diff --git a/CONVENTIONS.md b/CONVENTIONS.md index bcbbe8ab..65631f29 100644 --- a/CONVENTIONS.md +++ b/CONVENTIONS.md @@ -26,6 +26,7 @@ - **Formatter toggle**: `// fmt:off` / `// fmt:on` to disable formatting (used in Camel DSL code) - **Encoding**: UTF-8 - **Line endings**: LF, trim trailing whitespace, final newline +- **Method length**: Methods should not exceed ~40 lines of logic. When a method grows beyond this, extract cohesive blocks into well-named private helpers. Duplicated blocks across methods must always be extracted. ## Naming Conventions diff --git a/pom.xml b/pom.xml index 35b0c524..d1705f6d 100644 --- a/pom.xml +++ b/pom.xml @@ -49,7 +49,7 @@ 3.1.1 - 2.0.10 + 2.0.11 11.0.1 7.8.0 2.0.2 diff --git a/src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java b/src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java index 4067474d..7ca10caa 100644 --- a/src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java +++ b/src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java @@ -18,11 +18,13 @@ package io.github.guacsec.trustifyda.integration.providers.trustify; import java.io.IOException; +import java.net.URI; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.Objects; import java.util.stream.Collectors; import org.apache.camel.Exchange; @@ -34,6 +36,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode; import io.github.guacsec.trustifyda.api.PackageRef; +import io.github.guacsec.trustifyda.api.v5.AdvisoryInfo; import io.github.guacsec.trustifyda.api.v5.Issue; import io.github.guacsec.trustifyda.api.v5.Remediation; import io.github.guacsec.trustifyda.api.v5.RemediationCategory; @@ -131,6 +134,7 @@ private List toIssues(JsonNode response) { } var key = String.format("%s:%s", source, id); if (issuesByCveSource.containsKey(key)) { + mergeIssueData(issuesByCveSource.get(key), vuln, purlStatus); return; } var issue = new Issue().id(id).title(iTitle).source(source).cves(List.of(id)); @@ -158,6 +162,59 @@ private List getWarnings(JsonNode entryValue) { } private void setCvssData(Issue issue, JsonNode vuln, JsonNode purlStatus) { + var sd = extractScoreData(vuln, purlStatus); + + if (sd.score != null) { + issue.cvssScore(sd.score); + } + if (sd.severity != null) { + try { + issue.setSeverity(SeverityUtils.fromValue(sd.severity.toUpperCase())); + } catch (IllegalArgumentException e) { + LOGGER.infof( + "Unknown severity value: %s, falling back to score-based severity", sd.severity); + if (sd.score != null) { + issue.setSeverity(SeverityUtils.fromScore(sd.score)); + } + } + } else if (sd.score != null) { + issue.setSeverity(SeverityUtils.fromScore(sd.score)); + } + + var r = new Remediation(); + boolean hasRemediation = processVersionRange(purlStatus, r, false); + hasRemediation |= processRemediations(purlStatus, r); + + if (hasRemediation) { + issue.setRemediation(r); + } + } + + private void mergeIssueData(Issue existing, JsonNode vuln, JsonNode purlStatus) { + var sd = extractScoreData(vuln, purlStatus); + + if (sd.score != null + && (existing.getCvssScore() == null || sd.score > existing.getCvssScore())) { + existing.cvssScore(sd.score); + if (sd.severity != null) { + try { + existing.setSeverity(SeverityUtils.fromValue(sd.severity.toUpperCase())); + } catch (IllegalArgumentException e) { + existing.setSeverity(SeverityUtils.fromScore(sd.score)); + } + } else { + existing.setSeverity(SeverityUtils.fromScore(sd.score)); + } + } + + var r = ensureRemediation(existing); + processVersionRange(purlStatus, r, true); + processRemediations(purlStatus, r); + } + + private record ScoreData(Float score, String severity) {} + + private ScoreData extractScoreData(JsonNode vuln, JsonNode purlStatus) { Float score = null; String severity = null; @@ -180,56 +237,52 @@ private void setCvssData(Issue issue, JsonNode vuln, JsonNode purlStatus) { } } - if (score != null) { - issue.cvssScore(score); - } - if (severity != null) { - try { - issue.setSeverity(SeverityUtils.fromValue(severity.toUpperCase())); - } catch (IllegalArgumentException e) { - LOGGER.infof("Unknown severity value: %s, falling back to score-based severity", severity); - if (score != null) { - issue.setSeverity(SeverityUtils.fromScore(score)); - } - } - } else if (score != null) { - issue.setSeverity(SeverityUtils.fromScore(score)); - } - - var r = new Remediation(); - boolean hasRemediation = false; + return new ScoreData(score, severity); + } + private boolean processVersionRange(JsonNode purlStatus, Remediation r, boolean dedup) { var versionRange = purlStatus.get("version_range"); - if (versionRange != null && !versionRange.isNull()) { - var vr = new VersionRange(); - var schemeId = JsonUtils.getTextValue(versionRange, "version_scheme_id"); - if (schemeId != null) { - vr.versionSchemeId(schemeId); - } - var lowVersion = JsonUtils.getTextValue(versionRange, "low_version"); - if (lowVersion != null) { - vr.lowVersion(lowVersion); - } - var lowInclusive = JsonUtils.getBooleanValue(versionRange, "low_inclusive"); - if (lowInclusive != null) { - vr.lowInclusive(lowInclusive); - } - var highVersion = JsonUtils.getTextValue(versionRange, "high_version"); - var highInclusive = JsonUtils.getBooleanValue(versionRange, "high_inclusive"); - if (highVersion != null) { - vr.highVersion(highVersion); - if (highInclusive == null || !highInclusive) { + if (versionRange == null || versionRange.isNull()) { + return false; + } + var vr = new VersionRange(); + var schemeId = JsonUtils.getTextValue(versionRange, "version_scheme_id"); + if (schemeId != null) { + vr.versionSchemeId(schemeId); + } + var lowVersion = JsonUtils.getTextValue(versionRange, "low_version"); + if (lowVersion != null) { + vr.lowVersion(lowVersion); + } + var lowInclusive = JsonUtils.getBooleanValue(versionRange, "low_inclusive"); + if (lowInclusive != null) { + vr.lowInclusive(lowInclusive); + } + var