + } + ], + "aliases": [ + "cve-2023-2974" + ] + }, + { + "id": "ghsa-3fhx-3vvg-2j84", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] + } + ], + "pkg:maven/org.postgresql/postgresql@42.5.0": [ + { + "vendor": "osv", + 
"vulnerable": [ + { + "id": "ghsa-562r-vg33-8x8h", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 4.7 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 4.7 + } + ], + "aliases": [ + "cve-2022-41946" + ] + }, + { + "id": "ghsa-562r-vg33-8x8h", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] + }, + { + "vendor": "snyk", + "vulnerable": [ + { + "id": "snyk-java-orgpostgresql-3146847", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 4.699999809265137 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "Snyk", + "type": "CVSSv31", + "score": 4.699999809265137 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 5.5 + } + ], + "aliases": [ + "cve-2022-41946", + "cwe-200", + "ghsa-562r-vg33-8x8h" + ] + }, + { + "id": "snyk-java-orgpostgresql-3146847", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] + } + ] + }, + "cves": [ + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2020-36518", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00", + "dateReserved": "2022-03-11T00:00:00", + "datePublished": "2022-03-11T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects." 
+ } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2816" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "[debian-lts-announce] 20220502 [SECURITY] [DLA 2990-1] jackson-databind security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220506-0004/" + }, + { + "name": "DSA-5283", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5283" + }, + { + "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + } + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-42004", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00", + "dateReserved": "2022-10-02T00:00:00", + "datePublished": "2022-10-02T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
An application is vulnerable only with certain customized choices for deserialization." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3582" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88" + }, + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490" + }, + { + "name": "GLSA-202210-21", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202210-21" + }, + { + "name": "DSA-5283", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5283" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221118-0008/" + }, + { + "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + } + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-41946", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "dateUpdated": "2023-01-13T00:00:00", + "dateReserved": "2022-09-30T00:00:00", + "datePublished": "2022-11-23T00:00:00" + }, + "containers": { + "cna": { + "title": "TemporaryFolder on unix-like systems does not limit access to created files in pgjdbc", + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-13T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "pgjdbc is an open source postgresql JDBC Driver. 
In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability." 
+ } + ], + "affected": [ + { + "vendor": "pgjdbc", + "product": "pgjdbc", + "versions": [ + { + "version": ">= 42.2.0, < 42.2.27", + "status": "affected" + }, + { + "version": "> 42.3.0, < 42.3.8", + "status": "affected" + }, + { + "version": ">= 42.4.0, < 42.4.3", + "status": "affected" + }, + { + "version": ">= 42.5.0, < 42.5.1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h" + }, + { + "url": "https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5" + }, + { + "name": "[debian-lts-announce] 20221202 [SECURITY] [DLA 3218-1] libpgjava security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html" + }, + { + "name": "FEDORA-2023-42d6ba9bd6", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "LOCAL", + "attackComplexity": "HIGH", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 4.7, + "baseSeverity": "MEDIUM" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + }, + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-377: Insecure Temporary File", + "cweId": "CWE-377" + } + ] + } + ], + "source": { + "advisory": "GHSA-562r-vg33-8x8h", + "discovery": "UNKNOWN" + } + } + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "cveId": "CVE-2023-2974", + 
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "state": "PUBLISHED", + "assignerShortName": "redhat", + "dateReserved": "2023-05-30T10:06:53.993Z", + "datePublished": "2023-07-04T13:24:29.648Z", + "dateUpdated": "2023-07-04T13:24:29.648Z" + }, + "containers": { + "cna": { + "title": "Tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol", + "metrics": [ + { + "other": { + "content": { + "value": "Moderate", + "namespace": "https://access.redhat.com/security/updates/classification/" + }, + "type": "Red Hat severity rating" + } + }, + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + }, + "format": "CVSS" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol." 
+ } + ], + "affected": [ + { + "product": "Quarkus", + "vendor": "n/a", + "versions": [ + { + "version": "2.13.8", + "status": "unaffected" + } + ] + }, + { + "vendor": "Red Hat", + "product": "Red Hat build of Quarkus", + "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", + "defaultStatus": "unaffected", + "packageName": "quarkus-core", + "cpe": [ + "cpe:/a:redhat:quarkus:2.13" + ] + } + ], + "references": [ + { + "url": "https://access.redhat.com/errata/RHSA-2023:3809", + "name": "RHSA-2023:3809", + "tags": [ + "vendor-advisory", + "x_refsource_REDHAT" + ] + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-2974", + "tags": [ + "vdb-entry", + "x_refsource_REDHAT" + ] + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026", + "name": "RHBZ#2211026", + "tags": [ + "issue-tracking", + "x_refsource_REDHAT" + ] + } + ], + "datePublic": "2023-06-29T00:00:00Z", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-757", + "description": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "x_redhatCweChain": "CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + "timeline": [ + { + "lang": "en", + "time": "2023-05-30T00:00:00Z", + "value": "Reported to Red Hat." + }, + { + "lang": "en", + "time": "2023-06-29T00:00:00Z", + "value": "Made public." + } + ], + "credits": [ + { + "lang": "en", + "value": "This issue was discovered by Alexander Schwartz (Red Hat)." 
+ } + ], + "providerMetadata": { + "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "shortName": "redhat", + "dateUpdated": "2023-07-04T13:24:29.648Z" + } + } + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-42003", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00", + "dateReserved": "2022-10-02T00:00:00", + "datePublished": "2022-10-02T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1" + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3590" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33" + }, + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020" + }, + { + "name": "GLSA-202210-21", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202210-21" + }, + { + "name": "DSA-5283", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5283" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221124-0004/" + }, + { + "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", + "tags": [ + "mailing-list" + ], + "url": 
"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + } + } + } + ], + "errors": [] +} \ No newline at end of file diff --git a/src/test/java/com/redhat/exhort/extensions/WiremockV3Extension.java b/src/test/java/com/redhat/exhort/extensions/WiremockV3Extension.java index 00e9ff29..49050774 100644 --- a/src/test/java/com/redhat/exhort/extensions/WiremockV3Extension.java +++ b/src/test/java/com/redhat/exhort/extensions/WiremockV3Extension.java @@ -35,11 +35,11 @@ public class WiremockV3Extension implements QuarkusTestResourceLifecycleManager @Override public Map start() { server.start(); - return Map.of( "api.snyk.host", server.baseUrl(), "api.snyk.token", SNYK_TOKEN, - "api.ossindex.host", server.baseUrl()); + "api.ossindex.host", server.baseUrl(), + "api.trustification.host", server.baseUrl()); } @Override diff --git a/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java b/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java index 605ec88f..d711b465 100644 --- a/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java +++ b/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java @@ -193,6 +193,7 @@ protected void verifySnykTokenRequest(String token) { } protected void stubAllProviders() { + stubTrustificationRequests(); stubSnykRequests(); stubOssToken(); } @@ -209,6 +210,7 @@ protected void verifyProviders( credentials.get(Constants.OSS_INDEX_USER_HEADER), credentials.get(Constants.OSS_INDEX_TOKEN_HEADER), isEmpty); + case Constants.TRUSTIFICATION_PROVIDER -> verifyTrustificationRequest(); } }); } 
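Review bot: `tc-response.json` is an 888-line sample analysis response placed under `src/main/resources`, which packages it into the production artifact; nothing else in this diff references it, and the stubs added to `AbstractAnalysisTest` read their fixtures from `__files/trustification/` under the test resources, so this file looks like it belongs there too. If it is intentionally shipped (for instance as a canned response for a dev-mode profile), a short note in the commit message or a README line saying so would keep the next maintainer from removing it. It is also added without a trailing newline, which the same commit fixes in `application.properties` two hunks earlier.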
@@ -402,9 +404,35 @@ protected void verifyOssRequest(String user, String pass, boolean isEmpty) {
 }
 }
+ protected void stubTrustificationRequests() {
+
+ server.stubFor(
+ post(Constants.TRUSTIFICATION_ANALYZE_API_PATH)
+ .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
+ .withRequestBody(
+ equalToJson(
+ loadFileAsString("__files/trustification/empty_request.json"), true, false))
+ .willReturn(
+ aResponse().withStatus(200).withBodyFile("trustification/empty_report.json")));
+
+ server.stubFor(
+ post(Constants.TRUSTIFICATION_ANALYZE_API_PATH)
+ .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
+ .withRequestBody(
+ equalToJson(
+ loadFileAsString("__files/trustification/maven_request.json"), true, false))
+ .willReturn(
+ aResponse().withStatus(200).withBodyFile("trustification/maven_report.json")));
+ }
+
+ protected void verifyTrustificationRequest() {
+ server.verify(1, postRequestedFor(urlEqualTo(Constants.TRUSTIFICATION_ANALYZE_API_PATH)));
+ }
+
 protected void verifyNoInteractions() {
 verifyNoInteractionsWithSnyk();
 verifyNoInteractionsWithOSS();
+ verifyNoInteractionsWithTrustification();
 }
 protected void verifyNoInteractionsWithSnyk() {
@@ -415,4 +443,8 @@ protected void verifyNoInteractionsWithSnyk() {
 protected void verifyNoInteractionsWithOSS() {
 server.verify(0, postRequestedFor(urlEqualTo(Constants.OSS_INDEX_AUTH_COMPONENT_API_PATH)));
 }
+
+ protected void verifyNoInteractionsWithTrustification() {
+ server.verify(0, postRequestedFor(urlEqualTo(Constants.TRUSTIFICATION_ANALYZE_API_PATH)));
+ }
 }
diff --git a/src/test/java/com/redhat/exhort/integration/AnalysisTest.java b/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
index 0f1eb1d0..8717094c 100644
--- a/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
+++ b/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
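Review bot: `verifyTrustificationRequest()` asserts only that exactly one POST reached `TRUSTIFICATION_ANALYZE_API_PATH`; it checks neither which of the two stubbed request bodies was sent nor that the content type was JSON, whereas the sibling `verifyOssRequest(String user, String pass, boolean isEmpty)` takes parameters to pin that down. Tightening it to `server.verify(1, postRequestedFor(urlEqualTo(Constants.TRUSTIFICATION_ANALYZE_API_PATH)).withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON)))` and giving it an `isEmpty` parameter that selects the expected request file would bring it in line with the OSS verifier. Both stubs answer 200 only, so nothing in this class can exercise how a failing Trustification call is surfaced in the report; a stub returning a non-2xx status would let a test cover that path. The blank line directly after the `stubTrustificationRequests()` signature is a formatting slip.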
@@ -88,6 +88,7 @@ public void testWithInvalidPkgManagers(String sbom) { var report = given() .header(CONTENT_TYPE, getContentType(sbom)) + .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER) .body(loadFileAsString(String.format("%s/unsupported-invalid-sbom.json", sbom))) .when() .post("/api/v4/analysis") @@ -114,6 +115,7 @@ public void testWithMixedPkgManagers(String sbom) { var report = given() .header(CONTENT_TYPE, getContentType(sbom)) + .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER) .body(loadFileAsString(String.format("%s/unsupported-mixed-sbom.json", sbom))) .when() .post("/api/v4/analysis") @@ -141,7 +143,6 @@ public void testWithMixedPkgManagers(String sbom) { @MethodSource("emptySbomArguments") public void testEmptySbom(List providers, Map authHeaders) { stubAllProviders(); - var report = given() .header(CONTENT_TYPE, CycloneDxMediaType.APPLICATION_CYCLONEDX_JSON) @@ -175,8 +176,8 @@ public void testEmptySbom(List providers, Map authHeader private static Stream emptySbomArguments() { return Stream.of( - Arguments.of( - List.of(Constants.SNYK_PROVIDER), Collections.emptyMap(), Constants.MAVEN_PKG_MANAGER), + Arguments.of(List.of(Constants.TRUSTIFICATION_PROVIDER), Collections.emptyMap()), + Arguments.of(List.of(Constants.SNYK_PROVIDER), Collections.emptyMap()), Arguments.of(List.of(Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()), Arguments.of( List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), @@ -189,7 +190,10 @@ private static Stream emptySbomArguments() { Constants.OSS_INDEX_TOKEN_HEADER, OK_TOKEN)), Arguments.of( - List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), + List.of( + Constants.SNYK_PROVIDER, + Constants.OSS_INDEX_PROVIDER, + Constants.TRUSTIFICATION_PROVIDER), Map.of( Constants.SNYK_TOKEN_HEADER, OK_TOKEN, 
@@ -198,13 +202,10 @@ private static Stream emptySbomArguments() { Constants.OSS_INDEX_TOKEN_HEADER, OK_TOKEN)), Arguments.of( - List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()), - Arguments.of( - List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()), - Arguments.of( - List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()), - Arguments.of( - List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), + List.of( + Constants.SNYK_PROVIDER, + Constants.OSS_INDEX_PROVIDER, + Constants.TRUSTIFICATION_PROVIDER), Collections.emptyMap())); } @@ -233,6 +234,7 @@ public void testAllWithToken() { assertJson("reports/report_all_token.json", body); verifySnykRequest(OK_TOKEN); verifyOssRequest(OK_USER, OK_TOKEN, false); + verifyTrustificationRequest(); } @Test @@ -261,11 +263,12 @@ public void testSnykWithNoToken() { @Test public void testUnauthorizedRequest() { - stubAllProviders(); + stubSnykRequests(); var report = given() .header(CONTENT_TYPE, CycloneDxMediaType.APPLICATION_CYCLONEDX_JSON) + .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER) .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX))) .header("Accept", MediaType.APPLICATION_JSON) .header(Constants.SNYK_TOKEN_HEADER, INVALID_TOKEN) @@ -287,15 +290,17 @@ public void testUnauthorizedRequest() { assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), status.getCode()); verifySnykRequest(INVALID_TOKEN); + verifyNoInteractionsWithTrustification(); } @Test public void testForbiddenRequest() { - stubAllProviders(); + stubSnykRequests(); var report = given() .header(CONTENT_TYPE, CycloneDxMediaType.APPLICATION_CYCLONEDX_JSON) + .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER) .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX))) .header("Accept", MediaType.APPLICATION_JSON) .header(Constants.SNYK_TOKEN_HEADER, UNAUTH_TOKEN) 
@@ -317,6 +322,7 @@ public void testForbiddenRequest() { assertEquals(Response.Status.FORBIDDEN.getStatusCode(), status.getCode()); verifySnykRequest(UNAUTH_TOKEN); + verifyNoInteractionsWithTrustification(); } @Test @@ -350,6 +356,7 @@ public void testSBOMJsonWithToken() { assertDependenciesReport(snykSource.getDependencies()); verifySnykRequest(OK_TOKEN); + verifyTrustificationRequest(); } @Test @@ -383,6 +390,7 @@ public void testNonVerboseJson() { assertNull(snykSource.getDependencies()); verifySnykRequest(null); + verifyTrustificationRequest(); } @Test @@ -417,6 +425,7 @@ public void testNonVerboseWithToken() { assertNull(snykSource.getDependencies()); verifySnykRequest(OK_TOKEN); + verifyTrustificationRequest(); } @ParameterizedTest @@ -443,6 +452,7 @@ public void testMultipart_HttpVersions(String version) throws IOException, Inter verifySnykRequest(OK_TOKEN); verifyOssRequest(OK_USER, OK_TOKEN, false); + verifyTrustificationRequest(); } @Test diff --git a/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java b/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java index 1e13260f..4641eb8e 100644 --- a/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java +++ b/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java @@ -199,6 +199,7 @@ public void testUnauthorizedRequest() { .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX))) .header("Accept", MediaType.APPLICATION_JSON) .header(Constants.SNYK_TOKEN_HEADER, INVALID_TOKEN) + .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER) .when() .post("/api/v3/analysis") .then() @@ -228,6 +229,7 @@ public void testForbiddenRequest() { .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX))) .header("Accept", MediaType.APPLICATION_JSON) .header(Constants.SNYK_TOKEN_HEADER, UNAUTH_TOKEN) + .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER) .when() .post("/api/v3/analysis") .then() 
diff --git a/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java b/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java
index 6ae1087f..e043b944 100644
--- a/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java
+++ b/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java
@@ -24,6 +24,8 @@ import org.junit.jupiter.api.Test;
+import com.redhat.exhort.integration.providers.VulnerabilityProvider;
+
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.junit.QuarkusTestProfile;
 import io.quarkus.test.junit.TestProfile;
@@ -38,7 +40,7 @@ public class VulnerabilityProviderTest {
 @Test
 public void test() {
- var expected = new String[] {Constants.OSS_INDEX_PROVIDER};
+ var expected = new String[] {Constants.OSS_INDEX_PROVIDER, Constants.TRUSTIFICATION_PROVIDER};
 assertArrayEquals(expected, provider.getEnabled().toArray(new String[] {}));
 }
diff --git a/src/test/resources/__files/reports/report_all_token.json b/src/test/resources/__files/reports/report_all_token.json
index b5893fd3..cd3544da 100644
--- a/src/test/resources/__files/reports/report_all_token.json
+++ b/src/test/resources/__files/reports/report_all_token.json
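Review bot: The expected enabled set now lists `TRUSTIFICATION_PROVIDER` next to `OSS_INDEX_PROVIDER`, which implies the test profile switches Snyk off through a property like the `# api.snyk.disabled=true` shown in `application.properties` earlier in this diff; no `api.trustification.disabled` switch appears anywhere in the change. If the relocated `VulnerabilityProvider` (now in `integration.providers`, not visible here) keeps the same per-provider flag pattern, an operator has no way to turn the new provider off without a code change, so the flag and a test-profile case asserting the provider drops out of `getEnabled()` when it is set would be consistent with the other two. The test method is still named `test`; a name such as `testDisabledProvidersAreExcluded` would say what it checks.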
@@ -1,668 +1,862 @@ { - "scanned": { - "total": 9, - "direct": 2, - "transitive": 7 - }, - "providers": { - "oss-index": { - "status": { - "ok": true, - "name": "oss-index", - "code": 200, - "message": "OK" - }, - "sources": { - "oss-index": { - "summary": { - "direct": 0, - "transitive": 3, - "total": 3, - "dependencies": 1, - "critical": 0, - "high": 3, - "medium": 0, - "low": 0, - "remediations": 0, - "recommendations": 0 - }, - "dependencies": [ - { - "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", - "transitive": [ - { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - "issues": [ - { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - }, - { - "id": "CVE-2022-42003", - "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2022-42003" - ], - "unique": false - }, - { - "id": "CVE-2022-42004", - "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - 
"confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2022-42004" - ], - "unique": false - } - ], - "highestVulnerability": { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - } - } - ], - "highestVulnerability": { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - } - }, - { - "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", - "transitive": [ - { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - "issues": [ - { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - 
"cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - }, - { - "id": "CVE-2022-42003", - "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2022-42003" - ], - "unique": false - }, - { - "id": "CVE-2022-42004", - "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2022-42004" - ], - "unique": false - } - ], - "highestVulnerability": { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - } - } - ], - "highestVulnerability": { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - 
"userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - } - } - ] - } - } - }, - "snyk": { - "status": { - "ok": true, - "name": "snyk", - "code": 200, - "message": "OK" - }, - "sources": { - "snyk": { - "summary": { - "direct": 0, - "transitive": 4, - "total": 4, - "dependencies": 2, - "critical": 0, - "high": 1, - "medium": 3, - "low": 0, - "remediations": 0, - "recommendations": 0 - }, - "dependencies": [ - { - "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", - "transitive": [ - { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - "issues": [ - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "High", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "exploitCodeMaturity": "Proof of concept code", - "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" - }, - "cvssScore": 5.9, - "severity": "MEDIUM", - "unique": true, 
- "remediation": { - "fixedIn": [ - "2.13.4" - ] - } - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "High", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "exploitCodeMaturity": "Proof of concept code", - "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" - }, - "cvssScore": 5.9, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-42003" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.7.1", - "2.13.4.2" - ] - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - } - }, 
- { - "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", - "transitive": [ - { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - "issues": [ - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "High", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "exploitCodeMaturity": "Proof of concept code", - "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" - }, - "cvssScore": 5.9, - "severity": "MEDIUM", - "unique": true, - "remediation": { - "fixedIn": [ - "2.13.4" - ] - } - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "High", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "exploitCodeMaturity": "Proof of concept code", - "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" - }, - "cvssScore": 5.9, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-42003" - ], - "unique": false, - "remediation": { - 
"fixedIn": [ - "2.12.7.1", - "2.13.4.2" - ] - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - } - }, - { - "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", - "issues": [ - { - "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", - "title": "Information Exposure", - "source": "snyk", - "cvss": { - "attackVector": "Local", - "attackComplexity": "High", - "privilegesRequired": "Low", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "High", - "integrityImpact": "None", - "availabilityImpact": "None", - "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" - }, - "cvssScore": 4.7, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-41946" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "42.2.27", - "42.3.8", - "42.4.3", - "42.5.1" - ] - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", - "title": "Information Exposure", - "source": "snyk", - "cvss": { - "attackVector": "Local", - "attackComplexity": "High", - "privilegesRequired": "Low", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "High", - "integrityImpact": "None", - "availabilityImpact": "None", - "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" - }, - "cvssScore": 4.7, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-41946" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "42.2.27", - "42.3.8", - "42.4.3", - "42.5.1" - 
] - } - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - } - } - ] - } - } - } - } + "scanned": { + "total": 9, + "direct": 2, + "transitive": 7 + }, + "providers": { + "oss-index": { + "status": { + "ok": true, + "name": "oss-index", + "code": 200, + "message": "OK" + }, + "sources": { + "oss-index": { + "summary": { + "direct": 0, + "transitive": 3, + "total": 3, + "dependencies": 1, + "critical": 0, + "high": 3, + "medium": 0, + "low": 0, + "remediations": 0, + "recommendations": 0 + }, + "dependencies": [ + { + "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "issues": [ + { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + }, + { + "id": "CVE-2022-42003", + "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + 
"attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2022-42003" + ], + "unique": false + }, + { + "id": "CVE-2022-42004", + "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2022-42004" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + 
"CVE-2020-36518" + ], + "unique": false + } + }, + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "issues": [ + { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + }, + { + "id": "CVE-2022-42003", + "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2022-42003" + ], + "unique": false + }, + { + "id": "CVE-2022-42004", + "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2022-42004" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": 
{ + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + } + } + ] + } + } + }, + "trustification": { + "status": { + "ok": true, + "name": "trustification", + "code": 200, + "message": "OK" + }, + "sources": { + "osv": { + "summary": { + "direct": 0, + "transitive": 1, + "total": 1, + "dependencies": 1, + "critical": 1, + "high": 0, + "medium": 0, + "low": 0, + "remediations": 0, + "recommendations": 0 + }, + "dependencies": [ + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ 
+ "CVE-2022-41946" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ] + }, + "snyk": { + "summary": { + "direct": 0, + "transitive": 1, + "total": 1, + "dependencies": 1, + "critical": 1, + "high": 0, + "medium": 0, + "low": 0, + "remediations": 0, + "recommendations": 0 + }, + "dependencies": [ + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ] + } + } + }, + "snyk": { + "status": { + "ok": true, + "name": "snyk", + "code": 200, + "message": "OK" + }, + "sources": { + "snyk": { + "summary": { + "direct": 0, + "transitive": 4, + "total": 4, + "dependencies": 2, + "critical": 0, + "high": 1, + "medium": 3, + "low": 0, + "remediations": 0, + "recommendations": 0 + }, + "dependencies": [ + { + "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "issues": [ + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + 
"attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "exploitCodeMaturity": "Proof of concept code", + "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + }, + "cvssScore": 5.9, + "severity": "MEDIUM", + "unique": true, + "remediation": { + "fixedIn": [ + "2.13.4" + ] + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "exploitCodeMaturity": "Proof of concept code", + "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + }, + "cvssScore": 5.9, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-42003" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.7.1", + "2.13.4.2" + ] + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + 
"userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + } + }, + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "issues": [ + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + 
"attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "exploitCodeMaturity": "Proof of concept code", + "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + }, + "cvssScore": 5.9, + "severity": "MEDIUM", + "unique": true, + "remediation": { + "fixedIn": [ + "2.13.4" + ] + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "exploitCodeMaturity": "Proof of concept code", + "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + }, + "cvssScore": 5.9, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-42003" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.7.1", + "2.13.4.2" + ] + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + } + }, + { + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Information Exposure", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "High", + 
"privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-41946" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Information Exposure", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "High", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-41946" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] + } + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + } + } + ] + } + } + } + } } \ No newline at end of file diff --git a/src/test/resources/__files/reports/v3/report_all_token.json b/src/test/resources/__files/reports/v3/report_all_token.json index 99da1c5e..ce78a2a3 100644 --- a/src/test/resources/__files/reports/v3/report_all_token.json 
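Review bot: The new trustification entries in this fixture are internally inconsistent: the osv issue GHSA-562R-VG33-8X8H and the snyk issue SNYK-JAVA-ORGPOSTGRESQL-3146847 both carry `"cvssScore": 4.7` with `"severity": "CRITICAL"`, while the same Snyk id under the snyk provider in the same file keeps 4.7/MEDIUM, a different vector (AC:H) and the title "Information Exposure" instead of an Apache Log4j2 title on a postgresql package. A 4.7 score is MEDIUM under CVSS v3, so a test that passes against this data cannot catch a severity-mapping regression in the provider response handling, and the per-source summaries (`"critical": 1`) inherit the same value. The same records appear in the v3 fixture of this commit. Either correct the values to a consistent score/severity pair or state in the test that loads this file that the severity is synthetic and copied verbatim from the provider.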
+++ b/src/test/resources/__files/reports/v3/report_all_token.json
@@ -6,8 +6,8 @@
   },
   "vulnerabilities": {
     "direct": 0,
-    "total": 7,
-    "critical": 0,
+    "total": 9,
+    "critical": 2,
     "high": 4,
     "medium": 3,
     "low": 0
@@ -19,6 +19,12 @@
       "status": 200,
       "message": "OK"
     },
+    {
+      "ok": true,
+      "provider": "trustification",
+      "status": 200,
+      "message": "OK"
+    },
     {
       "ok": true,
       "provider": "snyk",
@@ -29,7 +35,7 @@
     },
   "dependencies": [
     {
-      "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final",
+      "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final",
       "transitive": [
         {
           "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
@@ -149,7 +155,7 @@
       }
     },
     {
-      "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final",
+      "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final",
       "transitive": [
         {
           "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
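Review bot: The aggregate `"critical": 2` and `"total": 9` in the first hunk count CVE-2022-41946 twice, once from the osv source and once from the snyk source under trustification (both in the hunk that follows, which runs past this chunk); if the summary is meant to count distinct vulnerabilities rather than provider findings, the expected value is 1 and the aggregation should dedupe by CVE, and if it is meant to count findings the fixture should say so in the test that loads it. The swap of the two dependency refs in the `-29` and `-149` hunks also suggests the order of dependencies in the report is not stable, which makes this fixture brittle; comparing dependencies by ref, or sorting before the assertion, would avoid this churn on the next provider addition.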
@@ -270,6 +276,158 @@
 },
 {
 "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final",
+ "transitive": [
+ {
+ "ref": "pkg:maven/org.postgresql/postgresql@42.5.0",
+ "issues": [
+ {
+ "id": "GHSA-562R-VG33-8X8H",
+ "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
+ "source": "osv",
+ "cvss": {
+ "attackVector": "Local",
+ "attackComplexity": "Low",
+ "privilegesRequired": "Low",
+ "userInteraction": "None",
+ "scope": "Unchanged",
+ "confidentialityImpact": "High",
+ "integrityImpact": "None",
+ "availabilityImpact": "None",
+ "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "cvssScore": 4.7,
+ "severity": "CRITICAL",
+ "cves": [
+ "CVE-2022-41946"
+ ],
+ "unique": false
+ }
+ ],
+ "highestVulnerability": {
+ "id": "GHSA-562R-VG33-8X8H",
+ "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
+ "source": "osv",
+ "cvss": {
+ "attackVector": "Local",
+ "attackComplexity": "Low",
+ "privilegesRequired": "Low",
+ "userInteraction": "None",
+ "scope": "Unchanged",
+ "confidentialityImpact": "High",
+ "integrityImpact": "None",
+ "availabilityImpact": "None",
+ "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "cvssScore": 4.7,
+ "severity": "CRITICAL",
+ "cves": [
+ "CVE-2022-41946"
+ ],
+ "unique": false
+ }
+ }
+ ],
+ "highestVulnerability": {
+ "id": "GHSA-562R-VG33-8X8H",
+ "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
+ "source": "osv",
+ "cvss": {
+ "attackVector": "Local",
+ "attackComplexity": "Low",
+ "privilegesRequired": "Low",
+ "userInteraction": "None",
+ "scope": "Unchanged",
+ "confidentialityImpact": "High",
+ "integrityImpact": "None",
+ "availabilityImpact": "None",
+ "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "cvssScore": 4.7,
+ "severity": "CRITICAL",
+ "cves": [
+ "CVE-2022-41946"
+ ],
+ "unique": false
+ }
+ },
+ {
+ "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final",
+ "transitive": [
+ {
+ "ref": 
"pkg:maven/org.postgresql/postgresql@42.5.0",
+ "issues": [
+ {
+ "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
+ "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
+ "source": "snyk",
+ "cvss": {
+ "attackVector": "Local",
+ "attackComplexity": "Low",
+ "privilegesRequired": "Low",
+ "userInteraction": "None",
+ "scope": "Unchanged",
+ "confidentialityImpact": "High",
+ "integrityImpact": "None",
+ "availabilityImpact": "None",
+ "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "cvssScore": 4.7,
+ "severity": "CRITICAL",
+ "cves": [
+ "CVE-2022-41946"
+ ],
+ "unique": false
+ }
+ ],
+ "highestVulnerability": {
+ "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
+ "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
+ "source": "snyk",
+ "cvss": {
+ "attackVector": "Local",
+ "attackComplexity": "Low",
+ "privilegesRequired": "Low",
+ "userInteraction": "None",
+ "scope": "Unchanged",
+ "confidentialityImpact": "High",
+ "integrityImpact": "None",
+ "availabilityImpact": "None",
+ "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "cvssScore": 4.7,
+ "severity": "CRITICAL",
+ "cves": [
+ "CVE-2022-41946"
+ ],
+ "unique": false
+ }
+ }
+ ],
+ "highestVulnerability": {
+ "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
+ "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
+ "source": "snyk",
+ "cvss": {
+ "attackVector": "Local",
+ "attackComplexity": "Low",
+ "privilegesRequired": "Low",
+ "userInteraction": "None",
+ "scope": "Unchanged",
+ "confidentialityImpact": "High",
+ "integrityImpact": "None",
+ "availabilityImpact": "None",
+ "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "cvssScore": 4.7,
+ "severity": "CRITICAL",
+ "cves": [
+ "CVE-2022-41946"
+ ],
+ "unique": false
+ }
+ },
+ {
+ "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final",
 "transitive": [
 {
 "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
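Review bot: The expected entries added here for postgresql@42.5.0 pair `"cvssScore": 4.7` with `"severity": "CRITICAL"` and a vector carrying `AC:L`, which contradicts the CVSS 3.1 qualitative scale (4.7 falls in Medium) and this file's other entry for the same finding (`SNYK-JAVA-ORGPOSTGRESQL-3146847` with AC:H, MEDIUM, "Information Exposure"), so one snyk id now appears with two different titles and severities in a single report. Those values look copied from the new maven_report.json fixture (hunk `@@ -0,0 +1,132 @@`), whose `cvssData` has `baseScore` 5.5 next to `baseSeverity` "CRITICAL", a `vectorString` of AV:L/AC:L/PR:L/S:U next to component fields NETWORK/HIGH/NONE/CHANGED, and a Log4j description and KEV name filed under CVE-2022-41946. Because the fixture contradicts itself, the test can only confirm that fields are copied through; it cannot detect a mapping that derives severity from the score rather than `baseSeverity`, or takes the components rather than `vectorString`, and the `"critical": 2` summary count becomes an artifact of the fixture rather than evidence of a classification rule — inferred, since the provider code is not in this diff. Making the fixture internally consistent (`baseSeverity` matching `baseScore`, components matching the vector string, a title that belongs to the CVE) would give the expected report values that only the correct mapping produces.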
@@ -362,55 +520,6 @@
 ],
 "unique": false
 }
- },
- {
- "ref": "pkg:maven/org.postgresql/postgresql@42.5.0",
- "issues": [
- {
- "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
- "title": "Information Exposure",
- "source": "snyk",
- "cvss": {
- "attackVector": "Local",
- "attackComplexity": "High",
- "privilegesRequired": "Low",
- "userInteraction": "None",
- "scope": "Unchanged",
- "confidentialityImpact": "High",
- "integrityImpact": "None",
- "availabilityImpact": "None",
- "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
- },
- "cvssScore": 4.7,
- "severity": "MEDIUM",
- "cves": [
- "CVE-2022-41946"
- ],
- "unique": false
- }
- ],
- "highestVulnerability": {
- "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
- "title": "Information Exposure",
- "source": "snyk",
- "cvss": {
- "attackVector": "Local",
- "attackComplexity": "High",
- "privilegesRequired": "Low",
- "userInteraction": "None",
- "scope": "Unchanged",
- "confidentialityImpact": "High",
- "integrityImpact": "None",
- "availabilityImpact": "None",
- "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
- },
- "cvssScore": 4.7,
- "severity": "MEDIUM",
- "cves": [
- "CVE-2022-41946"
- ],
- "unique": false
- }
 }
 ],
 "highestVulnerability": {
@@ -437,7 +546,7 @@
 }
 },
 {
- "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final",
+ "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final",
 "transitive": [
 {
 "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
@@ -530,6 +639,55 @@
 ],
 "unique": false
 }
+ },
+ {
+ "ref": "pkg:maven/org.postgresql/postgresql@42.5.0",
+ "issues": [
+ {
+ "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
+ "title": "Information Exposure",
+ "source": "snyk",
+ "cvss": {
+ "attackVector": "Local",
+ "attackComplexity": "High",
+ "privilegesRequired": "Low",
+ "userInteraction": "None",
+ "scope": "Unchanged",
+ "confidentialityImpact": "High",
+ "integrityImpact": "None",
+ "availabilityImpact": "None",
+ "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "cvssScore": 4.7,
+ "severity": "MEDIUM",
+ "cves": [
+ "CVE-2022-41946"
+ ],
+ "unique": false
+ }
+ ],
+ "highestVulnerability": {
+ "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
+ "title": "Information Exposure",
+ "source": "snyk",
+ "cvss": {
+ "attackVector": "Local",
+ "attackComplexity": "High",
+ "privilegesRequired": "Low",
+ "userInteraction": "None",
+ "scope": "Unchanged",
+ "confidentialityImpact": "High",
+ "integrityImpact": "None",
+ "availabilityImpact": "None",
+ "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ "cvssScore": 4.7,
+ "severity": "MEDIUM",
+ "cves": [
+ "CVE-2022-41946"
+ ],
+ "unique": false
+ }
 }
 ],
 "highestVulnerability": {
diff --git a/src/test/resources/__files/trustification/empty_report.json b/src/test/resources/__files/trustification/empty_report.json
new file mode 100644
index 00000000..27a4c46e
--- /dev/null
+++ b/src/test/resources/__files/trustification/empty_report.json
@@ -0,0 +1,5 @@
+{
+ "analysis": {},
+ "cves": [],
+ "errors": []
+}
\ No newline at end of file
diff --git a/src/test/resources/__files/trustification/empty_request.json b/src/test/resources/__files/trustification/empty_request.json
new file mode 100644
index 00000000..d06bc4a3
--- /dev/null
+++ b/src/test/resources/__files/trustification/empty_request.json
@@ -0,0 +1,3 @@
+{
+ "purls": []
+}
\ No newline at end of file
diff --git a/src/test/resources/__files/trustification/maven_report.json b/src/test/resources/__files/trustification/maven_report.json
new file mode 100644
index 00000000..48d01d8f
--- /dev/null
+++ b/src/test/resources/__files/trustification/maven_report.json
@@ -0,0 +1,132 @@
+{
+ "analysis": {
+ "pkg:maven/org.postgresql/postgresql@42.5.0": [
+ {
+ "vendor": "snyk",
+ "vulnerable": [
+ {
+ "id": "snyk-java-orgpostgresql-3146847",
+ "severity": [
+ {
+ "source": "Snyk",
+ "type": "CVSSv31",
+ "score": 4.699999809265137
+ },
+ {
+ "source": "SUSE",
+ "type": "CVSSv31",
+ "score": 5.5
+ },
+ {
+ "source": "NVD",
+ "type": "CVSSv31",
+ "score": 5.5
+ },
+ {
+ "source": "Red Hat",
+ "type": "CVSSv31",
+ "score": 5.5
+ }
+ ],
+ "aliases": [
+ "cve-2022-41946",
+ "cwe-200",
+ "ghsa-562r-vg33-8x8h"
+ ]
+ }
+ ]
+ },
+ {
+ "vendor": "osv",
+ "vulnerable": [
+ {
+ "id": "ghsa-562r-vg33-8x8h",
+ "severity": [
+ {
+ "source": "osv",
+ "type": "CVSSv31",
+ "score": 4.7
+ }
+ ],
+ "aliases": [
+ "cve-2022-41946"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "cves": [
+ {
+ "id": "CVE-2022-41946",
+ "sourceIdentifier": "security@apache.org",
+ "published": "2021-12-14T19:15:07.733",
+ "lastModified": "2023-10-26T07:15:36.677",
+ "vulnStatus": "Modified",
+ "cisaExploitAdd": "2023-05-01",
+ "cisaActionDue": "2023-05-22",
+ "cisaRequiredAction": "Apply updates per vendor instructions.",
+ "cisaVulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default."
+ },
+ {
+ "lang": "es",
+ "value": "Se descubri\u00F3 que la correcci\u00F3n para abordar CVE-2021-44228 en Apache Log4j versiones 2.15.0 estaba incompleta en ciertas configuraciones no predeterminadas. Esto podr\u00EDa permitir a los atacantes con control sobre los datos de entrada de Thread Context Map (MDC) cuando la configuraci\u00F3n de registro utiliza un Pattern Layout no predeterminado con un Context Lookup (por ejemplo, $${ctx:loginId}) o un Thread Context Map pattern (%X, %mdc, o %MDC) para elaborar datos de entrada maliciosos utilizando un patr\u00F3n JNDI Lookup que resulta en una fuga de informaci\u00F3n y ejecuci\u00F3n de c\u00F3digo remoto en algunos entornos y ejecuci\u00F3n de c\u00F3digo local en todos los entornos. Log4j versiones 2.16.0 (Java 8) y 2.12.2 (Java 7) solucionan este problema eliminando el soporte para los patrones de b\u00FAsqueda de mensajes y deshabilitando la funcionalidad JNDI por defecto"
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "nvd@nist.gov",
+ "type": "Primary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ "attackVector": "NETWORK",
+ "attackComplexity": "HIGH",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.5,
+ "baseSeverity": "CRITICAL"
+ },
+ "exploitabilityScore": 2.2,
+ "impactScore": 6
+ }
+ ],
+ "cvssMetricV2": [
+ {
+ "source": "nvd@nist.gov",
+ "type": "Primary",
+ "cvssData": {
+ "version": "2.0",
+ "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
+ "accessVector": "NETWORK",
+ "accessComplexity": "HIGH",
+ "authentication": "NONE",
+ "confidentialityImpact": "PARTIAL",
+ "integrityImpact": "PARTIAL",
+ "availabilityImpact": "PARTIAL",
+ "baseScore": 5.1
+ },
+ "baseSeverity": "MEDIUM",
+ "exploitabilityScore": 4.9,
+ "impactScore": 6.4,
+ "acInsufInfo": false,
+ "obtainAllPrivilege": false,
+ "obtainUserPrivilege": false,
+ "obtainOtherPrivilege": false,
+ "userInteractionRequired": false
+ }
+ ]
+ }
+ }
+ ],
+ "errors": []
+}
\ No newline at end of file
diff --git a/src/test/resources/__files/trustification/maven_request.json b/src/test/resources/__files/trustification/maven_request.json
new file mode 100644
index 00000000..d9e69957
--- /dev/null
+++ b/src/test/resources/__files/trustification/maven_request.json
@@ -0,0 +1,13 @@
+{
+ "purls": [
+ "pkg:maven/jakarta.enterprise/jakarta.enterprise.cdi-api@2.0.2",
+ "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final",
+ "pkg:maven/jakarta.interceptor/jakarta.interceptor-api@1.2.5",
+ "pkg:maven/io.quarkus/quarkus-narayana-jta@2.13.5.Final",
+ "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final",
+ "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
+ "pkg:maven/jakarta.el/jakarta.el-api@3.0.3",
+ "pkg:maven/org.postgresql/postgresql@42.5.0",
+ "pkg:maven/io.quarkus/quarkus-core@2.13.5.Final"
+ ]
+}
\ No newline at end of file