ROX-29531: include advisory in output

stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/data/CVE.java

@@ -20,6 +20,8 @@ public class CVE {
     private final boolean fixable;
     private final String link;
     private final String severity;
+    private final String advisory;
+    private final String advisoryLink;
 
     public CVE(String packageName, String packageVersion, @Nonnull StorageEmbeddedVulnerability vulnerability) {
         this(
@@ -30,7 +32,9 @@ public CVE(String packageName, String packageVersion, @Nonnull StorageEmbeddedVu
                 packageVersion,
                 !Strings.isNullOrEmpty(vulnerability.getFixedBy()),
                 vulnerability.getLink(),
-                SeverityUtil.prettySeverity(vulnerability.getSeverity())
+                SeverityUtil.prettySeverity(vulnerability.getSeverity()),
+                vulnerability.getAdvisory() != null ? vulnerability.getAdvisory().getName() : null,
+                vulnerability.getAdvisory() != null ? vulnerability.getAdvisory().getLink() : null
         );
     }
 }

stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/report/ReportGenerator.java

@@ -22,7 +22,7 @@
 
 public class ReportGenerator {
 
-    private static final String[] CVES_HEADER = {"COMPONENT", "VERSION", "CVE", "SEVERITY", "FIXABLE", "CVSS SCORE", "SCORE TYPE", "LINK"};
+    private static final String[] CVES_HEADER = {"COMPONENT", "VERSION", "CVE", "SEVERITY", "FIXABLE", "CVSS SCORE", "SCORE TYPE", "LINK", "ADVISORY", "ADVISORY LINK"};
     private static final String[] VIOLATED_POLICIES_HEADER = {"POLICY", "SEVERITY", "DESCRIPTION", "VIOLATION", "REMEDIATION", "ENFORCED"};
     private static final String CVES_FILENAME = "cves.csv";
     private static final String POLICY_VIOLATIONS_FILENAME = "policyViolations.csv";
@@ -54,7 +54,9 @@ private static void generateReport(FilePath reportsDir, ImageCheckResults result
                         cve.isFixable(),
                         cve.getCvssScore(),
                         cve.getScoreType(),
-                        cve.getLink()
+                        cve.getLink(),
+                        cve.getAdvisory(),
+                        cve.getAdvisoryLink()
                 ));
             }
         }

stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/services/ServiceException.java

@@ -7,7 +7,7 @@
 import com.google.gson.JsonSyntaxException;
 
 import com.stackrox.invoker.ApiException;
-import com.stackrox.model.RuntimeError;
+import com.stackrox.model.GooglerpcStatus;
 
 public class ServiceException extends IOException {
 
@@ -23,7 +23,7 @@ public static ServiceException fromApiException(String ownMessage, ApiException
         String responseBody = apiException.getResponseBody();
         if (!Strings.isNullOrEmpty(responseBody)) {
             try {
-                RuntimeError error = GSON.fromJson(responseBody, RuntimeError.class);
+                GooglerpcStatus error = GSON.fromJson(responseBody, GooglerpcStatus.class);
                 if (!Strings.isNullOrEmpty(error.getMessage())) {
                     messageBuilder.append(String.format(" Error: %s", error.getMessage()));
                 }

stackrox-container-image-scanner/src/main/webapp/js/renderTables.js

@@ -22,6 +22,13 @@ function renderCVETable(tableId, cves) {
                                                }
                     },
                     { title: 'FIXABLE', data : 'fixable' },
+                    { title: 'ADVISORY',mData : function (data, type, dataToSet) {
+                                                    if (!data.hasOwnProperty('advisory')) {
+                                                        return "-"
+                                                    }
+                                                    return `<a target="_blank" href="${data.advisoryLink}">${data.advisory}</a>`;
+                                               }
+                    },
                 ],
         columnDefs: [
                       {

stackrox-container-image-scanner/src/test/java/com/stackrox/jenkins/plugins/report/ReportGeneratorTest.java

@@ -36,6 +36,7 @@
 import com.stackrox.jenkins.plugins.data.CVE;
 import com.stackrox.jenkins.plugins.data.ImageCheckResults;
 import com.stackrox.jenkins.plugins.data.PolicyViolation;
+import com.stackrox.model.StorageAdvisory;
 import com.stackrox.model.StorageEmbeddedVulnerability;
 import com.stackrox.model.StoragePolicy;
 