highVersion = JsonUtils.getTextValue(versionRange, "high_version"); + var highInclusive = JsonUtils.getBooleanValue(versionRange, "high_inclusive"); + if (highVersion != null) { + vr.highVersion(highVersion); + if (highInclusive == null || !highInclusive) { + if (dedup) { + var fixedIn = r.getFixedIn(); + if (fixedIn == null || !fixedIn.contains(highVersion)) { + r.addFixedInItem(highVersion); + } + } else { r.addFixedInItem(highVersion); } } - if (highInclusive != null) { - vr.highInclusive(highInclusive); - } - r.addVersionRangesItem(vr); - hasRemediation = true; } + if (highInclusive != null) { + vr.highInclusive(highInclusive); + } + r.addVersionRangesItem(vr); + return true; + } + private boolean processRemediations(JsonNode purlStatus, Remediation r) { var remediations = (ArrayNode) purlStatus.get("remediations"); + var advisoryInfo = buildAdvisoryInfo(purlStatus); if (remediations != null && !remediations.isEmpty()) { remediations.forEach( rem -> { @@ -248,16 +301,90 @@ private void setCvssData(Issue issue, JsonNode vuln, JsonNode purlStatus) { } var url = JsonUtils.getTextValue(rem, "url"); if (url != null) { - info.url(url); + try { + info.url(URI.create(url)); + } catch (IllegalArgumentException e) { + LOGGER.infof("Invalid remediation URL: %s", url); + } + } + if (advisoryInfo != null) { + info.advisory(advisoryInfo); + } + if (!isDuplicateRemediation(r, info)) { + r.addRemediationsItem(info); } - r.addRemediationsItem(info); }); - hasRemediation = true; + return true; + } else { + var info = + buildRemediationInfo(purlStatus, r.getFixedIn() != null && !r.getFixedIn().isEmpty()); + if (info != null && !isDuplicateRemediation(r, info)) { + r.addRemediationsItem(info); + return true; + } } + return false; + } - if (hasRemediation) { + private boolean isDuplicateRemediation(Remediation r, RemediationInfo info) { + var existing = r.getRemediations(); + if (existing == null) { + return false; + } + return existing.stream() + .anyMatch( + e -> + Objects.equals(e.getCategory(), info.getCategory()) + && Objects.equals(e.getDetails(), info.getDetails()) + && Objects.equals( + e.getAdvisory() != null ? e.getAdvisory().getId() : null, + info.getAdvisory() != null ? info.getAdvisory().getId() : null)); + } + + private Remediation ensureRemediation(Issue issue) { + var r = issue.getRemediation(); + if (r == null) { + r = new Remediation(); issue.setRemediation(r); } + return r; + } + + private AdvisoryInfo buildAdvisoryInfo(JsonNode purlStatus) { + var advisory = purlStatus.get("advisory"); + if (advisory == null) { + return null; + } + var documentId = JsonUtils.getTextValue(advisory, "document_id"); + if (documentId == null) { + return null; + } + var info = new AdvisoryInfo().id(documentId); + var title = JsonUtils.getTextValue(advisory, "title"); + if (title != null) { + info.title(title); + } + var identifier = JsonUtils.getTextValue(advisory, "identifier"); + if (identifier != null && identifier.startsWith("http")) { + try { + info.url(URI.create(identifier)); + } catch (IllegalArgumentException e) { + LOGGER.infof("Invalid advisory URL: %s", identifier); + } + } + return info; + } + + private RemediationInfo buildRemediationInfo(JsonNode purlStatus, boolean hasFixedVersions) { + var advisoryInfo = buildAdvisoryInfo(purlStatus); + if (advisoryInfo == null) { + return null; + } + var info = new RemediationInfo().advisory(advisoryInfo); + if (hasFixedVersions) { + info.category(RemediationCategory.VENDOR_FIX); + } + return info; } private String getSource(JsonNode purlStatus) { diff --git a/src/main/java/io/github/guacsec/trustifyda/model/trustify/Vulnerability.java b/src/main/java/io/github/guacsec/trustifyda/model/trustify/Vulnerability.java index 36b93ba2..ec8d29aa 100644 --- a/src/main/java/io/github/guacsec/trustifyda/model/trustify/Vulnerability.java +++ b/src/main/java/io/github/guacsec/trustifyda/model/trustify/Vulnerability.java @@ -19,6 +19,7 @@ import java.io.IOException; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; import com.fasterxml.jackson.core.JsonParser; import com.fasterxml.jackson.databind.DeserializationContext; import com.fasterxml.jackson.databind.JsonDeserializer; @@ -28,6 +29,7 @@ import io.quarkus.runtime.annotations.RegisterForReflection; @RegisterForReflection +@JsonIgnoreProperties(ignoreUnknown = true) public class Vulnerability { private String id; diff --git a/src/test/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandlerTest.java b/src/test/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandlerTest.java index 161adb2f..5fdaabbe 100644 --- a/src/test/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandlerTest.java +++ b/src/test/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandlerTest.java @@ -29,6 +29,7 @@ import static org.mockito.Mockito.when; import java.io.IOException; +import java.net.URI; import java.util.Collections; import java.util.HashMap; import java.util.List; @@ -49,6 +50,7 @@ import io.github.guacsec.trustifyda.api.PackageRef; import io.github.guacsec.trustifyda.api.v5.Issue; import io.github.guacsec.trustifyda.api.v5.RemediationCategory; +import io.github.guacsec.trustifyda.api.v5.RemediationInfo; import io.github.guacsec.trustifyda.api.v5.Severity; import io.github.guacsec.trustifyda.integration.Constants; import io.github.guacsec.trustifyda.integration.providers.trustify.ubi.UBIRecommendation; @@ -1475,7 +1477,7 @@ void testResponseToIssuesWithRemediationUrl() throws IOException { var rem = issue.getRemediation().getRemediations().get(0); assertEquals(RemediationCategory.VENDOR_FIX, rem.getCategory()); assertEquals("Update to latest version", rem.getDetails()); - assertEquals("https://example.com/fix", rem.getUrl()); + assertEquals(URI.create("https://example.com/fix"), rem.getUrl()); } @Test @@ -1807,4 +1809,428 @@ void testResponseToIssuesSameCveDifferentSources() throws IOException { assertTrue(issues.stream().anyMatch(i -> "Red Hat Product Security".equals(i.getSource()))); assertTrue(issues.stream().anyMatch(i -> "GitHub".equals(i.getSource()))); } + + @Test + void testResponseToIssuesMergesRemediationsAcrossAffected() throws IOException { + String jsonResponse = + """ + { + "pkg:maven/org.postgresql/postgresql@42.5.0": { + "details": [ + { + "identifier": "CVE-2024-1597", + "title": "SQL Injection in PostgreSQL JDBC", + "description": "SQL injection vulnerability", + "base_score": { + "score": 9.8, + "severity": "CRITICAL" + }, + "purl_statuses": [ + { + "advisory": { + "id": "adv-1", + "document_id": "RHSA-2024:1234", + "title": "Red Hat Security Advisory", + "identifier": "https://access.redhat.com/errata/RHSA-2024:1234", + "issuer": { + "id": "issuer-1", + "name": "redhat-csaf" + } + }, + "status": "affected", + "version_range": { + "version_scheme_id": "semver", + "low_version": "0", + "low_inclusive": true, + "high_version": "42.5.5", + "high_inclusive": false + }, + "remediations": [], + "scores": [ + { + "source": "cve", + "value": 9.8, + "severity": "critical" + } + ] + }, + { + "advisory": { + "id": "adv-2", + "document_id": "RHSA-2024:5678", + "title": "Red Hat Security Advisory 2", + "identifier": "https://access.redhat.com/errata/RHSA-2024:5678", + "issuer": { + "id": "issuer-1", + "name": "redhat-csaf" + } + }, + "status": "affected", + "version_range": { + "version_scheme_id": "semver", + "low_version": "0", + "low_inclusive": true, + "high_version": "42.6.1", + "high_inclusive": false + }, + "remediations": [], + "scores": [ + { + "source": "cve", + "value": 9.8, + "severity": "critical" + } + ] + } + ] + } + ], + "warnings": [] + } + } + """; + + byte[] responseBytes = jsonResponse.getBytes(); + ProviderResponse result = + handler.responseToIssues(buildExchange(responseBytes, dependencyTree)); + + PackageItem packageItem = result.pkgItems().get("pkg:maven/org.postgresql/postgresql@42.5.0"); + assertNotNull(packageItem); + List issues = packageItem.issues(); + assertEquals(1, issues.size(), "Same CVE+source should merge into one issue"); + + Issue issue = issues.get(0); + assertEquals("CVE-2024-1597", issue.getId()); + assertEquals(9.8f, issue.getCvssScore()); + assertNotNull(issue.getRemediation()); + assertEquals( + 2, issue.getRemediation().getFixedIn().size(), "Should accumulate fixedIn from both"); + assertTrue(issue.getRemediation().getFixedIn().contains("42.5.5")); + assertTrue(issue.getRemediation().getFixedIn().contains("42.6.1")); + + List remInfos = issue.getRemediation().getRemediations(); + assertNotNull(remInfos); + assertEquals(2, remInfos.size(), "Should have two advisory-linked remediations"); + } + + @Test + void testResponseToIssuesWithAdvisoryInfoAttribution() throws IOException { + String jsonResponse = + """ + { + "pkg:maven/org.postgresql/postgresql@42.5.0": { + "details": [ + { + "identifier": "CVE-2024-1597", + "title": "SQL Injection in PostgreSQL JDBC", + "description": "SQL injection vulnerability", + "base_score": { + "score": 9.8, + "severity": "CRITICAL" + }, + "purl_statuses": [ + { + "advisory": { + "id": "adv-1", + "document_id": "RHSA-2024:1234", + "title": "Red Hat Security Advisory", + "identifier": "https://access.redhat.com/errata/RHSA-2024:1234", + "issuer": { + "id": "issuer-1", + "name": "redhat-csaf" + } + }, + "status": "affected", + "version_range": { + "version_scheme_id": "semver", + "low_version": "0", + "low_inclusive": true, + "high_version": "42.5.5", + "high_inclusive": false + }, + "remediations": [], + "scores": [ + { + "source": "cve", + "value": 9.8, + "severity": "critical" + } + ] + }, + { + "advisory": { + "id": "adv-2", + "document_id": "GHSA-2024-5678", + "title": "GitHub Security Advisory", + "identifier": "GHSA-xxxx-yyyy-zzzz", + "issuer": { + "id": "issuer-2", + "name": "redhat-csaf" + } + }, + "status": "affected", + "version_range": null, + "remediations": [], + "scores": [ + { + "source": "cve", + "value": 9.8, + "severity": "critical" + } + ] + } + ] + } + ], + "warnings": [] + } + } + """; + + byte[] responseBytes = jsonResponse.getBytes(); + ProviderResponse result = + handler.responseToIssues(buildExchange(responseBytes, dependencyTree)); + + PackageItem packageItem = result.pkgItems().get("pkg:maven/org.postgresql/postgresql@42.5.0"); + assertNotNull(packageItem); + List issues = packageItem.issues(); + assertEquals(1, issues.size()); + + Issue issue = issues.get(0); + assertNotNull(issue.getRemediation()); + + List remInfos = issue.getRemediation().getRemediations(); + assertNotNull(remInfos); + assertEquals(2, remInfos.size(), "Should have two advisory-linked remediations"); + + RemediationInfo first = remInfos.get(0); + assertNotNull(first.getAdvisory()); + assertEquals("RHSA-2024:1234", first.getAdvisory().getId()); + assertEquals("Red Hat Security Advisory", first.getAdvisory().getTitle()); + assertNotNull(first.getAdvisory().getUrl()); + assertEquals( + "https://access.redhat.com/errata/RHSA-2024:1234", first.getAdvisory().getUrl().toString()); + assertEquals(RemediationCategory.VENDOR_FIX, first.getCategory()); + + RemediationInfo second = remInfos.get(1); + assertNotNull(second.getAdvisory()); + assertEquals("GHSA-2024-5678", second.getAdvisory().getId()); + assertEquals("GitHub Security Advisory", second.getAdvisory().getTitle()); + assertNull(second.getAdvisory().getUrl(), "Non-URL identifier should result in null url"); + } + + @Test + void testResponseToIssuesMergeKeepsHigherCvss() throws IOException { + String jsonResponse = + """ + { + "pkg:maven/org.postgresql/postgresql@42.5.0": { + "details": [ + { + "identifier": "CVE-2024-1597", + "title": "SQL Injection in PostgreSQL JDBC", + "description": "SQL injection