Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CONVENTIONS.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
- **Formatter toggle**: `// fmt:off` / `// fmt:on` to disable formatting (used in Camel DSL code)
- **Encoding**: UTF-8
- **Line endings**: LF, trim trailing whitespace, final newline
- **Method length**: Methods should not exceed ~40 lines of logic. When a method grows beyond this, extract cohesive blocks into well-named private helpers. Duplicated blocks across methods must always be extracted.

## Naming Conventions

Expand Down
2 changes: 1 addition & 1 deletion pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@
<deploy-plugin.version>3.1.1</deploy-plugin.version>

<!-- Dependencies -->
<trustify-da-api.version>2.0.10</trustify-da-api.version>
<trustify-da-api.version>2.0.11</trustify-da-api.version>
<cyclonedx.version>11.0.1</cyclonedx.version>
<sentry.version>7.8.0</sentry.version>
<spdx.version>2.0.2</spdx.version>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,13 @@
package io.github.guacsec.trustifyda.integration.providers.trustify;

import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;

import org.apache.camel.Exchange;
Expand All @@ -34,6 +36,7 @@
import com.fasterxml.jackson.databind.node.ObjectNode;

import io.github.guacsec.trustifyda.api.PackageRef;
import io.github.guacsec.trustifyda.api.v5.AdvisoryInfo;
import io.github.guacsec.trustifyda.api.v5.Issue;
import io.github.guacsec.trustifyda.api.v5.Remediation;
import io.github.guacsec.trustifyda.api.v5.RemediationCategory;
Expand Down Expand Up @@ -131,6 +134,7 @@ private List<Issue> toIssues(JsonNode response) {
}
var key = String.format("%s:%s", source, id);
if (issuesByCveSource.containsKey(key)) {
mergeIssueData(issuesByCveSource.get(key), vuln, purlStatus);
return;
}
var issue = new Issue().id(id).title(iTitle).source(source).cves(List.of(id));
Expand Down Expand Up @@ -158,6 +162,59 @@ private List<String> getWarnings(JsonNode entryValue) {
}

private void setCvssData(Issue issue, JsonNode vuln, JsonNode purlStatus) {
var sd = extractScoreData(vuln, purlStatus);

if (sd.score != null) {
issue.cvssScore(sd.score);
}
if (sd.severity != null) {
try {
issue.setSeverity(SeverityUtils.fromValue(sd.severity.toUpperCase()));
} catch (IllegalArgumentException e) {
LOGGER.infof(
"Unknown severity value: %s, falling back to score-based severity", sd.severity);
if (sd.score != null) {
issue.setSeverity(SeverityUtils.fromScore(sd.score));
}
}
} else if (sd.score != null) {
issue.setSeverity(SeverityUtils.fromScore(sd.score));
}

var r = new Remediation();
boolean hasRemediation = processVersionRange(purlStatus, r, false);
hasRemediation |= processRemediations(purlStatus, r);

if (hasRemediation) {
issue.setRemediation(r);
}
}

private void mergeIssueData(Issue existing, JsonNode vuln, JsonNode purlStatus) {
var sd = extractScoreData(vuln, purlStatus);

if (sd.score != null
&& (existing.getCvssScore() == null || sd.score > existing.getCvssScore())) {
existing.cvssScore(sd.score);
if (sd.severity != null) {
try {
existing.setSeverity(SeverityUtils.fromValue(sd.severity.toUpperCase()));
} catch (IllegalArgumentException e) {
existing.setSeverity(SeverityUtils.fromScore(sd.score));
}
} else {
existing.setSeverity(SeverityUtils.fromScore(sd.score));
}
}

var r = ensureRemediation(existing);
processVersionRange(purlStatus, r, true);
processRemediations(purlStatus, r);
}

private record ScoreData(Float score, String severity) {}

private ScoreData extractScoreData(JsonNode vuln, JsonNode purlStatus) {
Float score = null;
String severity = null;

Expand All @@ -180,56 +237,52 @@ private void setCvssData(Issue issue, JsonNode vuln, JsonNode purlStatus) {
}
}

if (score != null) {
issue.cvssScore(score);
}
if (severity != null) {
try {
issue.setSeverity(SeverityUtils.fromValue(severity.toUpperCase()));
} catch (IllegalArgumentException e) {
LOGGER.infof("Unknown severity value: %s, falling back to score-based severity", severity);
if (score != null) {
issue.setSeverity(SeverityUtils.fromScore(score));
}
}
} else if (score != null) {
issue.setSeverity(SeverityUtils.fromScore(score));
}

var r = new Remediation();
boolean hasRemediation = false;
return new ScoreData(score, severity);
}

