From e665687cb82d7cb8e643034309bcc5fcb0f70b58 Mon Sep 17 00:00:00 2001 From: Frank Viernau Date: Wed, 29 Jan 2025 09:02:10 +0100 Subject: [PATCH] fix(black-duck): Properly parse vector and scoring system from CVSS2 The resulting `vector` parsed from a given CVSS2 data structure accidentally kept surrounding braces. Furthermore, extracting the `scoringSystem` via `substringBefore('/')` gave wrong results, because a CVSS2 vector does not have such a scoring system prefix at all, but contains slashes, see also the diff in `CVE-2015-3996-parsed.yml`. Signed-off-by: Frank Viernau --- .../black-duck/src/main/kotlin/BlackDuck.kt | 22 +++++++++++++-- .../src/test/assets/CVE-2015-3996-parsed.yml | 28 +++++++++---------- 2 files changed, 33 insertions(+), 17 deletions(-) diff --git a/plugins/advisors/black-duck/src/main/kotlin/BlackDuck.kt b/plugins/advisors/black-duck/src/main/kotlin/BlackDuck.kt index 87e5c3c15cc99..f312c1d026a76 100644 --- a/plugins/advisors/black-duck/src/main/kotlin/BlackDuck.kt +++ b/plugins/advisors/black-duck/src/main/kotlin/BlackDuck.kt @@ -19,6 +19,8 @@ package org.ossreviewtoolkit.plugins.advisors.blackduck +import com.blackduck.integration.blackduck.api.generated.component.VulnerabilityCvss2View +import com.blackduck.integration.blackduck.api.generated.component.VulnerabilityCvss3View import com.blackduck.integration.blackduck.api.generated.view.OriginView import com.blackduck.integration.blackduck.api.generated.view.VulnerabilityView @@ -42,6 +44,7 @@ import org.ossreviewtoolkit.model.Package import org.ossreviewtoolkit.model.Severity import org.ossreviewtoolkit.model.createAndLogIssue import org.ossreviewtoolkit.model.vulnerabilities.Cvss2Rating +import org.ossreviewtoolkit.model.vulnerabilities.Cvss3Rating import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference import org.ossreviewtoolkit.plugins.api.OrtPlugin 
@@ -199,9 +202,10 @@ class BlackDuck( internal fun VulnerabilityView.toOrtVulnerability(): Vulnerability { val referenceUris = setOf(meta.href.uri(), *meta.links.map { it.href.uri() }.toTypedArray()) - val vector = cvss3?.vector ?: cvss2?.vector - // Only CVSS version 2 vectors do not contain the "CVSS:" label and version prefix - val scoringSystem = vector?.substringBefore('/', Cvss2Rating.PREFIXES.first()) + + val (scoringSystem, vector) = cvss3?.getScoringSystemAndVector() + ?: cvss2?.getScoringSystemAndVector() + ?: null to null val references = referenceUris.map { uri -> VulnerabilityReference( @@ -220,6 +224,18 @@ internal fun VulnerabilityView.toOrtVulnerability(): Vulnerability { ) } +private fun VulnerabilityCvss3View.getScoringSystemAndVector(): Pair { + val scoringSystem = vector.substringBefore('/', "").takeUnless { it.isEmpty() } + ?: Cvss3Rating.PREFIXES.first() + return scoringSystem to vector +} + +private fun VulnerabilityCvss2View.getScoringSystemAndVector(): Pair { + val scoringSystem = Cvss2Rating.PREFIXES.first() + val parsedVector = vector.removeSurrounding("(", ")") + return scoringSystem to parsedVector +} + private val OriginView.identifier get() = "$externalNamespace:$externalId" private fun Map>.getSummary(): String = diff --git a/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml b/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml index 9c8222b6e37c5..eb8d36dd4f730 100644 --- a/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml +++ b/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml 
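Review bot: The removed comment was the only place in toOrtVulnerability() that explained why CVSS3 is preferred and why CVSS2 needs different handling; the new `val (scoringSystem, vector) = cvss3?.getScoringSystemAndVector() ?: cvss2?.getScoringSystemAndVector() ?: null to null` carries none of that context. Suggest a short comment above it, `// Prefer CVSS3 over CVSS2 when both are present; the per-version parsing lives in getScoringSystemAndVector().`. The body of toOrtVulnerability() continues past the end of this hunk.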
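Review bot: `VulnerabilityCvss3View.getScoringSystemAndVector()` records whatever precedes the first '/' of the vector as the scoring system, so a CVSS3 vector that arrives from the Black Duck API without its "CVSS:" label would be reported with a scoring system such as "AV:N" — the same mis-parse this commit fixes for the CVSS2 side. Because the vector is untrusted API output, the prefix should be checked rather than assumed: `val scoringSystem = vector.substringBefore('/', "").takeIf { it.startsWith("CVSS:") } ?: Cvss3Rating.PREFIXES.first()`. Both helpers also call `vector.` directly on a value from a generated Java view; if that field can be null, the call throws here instead of reaching the `null to null` fallback in the caller, which is worth confirming against the view class. A one-line KDoc on each helper stating the version-specific rule (CVSS2 vectors have no "CVSS:" label and are wrapped in parentheses by Black Duck) would preserve the explanation the removed comment used to provide.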
@@ -7,37 +7,37 @@ description: "The default AFSecurityPolicy.validatesDomainName configuration for \
 to spoof SSL servers via an arbitrary valid certificate."
 references:
 - url: "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2015-3996"
- scoring_system: "(AV:N"
+ scoring_system: "CVSS2"
 severity: "MEDIUM"
 score: 4.3
- vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://zeiss.app.blackduck.com/api/cwes/CWE-254"
- scoring_system: "(AV:N"
+ scoring_system: "CVSS2"
 severity: "MEDIUM"
 score: 4.3
- vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "http://www.securityfocus.com/bid/76242"
- scoring_system: "(AV:N"
+ scoring_system: "CVSS2"
 severity: "MEDIUM"
 score: 4.3
- vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://github.com/AFNetworking/AFNetworking/issues/2619"
- scoring_system: "(AV:N"
+ scoring_system: "CVSS2"
 severity: "MEDIUM"
 score: 4.3
- vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3"
- scoring_system: "(AV:N"
+ scoring_system: "CVSS2"
 severity: "MEDIUM"
 score: 4.3
- vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://owncloud.org/security/advisory/?id=oc-sa-2015-012"
- scoring_system: "(AV:N"
+ scoring_system: "CVSS2"
 severity: "MEDIUM"
 score: 4.3
- vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3996"
- scoring_system: "(AV:N"
+ scoring_system: "CVSS2"
 severity: "MEDIUM"
 score: 4.3
- vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"