vulnerability", + "base_score": null, + "purl_statuses": [ + { + "advisory": { + "id": "adv-high", + "document_id": "ADV-HIGH", + "title": "High Score Advisory", + "identifier": "https://example.com/adv-high", + "issuer": { + "id": "issuer-1", + "name": "redhat-csaf" + } + }, + "status": "affected", + "version_range": null, + "remediations": [], + "scores": [ + { + "source": "cve", + "value": 9.8, + "severity": "critical" + } + ] + }, + { + "advisory": { + "id": "adv-low", + "document_id": "ADV-LOW", + "title": "Low Score Advisory", + "identifier": "https://example.com/adv-low", + "issuer": { + "id": "issuer-1", + "name": "redhat-csaf" + } + }, + "status": "affected", + "version_range": null, + "remediations": [], + "scores": [ + { + "source": "cve", + "value": 5.0, + "severity": "medium" + } + ] + } + ] + } + ], + "warnings": [] + } + } + """; + + byte[] responseBytes = jsonResponse.getBytes(); + ProviderResponse result = + handler.responseToIssues(buildExchange(responseBytes, dependencyTree)); + + PackageItem packageItem = result.pkgItems().get("pkg:maven/org.postgresql/postgresql@42.5.0"); + assertNotNull(packageItem); + List issues = packageItem.issues(); + assertEquals(1, issues.size()); + + Issue issue = issues.get(0); + assertEquals(9.8f, issue.getCvssScore(), "Should keep the higher CVSS score"); + assertEquals(Severity.CRITICAL, issue.getSeverity()); + } + + @Test + void testResponseToIssuesDeduplicatesIdenticalRemediationsAcrossPurlStatuses() + throws IOException { + String jsonResponse = + """ + { + "pkg:maven/org.postgresql/postgresql@42.5.0": { + "details": [ + { + "identifier": "CVE-2023-2454", + "title": "postgresql: schema_element defeats protective search_path changes", + "description": "A schema_element vulnerability", + "base_score": { + "score": 7.2, + "severity": "HIGH" + }, + "purl_statuses": [ + { + "advisory": { + "id": "adv-a", + "document_id": "CVE-2023-2454", + "title": "postgresql: schema_element defeats protective search_path changes", + "identifier": "https://www.redhat.com/#CVE-2023-2454", + "issuer": { + "id": "issuer-1", + "name": "redhat-csaf" + } + }, + "status": "affected", + "version_range": { + "version_scheme_id": "semver", + "low_version": "0", + "low_inclusive": true, + "high_version": "42.5.5", + "high_inclusive": false + }, + "remediations": [ + { + "category": "WORKAROUND", + "details": "Use a workaround" + }, + { + "category": "NO_FIX_PLANNED", + "details": "No fix is planned" + } + ], + "scores": [ + { + "source": "cve", + "value": 7.2, + "severity": "high" + } + ] + }, + { + "advisory": { + "id": "adv-b", + "document_id": "CVE-2023-2454", + "title": "postgresql: schema_element defeats protective search_path changes", + "identifier": "https://www.redhat.com/#CVE-2023-2454", + "issuer": { + "id": "issuer-1", + "name": "redhat-csaf" + } + }, + "status": "affected", + "version_range": { + "version_scheme_id": "semver", + "low_version": "0", + "low_inclusive": true, + "high_version": "42.6.1", + "high_inclusive": false + }, + "remediations": [ + { + "category": "WORKAROUND", + "details": "Use a workaround" + }, + { + "category": "NO_FIX_PLANNED", + "details": "No fix is planned" + } + ], + "scores": [ + { + "source": "cve", + "value": 7.2, + "severity": "high" + } + ] + } + ] + } + ], + "warnings": [] + } + } + """; + + byte[] responseBytes = jsonResponse.getBytes(); + ProviderResponse result = + handler.responseToIssues(buildExchange(responseBytes, dependencyTree)); + + PackageItem packageItem = result.pkgItems().get("pkg:maven/org.postgresql/postgresql@42.5.0"); + assertNotNull(packageItem); + List issues = packageItem.issues(); + assertEquals(1, issues.size(), "Same CVE+source should merge into one issue"); + + Issue issue = issues.get(0); + assertEquals("CVE-2023-2454", issue.getId()); + assertNotNull(issue.getRemediation()); + + List remInfos = issue.getRemediation().getRemediations(); + assertNotNull(remInfos); + assertEquals( + 2, + remInfos.size(), + "Should have exactly 2 unique remediations (WORKAROUND + NO_FIX_PLANNED), not 4"); + + long workaroundCount = + remInfos.stream() + .filter(r -> RemediationCategory.WORKAROUND.equals(r.getCategory())) + .count(); + long noFixCount = + remInfos.stream() + .filter(r -> RemediationCategory.NO_FIX_PLANNED.equals(r.getCategory())) + .count(); + assertEquals(1, workaroundCount, "WORKAROUND should appear exactly once"); + assertEquals(1, noFixCount, "NO_FIX_PLANNED should appear exactly once"); + + assertEquals( + 2, issue.getRemediation().getFixedIn().size(), "Should accumulate fixedIn from both"); + assertTrue(issue.getRemediation().getFixedIn().contains("42.5.5")); + assertTrue(issue.getRemediation().getFixedIn().contains("42.6.1")); + } } diff --git a/src/test/resources/__files/reports/batch_report.json b/src/test/resources/__files/reports/batch_report.json index c3adfd1b..05701020 100644 --- a/src/test/resources/__files/reports/batch_report.json +++ b/src/test/resources/__files/reports/batch_report.json @@ -30,7 +30,7 @@ "medium": 2, "low": 0, "unknown": 0, - "remediations": 2, + "remediations": 7, "recommendations": 0, "unscanned": 0 }, @@ -50,7 +50,20 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "category": "VENDOR_FIX", + "details": "Upgrade to version 42.7.2 or later", + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56", + "advisory": { + "id": "GHSA-24rp-q3w6-vc56", + "title": "org.postgresql:postgresql vulnerable to SQL Injection via line comment generation" + } + } + ] + } }, { "id": "CVE-2022-41946", @@ -61,7 +74,17 @@ "cves": [ "CVE-2022-41946" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-562r-vg33-8x8h", + "title": "TemporaryFolder on unix-like systems does not limit access to created files" + } + } + ] + } } ], "highestVulnerability": { @@ -73,7 +96,20 