private boolean processVersionRange(JsonNode purlStatus, Remediation r, boolean dedup) {
var versionRange = purlStatus.get("version_range");
if (versionRange != null && !versionRange.isNull()) {
var vr = new VersionRange();
var schemeId = JsonUtils.getTextValue(versionRange, "version_scheme_id");
if (schemeId != null) {
vr.versionSchemeId(schemeId);
}
var lowVersion = JsonUtils.getTextValue(versionRange, "low_version");
if (lowVersion != null) {
vr.lowVersion(lowVersion);
}
var lowInclusive = JsonUtils.getBooleanValue(versionRange, "low_inclusive");
if (lowInclusive != null) {
vr.lowInclusive(lowInclusive);
}
var highVersion = JsonUtils.getTextValue(versionRange, "high_version");
var highInclusive = JsonUtils.getBooleanValue(versionRange, "high_inclusive");
if (highVersion != null) {
vr.highVersion(highVersion);
if (highInclusive == null || !highInclusive) {
if (versionRange == null || versionRange.isNull()) {
return false;
}
var vr = new VersionRange();
var schemeId = JsonUtils.getTextValue(versionRange, "version_scheme_id");
if (schemeId != null) {
vr.versionSchemeId(schemeId);
}
var lowVersion = JsonUtils.getTextValue(versionRange, "low_version");
if (lowVersion != null) {
vr.lowVersion(lowVersion);
}
var lowInclusive = JsonUtils.getBooleanValue(versionRange, "low_inclusive");
if (lowInclusive != null) {
vr.lowInclusive(lowInclusive);
}
var highVersion = JsonUtils.getTextValue(versionRange, "high_version");
var highInclusive = JsonUtils.getBooleanValue(versionRange, "high_inclusive");
if (highVersion != null) {
vr.highVersion(highVersion);
if (highInclusive == null || !highInclusive) {
if (dedup) {
var fixedIn = r.getFixedIn();
if (fixedIn == null || !fixedIn.contains(highVersion)) {
r.addFixedInItem(highVersion);
}
} else {
r.addFixedInItem(highVersion);
}
}
if (highInclusive != null) {
vr.highInclusive(highInclusive);
}
r.addVersionRangesItem(vr);
hasRemediation = true;
}
if (highInclusive != null) {
vr.highInclusive(highInclusive);
}
r.addVersionRangesItem(vr);
return true;
}

private boolean processRemediations(JsonNode purlStatus, Remediation r) {
var remediations = (ArrayNode) purlStatus.get("remediations");
var advisoryInfo = buildAdvisoryInfo(purlStatus);
if (remediations != null && !remediations.isEmpty()) {
remediations.forEach(
rem -> {
Expand All @@ -248,16 +301,90 @@ private void setCvssData(Issue issue, JsonNode vuln, JsonNode purlStatus) {
}
var url = JsonUtils.getTextValue(rem, "url");
if (url != null) {
info.url(url);
try {
info.url(URI.create(url));
} catch (IllegalArgumentException e) {
LOGGER.infof("Invalid remediation URL: %s", url);
}
}
if (advisoryInfo != null) {
info.advisory(advisoryInfo);
}
if (!isDuplicateRemediation(r, info)) {
r.addRemediationsItem(info);
}
r.addRemediationsItem(info);
});
hasRemediation = true;
return true;
} else {
var info =
buildRemediationInfo(purlStatus, r.getFixedIn() != null && !r.getFixedIn().isEmpty());
if (info != null && !isDuplicateRemediation(r, info)) {
r.addRemediationsItem(info);
return true;
}
}
return false;
}

if (hasRemediation) {
private boolean isDuplicateRemediation(Remediation r, RemediationInfo info) {
var existing = r.getRemediations();
if (existing == null) {
return false;
}
return existing.stream()
.anyMatch(
e ->
Objects.equals(e.getCategory(), info.getCategory())
&& Objects.equals(e.getDetails(), info.getDetails())
&& Objects.equals(
e.getAdvisory() != null ? e.getAdvisory().getId() : null,
info.getAdvisory() != null ? info.getAdvisory().getId() : null));
}

private Remediation ensureRemediation(Issue issue) {
var r = issue.getRemediation();
if (r == null) {
r = new Remediation();
issue.setRemediation(r);
}
return r;
}

private AdvisoryInfo buildAdvisoryInfo(JsonNode purlStatus) {
var advisory = purlStatus.get("advisory");
if (advisory == null) {
return null;
}
var documentId = JsonUtils.getTextValue(advisory, "document_id");
if (documentId == null) {
return null;
}
var info = new AdvisoryInfo().id(documentId);
var title = JsonUtils.getTextValue(advisory, "title");
if (title != null) {
info.title(title);
}
var identifier = JsonUtils.getTextValue(advisory, "identifier");
if (identifier != null && identifier.startsWith("http")) {
try {
info.url(URI.create(identifier));
} catch (IllegalArgumentException e) {
LOGGER.infof("Invalid advisory URL: %s", identifier);
}
}
return info;
}

private RemediationInfo buildRemediationInfo(JsonNode purlStatus, boolean hasFixedVersions) {
var advisoryInfo = buildAdvisoryInfo(purlStatus);
if (advisoryInfo == null) {
return null;
}
var info = new RemediationInfo().advisory(advisoryInfo);
if (hasFixedVersions) {
info.category(RemediationCategory.VENDOR_FIX);
}
return info;
}

private String getSource(JsonNode purlStatus) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@

import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
Expand All @@ -28,6 +29,7 @@
import io.quarkus.runtime.annotations.RegisterForReflection;

@RegisterForReflection
@JsonIgnoreProperties(ignoreUnknown = true)
public class Vulnerability {

private String id;
Expand Down
Loading
Loading