Merge pull request #237 from ruromero/fix-coordinates

ruromero · web-flow · commit 1217e1626b2e · 2023-12-14T13:00:09.000+01:00
fix: oss-index requires canonicalized purls
diff --git a/src/main/java/com/redhat/exhort/integration/backend/sbom/cyclonedx/CycloneDxParser.java b/src/main/java/com/redhat/exhort/integration/backend/sbom/cyclonedx/CycloneDxParser.java
@@ -59,10 +59,7 @@ protected DependencyTree buildTree(InputStream input) {
         componentPurls.putAll(
             bom.getComponents().stream()
                 .filter(c -> c.getBomRef() != null)
-                .collect(
-                    Collectors.toMap(
-                        Component::getBomRef,
-                        c -> PackageRef.builder().purl(c.getPurl()).build())));
+                .collect(Collectors.toMap(Component::getBomRef, c -> new PackageRef(c.getPurl()))));
       }
 
       if (bom.getMetadata() == null) {
diff --git a/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexRequestBuilder.java b/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexRequestBuilder.java
@@ -20,7 +20,6 @@
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Objects;
 
 import org.apache.camel.Body;
 import org.apache.camel.Header;
@@ -71,11 +70,9 @@ public boolean missingAuthHeaders(
 
   public String buildRequest(List<PackageRef> packages) throws JsonProcessingException {
     var coordinates = mapper.createArrayNode();
-    packages.stream()
-        .map(PackageRef::purl)
-        .filter(Objects::nonNull)
-        .forEach(purl -> coordinates.add(purl.getCoordinates()));
-
+    // oss-index don't allow qualifiers
+    // getCoordinates method is NOT idempotent!
+    packages.forEach(p -> coordinates.add(new PackageRef(p.toString()).purl().getCoordinates()));
     var root = mapper.createObjectNode().set("coordinates", coordinates);
     return mapper.writeValueAsString(root);
   }
diff --git a/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexResponseHandler.java
@@ -25,8 +25,10 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 import org.apache.camel.Body;
+import org.apache.camel.ExchangeProperty;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -37,6 +39,7 @@
 import com.redhat.exhort.api.v4.Issue;
 import com.redhat.exhort.api.v4.SeverityUtils;
 import com.redhat.exhort.config.ObjectMapperProducer;
+import com.redhat.exhort.integration.Constants;
 import com.redhat.exhort.integration.providers.ProviderResponseHandler;
 import com.redhat.exhort.model.CvssParser;
 import com.redhat.exhort.model.DependencyTree;
@@ -83,18 +86,26 @@ public ProviderResponse aggregateSplit(ProviderResponse oldExchange, ProviderRes
   }
 
   public ProviderResponse responseToIssues(
-      @Body byte[] response, String privateProviders, DependencyTree tree) throws IOException {
+      @Body byte[] response,
+      String privateProviders,
+      @ExchangeProperty(Constants.DEPENDENCY_TREE_PROPERTY) DependencyTree tree)
+      throws IOException {
     var json = (ArrayNode) mapper.readTree(response);
-    return new ProviderResponse(getIssues(json), null);
+    return new ProviderResponse(getIssues(json, tree), null);
   }
 