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "category": "VENDOR_FIX", + "details": "Upgrade to version 42.7.2 or later", + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56", + "advisory": { + "id": "GHSA-24rp-q3w6-vc56", + "title": "org.postgresql:postgresql vulnerable to SQL Injection via line comment generation" + } + } + ] + } } } ], @@ -86,7 +122,20 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "category": "VENDOR_FIX", + "details": "Upgrade to version 42.7.2 or later", + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56", + "advisory": { + "id": "GHSA-24rp-q3w6-vc56", + "title": "org.postgresql:postgresql vulnerable to SQL Injection via line comment generation" + } + } + ] + } } }, { @@ -106,6 +155,14 @@ ], "unique": false, "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-57j2-w4cx-62h2", + "title": "Deeply nested json in jackson-databind" + } + } + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -122,7 +179,20 @@ "cves": [ "CVE-2022-42003" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "category": "WORKAROUND", + "details": "Disable UNWRAP_SINGLE_VALUE_ARRAYS feature or upgrade to 2.13.4.1 or later", + "url": "https://github.com/FasterXML/jackson-databind/issues/3590", + "advisory": { + "id": "GHSA-jjjh-jjxp-wpff", + "title": "Uncontrolled Resource Consumption in Jackson-databind" + } + } + ] + } }, { "id": "CVE-2022-42004", @@ -133,7 +203,17 @@ "cves": [ "CVE-2022-42004" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-rgv9-q543-rqg4", + "title": "Uncontrolled Resource Consumption in FasterXML jackson-databind" + } + } + ] + } } ], "highestVulnerability": { @@ -147,6 +227,14 @@ ], "unique": false, "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-57j2-w4cx-62h2", + "title": "Deeply nested json in jackson-databind" + } + } + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -167,7 +255,17 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-f8h5-v2vg-46rr", + "title": "quarkus-core leaks local environment variables from Quarkus namespace during application's build" + } + } + ] + } }, { "id": "CVE-2023-2974", @@ -180,6 +278,14 @@ ], "unique": false, "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-3fhx-3vvg-2j84", + "title": "quarkus-core vulnerable to client driven TLS cipher downgrading" + } + } + ], "trustedContent": { "ref": "pkg:maven/io.quarkus/quarkus-core@2.13.5.Final-redhat-00004?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -197,7 +303,17 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-f8h5-v2vg-46rr", + "title": "quarkus-core leaks local environment variables from Quarkus namespace during application's build" + } + } + ] + } } } ], @@ -212,6 +328,14 @@ ], "unique": false, "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-57j2-w4cx-62h2", + "title": "Deeply nested json in jackson-databind" + } + } + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -233,7 +357,7 @@ "medium": 0, "low": 0, "unknown": 0, - "remediations": 0, + "remediations": 2, "recommendations": 0, "unscanned": 0 }, @@ -253,7 +377,41 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "RHSA-2024:1797", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.9.SP2 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1797" + } + }, + { + "category": "NO_FIX_PLANNED", + "details": "Out of support scope", + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "RHSA-2024:1662", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.11 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1662" + } + } + ] + } } ], "highestVulnerability": { @@ -265,7 +423,41 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "RHSA-2024:1797", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.9.SP2 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1797" + } + }, + { + "category": "NO_FIX_PLANNED", + "details": "Out of support scope", + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "RHSA-2024:1662", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.11 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1662" + } + } + ] + } } } ], @@ -278,7 +470,41 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "RHSA-2024:1797", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.9.SP2 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1797" + } + }, + { + "category": "NO_FIX_PLANNED", + "details": "Out of support scope", + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "RHSA-2024:1662", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.11 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1662" + } + } + ] + } } }, { @@ -296,7 +522,32 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "CVE-2024-2700", + "title": "quarkus-core: Leak of local configuration properties into Quarkus applications", + "url": "https://www.redhat.com/#CVE-2024-2700" + } + }, + { + "advisory": { + "id": "RHSA-2024:2705", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.12 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_2705" + } + }, + { + "advisory": { + "id": "RHSA-2024:2106", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.8.4 release", + "url": "https://www.redhat.com/#RHSA-2024_2106" + } + } + ] + } } ], "highestVulnerability": { @@ -308,7 +559,32 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "CVE-2024-2700", + "title": "quarkus-core: Leak of local configuration properties into Quarkus applications", + "url": "https://www.redhat.com/#CVE-2024-2700" + } + }, + { + "advisory": { + "id": "RHSA-2024:2705", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.12 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_2705" + } + }, + { + "advisory": { + "id": "RHSA-2024:2106", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.8.4 release", + "url": "https://www.redhat.com/#RHSA-2024_2106" + } + } + ] + } } } ], @@ -321,7 +597,32 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "CVE-2024-2700", + "title": "quarkus-core: