From 3dd6347000c728510130aafbb08293c68f465fc9 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Mon, 6 Nov 2023 10:05:04 +0100 Subject: [PATCH 1/5] feat: adding trustification-exhort data model 
Signed-off-by: Ruben Romero Montes --- .../redhat/exhort/integration/Constants.java | 3 + .../integration/VulnerabilityProvider.java | 141 ------------------ .../backend/ExhortIntegration.java | 2 +- .../providers/VulnerabilityProvider.java | 6 + .../ossindex/OssIndexIntegration.java | 2 +- .../TrustificationIntegration.java | 79 ++++++++++ .../TrustificationRequestBuilder.java | 43 ++++++ .../TrustificationResponseHandler.java | 127 ++++++++++++++++ .../exhort/model/trustification/Affected.java | 28 ++++ .../model/trustification/AnalyzeResponse.java | 30 ++++ .../exhort/model/trustification/Range.java | 25 ++++ .../model/trustification/Reference.java | 25 ++++ .../model/trustification/ScoreType.java | 32 ++++ .../exhort/model/trustification/Severity.java | 25 ++++ .../model/trustification/VersionRange.java | 25 ++++ .../model/trustification/Vulnerability.java | 39 +++++ src/main/resources/application.properties | 10 +- .../VulnerabilityProviderTest.java | 2 + 18 files changed, 500 insertions(+), 144 deletions(-) delete mode 100644 src/main/java/com/redhat/exhort/integration/VulnerabilityProvider.java create mode 100644 src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java create mode 100644 src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java create mode 100644 src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java create mode 100644 src/main/java/com/redhat/exhort/model/trustification/Affected.java create mode 100644 src/main/java/com/redhat/exhort/model/trustification/AnalyzeResponse.java create mode 100644 src/main/java/com/redhat/exhort/model/trustification/Range.java create mode 100644 src/main/java/com/redhat/exhort/model/trustification/Reference.java create mode 100644 src/main/java/com/redhat/exhort/model/trustification/ScoreType.java create mode 100644 
src/main/java/com/redhat/exhort/model/trustification/Severity.java create mode 100644 src/main/java/com/redhat/exhort/model/trustification/VersionRange.java create mode 100644 src/main/java/com/redhat/exhort/model/trustification/Vulnerability.java diff --git a/src/main/java/com/redhat/exhort/integration/Constants.java b/src/main/java/com/redhat/exhort/integration/Constants.java index d3f3da35..458e6ae1 100644 --- a/src/main/java/com/redhat/exhort/integration/Constants.java +++ b/src/main/java/com/redhat/exhort/integration/Constants.java @@ -52,6 +52,7 @@ private Constants() {} public static final String SNYK_PROVIDER = "snyk"; public static final String OSS_INDEX_PROVIDER = "oss-index"; + public static final String TRUSTIFICATION_PROVIDER = "trustification"; public static final String UNKNOWN_PROVIDER = "unknown"; public static final String MAVEN_PKG_MANAGER = "maven"; @@ -73,6 +74,7 @@ private Constants() {} public static final String SNYK_DEP_GRAPH_API_PATH = "/test/dep-graph"; public static final String SNYK_TOKEN_API_PATH = "/user/me"; public static final String OSS_INDEX_AUTH_COMPONENT_API_PATH = "/authorized/component-report"; + public static final String TRUSTIFICATION_ANALYZE_API_PATH = "/analyze"; public static final String DEFAULT_ACCEPT_MEDIA_TYPE = MediaType.APPLICATION_JSON; public static final boolean DEFAULT_VERBOSE_MODE = false; @@ -83,6 +85,7 @@ private Constants() {} { add(SNYK_PROVIDER); add(OSS_INDEX_PROVIDER); + add(TRUSTIFICATION_PROVIDER); } }); diff --git a/src/main/java/com/redhat/exhort/integration/VulnerabilityProvider.java b/src/main/java/com/redhat/exhort/integration/VulnerabilityProvider.java deleted file mode 100644 index 41f0e751..00000000 --- a/src/main/java/com/redhat/exhort/integration/VulnerabilityProvider.java +++ /dev/null 
@@ -1,141 +0,0 @@ -/* - * Copyright 2023 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.redhat.exhort.integration; - -import java.net.URISyntaxException; -import java.util.ArrayList; -import java.util.Collections; -import java.util.List; -import java.util.Map; -import java.util.function.Predicate; -import java.util.stream.Collectors; - -import org.apache.camel.Exchange; -import org.apache.camel.ExchangeProperty; -import org.apache.camel.Headers; -import org.apache.camel.util.URISupport; -import org.eclipse.microprofile.config.inject.ConfigProperty; - -import io.quarkus.runtime.annotations.RegisterForReflection; - -import jakarta.annotation.PostConstruct; -import jakarta.enterprise.context.ApplicationScoped; -import jakarta.ws.rs.ClientErrorException; - -@ApplicationScoped -@RegisterForReflection -public class VulnerabilityProvider { - - @ConfigProperty(name = "api.snyk.disabled", defaultValue = "false") - boolean snykDisabled; - - @ConfigProperty(name = "api.ossindex.disabled", defaultValue = "false") - boolean ossIndexDisabled; - - private List providers; - - @PostConstruct - public void initProviders() { - providers = - Collections.unmodifiableList( - Constants.PROVIDERS.stream() - .filter(p -> !(Constants.SNYK_PROVIDER.equals(p) && snykDisabled)) - .filter(p -> !(Constants.OSS_INDEX_PROVIDER.equals(p) && ossIndexDisabled)) - 
.toList()); - } - - public String get(@ExchangeProperty(Exchange.MULTICAST_INDEX) int index) { - return providers.get(index); - } - - public List getProviderEndpoints( - @ExchangeProperty(Constants.PROVIDERS_PARAM) List providers) { - return providers.stream() - .map( - p -> - switch (p) { - case Constants.SNYK_PROVIDER -> "direct:snykDepGraph"; - case Constants.OSS_INDEX_PROVIDER -> "direct:ossIndexScan"; - default -> throw new IllegalArgumentException("Unexpected provider: " + p); - }) - .collect(Collectors.toList()); - } - - public List getEnabled() { - return providers; - } - - public List getProvidersFromQueryParam(@Headers Map headers) - throws URISyntaxException { - String query = headers.get(Exchange.HTTP_QUERY); - Map props = URISupport.parseQuery(query); - List providers = getProviders(props); - if (providers == null || providers.isEmpty()) { - return getEnabled().stream().filter(p -> filterByAuthHeaders(p, headers)).toList(); - } - List missing = - providers.stream() - .filter(Predicate.not(p -> getEnabled().contains(p))) - .collect(Collectors.toList()); - if (missing.isEmpty()) { - return providers; - } - throw new ClientErrorException("Unsupported providers: " + missing, 422); - } - - @SuppressWarnings("unchecked") - private List getProviders(Map props) { - Object o = props.get(Constants.PROVIDERS_PARAM); - if (o == null) { - return null; - } - if (o instanceof String) { - return List.of((String) o); - } - if (o instanceof List) { - return (List) o; - } - throw new ClientErrorException("Unsupported providers: " + o, 422); - } - - @SuppressWarnings("unchecked") - public void addProviderPrivateData(Exchange exchange, String provider) { - List current = - (List) exchange.getProperty(Constants.PROVIDER_PRIVATE_DATA_PROPERTY); - if (current == null) { - current = List.of(provider); - } else { - current = new ArrayList<>(current); - current.add(provider); - } - exchange.setProperty( - Constants.PROVIDER_PRIVATE_DATA_PROPERTY, 
Collections.unmodifiableList(current)); - } - - private boolean filterByAuthHeaders(String provider, Map headers) { - if (headers == null || headers.isEmpty()) { - return true; - } - return switch (provider) { - case Constants.OSS_INDEX_PROVIDER -> headers.containsKey(Constants.OSS_INDEX_USER_HEADER) - && headers.containsKey(Constants.OSS_INDEX_TOKEN_HEADER); - default -> true; - }; - } -} diff --git a/src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java b/src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java index 07bb1878..abf7e257 100644 --- a/src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java +++ b/src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java @@ -35,9 +35,9 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.redhat.exhort.analytics.AnalyticsService; import com.redhat.exhort.integration.Constants; -import com.redhat.exhort.integration.VulnerabilityProvider; import com.redhat.exhort.integration.backend.sbom.SbomParserFactory; import com.redhat.exhort.integration.providers.ProviderAggregationStrategy; +import com.redhat.exhort.integration.providers.VulnerabilityProvider; import com.redhat.exhort.monitoring.MonitoringProcessor; import io.micrometer.core.instrument.MeterRegistry; diff --git a/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java b/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java index 1f3423d9..184dc057 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java +++ b/src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java @@ -50,6 +50,9 @@ public class VulnerabilityProvider { @ConfigProperty(name = "api.ossindex.disabled", defaultValue = "false") boolean ossIndexDisabled; + @ConfigProperty(name = "api.trustification.disabled", defaultValue = "false") + boolean trustificationDisabled; + private List providers; @PostConstruct 
@@ -59,6 +62,8 @@ public void initProviders() { Constants.PROVIDERS.stream() .filter(p -> !(Constants.SNYK_PROVIDER.equals(p) && snykDisabled)) .filter(p -> !(Constants.OSS_INDEX_PROVIDER.equals(p) && ossIndexDisabled)) + .filter( + p -> !(Constants.TRUSTIFICATION_PROVIDER.equals(p) && trustificationDisabled)) .toList()); } @@ -74,6 +79,7 @@ public List getProviderEndpoints( switch (p) { case Constants.SNYK_PROVIDER -> "direct:snykDepGraph"; case Constants.OSS_INDEX_PROVIDER -> "direct:ossIndexScan"; + case Constants.TRUSTIFICATION_PROVIDER -> "direct:trustificationAnalysis"; default -> throw new IllegalArgumentException("Unexpected provider: " + p); }) .collect(Collectors.toList()); diff --git a/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java b/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java index 933e619a..6bfe1e28 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java +++ b/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java @@ -29,7 +29,7 @@ import org.eclipse.microprofile.config.inject.ConfigProperty; import com.redhat.exhort.integration.Constants; -import com.redhat.exhort.integration.VulnerabilityProvider; +import com.redhat.exhort.integration.providers.VulnerabilityProvider; import com.redhat.exhort.model.DependencyTree; import com.redhat.exhort.monitoring.MonitoringProcessor; diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java new file mode 100644 index 00000000..c82b642d --- /dev/null +++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java 
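Review bot: The third `.filter` in `initProviders` repeats the per-provider pattern a third time, and each new provider now needs a `@ConfigProperty` field, a filter line and a switch case in `getProviderEndpoints`; reading `api.<provider>.disabled` through the `Config` API for each entry of `Constants.PROVIDERS` (or a `Map<String, Boolean>` keyed by provider name) would collapse this to one line. More importantly, trustification is enabled by default, and `filterByAuthHeaders` in the removed copy of this class (presumably unchanged in the retained one) only gates OSS Index, so every request that omits `providers` now also fans out to the trustification backend configured in `application.properties`; consider shipping `api.trustification.disabled=true` until the integration leaves the mocked stage. `initProviders` begins before this hunk.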
@@ -0,0 +1,79 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.integration.providers.trustification; + +import static com.redhat.exhort.integration.Constants.TRUSTIFICATION_ANALYZE_API_PATH; + +import org.apache.camel.Exchange; +import org.apache.camel.Message; +import org.apache.camel.builder.endpoint.EndpointRouteBuilder; +import org.eclipse.microprofile.config.inject.ConfigProperty; + +import jakarta.enterprise.context.ApplicationScoped; +import jakarta.inject.Inject; +import jakarta.ws.rs.HttpMethod; +import jakarta.ws.rs.core.MediaType; + +@ApplicationScoped +public class TrustificationIntegration extends EndpointRouteBuilder { + + @ConfigProperty(name = "api.trustification.timeout", defaultValue = "10s") + String timeout; + + @Inject TrustificationResponseHandler responseHandler; + + @Override + public void configure() { + + // fmt:off + from(direct("trustificationAnalysis")) + .routeId("trustificationAnalysis") + .circuitBreaker() + .faultToleranceConfiguration() + .timeoutEnabled(true) + .timeoutDuration(timeout) + .end() + .to(direct("trustificationRequest")) + .onFallback() + .process(responseHandler::processResponseError); + + from(direct("trustificationRequest")) + .routeId("trustificationRequest") + .transform().method(TrustificationRequestBuilder.class, "build") + 
.process(this::processRequest) + .to("log:foo?showHeaders=true") + .to(vertxHttp("{{api.trustification.host}}")) + .transform().method(TrustificationResponseHandler.class, "responseToIssues") + .transform().method(TrustificationResponseHandler.class, "buildReport"); + // fmt:on + } + + private void processRequest(Exchange exchange) { + Message message = exchange.getMessage(); + + message.removeHeader(Exchange.HTTP_PATH); + message.removeHeader(Exchange.HTTP_QUERY); + message.removeHeader(Exchange.HTTP_URI); + message.removeHeader("Accept-Encoding"); + + message.setHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON); + message.setHeader(Exchange.HTTP_PATH, TRUSTIFICATION_ANALYZE_API_PATH); + message.setHeader(Exchange.HTTP_METHOD, HttpMethod.POST); + } +} diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java new file mode 100644 index 00000000..98d38906 --- /dev/null +++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java 
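Review bot: `processRequest` forwards the exchange to `vertxHttp("{{api.trustification.host}}")` after stripping only the HTTP path/query/URI and `Accept-Encoding`, so any credential headers the caller supplied for the other providers (the OSS Index user/token headers that the removed `filterByAuthHeaders` checks, and whatever header carries the Snyk token) are still on the message and, unless a header filter strategy elsewhere drops them, are sent to a third-party host; I'd remove them explicitly here, e.g. `message.removeHeader(Constants.OSS_INDEX_USER_HEADER); message.removeHeader(Constants.OSS_INDEX_TOKEN_HEADER);` plus the Snyk token header. The `.to("log:foo?showHeaders=true")` step looks like leftover debugging and would write those same headers to the application log on every request; drop it before merge. Minor: the fallback uses the injected `responseHandler` while the two transforms use `.method(TrustificationResponseHandler.class, ...)`, which lets Camel resolve a separate instance; `.method(responseHandler, "responseToIssues")` keeps one.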
@@ -0,0 +1,43 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.integration.providers.trustification; + +import org.apache.camel.Body; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.node.ArrayNode; +import com.fasterxml.jackson.databind.node.ObjectNode; +import com.redhat.exhort.config.ObjectMapperProducer; +import com.redhat.exhort.model.DependencyTree; + +import io.quarkus.runtime.annotations.RegisterForReflection; + +@RegisterForReflection +public class TrustificationRequestBuilder { + + private final ObjectMapper mapper = ObjectMapperProducer.newInstance(); + + public String build(@Body DependencyTree tree) throws JsonProcessingException { + ArrayNode purls = mapper.createArrayNode(); + tree.getAll().stream().map(p -> p.purl().canonicalize()).forEach(purl -> purls.add(purl)); + ObjectNode obj = mapper.createObjectNode().set("purls", purls); + return mapper.writeValueAsString(obj); + } +} diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java new file mode 100644 index 00000000..b77fcdc1 --- /dev/null 
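Review bot: `build` fills a pre-created `ArrayNode` through a side-effecting `forEach(purl -> purls.add(purl))`; the method reference `forEach(purls::add)` says the same thing more directly. If any dependency in `tree.getAll()` can carry a null `purl()` (not visible here), `canonicalize()` will throw an NPE from inside the stream with no indication of which dependency was at fault; a `.filter(Objects::nonNull)` on the purl, or an up-front check with a clear message, would make that explicit. A one-line Javadoc stating that the output is `{"purls": [...]}` as expected by the `/analyze` endpoint would help the next reader.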
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java 
@@ -0,0 +1,127 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.integration.providers.trustification; + +import static com.redhat.exhort.integration.Constants.TRUSTIFICATION_PROVIDER; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Optional; + +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.redhat.exhort.api.SeverityUtils; +import com.redhat.exhort.api.v4.Issue; +import com.redhat.exhort.config.ObjectMapperProducer; +import com.redhat.exhort.integration.providers.ProviderResponseHandler; +import com.redhat.exhort.model.CvssParser; +import com.redhat.exhort.model.DependencyTree; + +import io.quarkus.runtime.annotations.RegisterForReflection; + +@RegisterForReflection +public class TrustificationResponseHandler extends ProviderResponseHandler { + + private final ObjectMapper mapper = ObjectMapperProducer.newInstance(); + + private static final String CVSS3_VERSION = "cvss3"; + + @Override + protected String getProviderName() { + return TRUSTIFICATION_PROVIDER; + } + + @Override + public Map> responseToIssues( + byte[] rawResponse, String privateProviders, DependencyTree tree) 
throws IOException { + JsonNode response = mapper.readTree(rawResponse); + Map> vulnerabilityIds = new HashMap<>(); + response + .get("affected") + .fields() + .forEachRemaining( + e -> { + String ref = e.getKey().toUpperCase(); + if (!vulnerabilityIds.containsKey(ref)) { + vulnerabilityIds.put(e.getKey(), new ArrayList<>()); + } + List ids = vulnerabilityIds.get(ref); + e.getValue().elements().forEachRemaining(id -> ids.add(id.asText())); + }); + Map> issuesData = new HashMap<>(); + response + .get("vulnerabilities") + .elements() + .forEachRemaining( + n -> { + String vulnerabilityId = n.get("id").asText(); + Optional id = + vulnerabilityIds.entrySet().stream() + .filter(e -> e.getValue().contains(vulnerabilityId)) + .map(Entry::getKey) + .findFirst(); + if (id.isPresent()) { + List issues = issuesData.get(id.get()); + if (issues == null) { + issues = new ArrayList<>(); + issuesData.put(id.get(), issues); + } + issues.add(toIssue(id.get(), n)); + } + }); + return issuesData; + } + + private Issue toIssue(String id, JsonNode n) { + Issue i = new Issue().id(id).source(n.get("origin").asText()).title(n.get("summary").asText()); + if (isCVE(id)) { + i.addCvesItem(id); + } + n.get("aliases") + .elements() + .forEachRemaining( + alias -> { + if (isCVE(alias.asText())) { + i.addCvesItem(alias.asText()); + } + }); + Iterator severities = n.get("severities").elements(); + while (severities.hasNext()) { + JsonNode sn = severities.next(); + if (CVSS3_VERSION.equals(sn.get("type").asText())) { + i.cvssScore(sn.get("score").floatValue()) + .cvss(CvssParser.fromVectorString(sn.get("additional").asText())); + i.severity(SeverityUtils.fromScore(i.getCvssScore())); + } + } + if (i.getCves().isEmpty()) { + i.unique(Boolean.TRUE); + } + return i; + } + + private boolean isCVE(String id) { + return id.toUpperCase().startsWith("CVE-"); + } +} 
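Review bot: In `responseToIssues` the `affected` loop checks and reads the map with the upper-cased `ref` but inserts with the original `e.getKey()`, so for any key that is not already upper case `vulnerabilityIds.get(ref)` returns null and `ids.add(...)` throws an NPE; replace the `containsKey`/`put`/`get` trio with `List<String> ids = vulnerabilityIds.computeIfAbsent(ref, k -> new ArrayList<>());`. This is a response from a remote service, yet `get("affected")`, `get("vulnerabilities")`, `get("aliases")`, `get("severities")`, `get("origin")` and `get("summary")` are dereferenced directly, so a missing or null field also ends in an NPE rather than an empty result; `path(...)` returns a missing node whose `fields()`/`elements()` are empty and whose `asText()` is `""`, which covers the iterations. Lastly, the `id` passed to `toIssue` and set as `Issue.id` is the upper-cased `affected` map key rather than the vulnerability's own `id`, and `isCVE` is then applied to it; that looks like it may be the affected package key rather than the advisory id, so worth confirming against the response schema.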
diff --git a/src/main/java/com/redhat/exhort/model/trustification/Affected.java b/src/main/java/com/redhat/exhort/model/trustification/Affected.java new file mode 100644 index 00000000..5cc9f7d6 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Affected.java @@ -0,0 +1,28 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import java.util.List; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; +import com.fasterxml.jackson.annotation.JsonProperty; + +@JsonInclude(Include.NON_EMPTY) +public record Affected(@JsonProperty("package") String pkgName, List ranges) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/AnalyzeResponse.java b/src/main/java/com/redhat/exhort/model/trustification/AnalyzeResponse.java new file mode 100644 index 00000000..fc8f1321 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/AnalyzeResponse.java 
@@ -0,0 +1,30 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import java.util.Collection; +import java.util.List; +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record AnalyzeResponse( + Map> affected, List vulnerabilities) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Range.java b/src/main/java/com/redhat/exhort/model/trustification/Range.java new file mode 100644 index 00000000..9fe15242 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Range.java 
@@ -0,0 +1,25 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record Range(VersionRange lower, VersionRange upper) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Reference.java b/src/main/java/com/redhat/exhort/model/trustification/Reference.java new file mode 100644 index 00000000..79ae8fa4 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Reference.java 
@@ -0,0 +1,25 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record Reference(String type, String url) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/ScoreType.java b/src/main/java/com/redhat/exhort/model/trustification/ScoreType.java new file mode 100644 index 00000000..746f2e29 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/ScoreType.java 
@@ -0,0 +1,32 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +public enum ScoreType { + CVSS2("cvss2"), + CVSS3("cvss3"), + CVSS4("cvss4"), + UNKNOWN("unknown"); + + final String name; + + ScoreType(String name) { + this.name = name; + } +} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Severity.java b/src/main/java/com/redhat/exhort/model/trustification/Severity.java new file mode 100644 index 00000000..8a3e76a7 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Severity.java 
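Review bot: `ScoreType` stores the lower-case wire value in `name` (`"cvss3"`) but has no `@JsonValue`/`@JsonCreator`, so Jackson binds the enum by constant name (`CVSS3`) and will reject the lower-case strings unless case-insensitive enums are enabled on the shared mapper; add `@JsonValue public String value() { return name; }` so the record model can actually be used for the response. Relatedly, the handler compares the raw `"cvss3"` string from `sn.get("type")` while the `Severity` record names that field `scoreType`, so the two disagree on the field name; align one of them or the records will silently deserialise with a null score type. Renaming the field away from `name` would also avoid confusion with `Enum.name()`.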
@@ -0,0 +1,25 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record Severity(String additional, Float score, String source, ScoreType scoreType) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/VersionRange.java b/src/main/java/com/redhat/exhort/model/trustification/VersionRange.java new file mode 100644 index 00000000..866701ed --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/VersionRange.java 
@@ -0,0 +1,25 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record VersionRange(String inclusive, String exclusive) {} diff --git a/src/main/java/com/redhat/exhort/model/trustification/Vulnerability.java b/src/main/java/com/redhat/exhort/model/trustification/Vulnerability.java new file mode 100644 index 00000000..9a66c727 --- /dev/null +++ b/src/main/java/com/redhat/exhort/model/trustification/Vulnerability.java 
@@ -0,0 +1,39 @@ +/* + * Copyright 2023 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.redhat.exhort.model.trustification; + +import java.util.Date; +import java.util.List; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonInclude.Include; + +@JsonInclude(Include.NON_EMPTY) +public record Vulnerability( + String origin, + String id, + Date modified, + Date published, + Date withdrawn, + List aliases, + List affected, + String details, + List references, + List severities, + String summary) {} diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 7f7655fa..5f69b3c8 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties 
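Review bot: The new record uses `java.util.Date` for `modified`, `published` and `withdrawn`; in code that already relies on records and switch expressions, `java.time.Instant` (or `OffsetDateTime`) is the idiomatic choice and binds ISO-8601 timestamps via Jackson's Java Time module without a custom format. The element types of `aliases`, `affected`, `references` and `severities` are not visible here, but if they are the sibling records, a short Javadoc on the record noting that it mirrors the `/analyze` response and which fields are optional would save the reader a trip to the service's schema.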
@@ -5,11 +5,19 @@ project.name=${pom.name} project.version=${pom.version} project.build=${timestamp} +api.trustification.exhort.host=https://exhort.staging.trustification.dev/api/v1 + +## podman run -p 18080:8080 --rm ghcr.io/seedwing-io/swio:0.1.0-trusted +api.trustedContent.gav.host=http://swio.trusted-content:8080 +api.trustedContent.vex.host=http://tc-camel:8080 +# api.trustedContent.timeout=10s + api.snyk.token=placeholder api.snyk.host=https://app.snyk.io/api/v1 # api.snyk.timeout=10s # api.snyk.disabled=true api.ossindex.host=https://ossindex.sonatype.org/api/v3 +api.trustification.host=https://exhort.staging.trustification.dev/api/v1 report.snyk.issue.regex=https://security.snyk.io/vuln/__ISSUE_ID__?utm_medium=Partner&utm_source=RedHat&utm_campaign=Code-Ready-Analytics-2020&utm_content=vuln/__ISSUE_ID__ report.ossindex.issue.regex=http://ossindex.sonatype.org/vulnerability/__ISSUE_ID__ @@ -38,4 +46,4 @@ quarkus.index-dependency.spdx-java.artifact-id=java-spdx-library quarkus.index-dependency.exhort-api.group-id=com.redhat.ecosystemappeng quarkus.index-dependency.exhort-api.artifact-id=exhort-api-spec quarkus.camel.native.reflection.include-patterns=org.cyclonedx.model.*,com.redhat.exhort.api.*,com.redhat.exhort.api.v3.*,com.redhat.exhort.api.v4.*,org.spdx.jacksonstore.*,org.spdx.storage.listedlicense.* -# quarkus.jackson.serialization-inclusion=non-empty \ No newline at end of file +# quarkus.jackson.serialization-inclusion=non-empty diff --git a/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java b/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java index 6ae1087f..5fb738e7 100644 --- a/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java +++ b/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java 
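Review bot: The only property the new route reads is `api.trustification.host` (`vertxHttp("{{api.trustification.host}}")`), so `api.trustification.exhort.host` and the two `api.trustedContent.*` hosts added here are unreferenced by this patch, and the latter two point at plaintext `http://` cluster names; I'd drop them or leave them commented out like `api.trustedContent.timeout`. The trustification host hard-codes a staging endpoint into the packaged config, and with `api.trustification.disabled` defaulting to `false` every request reaches it; either override it per environment or ship `api.trustification.disabled=true` until the service is stable. For consistency with the `api.snyk` block, a commented `# api.trustification.timeout=10s` next to the host would document the timeout the route already reads.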
@@ -24,6 +24,8 @@ import org.junit.jupiter.api.Test; +import com.redhat.exhort.integration.providers.VulnerabilityProvider; + import io.quarkus.test.junit.QuarkusTest; import io.quarkus.test.junit.QuarkusTestProfile; import io.quarkus.test.junit.TestProfile; From 4cd4829b77301ccaf2979c307e483cb6bb24dc97 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Tue, 7 Nov 2023 18:30:28 +0100 Subject: [PATCH 2/5] feat: adding mocked trustification integration Signed-off-by: Ruben Romero Montes --- .../MockTrustificationService.java | 49 + .../TrustificationIntegration.java | 3 +- .../TrustificationRequestBuilder.java | 2 +- .../TrustificationResponseHandler.java | 143 +- src/main/resources/application.properties | 10 +- src/main/resources/tc-response.json | 280 +++ .../extensions/WiremockV3Extension.java | 4 +- .../integration/AbstractAnalysisTest.java | 32 + .../exhort/integration/AnalysisTest.java | 36 +- .../__files/reports/report_all_token.json | 1526 ++++++++++------- .../__files/trustification/empty_report.json | 5 + .../__files/trustification/empty_request.json | 3 + .../__files/trustification/maven_report.json | 132 ++ .../__files/trustification/maven_request.json | 13 + 14 files changed, 1488 insertions(+), 750 deletions(-) create mode 100644 src/main/java/com/redhat/exhort/integration/providers/trustification/MockTrustificationService.java create mode 100644 src/main/resources/tc-response.json create mode 100644 src/test/resources/__files/trustification/empty_report.json create mode 100644 src/test/resources/__files/trustification/empty_request.json create mode 100644 src/test/resources/__files/trustification/maven_report.json create mode 100644 src/test/resources/__files/trustification/maven_request.json 
diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/MockTrustificationService.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/MockTrustificationService.java
new file mode 100644
index 00000000..80d9f5ae
--- /dev/null
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/MockTrustificationService.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.redhat.exhort.integration.providers.trustification;
+
+import java.io.IOException;
+
+import org.apache.camel.Exchange;
+import org.apache.camel.builder.endpoint.EndpointRouteBuilder;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+
+@ApplicationScoped
+public class MockTrustificationService extends EndpointRouteBuilder {
+
+ @Inject ObjectMapper mapper;
+
+ @Override
+ public void configure() throws Exception {
+ rest("/v1").post("/analyze").routeId("mockTrustification").to("direct:mockresponse");
+
+ from(direct("mockresponse")).process(this::setBodyFromFile);
+ }
+
+ private void setBodyFromFile(Exchange exchange) throws IOException {
+ JsonNode json =
+ mapper.readTree(this.getClass().getClassLoader().getResourceAsStream("tc-response.json"));
+ exchange.getIn().setBody(json);
+ }
+}
diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java
index c82b642d..e48bad64 100644
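Review bot: `MockTrustificationService` is an `@ApplicationScoped` route builder under `src/main`, so every build of the service, not just the tests, registers a public `POST /v1/analyze` endpoint that answers with the canned `tc-response.json` (also shipped under `src/main/resources`), and the fixture is re-read from the classpath on every request. A stand-in for a remote provider belongs in `src/test` together with its fixture, or at minimum behind a build-profile guard such as Quarkus' `@IfBuildProfile("dev")`, so the production artifact neither exposes the fake endpoint nor carries the sample data. `setBodyFromFile` also hands the raw `getResourceAsStream` result to `readTree`, which fails with an unhelpful null-argument error if the resource is missing; `Objects.requireNonNull(stream, "tc-response.json not on classpath")` makes that failure explicit. A class-level Javadoc should state the intent, e.g. `/** In-process test double for the Trustification analyze API; always returns the fixed report in tc-response.json. Not for production use. */`.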
--- a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java
@@ -33,7 +33,7 @@
 @ApplicationScoped
 public class TrustificationIntegration extends EndpointRouteBuilder {
- @ConfigProperty(name = "api.trustification.timeout", defaultValue = "10s")
+ @ConfigProperty(name = "api.trustification.timeout", defaultValue = "30s")
 String timeout;
 @Inject TrustificationResponseHandler responseHandler;
@@ -57,7 +57,6 @@ public void configure() {
 .routeId("trustificationRequest")
 .transform().method(TrustificationRequestBuilder.class, "build")
 .process(this::processRequest)
- .to("log:foo?showHeaders=true")
 .to(vertxHttp("{{api.trustification.host}}"))
 .transform().method(TrustificationResponseHandler.class, "responseToIssues")
 .transform().method(TrustificationResponseHandler.class, "buildReport");
diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java
index 98d38906..155363c0 100644
--- a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java
@@ -36,7 +36,7 @@ public class TrustificationRequestBuilder {
 public String build(@Body DependencyTree tree) throws JsonProcessingException {
 ArrayNode purls = mapper.createArrayNode();
- tree.getAll().stream().map(p -> p.purl().canonicalize()).forEach(purl -> purls.add(purl));
+ tree.getAll().stream().map(p -> p.purl().getCoordinates()).forEach(purl -> purls.add(purl));
 ObjectNode obj = mapper.createObjectNode().set("purls", purls);
 return mapper.writeValueAsString(obj);
 }
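Review bot: `build` now sends `p.purl().getCoordinates()` instead of `canonicalize()`, which strips the purl qualifiers (`?type=jar` and similar) from what the provider receives, while the mocked response added in this series keys its `analysis` map by the full purl (`pkg:maven/org.postgresql/postgresql@42.5.0?type=jar`) and `responseToIssues` uses that key verbatim as the issue ref; if the real service echoes what it was sent, refs will no longer match the tree's purls for qualified packages and those dependencies will appear clean. A comment on the changed line stating which purl form the Trustification API expects, plus a test that round-trips a qualified purl, would pin this down. The `build` method's enclosing class continues outside the hunk.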
diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java
index b77fcdc1..6c94f18a 100644
--- a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java
@@ -23,29 +23,29 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashMap;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.Optional;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.redhat.exhort.api.SeverityUtils;
 import com.redhat.exhort.api.v4.Issue;
-import com.redhat.exhort.config.ObjectMapperProducer;
+import com.redhat.exhort.api.v4.Severity;
 import com.redhat.exhort.integration.providers.ProviderResponseHandler;
 import com.redhat.exhort.model.CvssParser;
 import com.redhat.exhort.model.DependencyTree;
 import io.quarkus.runtime.annotations.RegisterForReflection;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+
+@ApplicationScoped
 @RegisterForReflection
 public class TrustificationResponseHandler extends ProviderResponseHandler {
- private final ObjectMapper mapper = ObjectMapperProducer.newInstance();
-
- private static final String CVSS3_VERSION = "cvss3";
+ @Inject ObjectMapper mapper;
 @Override
 protected String getProviderName() {
@@ -56,72 +56,99 @@ protected String getProviderName() {
 public Map> responseToIssues(
 byte[] rawResponse, String privateProviders, DependencyTree tree) throws IOException {
 JsonNode response = mapper.readTree(rawResponse);
- Map> vulnerabilityIds = new HashMap<>();
+ Map> issuesData = new HashMap<>();
+ Map cvesJson = new HashMap<>();
 response
- .get("affected")
- .fields()
+ .get("cves")
+ .elements()
 .forEachRemaining(
- e -> {
- String ref = e.getKey().toUpperCase();
- if (!vulnerabilityIds.containsKey(ref)) {
- vulnerabilityIds.put(e.getKey(), new ArrayList<>());
- }
- List ids = vulnerabilityIds.get(ref);
- e.getValue().elements().forEachRemaining(id -> ids.add(id.asText()));
+ cveJson -> {
+ String cve = cveJson.get("id").asText().toUpperCase();
+ cvesJson.put(cve, cveJson);
 });
- Map> issuesData = new HashMap<>();
 response
- .get("vulnerabilities")
- .elements()
+ .get("analysis")
+ .fields()
 .forEachRemaining(
- n -> {
- String vulnerabilityId = n.get("id").asText();
- Optional id =
- vulnerabilityIds.entrySet().stream()
- .filter(e -> e.getValue().contains(vulnerabilityId))
- .map(Entry::getKey)
- .findFirst();
- if (id.isPresent()) {
- List issues = issuesData.get(id.get());
- if (issues == null) {
- issues = new ArrayList<>();
- issuesData.put(id.get(), issues);
- }
- issues.add(toIssue(id.get(), n));
+ e -> {
+ String ref = e.getKey();
+ if (!issuesData.containsKey(ref)) {
+ issuesData.put(ref, new ArrayList<>());
 }
+ List issues = issuesData.get(ref);
+ e.getValue()
+ .forEach(
+ analysis -> {
+ String vendor = analysis.get("vendor").asText();
+ analysis
+ .get("vulnerable")
+ .forEach(
+ vulnerable -> {
+ String vulnId = vulnerable.get("id").asText().toUpperCase();
+ Issue issue = new Issue().id(vulnId).source(vendor);
+ vulnerable
+ .get("severity")
+ .forEach(
+ severity -> {
+ if (severity
+ .get("source")
+ .asText()
+ .toLowerCase()
+ .equals(vendor)) {
+ Double dscore = severity.get("score").asDouble(0);
+ issue.cvssScore(dscore.floatValue());
+ }
+ });
+
+ if (isCVE(vulnId)) {
+ issue.addCvesItem(vulnId);
+ }
+ vulnerable
+ .get("aliases")
+ .forEach(
+ a -> {
+ String alias = a.asText();
+ if (isCVE(alias)) {
+ issue.addCvesItem(alias.toUpperCase());
+ }
+ ;
+ });
+ completeIssueData(issue, cvesJson);
+ issues.add(issue);
+ });
+ });
 });
+
 return issuesData;
 }
- private Issue toIssue(String id, JsonNode n) {
- Issue i = new Issue().id(id).source(n.get("origin").asText()).title(n.get("summary").asText());
- if (isCVE(id)) {
- i.addCvesItem(id);
+ private void completeIssueData(Issue issue, Map cvesJson) {
+ Optional firstCve =
+ issue.getCves().stream().filter(cve -> cvesJson.keySet().contains(cve)).findFirst();
+ if (firstCve.isEmpty()) {
+ issue.severity(SeverityUtils.fromScore(issue.getCvssScore()));
+ issue.unique(Boolean.TRUE);
+ return;
 }
- n.get("aliases")
- .elements()
- .forEachRemaining(
- alias -> {
- if (isCVE(alias.asText())) {
- i.addCvesItem(alias.asText());
+ JsonNode cveJson = cvesJson.get(firstCve.get());
+ issue.title(cveJson.get("cisaVulnerabilityName").asText());
+
+ cveJson
+ .get("metrics")
+ .get("cvssMetricV31")
+ .forEach(
+ metric -> {
+ if ("Primary".equalsIgnoreCase(metric.get("type").asText())) {
+ issue.cvss(
+ CvssParser.fromVectorString(
+ metric.get("cvssData").get("vectorString").asText()));
+ issue.severity(
+ Severity.fromValue(metric.get("cvssData").get("baseSeverity").asText()));
 }
 });
- Iterator severities = n.get("severities").elements();
- while (severities.hasNext()) {
- JsonNode sn = severities.next();
- if (CVSS3_VERSION.equals(sn.get("type").asText())) {
- i.cvssScore(sn.get("score").floatValue())
- .cvss(CvssParser.fromVectorString(sn.get("additional").asText()));
- i.severity(SeverityUtils.fromScore(i.getCvss Score()));
- }
- }
- if (i.getCves().isEmpty()) {
- i.unique(Boolean.TRUE);
- }
- return i;
 }
- private boolean isCVE(String id) {
- return id.toUpperCase().startsWith("CVE-");
+ private boolean isCVE(String vulnerabilityId) {
+ return vulnerabilityId
!= null && vulnerabilityId.toUpperCase().startsWith("CVE-");
 }
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 5f69b3c8..61be0eef 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -5,19 +5,13 @@ project.name=${pom.name}
 project.version=${pom.version}
 project.build=${timestamp}
-api.trustification.exhort.host=https://exhort.staging.trustification.dev/api/v1
-
-## podman run -p 18080:8080 --rm ghcr.io/seedwing-io/swio:0.1.0-trusted
-api.trustedContent.gav.host=http://swio.trusted-content:8080
-api.trustedContent.vex.host=http://tc-camel:8080
-# api.trustedContent.timeout=10s
-
 api.snyk.token=placeholder
 api.snyk.host=https://app.snyk.io/api/v1
 # api.snyk.timeout=10s
 # api.snyk.disabled=true
 api.ossindex.host=https://ossindex.sonatype.org/api/v3
-api.trustification.host=https://exhort.staging.trustification.dev/api/v1
+#api.trustification.host=https://exhort.staging.trustification.dev/api/v1
+api.trustification.host=http://localhost:8080/api/v1
 report.snyk.issue.regex=https://security.snyk.io/vuln/__ISSUE_ID__?utm_medium=Partner&utm_source=RedHat&utm_campaign=Code-Ready-Analytics-2020&utm_content=vuln/__ISSUE_ID__
 report.ossindex.issue.regex=http://ossindex.sonatype.org/vulnerability/__ISSUE_ID__
diff --git a/src/main/resources/tc-response.json b/src/main/resources/tc-response.json
new file mode 100644
index 00000000..b2241bdc
--- /dev/null
+++ b/src/main/resources/tc-response.json
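Review bot: `responseToIssues` and `completeIssueData` walk the provider document with `JsonNode.get(...)`, which returns `null` for an absent field, so a response lacking `cves`, `analysis`, `vendor`, `vulnerable`, `severity`, `aliases`, `cisaVulnerabilityName`, `metrics` or `cvssMetricV31` surfaces as a `NullPointerException` out of the route instead of a handled provider error; the last two are optional in the NVD CVE format the fixture mirrors (`cisaVulnerabilityName` is only present for KEV-listed CVEs, and many CVEs carry only `cvssMetricV2`), so real data will hit this. Switching to `path(...)` (never null, and `forEach` over a missing node is a no-op) with `isTextual()`/`isArray()` guards, as sketched below, keeps one malformed entry from failing the whole analysis. In the same hunk the severity filter lowercases `source` but compares it with `vendor` as-is (`equalsIgnoreCase` is what is meant), there is a stray `;` empty statement after the `if (isCVE(alias))` block, and the CVE branch of `completeIssueData` never sets `unique` and leaves `severity` unset when no `Primary` metric exists, while the non-CVE branch sets both. A Javadoc on `completeIssueData` such as `/** Enriches an issue from the NVD-style entry of the first of its CVEs present in the response; falls back to score-derived severity when none is known. */` would record that contract.
```java
// … unchanged: cves/analysis iteration up to the per-vulnerability lambda …
String vulnId = vulnerable.path("id").asText().toUpperCase();
Issue issue = new Issue().id(vulnId).source(vendor);
vulnerable
    .path("severity")
    .forEach(
        severity -> {
          if (severity.path("source").asText().equalsIgnoreCase(vendor)) {
            issue.cvssScore((float) severity.path("score").asDouble(0));
          }
        });
// … unchanged: CVE id / alias collection, completeIssueData call, issues.add …

private void completeIssueData(Issue issue, Map<String, JsonNode> cvesJson) {
  Optional<String> firstCve =
      issue.getCves().stream().filter(cvesJson::containsKey).findFirst();
  if (firstCve.isEmpty()) {
    issue.severity(SeverityUtils.fromScore(issue.getCvssScore()));
    issue.unique(Boolean.TRUE);
    return;
  }
  JsonNode cveJson = cvesJson.get(firstCve.get());
  JsonNode name = cveJson.path("cisaVulnerabilityName");
  if (name.isTextual()) {
    issue.title(name.asText());
  }
  cveJson
      .path("metrics")
      .path("cvssMetricV31")
      .forEach(
          metric -> {
            if ("Primary".equalsIgnoreCase(metric.path("type").asText())) {
              JsonNode cvssData = metric.path("cvssData");
              issue.cvss(CvssParser.fromVectorString(cvssData.path("vectorString").asText()));
              issue.severity(Severity.fromValue(cvssData.path("baseSeverity").asText()));
            }
          });
}
```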
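Review bot: The shipped default for `api.trustification.host` becomes `http://localhost:8080/api/v1`, which on a Quarkus service listening on its default port means the provider route calls the application itself, presumably reaching the in-process `MockTrustificationService` added in this patch; a deployment that does not override the property will then report results from canned data while appearing healthy. Keep the real endpoint as the unprofiled default (or fail fast when the property is unset) and move the loopback value under a `%dev.`/`%test.` prefix, with a comment such as `# %dev only: routes the provider to MockTrustificationService` beside it.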
@@ -0,0 +1,280 @@ +{ + "analysis": { + "pkg:maven/org.postgresql/postgresql@42.5.0?type=jar": [ + { + "vendor": "snyk", + "vulnerable": [ + { + "id": "snyk-java-orgpostgresql-3146847", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 4.699999809265137 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 5.5 + } + ], + "aliases": [ + "cve-2022-41946", + "cwe-200", + "ghsa-562r-vg33-8x8h" + ] + } + ] + }, + { + "vendor": "osv", + "vulnerable": [ + { + "id": "ghsa-562r-vg33-8x8h", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 4.7 + } + ], + "aliases": [ + "cve-2022-41946" + ] + } + ] + } + ] +}, + "cves": [ + { + "id": "CVE-2022-41946", + "sourceIdentifier": "security@apache.org", + "published": "2021-12-14T19:15:07.733", + "lastModified": "2023-10-26T07:15:36.677", + "vulnStatus": "Modified", + "cisaExploitAdd": "2023-05-01", + "cisaActionDue": "2023-05-22", + "cisaRequiredAction": "Apply updates per vendor instructions.", + "cisaVulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "descriptions": [ + { + "lang": "en", + "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default." 
+ }, + { + "lang": "es", + "value": "Se descubri\u00F3 que la correcci\u00F3n para abordar CVE-2021-44228 en Apache Log4j versiones 2.15.0 estaba incompleta en ciertas configuraciones no predeterminadas. Esto podr\u00EDa permitir a los atacantes con control sobre los datos de entrada de Thread Context Map (MDC) cuando la configuraci\u00F3n de registro utiliza un Pattern Layout no predeterminado con un Context Lookup (por ejemplo, $${ctx:loginId}) o un Thread Context Map pattern (%X, %mdc, o %MDC) para elaborar datos de entrada maliciosos utilizando un patr\u00F3n JNDI Lookup que resulta en una fuga de informaci\u00F3n y ejecuci\u00F3n de c\u00F3digo remoto en algunos entornos y ejecuci\u00F3n de c\u00F3digo local en todos los entornos. Log4j versiones 2.16.0 (Java 8) y 2.12.2 (Java 7) solucionan este problema eliminando el soporte para los patrones de b\u00FAsqueda de mensajes y deshabilitando la funcionalidad JNDI por defecto" + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9, + "baseSeverity": "CRITICAL" + }, + "exploitabilityScore": 2.2, + "impactScore": 6 + } + ], + "cvssMetricV2": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "2.0", + "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", + "accessVector": "NETWORK", + "accessComplexity": "HIGH", + "authentication": "NONE", + "confidentialityImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "baseScore": 5.1 + }, + "baseSeverity": "MEDIUM", + "exploitabilityScore": 4.9, + "impactScore": 6.4, + "acInsufInfo": false, + "obtainAllPrivilege": false, + 
"obtainUserPrivilege": false, + "obtainOtherPrivilege": false, + "userInteractionRequired": false + } + ] + }, + "references": [ + { + "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4", + "source": "security@apache.org", + "tags": [ + "Mailing List", + "Mitigation", + "Third Party Advisory" + ] + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3", + "source": "security@apache.org", + "tags": [ + "Mailing List", + "Third Party Advisory" + ] + }, + { + "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1", + "source": "security@apache.org", + "tags": [ + "Mailing List", + "Third Party Advisory" + ] + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/", + "source": "security@apache.org" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/", + "source": "security@apache.org" + }, + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "source": "security@apache.org", + "tags": [ + "Mitigation", + "Release Notes", + "Vendor Advisory" + ] + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" 
+ ] + }, + { + "url": "https://security.gentoo.org/glsa/202310-16", + "source": "security@apache.org" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228", + "source": "security@apache.org", + "tags": [ + "Not Applicable" + ] + }, + { + "url": "https://www.debian.org/security/2021/dsa-5022", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://www.kb.cert.org/vuls/id/930724", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory", + "US Government Resource" + ] + }, + { + "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html", + "source": "security@apache.org", + "tags": [ + "Patch", + "Third Party Advisory" + ] + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html", + "source": "security@apache.org", + "tags": [ + "Third Party Advisory" + ] + } + ] + } + ], + "errors": [] +} \ No newline at end of file diff --git a/src/test/java/com/redhat/exhort/extensions/WiremockV3Extension.java b/src/test/java/com/redhat/exhort/extensions/WiremockV3Extension.java index 00e9ff29..49050774 100644 --- a/src/test/java/com/redhat/exhort/extensions/WiremockV3Extension.java +++ b/src/test/java/com/redhat/exhort/extensions/WiremockV3Extension.java 
@@ -35,11 +35,11 @@ public class WiremockV3Extension implements QuarkusTestResourceLifecycleManager
 @Override
 public Map start() {
 server.start();
-
 return Map.of(
 "api.snyk.host", server.baseUrl(),
 "api.snyk.token", SNYK_TOKEN,
- "api.ossindex.host", server.baseUrl());
+ "api.ossindex.host", server.baseUrl(),
+ "api.trustification.host", server.baseUrl());
 }
 @Override
diff --git a/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java b/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java
index 605ec88f..d711b465 100644
--- a/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java
+++ b/src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java
@@ -193,6 +193,7 @@ protected void verifySnykTokenRequest(String token) {
 }
 protected void stubAllProviders() {
+ stubTrustificationRequests();
 stubSnykRequests();
 stubOssToken();
 }
@@ -209,6 +210,7 @@ protected void verifyProviders(
 credentials.get(Constants.OSS_INDEX_USER_HEADER),
 credentials.get(Constants.OSS_INDEX_TOKEN_HEADER),
 isEmpty);
+ case Constants.TRUSTIFICATION_PROVIDER -> verifyTrustificationRequest();
 }
 });
 }
@@ -402,9 +404,35 @@ protected void verifyOssRequest(String user, String pass, boolean isEmpty) {
 }
 }
+ protected void stubTrustificationRequests() {
+
+ server.stubFor(
+ post(Constants.TRUSTIFICATION_ANALYZE_API_PATH)
+ .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
+ .withRequestBody(
+ equalToJson(
+ loadFileAsString("__files/trustification/empty_request.json"), true, false))
+ .willReturn(
+ aResponse().withStatus(200).withBodyFile("trustification/empty_report.json")));
+
+ server.stubFor(
+ post(Constants.TRUSTIFICATION_ANALYZE_API_PATH)
+ .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
+ .withRequestBody(
+ equalToJson(
+ loadFileAsString("__files/trustification/maven_request.json"), true, false))
+ .willReturn(
+ aResponse().withStatus(200).withBodyFile("trustification/maven_report.json")));
+ }
+
+ protected void verifyTrustificationRequest() {
+ server.verify(1, postRequestedFor(urlEqualTo(Constants.TRUSTIFICATION_ANALYZE_API_PATH)));
+ }
+
 protected void verifyNoInteractions() {
 verifyNoInteractionsWithSnyk();
 verifyNoInteractionsWithOSS();
+ verifyNoInteractionsWithTrustification();
 }
 protected void verifyNoInteractionsWithSnyk() {
@@ -415,4 +443,8 @@ protected void verifyNoInteractionsWithSnyk() {
 protected void verifyNoInteractionsWithOSS() {
 server.verify(0, postRequestedFor(urlEqualTo(Constants.OSS_INDEX_AUTH_COMPONENT_API_PATH)));
 }
+
+ protected void verifyNoInteractionsWithTrustification() {
+ server.verify(0, postRequestedFor(urlEqualTo(Constants.TRUSTIFICATION_ANALYZE_API_PATH)));
+ }
 }
diff --git a/src/test/java/com/redhat/exhort/integration/AnalysisTest.java b/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
index 0f1eb1d0..8717094c 100644
--- a/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
+++ b/src/test/java/com/redhat/exhort/integration/AnalysisTest.java
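Review bot: `stubTrustificationRequests` registers only 200 responses for the two known request bodies, so there is no stub for a 5xx, a timeout or a malformed body from Trustification, and the new provider's error path has no coverage, unlike the Snyk/OSS token-failure cases elsewhere in this test class. One failure stub plus a test asserting the provider status is reported (rather than the analysis aborting, which is what the `get(...)`-based response handler would currently do) would close that gap. A one-line comment on `verifyTrustificationRequest` noting that it asserts exactly one call (`server.verify(1, ...)`) and will fail once requests are batched or retried would also help the next maintainer.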
@@ -88,6 +88,7 @@ public void testWithInvalidPkgManagers(String sbom) {
 var report =
 given()
 .header(CONTENT_TYPE, getContentType(sbom))
+ .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER)
 .body(loadFileAsString(String.format("%s/unsupported-invalid-sbom.json", sbom)))
 .when()
 .post("/api/v4/analysis")
@@ -114,6 +115,7 @@ public void testWithMixedPkgManagers(String sbom) {
 var report =
 given()
 .header(CONTENT_TYPE, getContentType(sbom))
+ .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER)
 .body(loadFileAsString(String.format("%s/unsupported-mixed-sbom.json", sbom)))
 .when()
 .post("/api/v4/analysis")
@@ -141,7 +143,6 @@ public void testWithMixedPkgManagers(String sbom) {
 @MethodSource("emptySbomArguments")
 public void testEmptySbom(List providers, Map authHeaders) {
 stubAllProviders();
-
 var report =
 given()
 .header(CONTENT_TYPE, CycloneDxMediaType.APPLICATION_CYCLONEDX_JSON)
@@ -175,8 +176,8 @@ public void testEmptySbom(List providers, Map authHeader
 private static Stream emptySbomArguments() {
 return Stream.of(
- Arguments.of(
- List.of(Constants.SNYK_PROVIDER), Collections.emptyMap(), Constants.MAVEN_PKG_MANAGER),
+ Arguments.of(List.of(Constants.TRUSTIFICATION_PROVIDER), Collections.emptyMap()),
+ Arguments.of(List.of(Constants.SNYK_PROVIDER), Collections.emptyMap()),
 Arguments.of(List.of(Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()),
 Arguments.of(
 List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER),
@@ -189,7 +190,10 @@ private static Stream emptySbomArguments() {
 Constants.OSS_INDEX_TOKEN_HEADER,
 OK_TOKEN)),
 Arguments.of(
- List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER),
+ List.of(
+ Constants.SNYK_PROVIDER,
+ Constants.OSS_INDEX_PROVIDER,
+ Constants.TRUSTIFICATION_PROVIDER),
 Map.of(
 Constants.SNYK_TOKEN_HEADER,
 OK_TOKEN,
@@ -198,13 +202,10 @@ private static Stream emptySbomArguments() {
 Constants.OSS_INDEX_TOKEN_HEADER,
 OK_TOKEN)),
 Arguments.of(
- List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()),
- Arguments.of(
- List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()),
- Arguments.of(
- List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()),
- Arguments.of(
- List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER),
+ List.of(
+ Constants.SNYK_PROVIDER,
+ Constants.OSS_INDEX_PROVIDER,
+ Constants.TRUSTIFICATION_PROVIDER),
 Collections.emptyMap()));
 }
@@ -233,6 +234,7 @@ public void testAllWithToken() {
 assertJson("reports/report_all_token.json", body);
 verifySnykRequest(OK_TOKEN);
 verifyOssRequest(OK_USER, OK_TOKEN, false);
+ verifyTrustificationRequest();
 }
 @Test
@@ -261,11 +263,12 @@ public void testSnykWithNoToken() {
 @Test
 public void testUnauthorizedRequest() {
- stubAllProviders();
+ stubSnykRequests();
 var report =
 given()
 .header(CONTENT_TYPE, CycloneDxMediaType.APPLICATION_CYCLONEDX_JSON)
+ .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER)
 .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX)))
 .header("Accept", MediaType.APPLICATION_JSON)
 .header(Constants.SNYK_TOKEN_HEADER, INVALID_TOKEN)
@@ -287,15 +290,17 @@ public void testUnauthorizedRequest() {
 assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), status.getCode());
 verifySnykRequest(INVALID_TOKEN);
+ verifyNoInteractionsWithTrustification();
 }
 @Test
 public void testForbiddenRequest() {
- stubAllProviders();
+ stubSnykRequests();
 var report =
 given()
 .header(CONTENT_TYPE, CycloneDxMediaType.APPLICATION_CYCLONEDX_JSON)
+ .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER)
 .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX)))
 .header("Accept", MediaType.APPLICATION_JSON)
 .header(Constants.SNYK_TOKEN_HEADER, UNAUTH_TOKEN)
@@ -317,6 +322,7 @@ public void testForbiddenRequest() {
 assertEquals(Response.Status.FORBIDDEN.getStatusCode(), status.getCode());
 verifySnykRequest(UNAUTH_TOKEN);
+ verifyNoInteractionsWithTrustification();
 }
 @Test
@@ -350,6 +356,7 @@ public void testSBOMJsonWithToken() {
 assertDependenciesReport(snykSource.getDependencies());
 verifySnykRequest(OK_TOKEN);
+ verifyTrustificationRequest();
 }
 @Test
@@ -383,6 +390,7 @@ public void testNonVerboseJson() {
 assertNull(snykSource.getDependencies());
 verifySnykRequest(null);
+ verifyTrustificationRequest();
 }
 @Test
@@ -417,6 +425,7 @@ public void testNonVerboseWithToken() {
 assertNull(snykSource.getDependencies());
 verifySnykRequest(OK_TOKEN);
+ verifyTrustificationRequest();
 }
 @ParameterizedTest
@@ -443,6 +452,7 @@ public void testMultipart_HttpVersions(String version) throws IOException, Inter
 verifySnykRequest(OK_TOKEN);
 verifyOssRequest(OK_USER, OK_TOKEN, false);
+ verifyTrustificationRequest();
 }
 @Test
diff --git a/src/test/resources/__files/reports/report_all_token.json b/src/test/resources/__files/reports/report_all_token.json
index b5893fd3..cd3544da 100644
--- a/src/test/resources/__files/reports/report_all_token.json
+++ b/src/test/resources/__files/reports/report_all_token.json
@@ -1,668 +1,862 @@ { - "scanned": { - "total": 9, - "direct": 2, - "transitive": 7 - }, - "providers": { - "oss-index": { - "status": { - "ok": true, - "name": "oss-index", - "code": 200, - "message": "OK" - }, - "sources": { - "oss-index": { - "summary": { - "direct": 0, - "transitive": 3, - "total": 3, - "dependencies": 1, - "critical": 0, - "high": 3, - "medium": 0, - "low": 0, - "remediations": 0, - "recommendations": 0 - }, - "dependencies": [ - { - "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", - "transitive": [ - { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - "issues": [ - { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - }, - { - "id": "CVE-2022-42003", - "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2022-42003" - ], - "unique": false - }, - { - "id": "CVE-2022-42004", - "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - 
"confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2022-42004" - ], - "unique": false - } - ], - "highestVulnerability": { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - } - } - ], - "highestVulnerability": { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - } - }, - { - "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", - "transitive": [ - { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - "issues": [ - { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - 
"cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - }, - { - "id": "CVE-2022-42003", - "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2022-42003" - ], - "unique": false - }, - { - "id": "CVE-2022-42004", - "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2022-42004" - ], - "unique": false - } - ], - "highestVulnerability": { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - } - } - ], - "highestVulnerability": { - "id": "CVE-2020-36518", - "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", - "source": "oss-index", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - 
"userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false - } - } - ] - } - } - }, - "snyk": { - "status": { - "ok": true, - "name": "snyk", - "code": 200, - "message": "OK" - }, - "sources": { - "snyk": { - "summary": { - "direct": 0, - "transitive": 4, - "total": 4, - "dependencies": 2, - "critical": 0, - "high": 1, - "medium": 3, - "low": 0, - "remediations": 0, - "recommendations": 0 - }, - "dependencies": [ - { - "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", - "transitive": [ - { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - "issues": [ - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "High", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "exploitCodeMaturity": "Proof of concept code", - "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" - }, - "cvssScore": 5.9, - "severity": "MEDIUM", - "unique": true, 
- "remediation": { - "fixedIn": [ - "2.13.4" - ] - } - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "High", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "exploitCodeMaturity": "Proof of concept code", - "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" - }, - "cvssScore": 5.9, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-42003" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.7.1", - "2.13.4.2" - ] - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - } - }, 
- { - "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", - "transitive": [ - { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - "issues": [ - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "High", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "exploitCodeMaturity": "Proof of concept code", - "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" - }, - "cvssScore": 5.9, - "severity": "MEDIUM", - "unique": true, - "remediation": { - "fixedIn": [ - "2.13.4" - ] - } - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "High", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "exploitCodeMaturity": "Proof of concept code", - "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" - }, - "cvssScore": 5.9, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-42003" - ], - "unique": false, - "remediation": { - 
"fixedIn": [ - "2.12.7.1", - "2.13.4.2" - ] - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - } - }, - { - "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", - "issues": [ - { - "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", - "title": "Information Exposure", - "source": "snyk", - "cvss": { - "attackVector": "Local", - "attackComplexity": "High", - "privilegesRequired": "Low", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "High", - "integrityImpact": "None", - "availabilityImpact": "None", - "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" - }, - "cvssScore": 4.7, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-41946" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "42.2.27", - "42.3.8", - "42.4.3", - "42.5.1" - ] - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", - "title": "Information Exposure", - "source": "snyk", - "cvss": { - "attackVector": "Local", - "attackComplexity": "High", - "privilegesRequired": "Low", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "High", - "integrityImpact": "None", - "availabilityImpact": "None", - "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" - }, - "cvssScore": 4.7, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-41946" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "42.2.27", - "42.3.8", - "42.4.3", - "42.5.1" - 
] - } - } - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "source": "snyk", - "cvss": { - "attackVector": "Network", - "attackComplexity": "Low", - "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "None", - "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": [ - "CVE-2020-36518" - ], - "unique": false, - "remediation": { - "fixedIn": [ - "2.12.6.1", - "2.13.2.1", - "2.14.0" - ] - } - } - } - ] - } - } - } - } + "scanned": { + "total": 9, + "direct": 2, + "transitive": 7 + }, + "providers": { + "oss-index": { + "status": { + "ok": true, + "name": "oss-index", + "code": 200, + "message": "OK" + }, + "sources": { + "oss-index": { + "summary": { + "direct": 0, + "transitive": 3, + "total": 3, + "dependencies": 1, + "critical": 0, + "high": 3, + "medium": 0, + "low": 0, + "remediations": 0, + "recommendations": 0 + }, + "dependencies": [ + { + "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "issues": [ + { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + }, + { + "id": "CVE-2022-42003", + "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + 
"attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2022-42003" + ], + "unique": false + }, + { + "id": "CVE-2022-42004", + "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2022-42004" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + 
"CVE-2020-36518" + ], + "unique": false + } + }, + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "issues": [ + { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + }, + { + "id": "CVE-2022-42003", + "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2022-42003" + ], + "unique": false + }, + { + "id": "CVE-2022-42004", + "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2022-42004" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": 
{ + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "CVE-2020-36518", + "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write", + "source": "oss-index", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false + } + } + ] + } + } + }, + "trustification": { + "status": { + "ok": true, + "name": "trustification", + "code": 200, + "message": "OK" + }, + "sources": { + "osv": { + "summary": { + "direct": 0, + "transitive": 1, + "total": 1, + "dependencies": 1, + "critical": 1, + "high": 0, + "medium": 0, + "low": 0, + "remediations": 0, + "recommendations": 0 + }, + "dependencies": [ + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ 
+ "CVE-2022-41946" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ] + }, + "snyk": { + "summary": { + "direct": 0, + "transitive": 1, + "total": 1, + "dependencies": 1, + "critical": 1, + "high": 0, + "medium": 0, + "low": 0, + "remediations": 0, + "recommendations": 0 + }, + "dependencies": [ + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ] + } + } + }, + "snyk": { + "status": { + "ok": true, + "name": "snyk", + "code": 200, + "message": "OK" + }, + "sources": { + "snyk": { + "summary": { + "direct": 0, + "transitive": 4, + "total": 4, + "dependencies": 2, + "critical": 0, + "high": 1, + "medium": 3, + "low": 0, + "remediations": 0, + "recommendations": 0 + }, + "dependencies": [ + { + "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "issues": [ + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + 
"attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "exploitCodeMaturity": "Proof of concept code", + "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + }, + "cvssScore": 5.9, + "severity": "MEDIUM", + "unique": true, + "remediation": { + "fixedIn": [ + "2.13.4" + ] + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "exploitCodeMaturity": "Proof of concept code", + "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + }, + "cvssScore": 5.9, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-42003" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.7.1", + "2.13.4.2" + ] + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + 
"userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + } + }, + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "issues": [ + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + 
"attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "exploitCodeMaturity": "Proof of concept code", + "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + }, + "cvssScore": 5.9, + "severity": "MEDIUM", + "unique": true, + "remediation": { + "fixedIn": [ + "2.13.4" + ] + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "exploitCodeMaturity": "Proof of concept code", + "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + }, + "cvssScore": 5.9, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-42003" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.7.1", + "2.13.4.2" + ] + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + } + }, + { + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Information Exposure", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "High", + 
"privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-41946" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Information Exposure", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "High", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-41946" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] + } + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "source": "snyk", + "cvss": { + "attackVector": "Network", + "attackComplexity": "Low", + "privilegesRequired": "None", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "None", + "integrityImpact": "None", + "availabilityImpact": "High", + "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cvssScore": 7.5, + "severity": "HIGH", + "cves": [ + "CVE-2020-36518" + ], + "unique": false, + "remediation": { + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ] + } + } + } + ] + } + } + } + } } \ No newline at end of file diff --git a/src/test/resources/__files/trustification/empty_report.json b/src/test/resources/__files/trustification/empty_report.json new file mode 100644 index 00000000..27a4c46e --- /dev/null 
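Review bot: The new `trustification` block in the expected report encodes data that contradicts itself, so the assertion in testAllWithToken cannot pin what the response handler actually does: both the `osv` issue `GHSA-562R-VG33-8X8H` and the `snyk` issue `SNYK-JAVA-ORGPOSTGRESQL-3146847` carry `"cvssScore": 4.7` with `"severity": "CRITICAL"`, although a 4.7 CVSS v3.1 base score is Medium, and the `snyk` provider's own entry for the same Snyk id further down in this file reports "Information Exposure", `"severity": "MEDIUM"` and `"attackComplexity": "High"`. The values trace to the `maven_report.json` fixture added in this commit, whose CVE-2022-41946 record carries a Log4j2 `cisaVulnerabilityName`, `"baseSeverity": "CRITICAL"` against `"baseScore": 5.5`, and `"attackVector": "NETWORK"` / `"scope": "CHANGED"` fields that disagree with its own `vectorString` (`AV:L/.../S:U`); the expected report evidently took the title and severity from those fields and the vector breakdown from the string. Making that fixture internally consistent (title, `baseSeverity` and component fields agreeing with the score and vector string) and regenerating this expected file would let the test detect a handler that mixes fields from different records, which the current data allows to pass. A short note in the fixture on how severity is meant to be derived (feed `baseSeverity` versus score) would make the expectation here read as intentional rather than accidental.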
+++ b/src/test/resources/__files/trustification/empty_report.json @@ -0,0 +1,5 @@ +{ + "analysis": {}, + "cves": [], + "errors": [] +} \ No newline at end of file diff --git a/src/test/resources/__files/trustification/empty_request.json b/src/test/resources/__files/trustification/empty_request.json new file mode 100644 index 00000000..d06bc4a3 --- /dev/null +++ b/src/test/resources/__files/trustification/empty_request.json @@ -0,0 +1,3 @@ +{ + "purls": [] +} \ No newline at end of file diff --git a/src/test/resources/__files/trustification/maven_report.json b/src/test/resources/__files/trustification/maven_report.json new file mode 100644 index 00000000..48d01d8f --- /dev/null +++ b/src/test/resources/__files/trustification/maven_report.json 
@@ -0,0 +1,132 @@ +{ + "analysis": { + "pkg:maven/org.postgresql/postgresql@42.5.0": [ + { + "vendor": "snyk", + "vulnerable": [ + { + "id": "snyk-java-orgpostgresql-3146847", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 4.699999809265137 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 5.5 + } + ], + "aliases": [ + "cve-2022-41946", + "cwe-200", + "ghsa-562r-vg33-8x8h" + ] + } + ] + }, + { + "vendor": "osv", + "vulnerable": [ + { + "id": "ghsa-562r-vg33-8x8h", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 4.7 + } + ], + "aliases": [ + "cve-2022-41946" + ] + } + ] + } + ] + }, + "cves": [ + { + "id": "CVE-2022-41946", + "sourceIdentifier": "security@apache.org", + "published": "2021-12-14T19:15:07.733", + "lastModified": "2023-10-26T07:15:36.677", + "vulnStatus": "Modified", + "cisaExploitAdd": "2023-05-01", + "cisaActionDue": "2023-05-22", + "cisaRequiredAction": "Apply updates per vendor instructions.", + "cisaVulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "descriptions": [ + { + "lang": "en", + "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default." 
+ }, + { + "lang": "es", + "value": "Se descubri\u00F3 que la correcci\u00F3n para abordar CVE-2021-44228 en Apache Log4j versiones 2.15.0 estaba incompleta en ciertas configuraciones no predeterminadas. Esto podr\u00EDa permitir a los atacantes con control sobre los datos de entrada de Thread Context Map (MDC) cuando la configuraci\u00F3n de registro utiliza un Pattern Layout no predeterminado con un Context Lookup (por ejemplo, $${ctx:loginId}) o un Thread Context Map pattern (%X, %mdc, o %MDC) para elaborar datos de entrada maliciosos utilizando un patr\u00F3n JNDI Lookup que resulta en una fuga de informaci\u00F3n y ejecuci\u00F3n de c\u00F3digo remoto en algunos entornos y ejecuci\u00F3n de c\u00F3digo local en todos los entornos. Log4j versiones 2.16.0 (Java 8) y 2.12.2 (Java 7) solucionan este problema eliminando el soporte para los patrones de b\u00FAsqueda de mensajes y deshabilitando la funcionalidad JNDI por defecto" + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "CRITICAL" + }, + "exploitabilityScore": 2.2, + "impactScore": 6 + } + ], + "cvssMetricV2": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "2.0", + "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", + "accessVector": "NETWORK", + "accessComplexity": "HIGH", + "authentication": "NONE", + "confidentialityImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL", + "baseScore": 5.1 + }, + "baseSeverity": "MEDIUM", + "exploitabilityScore": 4.9, + "impactScore": 6.4, + "acInsufInfo": false, + "obtainAllPrivilege": false, 
+ "obtainUserPrivilege": false, + "obtainOtherPrivilege": false, + "userInteractionRequired": false + } + ] + } + } + ], + "errors": [] +} \ No newline at end of file diff --git a/src/test/resources/__files/trustification/maven_request.json b/src/test/resources/__files/trustification/maven_request.json new file mode 100644 index 00000000..d9e69957 --- /dev/null +++ b/src/test/resources/__files/trustification/maven_request.json @@ -0,0 +1,13 @@ +{ + "purls": [ + "pkg:maven/jakarta.enterprise/jakarta.enterprise.cdi-api@2.0.2", + "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", + "pkg:maven/jakarta.interceptor/jakarta.interceptor-api@1.2.5", + "pkg:maven/io.quarkus/quarkus-narayana-jta@2.13.5.Final", + "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + "pkg:maven/jakarta.el/jakarta.el-api@3.0.3", + "pkg:maven/org.postgresql/postgresql@42.5.0", + "pkg:maven/io.quarkus/quarkus-core@2.13.5.Final" + ] +} \ No newline at end of file From 779d8c19d4158fd8865e665b027b47977c23c5d2 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Tue, 7 Nov 2023 22:01:57 +0100 Subject: [PATCH 3/5] feat: update non-html tests Signed-off-by: Ruben Romero Montes --- .../exhort/integration/AnalysisV3Test.java | 2 + .../VulnerabilityProviderTest.java | 2 +- .../__files/reports/v3/report_all_token.json | 266 ++++++++++++++---- 3 files changed, 215 insertions(+), 55 deletions(-) diff --git a/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java b/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java index 1e13260f..4641eb8e 100644 --- a/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java +++ b/src/test/java/com/redhat/exhort/integration/AnalysisV3Test.java 
@@ -199,6 +199,7 @@ public void testUnauthorizedRequest() { .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX))) .header("Accept", MediaType.APPLICATION_JSON) .header(Constants.SNYK_TOKEN_HEADER, INVALID_TOKEN) + .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER) .when() .post("/api/v3/analysis") .then() @@ -228,6 +229,7 @@ public void testForbiddenRequest() { .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX))) .header("Accept", MediaType.APPLICATION_JSON) .header(Constants.SNYK_TOKEN_HEADER, UNAUTH_TOKEN) + .queryParam(Constants.PROVIDERS_PARAM, Constants.SNYK_PROVIDER) .when() .post("/api/v3/analysis") .then() diff --git a/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java b/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java index 5fb738e7..e043b944 100644 --- a/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java +++ b/src/test/java/com/redhat/exhort/integration/VulnerabilityProviderTest.java @@ -40,7 +40,7 @@ public class VulnerabilityProviderTest { @Test public void test() { - var expected = new String[] {Constants.OSS_INDEX_PROVIDER}; + var expected = new String[] {Constants.OSS_INDEX_PROVIDER, Constants.TRUSTIFICATION_PROVIDER}; assertArrayEquals(expected, provider.getEnabled().toArray(new String[] {})); } diff --git a/src/test/resources/__files/reports/v3/report_all_token.json b/src/test/resources/__files/reports/v3/report_all_token.json index 99da1c5e..ce78a2a3 100644 --- a/src/test/resources/__files/reports/v3/report_all_token.json +++ b/src/test/resources/__files/reports/v3/report_all_token.json @@ -6,8 +6,8 @@ }, "vulnerabilities": { "direct": 0, - "total": 7, - "critical": 0, + "total": 9, + "critical": 2, "high": 4, "medium": 3, "low": 0 @@ -19,6 +19,12 @@ "status": 200, "message": "OK" }, + { + "ok": true, + "provider": "trustification", + "status": 200, + "message": "OK" + }, { "ok": true, "provider": "snyk", 
@@ -29,7 +35,7 @@ }, "dependencies": [ { - "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", "transitive": [ { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", @@ -149,7 +155,7 @@ } }, { - "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", "transitive": [ { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", 
@@ -270,6 +276,158 @@ }, { "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "GHSA-562R-VG33-8X8H", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "osv", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + }, + { + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", + "transitive": [ + { + "ref": 
"pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "Low", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "CRITICAL", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + }, + { + "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", "transitive": [ { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", 
@@ -362,55 +520,6 @@ ], "unique": false } - }, - { - "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", - "issues": [ - { - "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", - "title": "Information Exposure", - "source": "snyk", - "cvss": { - "attackVector": "Local", - "attackComplexity": "High", - "privilegesRequired": "Low", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "High", - "integrityImpact": "None", - "availabilityImpact": "None", - "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" - }, - "cvssScore": 4.7, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-41946" - ], - "unique": false - } - ], - "highestVulnerability": { - "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", - "title": "Information Exposure", - "source": "snyk", - "cvss": { - "attackVector": "Local", - "attackComplexity": "High", - "privilegesRequired": "Low", - "userInteraction": "None", - "scope": "Unchanged", - "confidentialityImpact": "High", - "integrityImpact": "None", - "availabilityImpact": "None", - "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" - }, - "cvssScore": 4.7, - "severity": "MEDIUM", - "cves": [ - "CVE-2022-41946" - ], - "unique": false - } } ], "highestVulnerability": { @@ -437,7 +546,7 @@ } }, { - "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final", + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final", "transitive": [ { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", 
@@ -530,6 +639,55 @@ ], "unique": false } + }, + { + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0", + "issues": [ + { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Information Exposure", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "High", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } + ], + "highestVulnerability": { + "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847", + "title": "Information Exposure", + "source": "snyk", + "cvss": { + "attackVector": "Local", + "attackComplexity": "High", + "privilegesRequired": "Low", + "userInteraction": "None", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "cvssScore": 4.7, + "severity": "MEDIUM", + "cves": [ + "CVE-2022-41946" + ], + "unique": false + } } ], "highestVulnerability": { From 70088eb75669fe02a7a3035eafb871d2692550e6 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Thu, 9 Nov 2023 17:45:00 +0100 Subject: [PATCH 4/5] feat: update trustification-exhort integration with updated data model Signed-off-by: Ruben Romero Montes --- .../TrustificationIntegration.java | 2 +- .../TrustificationResponseHandler.java | 107 +- src/main/resources/tc-response.json | 1148 +++++++++++++---- 3 files changed, 934 insertions(+), 323 deletions(-) diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java index e48bad64..29dd3f6f 100644 
--- a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java +++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java @@ -33,7 +33,7 @@ @ApplicationScoped public class TrustificationIntegration extends EndpointRouteBuilder { - @ConfigProperty(name = "api.trustification.timeout", defaultValue = "30s") + @ConfigProperty(name = "api.trustification.timeout", defaultValue = "60s") String timeout; @Inject TrustificationResponseHandler responseHandler; diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java index 6c94f18a..c98811d3 100644 --- a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java +++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java @@ -31,7 +31,6 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.redhat.exhort.api.SeverityUtils; import com.redhat.exhort.api.v4.Issue; -import com.redhat.exhort.api.v4.Severity; import com.redhat.exhort.integration.providers.ProviderResponseHandler; import com.redhat.exhort.model.CvssParser; import com.redhat.exhort.model.DependencyTree; 
@@ -63,20 +62,21 @@ public Map> responseToIssues( .elements() .forEachRemaining( cveJson -> { - String cve = cveJson.get("id").asText().toUpperCase(); + String cve = cveJson.get("cveMetadata").get("cveId").asText().toUpperCase(); cvesJson.put(cve, cveJson); }); response .get("analysis") .fields() .forEachRemaining( - e -> { - String ref = e.getKey(); + analysisEntry -> { + String ref = analysisEntry.getKey(); if (!issuesData.containsKey(ref)) { issuesData.put(ref, new ArrayList<>()); } List issues = issuesData.get(ref); - e.getValue() + analysisEntry + .getValue() .forEach( analysis -> { String vendor = analysis.get("vendor").asText(); @@ -84,37 +84,11 @@ public Map> responseToIssues( .get("vulnerable") .forEach( vulnerable -> { - String vulnId = vulnerable.get("id").asText().toUpperCase(); - Issue issue = new Issue().id(vulnId).source(vendor); - vulnerable - .get("severity") - .forEach( - severity -> { - if (severity - .get("source") - .asText() - .toLowerCase() - .equals(vendor)) { - Double dscore = severity.get("score").asDouble(0); - issue.cvssScore(dscore.floatValue()); - } - }); - - if (isCVE(vulnId)) { - issue.addCvesItem(vulnId); + var issue = newIssueFromVulnerability(vulnerable, vendor); + if (issue.getCves() != null && !issue.getCves().isEmpty()) { + completeIssueData(issue, cvesJson); + issues.add(issue); } - vulnerable - .get("aliases") - .forEach( - a -> { - String alias = a.asText(); - if (isCVE(alias)) { - issue.addCvesItem(alias.toUpperCase()); - } - ; - }); - completeIssueData(issue, cvesJson); - issues.add(issue); }); }); }); 
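Review bot: `cveJson.get("cveMetadata").get("cveId")` throws a NullPointerException for any record that lacks `cveMetadata`, because `JsonNode.get` returns null for an absent field; the records come from the remote trustification service, so a single sparse or malformed entry aborts the whole `responseToIssues` call instead of being skipped. A path lookup with a missing-node check keeps the loop going: `var cveId = cveJson.at("/cveMetadata/cveId"); if (cveId.isMissingNode()) { return; } cvesJson.put(cveId.asText().toUpperCase(), cveJson);` (the `return` leaves only this lambda invocation). The same applies to `analysis.get("vendor")` and `.get("vulnerable")` further down the method. The enclosing method starts before this hunk.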
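Review bot: The new `if (issue.getCves() != null && !issue.getCves().isEmpty())` guard silently discards every vendor finding that has no CVE alias (GHSA-only ids, or the `"severity": [], "aliases": []` duplicates visible in the updated `tc-response.json`), and nothing in the hunk records that a finding was dropped. A one-line comment would make the policy visible to the next reader, e.g. `// only CVE-backed findings are reported; vendor-only ids (e.g. GHSA) are dropped here`, and a debug-level log of the discarded `issue.getId()` would make missing results diagnosable. The enclosing method starts before this hunk.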
@@ -122,30 +96,59 @@ public Map> responseToIssues( return issuesData; } + private Issue newIssueFromVulnerability(JsonNode vulnerable, String vendor) { + var vulnId = vulnerable.get("id").asText().toUpperCase(); + var issue = new Issue().id(vulnId).source(vendor); + vulnerable + .get("severity") + .forEach( + severity -> { + if (severity.get("source").asText().toLowerCase().equals(vendor)) { + Double dscore = severity.get("score").asDouble(0); + issue.cvssScore(dscore.floatValue()); + } + }); + + if (isCVE(vulnId)) { + issue.addCvesItem(vulnId); + } + vulnerable + .get("aliases") + .forEach( + a -> { + String alias = a.asText(); + if (isCVE(alias)) { + issue.addCvesItem(alias.toUpperCase()); + } + ; + }); + return issue; + } + private void completeIssueData(Issue issue, Map cvesJson) { Optional firstCve = issue.getCves().stream().filter(cve -> cvesJson.keySet().contains(cve)).findFirst(); if (firstCve.isEmpty()) { - issue.severity(SeverityUtils.fromScore(issue.getCvssScore())); issue.unique(Boolean.TRUE); return; } - JsonNode cveJson = cvesJson.get(firstCve.get()); - issue.title(cveJson.get("cisaVulnerabilityName").asText()); - - cveJson - .get("metrics") - .get("cvssMetricV31") - .forEach( - metric -> { - if ("Primary".equalsIgnoreCase(metric.get("type").asText())) { - issue.cvss( - CvssParser.fromVectorString( - metric.get("cvssData").get("vectorString").asText())); - issue.severity( - Severity.fromValue(metric.get("cvssData").get("baseSeverity").asText())); - } - }); + issue.severity(SeverityUtils.fromScore(issue.getCvssScore())); + var cveJson = cvesJson.get(firstCve.get()); + var cnaContainer = cveJson.get("containers").get("cna"); + var title = cnaContainer.get("title"); + if (title != null) { + issue.title(title.asText()); + } + var metrics = cnaContainer.get("metrics"); + if (metrics != null) { + metrics.forEach( + metric -> { + if (metric.has("cvssV3_1")) { + issue.cvss( + CvssParser.fromVectorString(metric.get("cvssV3_1").get("vectorString").asText())); + 
} + }); + } } private boolean isCVE(String vulnerabilityId) { diff --git a/src/main/resources/tc-response.json b/src/main/resources/tc-response.json index b2241bdc..f3d3a93b 100644 --- a/src/main/resources/tc-response.json +++ b/src/main/resources/tc-response.json 
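Review bot: Moving `issue.severity(SeverityUtils.fromScore(issue.getCvssScore()))` below the `firstCve.isEmpty()` early return in `completeIssueData` means issues whose CVEs are not present in `cvesJson` (the ones marked `unique`) now leave the handler with no severity at all, whereas the removed line set it in that branch; placing `issue.severity(SeverityUtils.fromScore(issue.getCvssScore()));` as the first statement of the method, before the `if`, restores it for both paths. `cveJson.get("containers").get("cna")` also assumes both objects exist while `title` and `metrics` are null-checked one level down; `cveJson.path("containers").path("cna")` yields a missing node instead of an NPE for a sparse record, and `metric.get("cvssV3_1").get("vectorString")` needs the same treatment when `vectorString` is absent. In `newIssueFromVulnerability`, the stray `;` after the `if (isCVE(alias))` block is an empty statement carried over from the old code, and `toLowerCase()` without `Locale.ROOT` is locale-dependent.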
@@ -1,280 +1,888 @@ { - "analysis": { - "pkg:maven/org.postgresql/postgresql@42.5.0?type=jar": [ - { - "vendor": "snyk", - "vulnerable": [ - { - "id": "snyk-java-orgpostgresql-3146847", - "severity": [ - { - "source": "Snyk", - "type": "CVSSv31", - "score": 4.699999809265137 - }, - { - "source": "SUSE", - "type": "CVSSv31", - "score": 5.5 - }, - { - "source": "NVD", - "type": "CVSSv31", - "score": 5.5 - }, - { - "source": "Red Hat", - "type": "CVSSv31", - "score": 5.5 - } - ], - "aliases": [ - "cve-2022-41946", - "cwe-200", - "ghsa-562r-vg33-8x8h" - ] - } - ] - }, - { - "vendor": "osv", - "vulnerable": [ - { - "id": "ghsa-562r-vg33-8x8h", - "severity": [ - { - "source": "osv", - "type": "CVSSv31", - "score": 4.7 - } - ], - "aliases": [ - "cve-2022-41946" - ] - } - ] - } - ] -}, - "cves": [ - { - "id": "CVE-2022-41946", - "sourceIdentifier": "security@apache.org", - "published": "2021-12-14T19:15:07.733", - "lastModified": "2023-10-26T07:15:36.677", - "vulnStatus": "Modified", - "cisaExploitAdd": "2023-05-01", - "cisaActionDue": "2023-05-22", - "cisaRequiredAction": "Apply updates per vendor instructions.", - "cisaVulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability", - "descriptions": [ - { - "lang": "en", - "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default." 
- }, - { - "lang": "es", - "value": "Se descubri\u00F3 que la correcci\u00F3n para abordar CVE-2021-44228 en Apache Log4j versiones 2.15.0 estaba incompleta en ciertas configuraciones no predeterminadas. Esto podr\u00EDa permitir a los atacantes con control sobre los datos de entrada de Thread Context Map (MDC) cuando la configuraci\u00F3n de registro utiliza un Pattern Layout no predeterminado con un Context Lookup (por ejemplo, $${ctx:loginId}) o un Thread Context Map pattern (%X, %mdc, o %MDC) para elaborar datos de entrada maliciosos utilizando un patr\u00F3n JNDI Lookup que resulta en una fuga de informaci\u00F3n y ejecuci\u00F3n de c\u00F3digo remoto en algunos entornos y ejecuci\u00F3n de c\u00F3digo local en todos los entornos. Log4j versiones 2.16.0 (Java 8) y 2.12.2 (Java 7) solucionan este problema eliminando el soporte para los patrones de b\u00FAsqueda de mensajes y deshabilitando la funcionalidad JNDI por defecto" - } + "analysis": { + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1": [ + { + "vendor": "osv", + "vulnerable": [ + { + "id": "ghsa-57j2-w4cx-62h2", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2020-36518" + ] + }, + { + "id": "ghsa-jjjh-jjxp-wpff", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2022-42003" + ] + }, + { + "id": "ghsa-rgv9-q543-rqg4", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2022-42004" + ] + }, + { + "id": "ghsa-57j2-w4cx-62h2", + "severity": [], + "aliases": [] + }, + { + "id": "ghsa-jjjh-jjxp-wpff", + "severity": [], + "aliases": [] + }, + { + "id": "ghsa-rgv9-q543-rqg4", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] 
+ }, + { + "vendor": "snyk", + "vulnerable": [ + { + "id": "snyk-java-comfasterxmljacksoncore-3038424", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 5.900000095367432 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Snyk", + "type": "CVSSv31", + "score": 5.900000095367432 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2022-42004", + "cwe-400" + ] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-3038426", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 5.900000095367432 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Snyk", + "type": "CVSSv31", + "score": 5.900000095367432 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + } + ], + "aliases": [ + "cve-2022-42003", + "cwe-400" + ] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-2421244", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Snyk", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 7.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + 
"score": 7.5 + } + ], + "aliases": [ + "cve-2020-36518", + "cwe-400" + ] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-3038424", + "severity": [], + "aliases": [] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-3038426", + "severity": [], + "aliases": [] + }, + { + "id": "snyk-java-comfasterxmljacksoncore-2421244", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] + } ], - "metrics": { - "cvssMetricV31": [ + "pkg:maven/io.quarkus/quarkus-core@2.13.5.Final": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "cvssData": { - "version": "3.1", - "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "attackVector": "NETWORK", - "attackComplexity": "HIGH", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "CHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "availabilityImpact": "HIGH", - "baseScore": 9, - "baseSeverity": "CRITICAL" - }, - "exploitabilityScore": 2.2, - "impactScore": 6 + "vendor": "osv", + "vulnerable": [ + { + "id": "ghsa-3fhx-3vvg-2j84", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 6.5 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 6.5 + } + ], + "aliases": [ + "cve-2023-2974" + ] + }, + { + "id": "ghsa-3fhx-3vvg-2j84", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] } - ], - "cvssMetricV2": [ + ], + "pkg:maven/org.postgresql/postgresql@42.5.0": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "cvssData": { - "version": "2.0", - "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", - "accessVector": "NETWORK", - "accessComplexity": "HIGH", - "authentication": "NONE", - "confidentialityImpact": "PARTIAL", - "integrityImpact": "PARTIAL", - "availabilityImpact": "PARTIAL", - "baseScore": 5.1 - }, - "baseSeverity": "MEDIUM", - "exploitabilityScore": 4.9, - "impactScore": 6.4, - "acInsufInfo": false, - "obtainAllPrivilege": false, - "obtainUserPrivilege": false, - "obtainOtherPrivilege": false, - 
"userInteractionRequired": false + "vendor": "osv", + "vulnerable": [ + { + "id": "ghsa-562r-vg33-8x8h", + "severity": [ + { + "source": "osv", + "type": "CVSSv31", + "score": 4.7 + }, + { + "source": "osv", + "type": "CVSSv31", + "score": 4.7 + } + ], + "aliases": [ + "cve-2022-41946" + ] + }, + { + "id": "ghsa-562r-vg33-8x8h", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] + }, + { + "vendor": "snyk", + "vulnerable": [ + { + "id": "snyk-java-orgpostgresql-3146847", + "severity": [ + { + "source": "Snyk", + "type": "CVSSv31", + "score": 4.699999809265137 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "Snyk", + "type": "CVSSv31", + "score": 4.699999809265137 + }, + { + "source": "SUSE", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "NVD", + "type": "CVSSv31", + "score": 5.5 + }, + { + "source": "Red Hat", + "type": "CVSSv31", + "score": 5.5 + } + ], + "aliases": [ + "cve-2022-41946", + "cwe-200", + "ghsa-562r-vg33-8x8h" + ] + }, + { + "id": "snyk-java-orgpostgresql-3146847", + "severity": [], + "aliases": [] + } + ], + "recommendations": [] } - ] - }, - "references": [ - { - "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4", - "source": "security@apache.org", - "tags": [ - "Mailing List", - "Mitigation", - "Third Party Advisory" - ] - }, - { - "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3", - "source": "security@apache.org", - "tags": [ - "Mailing List", - "Third Party Advisory" - ] - }, - { - "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1", - "source": "security@apache.org", - "tags": [ - "Mailing List", - "Third Party Advisory" - ] - }, - { - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": 
"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/", - "source": "security@apache.org" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/", - "source": "security@apache.org" - }, - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "source": "security@apache.org", - "tags": [ - "Mitigation", - "Release Notes", - "Vendor Advisory" - ] - }, - { - "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://security.gentoo.org/glsa/202310-16", - "source": "security@apache.org" - }, - { - "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228", - "source": "security@apache.org", - "tags": [ - "Not Applicable" - ] - }, - { - "url": "https://www.debian.org/security/2021/dsa-5022", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://www.kb.cert.org/vuls/id/930724", - 
"source": "security@apache.org", - "tags": [ - "Third Party Advisory", - "US Government Resource" - ] - }, - { - "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://www.oracle.com/security-alerts/cpujan2022.html", - "source": "security@apache.org", - "tags": [ - "Patch", - "Third Party Advisory" - ] - }, - { - "url": "https://www.oracle.com/security-alerts/cpujul2022.html", - "source": "security@apache.org", - "tags": [ - "Third Party Advisory" - ] - } ] - } + }, + "cves": [ + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2020-36518", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00", + "dateReserved": "2022-03-11T00:00:00", + "datePublished": "2022-03-11T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects." 
+ } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2816" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "[debian-lts-announce] 20220502 [SECURITY] [DLA 2990-1] jackson-databind security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220506-0004/" + }, + { + "name": "DSA-5283", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5283" + }, + { + "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + } + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-42004", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00", + "dateReserved": "2022-10-02T00:00:00", + "datePublished": "2022-10-02T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
An application is vulnerable only with certain customized choices for deserialization." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3582" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88" + }, + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490" + }, + { + "name": "GLSA-202210-21", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202210-21" + }, + { + "name": "DSA-5283", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5283" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221118-0008/" + }, + { + "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + } + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-41946", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "dateUpdated": "2023-01-13T00:00:00", + "dateReserved": "2022-09-30T00:00:00", + "datePublished": "2022-11-23T00:00:00" + }, + "containers": { + "cna": { + "title": "TemporaryFolder on unix-like systems does not limit access to created files in pgjdbc", + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-13T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "pgjdbc is an open source postgresql JDBC Driver. 
In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability." 
+ } + ], + "affected": [ + { + "vendor": "pgjdbc", + "product": "pgjdbc", + "versions": [ + { + "version": ">= 42.2.0, < 42.2.27", + "status": "affected" + }, + { + "version": "> 42.3.0, < 42.3.8", + "status": "affected" + }, + { + "version": ">= 42.4.0, < 42.4.3", + "status": "affected" + }, + { + "version": ">= 42.5.0, < 42.5.1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h" + }, + { + "url": "https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5" + }, + { + "name": "[debian-lts-announce] 20221202 [SECURITY] [DLA 3218-1] libpgjava security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html" + }, + { + "name": "FEDORA-2023-42d6ba9bd6", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "attackVector": "LOCAL", + "attackComplexity": "HIGH", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 4.7, + "baseSeverity": "MEDIUM" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + }, + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-377: Insecure Temporary File", + "cweId": "CWE-377" + } + ] + } + ], + "source": { + "advisory": "GHSA-562r-vg33-8x8h", + "discovery": "UNKNOWN" + } + } + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "cveId": "CVE-2023-2974", + 
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "state": "PUBLISHED", + "assignerShortName": "redhat", + "dateReserved": "2023-05-30T10:06:53.993Z", + "datePublished": "2023-07-04T13:24:29.648Z", + "dateUpdated": "2023-07-04T13:24:29.648Z" + }, + "containers": { + "cna": { + "title": "Tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol", + "metrics": [ + { + "other": { + "content": { + "value": "Moderate", + "namespace": "https://access.redhat.com/security/updates/classification/" + }, + "type": "Red Hat severity rating" + } + }, + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + }, + "format": "CVSS" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol." 
+ } + ], + "affected": [ + { + "product": "Quarkus", + "vendor": "n/a", + "versions": [ + { + "version": "2.13.8", + "status": "unaffected" + } + ] + }, + { + "vendor": "Red Hat", + "product": "Red Hat build of Quarkus", + "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", + "defaultStatus": "unaffected", + "packageName": "quarkus-core", + "cpe": [ + "cpe:/a:redhat:quarkus:2.13" + ] + } + ], + "references": [ + { + "url": "https://access.redhat.com/errata/RHSA-2023:3809", + "name": "RHSA-2023:3809", + "tags": [ + "vendor-advisory", + "x_refsource_REDHAT" + ] + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-2974", + "tags": [ + "vdb-entry", + "x_refsource_REDHAT" + ] + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026", + "name": "RHBZ#2211026", + "tags": [ + "issue-tracking", + "x_refsource_REDHAT" + ] + } + ], + "datePublic": "2023-06-29T00:00:00Z", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-757", + "description": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "x_redhatCweChain": "CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + "timeline": [ + { + "lang": "en", + "time": "2023-05-30T00:00:00Z", + "value": "Reported to Red Hat." + }, + { + "lang": "en", + "time": "2023-06-29T00:00:00Z", + "value": "Made public." + } + ], + "credits": [ + { + "lang": "en", + "value": "This issue was discovered by Alexander Schwartz (Red Hat)." 
+ } + ], + "providerMetadata": { + "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "shortName": "redhat", + "dateUpdated": "2023-07-04T13:24:29.648Z" + } + } + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.0", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-42003", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00", + "dateReserved": "2022-10-02T00:00:00", + "datePublished": "2022-10-02T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-11-27T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1" + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3590" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33" + }, + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020" + }, + { + "name": "GLSA-202210-21", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202210-21" + }, + { + "name": "DSA-5283", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5283" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221124-0004/" + }, + { + "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", + "tags": [ + "mailing-list" + ], + "url": 
"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "type": "text",
+ "lang": "en",
+ "description": "n/a"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
 ],
 "errors": []
 }
\ No newline at end of file
From c825b4e4c9c70d01dcbb983cd9668a3d0c4a4901 Mon Sep 17 00:00:00 2001
From: Ruben Romero Montes
Date: Wed, 29 Nov 2023 12:52:33 +0100
Subject: [PATCH 5/5] chore(deps): update missing reference to SeverityUtils
Signed-off-by: Ruben Romero Montes
---
 .../providers/trustification/TrustificationResponseHandler.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java
index c98811d3..ae480997 100644
--- a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java
@@ -29,8 +29,8 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.redhat.exhort.api.SeverityUtils;
 import com.redhat.exhort.api.v4.Issue;
+import com.redhat.exhort.api.v4.SeverityUtils;
 import com.redhat.exhort.integration.providers.ProviderResponseHandler;
 import com.redhat.exhort.model.CvssParser;
 import com.redhat.exhort.model.DependencyTree;