-  private Map<String, List<Issue>> getIssues(ArrayNode response) {
+  private Map<String, List<Issue>> getIssues(ArrayNode response, DependencyTree tree) {
     Map<String, List<Issue>> reports = new HashMap<>();
+    Map<String, PackageRef> coordinates =
+        tree.getAll().stream()
+            .collect(
+                Collectors.toMap(
+                    d -> new PackageRef(d.toString()).purl().getCoordinates(), d -> d));
     response.forEach(
         n -> {
           var pkgRef = n.get("coordinates").asText();
           try {
-            var key = PackageRef.builder().purl(pkgRef).build();
+            var key = coordinates.get(pkgRef);
             List<Issue> issues = new ArrayList<>();
             var vulnerabilities = (ArrayNode) n.get("vulnerabilities");
             vulnerabilities.forEach(v -> issues.add(toIssue(v)));
diff --git a/src/test/resources/__files/reports/report_all_token.json b/src/test/resources/__files/reports/report_all_token.json
@@ -23,15 +23,15 @@
             "high": 3,
             "medium": 0,
             "low": 0,
-            "remediations": 0,
-            "recommendations": 0
+            "remediations": 1,
+            "recommendations": 2
           },
           "dependencies": [
             {
-              "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final",
+              "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final?type=jar",
               "transitive": [
                 {
-                  "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
+                  "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1?type=jar",
                   "issues": [
                     {
                       "id": "CVE-2020-36518",
@@ -51,7 +51,14 @@
                       "cvssScore": 7.5,
                       "severity": "HIGH",
                       "cves": ["CVE-2020-36518"],
-                      "unique": false
+                      "unique": false,
+                      "remediation": {
+                        "trustedContent": {
+                          "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
+                          "status": "NotAffected",
+                          "justification": "VulnerableCodeNotPresent"
+                        }
+                      }
                     },
                     {
                       "id": "CVE-2022-42003",
@@ -112,10 +119,18 @@
                     "cvssScore": 7.5,
                     "severity": "HIGH",
                     "cves": ["CVE-2020-36518"],
-                    "unique": false
+                    "unique": false,
+                    "remediation": {
+                      "trustedContent": {
+                        "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
+                        "status": "NotAffected",
+                        "justification": "VulnerableCodeNotPresent"
+                      }
+                    }
                   }
                 }
               ],
+              "recommendation": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
               "highestVulnerability": {
                 "id": "CVE-2020-36518",
                 "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write",
@@ -134,8 +149,19 @@
                 "cvssScore": 7.5,
                 "severity": "HIGH",
                 "cves": ["CVE-2020-36518"],
-                "unique": false
+                "unique": false,
+                "remediation": {
+                  "trustedContent": {
+                    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
+                    "status": "NotAffected",
+                    "justification": "VulnerableCodeNotPresent"
+                  }
+                }
               }
+            },
+            {
+              "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final?type=jar",
+              "recommendation": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar"
             }
           ]
         }
@@ -167,15 +193,15 @@
             "high": 1,
             "medium": 3,
             "low": 0,
-            "remediations": 0,
-            "recommendations": 0
+            "remediations": 1,
+            "recommendations": 2
           },
           "dependencies": [
             {
-              "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final",
+              "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final?type=jar",
               "transitive": [
                 {
-                  "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
+                  "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1?type=jar",
                   "issues": [
                     {
                       "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244",
@@ -197,7 +223,12 @@
                       "cves": ["CVE-2020-36518"],
                       "unique": false,
                       "remediation": {
-                        "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"]
+                        "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"],
+                        "trustedContent": {
+                          "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
+                          "status": "NotAffected",
+                          "justification": "VulnerableCodeNotPresent"
+                        }
                       }
                     },
                     {
@@ -268,11 +299,17 @@
                     "cves": ["CVE-2020-36518"],
                     "unique": false,
                     "remediation": {
-                      "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"]
+                      "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"],
+                      "trustedContent": {
+                        "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
+                        "status": "NotAffected",
+                        "justification": "VulnerableCodeNotPresent"
+                      }
                     }
                   }
                 }
               ],
+              "recommendation": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
               "highestVulnerability": {
                 "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244",
                 "title": "Denial of Service (DoS)",
@@ -293,15 +330,20 @@
                 "cves": ["CVE-2020-36518"],
                 "unique": false,
                 "remediation": {
-                  "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"]
+                  "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"],