@@ -92,7 +93,10 @@ void testGenerateReportForResultsWritesReportsForEveryImageInSeparatedDirectory(
                                         .severity(IMPORTANT_VULNERABILITY_SEVERITY)
                                         .cvss(9.8F)
                                         .scoreVersion(V3)
-                                        .link("https://security-tracker.debian.org/tracker/CVE-2015-5224")),
+                                        .link("https://security-tracker.debian.org/tracker/CVE-2015-5224")
+                                        .advisory(new StorageAdvisory()
+                                                .name("DSA-SOMETHING")
+                                                .link("https://advisory.com"))),
                                 new CVE("gcc-4.8", "4.8.4-1", new StorageEmbeddedVulnerability()
                                         .cve("CVE-2017-11671")
                                         .severity(MODERATE_VULNERABILITY_SEVERITY)
@@ -105,7 +109,10 @@ void testGenerateReportForResultsWritesReportsForEveryImageInSeparatedDirectory(
                                         .cvss(6.5F)
                                         .scoreVersion(V3)
                                         .link("https://security-tracker.debian.org/tracker/CVE-2016-3189")
-                                        .fixedBy("1.0.6-8"))
+                                        .fixedBy("1.0.6-8")
+                                        .advisory(new StorageAdvisory()
+                                                .name("DSA-SOMETHING-ELSE")
+                                                .link("https://advisory.com")))
                         ),
                         ImmutableList.of(
                                 new PolicyViolation(new StoragePolicy()
@@ -123,7 +130,10 @@ void testGenerateReportForResultsWritesReportsForEveryImageInSeparatedDirectory(
                                         .severity(LOW_VULNERABILITY_SEVERITY)
                                         .cvss(5.8F)
                                         .scoreVersion(V2)
-                                        .link("https://security-tracker.debian.org/tracker/CVE-2007-6755")),
+                                        .link("https://security-tracker.debian.org/tracker/CVE-2007-6755")
+                                        .advisory(new StorageAdvisory()
+                                                .name("DSA-SOMETHING")
+                                                .link("https://advisory.com"))),
                                 new CVE(null, null, new StorageEmbeddedVulnerability()
                                         .cve("CVE-MISSING-DATA")
                                         .scoreVersion(null)

stackrox-container-image-scanner/src/test/resources/report/jenkins.lts/cves.csv

@@ -1,4 +1,4 @@
-COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK
-util-linux,2.25.2-6,CVE-2015-5224,IMPORTANT,false,9.8,V3,https://security-tracker.debian.org/tracker/CVE-2015-5224
-gcc-4.8,4.8.4-1,CVE-2017-11671,MODERATE,false,4.0,V3,https://security-tracker.debian.org/tracker/CVE-2017-11671
-bzip2,1.0.6-7,CVE-2016-3189,LOW,true,6.5,V3,https://security-tracker.debian.org/tracker/CVE-2016-3189
+COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK,ADVISORY,ADVISORY LINK
+util-linux,2.25.2-6,CVE-2015-5224,IMPORTANT,false,9.8,V3,https://security-tracker.debian.org/tracker/CVE-2015-5224,DSA-SOMETHING,https://advisory.com
+gcc-4.8,4.8.4-1,CVE-2017-11671,MODERATE,false,4.0,V3,https://security-tracker.debian.org/tracker/CVE-2017-11671,-,-
+bzip2,1.0.6-7,CVE-2016-3189,LOW,true,6.5,V3,https://security-tracker.debian.org/tracker/CVE-2016-3189,DSA-SOMETHING-ELSE,https://advisory.com

stackrox-container-image-scanner/src/test/resources/report/nginx.latest/cves.csv

@@ -1,3 +1,3 @@
-COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK
-openssl,1.1.1d-0+deb10u7,CVE-2007-6755,LOW,false,5.8,V2,https://security-tracker.debian.org/tracker/CVE-2007-6755
--,-,CVE-MISSING-DATA,UNKNOWN,false,0.0,-,-
+COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK,ADVISORY,ADVISORY LINK
+openssl,1.1.1d-0+deb10u7,CVE-2007-6755,LOW,false,5.8,V2,https://security-tracker.debian.org/tracker/CVE-2007-6755,DSA-SOMETHING,https://advisory.com
+-,-,CVE-MISSING-DATA,UNKNOWN,false,0.0,-,-,-,-

stackrox-container-image-scanner/src/test/resources/report_with_no_issues/mis-spelled.lts/cves.csv

@@ -1 +1 @@
-COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK
+COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK,ADVISORY,ADVISORY LINK