Leak of local configuration properties into Quarkus applications", + "url": "https://www.redhat.com/#CVE-2024-2700" + } + }, + { + "advisory": { + "id": "RHSA-2024:2705", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.12 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_2705" + } + }, + { + "advisory": { + "id": "RHSA-2024:2106", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.8.4 release", + "url": "https://www.redhat.com/#RHSA-2024_2106" + } + } + ] + } } } ] diff --git a/src/test/resources/__files/reports/pypi_report.json b/src/test/resources/__files/reports/pypi_report.json index 07b328f8..15fb3f6b 100644 --- a/src/test/resources/__files/reports/pypi_report.json +++ b/src/test/resources/__files/reports/pypi_report.json @@ -1,129 +1,137 @@ { - "scanned": { - "total": 2, - "direct": 2, - "transitive": 0 - }, - "providers": { - "trustify": { - "status": { - "ok": true, - "name": "trustify", - "code": 200, - "message": "OK", - "warnings": { - - } - }, - "sources": { - "osv-github": { - "summary": { - "direct": 1, - "transitive": 0, - "total": 1, - "dependencies": 1, - "critical": 0, - "high": 0, - "medium": 1, - "low": 0, - "unknown": 0, - "remediations": 0, - "recommendations": 2, - "unscanned": 0 - }, - "dependencies": [ - { - "ref": "pkg:pypi/requests@2.31.0", - "issues": [ - { - "id": "CVE-2024-35195", - "title": "Requests Session object does not verify requests after making first request with verify=False", - "source": "osv-github", - "cvssScore": 5.6, - "severity": "MEDIUM", - "cves": [ - "CVE-2024-35195" - ], - "unique": false, - "remediation": { - "trustedContent": { - "ref": "pkg:pypi/requests@2.31.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" - } - } - } - ], - "transitive": [ - - ], - "recommendation": "pkg:pypi/requests@2.31.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython", - "highestVulnerability": { - "id": "CVE-2024-35195", - "title": "Requests Session object does not verify requests after making first request with verify=False", - "source": "osv-github", - "cvssScore": 5.6, - "severity": "MEDIUM", - "cves": [ - "CVE-2024-35195" - ], - "unique": false, - "remediation": { - "trustedContent": { - "ref": "pkg:pypi/requests@2.31.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" - } - } - } - }, - { - "ref": "pkg:pypi/flask@3.0.0", - "recommendation": "pkg:pypi/flask@3.0.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" + "scanned": { + "total": 2, + "direct": 2, + "transitive": 0 + }, + "providers": { + "trustify": { + "status": { + "ok": true, + "name": "trustify", + "code": 200, + "message": "OK", + "warnings": {} + }, + "sources": { + "osv-github": { + "summary": { + "direct": 1, + "transitive": 0, + "total": 1, + "dependencies": 1, + "critical": 0, + "high": 0, + "medium": 1, + "low": 0, + "unknown": 0, + "remediations": 1, + "recommendations": 2, + "unscanned": 0 + }, + "dependencies": [ + { + "ref": "pkg:pypi/requests@2.31.0", + "issues": [ + { + "id": "CVE-2024-35195", + "title": "Requests Session object does not verify requests after making first request with verify=False", + "source": "osv-github", + "cvssScore": 5.6, + "severity": "MEDIUM", + "cves": [ + "CVE-2024-35195" + ], + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-9wx4-h78v-vm56", + "title": "Requests Session object does not verify requests after making first request with verify=False" } - ] + } + ], + "trustedContent": { + "ref": "pkg:pypi/requests@2.31.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" + } + } } - }, - "recommendations": { - "trusted-libraries": { - "summary": { - "total": 2 - }, - "dependencies": [ - { - "ref": "pkg:pypi/requests@2.31.0", - "recommendation": "pkg:pypi/requests@2.31.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" - }, - { - "ref": "pkg:pypi/flask@3.0.0", - "recommendation": "pkg:pypi/flask@3.0.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" - } - ] + ], + "transitive": [], + "recommendation": "pkg:pypi/requests@2.31.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython", + "highestVulnerability": { + "id": "CVE-2024-35195", + "title": "Requests Session object does not verify requests after making first request with verify=False", + "source": "osv-github", + "cvssScore": 5.6, + "severity": "MEDIUM", + "cves": [ + "CVE-2024-35195" + ], + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-9wx4-h78v-vm56", + "title": "Requests Session object does not verify requests after making first request with verify=False" + } + } + ], + "trustedContent": { + "ref": "pkg:pypi/requests@2.31.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" + } } + } + }, + { + "ref": "pkg:pypi/flask@3.0.0", + "recommendation": "pkg:pypi/flask@3.0.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" } + ] } - }, - "licenses": [ - { - "status": { - "ok": false, - "name": "deps.dev", - "code": 504, - "message": "Request timed out", - "warnings": { - - } - }, - "summary": { - "total": 0, - "concluded": 0, - "permissive": 0, - "weakCopyleft": 0, - "strongCopyleft": 0, - "unknown": 0, - "deprecated": 0, - "osiApproved": 0, - "fsfLibre": 0 + }, + "recommendations": { + "trusted-libraries": { + "summary": { + "total": 2 + }, + "dependencies": [ + { + "ref": "pkg:pypi/requests@2.31.0", + "recommendation": "pkg:pypi/requests@2.31.