
Commit 70088eb

committed
feat: update trustification-exhort integration with updated data model
Signed-off-by: Ruben Romero Montes <[email protected]>
1 parent 779d8c1 commit 70088eb


3 files changed

+934
-323
lines changed


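--- a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java
@@ -33,7 +33,7 @@
 @ApplicationScoped
 public class TrustificationIntegration extends EndpointRouteBuilder {
 
-@ConfigProperty(name = "api.trustification.timeout", defaultValue = "30s")
+@ConfigProperty(name = "api.trustification.timeout", defaultValue = "60s")
 String timeout;
 
 @Inject TrustificationResponseHandler responseHandler;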

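--- a/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java
+++ b/src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationResponseHandler.java
@@ -31,7 +31,6 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.redhat.exhort.api.SeverityUtils;
 import com.redhat.exhort.api.v4.Issue;
-import com.redhat.exhort.api.v4.Severity;
 import com.redhat.exhort.integration.providers.ProviderResponseHandler;
 import com.redhat.exhort.model.CvssParser;
 import com.redhat.exhort.model.DependencyTree;
@@ -63,89 +62,93 @@ public Map<String, List<Issue>> responseToIssues(
 .elements()
 .forEachRemaining(
 cveJson -> {
-String cve = cveJson.get("id").asText().toUpperCase();
+String cve = cveJson.get("cveMetadata").get("cveId").asText().toUpperCase();
 cvesJson.put(cve, cveJson);
 });
 response
 .get("analysis")
 .fields()
 .forEachRemaining(
-e -> {
-String ref = e.getKey();
+analysisEntry -> {
+String ref = analysisEntry.getKey();
 if (!issuesData.containsKey(ref)) {
 issuesData.put(ref, new ArrayList<>());
 }
 List<Issue> issues = issuesData.get(ref);
-e.getValue()
+analysisEntry
+.getValue()
 .forEach(
 analysis -> {
 String vendor = analysis.get("vendor").asText();
 analysis
 .get("vulnerable")
 .forEach(
 vulnerable -> {
-String vulnId = vulnerable.get("id").asText().toUpperCase();
-Issue issue = new Issue().id(vulnId).source(vendor);
-vulnerable
-.get("severity")
-.forEach(
-severity -> {
-if (severity
-.get("source")
-.asText()
-.toLowerCase()
-.equals(vendor)) {
-Double dscore = severity.get("score").asDouble(0);
-issue.cvssScore(dscore.floatValue());
-}
-});
-
-if (isCVE(vulnId)) {
-issue.addCvesItem(vulnId);
+var issue = newIssueFromVulnerability(vulnerable, vendor);
+if (issue.getCves() != null && !issue.getCves().isEmpty()) {
+completeIssueData(issue, cvesJson);
+issues.add(issue);
 }
-vulnerable
-.get("aliases")
-.forEach(
-a -> {
-String alias = a.asText();
-if (isCVE(alias)) {
-issue.addCvesItem(alias.toUpperCase());
-}
-;
-});
-completeIssueData(issue, cvesJson);
-issues.add(issue);
 });
 });
 });
 
 return issuesData;
 }
 
+private Issue newIssueFromVulnerability(JsonNode vulnerable, String vendor) {
+var vulnId = vulnerable.get("id").asText().toUpperCase();
+var issue = new Issue().id(vulnId).source(vendor);
+vulnerable
+.get("severity")
+.forEach(
+severity -> {
+if (severity.get("source").asText().toLowerCase().equals(vendor)) {
+Double dscore = severity.get("score").asDouble(0);
+issue.cvssScore(dscore.floatValue());
+}
+});
+
+if (isCVE(vulnId)) {
+issue.addCvesItem(vulnId);
+}
+vulnerable
+.get("aliases")
+.forEach(
+a -> {
+String alias = a.asText();
+if (isCVE(alias)) {
+issue.addCvesItem(alias.toUpperCase());
+}
+;
+});
+return issue;
+}
+
 private void completeIssueData(Issue issue, Map<String, JsonNode> cvesJson) {
 Optional<String> firstCve =
 issue.getCves().stream().filter(cve -> cvesJson.keySet().contains(cve)).findFirst();
 if (firstCve.isEmpty()) {
-issue.severity(SeverityUtils.fromScore(issue.getCvssScore()));
 issue.unique(Boolean.TRUE);
 return;
 }
-JsonNode cveJson = cvesJson.get(firstCve.get());
-issue.title(cveJson.get("cisaVulnerabilityName").asText());
-
-cveJson
-.get("metrics")
-.get("cvssMetricV31")
-.forEach(
-metric -> {
-if ("Primary".equalsIgnoreCase(metric.get("type").asText())) {
-issue.cvss(
-CvssParser.fromVectorString(
-metric.get("cvssData").get("vectorString").asText()));
-issue.severity(
-Severity.fromValue(metric.get("cvssData").get("baseSeverity").asText()));
-}
-});
+issue.severity(SeverityUtils.fromScore(issue.getCvssScore()));
+var cveJson = cvesJson.get(firstCve.get());
+var cnaContainer = cveJson.get("containers").get("cna");
+var title = cnaContainer.get("title");
+if (title != null) {
+issue.title(title.asText());
+}
+var metrics = cnaContainer.get("metrics");
+if (metrics != null) {
+metrics.forEach(
+metric -> {
+if (metric.has("cvssV3_1")) {
+issue.cvss(
+CvssParser.fromVectorString(metric.get("cvssV3_1").get("vectorString").asText()));
+}
+});
+}
 }
 
 private boolean isCVE(String vulnerabilityId) {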
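Review bot: In `completeIssueData` the early-return branch for an issue whose CVEs are not in `cvesJson` no longer sets a severity, because `issue.severity(SeverityUtils.fromScore(issue.getCvssScore()));` now sits below the `return`; unless severity is filled in elsewhere, those issues are reported as unique with none. Moving that line above `if (firstCve.isEmpty())` keeps both paths consistent. The same method null-checks `title` and `metrics` but dereferences `cveJson.get("containers").get("cna")` and `metric.get("cvssV3_1").get("vectorString")` unchecked, and `responseToIssues` does the same with `cveJson.get("cveMetadata").get("cveId")`, so a single upstream record missing one of those fields would likely throw a NullPointerException out of the loop; `path(...)` with a `hasNonNull` guard would skip only that record. The new `issue.getCves()` check also drops every vulnerability that has no CVE id or alias from the result without a log line, which under-reports findings and deserves at least a comment and a debug log naming the skipped id. `responseToIssues` begins outside the hunk.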