+                  "trustedContent": {
+                    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
+                    "status": "NotAffected",
+                    "justification": "VulnerableCodeNotPresent"
+                  }
                 }
               }
             },
             {
-              "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final",
+              "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final?type=jar",
               "transitive": [
                 {
-                  "ref": "pkg:maven/org.postgresql/postgresql@42.5.0",
+                  "ref": "pkg:maven/org.postgresql/postgresql@42.5.0?type=jar",
                   "issues": [
                     {
                       "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
@@ -352,6 +394,7 @@
                   }
                 }
               ],
+              "recommendation": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
               "highestVulnerability": {
                 "id": "SNYK-JAVA-ORGPOSTGRESQL-3146847",
                 "title": "Information Exposure",
diff --git a/src/test/resources/__files/reports/v3/report_all_token.json b/src/test/resources/__files/reports/v3/report_all_token.json
@@ -6,18 +6,18 @@
     },
     "vulnerabilities": {
       "direct": 0,
-      "total": 4,
+      "total": 7,
       "critical": 0,
-      "high": 1,
+      "high": 4,
       "medium": 3,
       "low": 0
     },
     "providerStatuses": [
       {
-        "ok": false,
+        "ok": true,
         "provider": "oss-index",
-        "status": 401,
-        "message": "Unauthorized: Verify the provided credentials are valid."
+        "status": 200,
+        "message": "OK"
       },
       {
         "ok": true,
@@ -34,6 +34,128 @@
     ]
   },
   "dependencies": [
+    {
+      "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final?type=jar",
+      "transitive": [
+        {
+          "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1?type=jar",
+          "issues": [
+            {
+              "id": "CVE-2020-36518",
+              "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write",
+              "source": "oss-index",
+              "cvss": {
+                "attackVector": "Network",
+                "attackComplexity": "Low",
+                "privilegesRequired": "None",
+                "userInteraction": "None",
+                "scope": "Unchanged",
+                "confidentialityImpact": "None",
+                "integrityImpact": "None",
+                "availabilityImpact": "High",
+                "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+              },
+              "cvssScore": 7.5,
+              "severity": "HIGH",
+              "cves": ["CVE-2020-36518"],
+              "unique": false
+            },
+            {
+              "id": "CVE-2022-42003",
+              "title": "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data",
+              "source": "oss-index",
+              "cvss": {
+                "attackVector": "Network",
+                "attackComplexity": "Low",
+                "privilegesRequired": "None",
+                "userInteraction": "None",
+                "scope": "Unchanged",
+                "confidentialityImpact": "None",
+                "integrityImpact": "None",
+                "availabilityImpact": "High",
+                "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+              },
+              "cvssScore": 7.5,
+              "severity": "HIGH",
+              "cves": ["CVE-2022-42003"],
+              "unique": false
+            },
+            {
+              "id": "CVE-2022-42004",
+              "title": "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data",
+              "source": "oss-index",
+              "cvss": {
+                "attackVector": "Network",
+                "attackComplexity": "Low",
+                "privilegesRequired": "None",
+                "userInteraction": "None",
+                "scope": "Unchanged",
+                "confidentialityImpact": "None",
+                "integrityImpact": "None",
+                "availabilityImpact": "High",
+                "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+              },
+              "cvssScore": 7.5,
+              "severity": "HIGH",
+              "cves": ["CVE-2022-42004"],
+              "unique": false
+            }
+          ],
+          "remediations": {
+            "CVE-2020-36518": {
+              "issueRef": "CVE-2020-36518",
+              "mavenPackage": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
+              "productStatus": "NotAffected"
+            }
+          },
+          "highestVulnerability": {
+            "id": "CVE-2020-36518",
+            "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write",
+            "source": "oss-index",
+            "cvss": {
+              "attackVector": "Network",
+              "attackComplexity": "Low",
+              "privilegesRequired": "None",
+              "userInteraction": "None",
+              "scope": "Unchanged",
+              "confidentialityImpact": "None",
+              "integrityImpact": "None",
+              "availabilityImpact": "High",
+              "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+            },
+            "cvssScore": 7.5,
+            "severity": "HIGH",
+            "cves": ["CVE-2020-36518"],
+            "unique": false
+          }
+        }
+      ],
+      "recommendation": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
+      "highestVulnerability": {
+        "id": "CVE-2020-36518",
+        "title": "[CVE-2020-36518] CWE-787: Out-of-bounds Write",
+        "source": "oss-index",
+        "cvss": {
+          "attackVector": "Network",
+          "attackComplexity": "Low",
+          "privilegesRequired": "None",
+          "userInteraction": "None",
+          "scope": "Unchanged",
+          "confidentialityImpact": "None",
+          "integrityImpact": "None",
+          "availabilityImpact": "High",
+          "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        },
+        "cvssScore": 7.5,
+        "severity": "HIGH",
+        "cves": ["CVE-2020-36518"],
+        "unique": false
+      }
+    },
+    {
+      "ref": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.5.Final?type=jar",
+      "recommendation": "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar"
+    },
     {
       "ref": "pkg:maven/io.quarkus/quarkus-hibernate-orm@2.13.5.Final?type=jar",
       "transitive": [