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" }, - "packages": { - + { + "ref": "pkg:pypi/flask@3.0.0", + "recommendation": "pkg:pypi/flask@3.0.0?repository_url=https%3A%2F%2Fpackages.redhat.com%2Ftrusted-libraries%2Fpython" } + ] } - ] -} \ No newline at end of file + } + } + }, + "licenses": [ + { + "status": { + "ok": false, + "name": "deps.dev", + "code": 504, + "message": "Request timed out", + "warnings": {} + }, + "summary": { + "total": 0, + "concluded": 0, + "permissive": 0, + "weakCopyleft": 0, + "strongCopyleft": 0, + "unknown": 0, + "deprecated": 0, + "osiApproved": 0, + "fsfLibre": 0 + }, + "packages": {} + } + ] +} diff --git a/src/test/resources/__files/reports/report.json b/src/test/resources/__files/reports/report.json index 60c754f1..7b1b8a95 100644 --- a/src/test/resources/__files/reports/report.json +++ b/src/test/resources/__files/reports/report.json @@ -29,7 +29,7 @@ "medium": 2, "low": 0, "unknown": 0, - "remediations": 2, + "remediations": 7, "recommendations": 0, "unscanned": 0 }, @@ -49,7 +49,20 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "category": "VENDOR_FIX", + "details": "Upgrade to version 42.7.2 or later", + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56", + "advisory": { + "id": "GHSA-24rp-q3w6-vc56", + "title": "org.postgresql:postgresql vulnerable to SQL Injection via line comment generation" + } + } + ] + } }, { "id": "CVE-2022-41946", @@ -60,7 +73,17 @@ "cves": [ "CVE-2022-41946" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-562r-vg33-8x8h", + "title": "TemporaryFolder on unix-like systems does not limit access to created files" + } + } + ] + } } ], "highestVulnerability": { @@ -72,7 +95,20 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "category": "VENDOR_FIX", + "details": "Upgrade to version 42.7.2 or later", + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56", + "advisory": { + "id": "GHSA-24rp-q3w6-vc56", + "title": "org.postgresql:postgresql vulnerable to SQL Injection via line comment generation" + } + } + ] + } } } ], @@ -85,7 +121,20 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "category": "VENDOR_FIX", + "details": "Upgrade to version 42.7.2 or later", + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56", + "advisory": { + "id": "GHSA-24rp-q3w6-vc56", + "title": "org.postgresql:postgresql vulnerable to SQL Injection via line comment generation" + } + } + ] + } } }, { @@ -105,6 +154,14 @@ ], "unique": false, "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-57j2-w4cx-62h2", + "title": "Deeply nested json in jackson-databind" + } + } + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -121,7 +178,20 @@ "cves": [ "CVE-2022-42003" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "category": "WORKAROUND", + "details": "Disable UNWRAP_SINGLE_VALUE_ARRAYS feature or upgrade to 2.13.4.1 or later", + "url": "https://github.com/FasterXML/jackson-databind/issues/3590", + "advisory": { + "id": "GHSA-jjjh-jjxp-wpff", + "title": "Uncontrolled Resource Consumption in Jackson-databind" + } + } + ] + } }, { "id": "CVE-2022-42004", @@ -132,7 +202,17 @@ "cves": [ "CVE-2022-42004" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-rgv9-q543-rqg4", + "title": "Uncontrolled Resource Consumption in FasterXML jackson-databind" + } + } + ] + } } ], "highestVulnerability": { @@ -146,6 +226,14 @@ ], "unique": false, "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-57j2-w4cx-62h2", + "title": "Deeply nested json in jackson-databind" + } + } + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -166,7 +254,17 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-f8h5-v2vg-46rr", + "title": "quarkus-core leaks local environment variables from Quarkus namespace during application's build" + } + } + ] + } }, { "id": "CVE-2023-2974", @@ -179,6 +277,14 @@ ], "unique": false, "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-3fhx-3vvg-2j84", + "title": "quarkus-core vulnerable to client driven TLS cipher downgrading" + } + } + ], "trustedContent": { "ref": "pkg:maven/io.quarkus/quarkus-core@2.13.5.Final-redhat-00004?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -196,7 +302,17 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-f8h5-v2vg-46rr", + "title": "quarkus-core leaks local environment variables from Quarkus namespace during application's build" + } + } + ] + } } } ], @@ -211,6 +327,14 @@ ], "unique": false, "remediation": { + "remediations": [ + { + "advisory": { + "id": "GHSA-57j2-w4cx-62h2", + "title": "Deeply nested json in jackson-databind" + } + } + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -232,7 +356,7 @@ "medium": 0, "low": 0, "unknown": 0, - "remediations": 0, + "remediations": 2, "recommendations": 0, "unscanned": 0 }, @@ -252,7 +376,41 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "RHSA-2024:1797", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.9.SP2 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1797" + } + }, + { + "category": "NO_FIX_PLANNED", + "details": "Out of support scope", + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "RHSA-2024:1662", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.11 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1662" + } + } + ] + } } ], "highestVulnerability": { @@ -264,7 +422,41 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "RHSA-2024:1797", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.9.SP2 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1797" + } + }, + { + "category": "NO_FIX_PLANNED", + "details": "Out of support scope", + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "RHSA-2024:1662", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.11 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1662" + } + } + ] + } } } ], @@ -277,7 +469,41 @@ "cves": [ "CVE-2024-1597" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "RHSA-2024:1797", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.9.SP2 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1797" + } + }, + { + "category": "NO_FIX_PLANNED", + "details": "Out of support scope", + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "CVE-2024-1597", + "title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE", + "url": "https://www.redhat.com/#CVE-2024-1597" + } + }, + { + "advisory": { + "id": "RHSA-2024:1662", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.11 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_1662" + } + } + ] + } } }, { @@ -295,7 +521,32 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "CVE-2024-2700", + "title": "quarkus-core: Leak of local configuration properties into Quarkus applications", + "url": "https://www.redhat.com/#CVE-2024-2700" + } + }, + { + "advisory": { + "id": "RHSA-2024:2705", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.12 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_2705" + } + }, + { + "advisory": { + "id": "RHSA-2024:2106", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.8.4 release", + "url": "https://www.redhat.com/#RHSA-2024_2106" + } + } + ] + } } ], "highestVulnerability": { @@ -307,7 +558,32 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "CVE-2024-2700", + "title": "quarkus-core: Leak of local configuration properties into Quarkus applications", + "url": "https://www.redhat.com/#CVE-2024-2700" + } + }, + { + "advisory": { + "id": "RHSA-2024:2705", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.12 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_2705" + } + }, + { + "advisory": { + "id": "RHSA-2024:2106", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.8.4 release", + "url": "https://www.redhat.com/#RHSA-2024_2106" + } + } + ] + } } } ], @@ -320,7 +596,32 @@ "cves": [ "CVE-2024-2700" ], - "unique": false + "unique": false, + "remediation": { + "remediations": [ + { + "advisory": { + "id": "CVE-2024-2700", + "title": "quarkus-core: Leak of local configuration properties into Quarkus applications", + "url": "https://www.redhat.com/#CVE-2024-2700" + } + }, + { + "advisory": { + "id": "RHSA-2024:2705", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.12 release and security update", + "url": "https://www.redhat.com/#RHSA-2024_2705" + } + }, + { + "advisory": { + "id": "RHSA-2024:2106", + "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.8.4 release", + "url": "https://www.redhat.com/#RHSA-2024_2106" + } + } + ] + } } } ] @@ -333,20 +634,24 @@ }, "dependencies": [ { - "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final?type=jar", - "recommendation": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final-redhat-00004?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" + "ref": "pkg:maven/jakarta.el/jakarta.el-api@3.0.3?type=jar", + "recommendation": "pkg:maven/jakarta.el/jakarta.el-api@3.0.3.redhat-00002?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" + }, + { + "ref": "pkg:maven/jakarta.enterprise/jakarta.enterprise.cdi-api@2.0.2?type=jar", + "recommendation": "pkg:maven/jakarta.enterprise/jakarta.enterprise.cdi-api@2.0.2.redhat-00004?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" }, { "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final?type=jar", "recommendation": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final-redhat-00004?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" }, { - "ref": "pkg:maven/jakarta.el/jakarta.el-api@3.0.3?type=jar", - "recommendation": "pkg:maven/jakarta.el/jakarta.el-api@3.0.3.redhat-00002?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" + "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final?type=jar", + "recommendation": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final-redhat-00004?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" }, { - "ref": "pkg:maven/jakarta.enterprise/jakarta.enterprise.cdi-api@2.0.2?type=jar", - "recommendation": "pkg:maven/jakarta.enterprise/jakarta.enterprise.cdi-api@2.0.2.redhat-00004?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" + "ref": "pkg:maven/org.postgresql/postgresql@42.5.0?type=jar", + "recommendation": "pkg:maven/org.postgresql/postgresql@42.5.0.redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" }, { "ref": "pkg:maven/io.quarkus/quarkus-narayana-jta@2.13.5.Final?type=jar", @@ -360,10 +665,6 @@ "ref": "pkg:maven/jakarta.interceptor/jakarta.interceptor-api@1.2.5?type=jar", "recommendation": "pkg:maven/jakarta.interceptor/jakarta.interceptor-api@1.2.5.redhat-00003?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" }, - { - "ref": "pkg:maven/org.postgresql/postgresql@42.5.0?type=jar", - "recommendation": "pkg:maven/org.postgresql/postgresql@42.5.0.redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" - }, { "ref": "pkg:maven/io.quarkus/quarkus-core@2.13.5.Final?type=jar", "recommendation": "pkg:maven/io.quarkus/quarkus-core@2.13.5.Final-redhat-00004?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar" diff --git a/src/test/resources/__files/trustify/maven_report.json b/src/test/resources/__files/trustify/maven_report.json index ac4b9a55..fd417e6e 100644 --- a/src/test/resources/__files/trustify/maven_report.json +++ b/src/test/resources/__files/trustify/maven_report.json @@ -65,7 +65,13 @@ }, "status": "affected", "version_range": null, - "remediations": [] + "remediations": [ + { + "category": "workaround", + "details": "Disable UNWRAP_SINGLE_VALUE_ARRAYS feature or upgrade to 2.13.4.1 or later", + "url": "https://github.com/FasterXML/jackson-databind/issues/3590" + } + ] } ] }, @@ -342,7 +348,13 @@ }, "status": "affected", "version_range": null, - "remediations": [] + "remediations": [ + { + "category": "no_fix_planned", + "details": "Out of support scope", + "url": null + } + ] }, { "advisory": { @@ -359,7 +371,13 @@ }, "status": "affected", "version_range": null, - "remediations": [] + "remediations": [ + { + "category": "no_fix_planned", + "details": "Out of support scope", + "url": null + } + ] }, { "advisory": { @@ -441,7 +459,13 @@ }, "status": "affected", "version_range": null, - "remediations": [] + "remediations": [ + { + "category": "vendor_fix", + "details": "Upgrade to version 42.7.2 or later", + "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56" + } + ] }, { "advisory": {