diff --git a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java
index ec61ecfc..348c4855 100644
--- a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java
+++ b/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java
@@ -100,13 +100,15 @@ private List toIssues(String ref, ArrayNode response) {
 return issues;
 }
 
- // Parse only V3.1 and V3.0 CVSS vectors
+ // Parse only V3.1, V3.0 and V2 CVSS vectors
 private void setMetrics(JsonNode metrics, Issue issue) {
 ArrayNode metricsNode = null;
 if (metrics.has("cvssMetricV31")) {
 metricsNode = (ArrayNode) metrics.get("cvssMetricV31");
 } else if (metrics.has("cvssMetricV30")) {
 metricsNode = (ArrayNode) metrics.get("cvssMetricV30");
+ } else if (metrics.has("cvssMetricV2")) {
+ metricsNode = (ArrayNode) metrics.get("cvssMetricV2");
 }
 if (metricsNode == null) {
 return;
diff --git a/src/main/java/com/redhat/exhort/model/CvssParser.java b/src/main/java/com/redhat/exhort/model/CvssParser.java
index 66c2556e..fc3db4b6 100644
--- a/src/main/java/com/redhat/exhort/model/CvssParser.java
+++ b/src/main/java/com/redhat/exhort/model/CvssParser.java
@@ -33,6 +33,9 @@ public class CvssParser {
 private static final record IndexItem(
 BiConsumer setter, Map parameters) {}
 
+ private static final String V3_1 = "CVSS:3.1";
+ private static final String V3_0 = "CVSS:3.0";
+
 private static final Map INDEX = new HashMap<>();
 private static final Map ATTACK_VECTORS = new HashMap<>();
 private static final Map ATTACK_COMPLEXITY = new HashMap<>();
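Review bot: The new `cvssMetricV2` branch repeats the unchecked `(ArrayNode)` cast used for `cvssMetricV31`/`cvssMetricV30`, so a provider response in which that key holds anything but an array fails the whole issue with a ClassCastException instead of being skipped the way a missing key is. The value comes straight from the upstream NVD payload, so check the node shape before casting, e.g. `JsonNode v2 = metrics.path("cvssMetricV2"); if (v2.isArray()) { metricsNode = (ArrayNode) v2; }`, and the two existing branches would benefit from the same guard. In the NVD API 2.0 schema a v2 metric keeps `baseSeverity` beside `cvssData` rather than inside it as v3 does; if the rest of setMetrics, which continues outside the hunk, reads severity from `cvssData`, the v2 path will not find it. The updated comment could also spell out the precedence: `// Prefer CVSS v3.1, then v3.0; fall back to v2 only when no v3 metric is present`.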
@@ -44,6 +47,13 @@ private static final record IndexItem(
 private static final Map REMEDIATION_LEVEL = new HashMap<>();
 private static final Map REPORT_CONFIDENCE = new HashMap<>();
 
+ private static final Map INDEX_V2 = new HashMap<>();
+ private static final Map AUTHENTICATION_V2 = new HashMap<>();
+ private static final Map CONFIDENTIALITY_V2 = new HashMap<>();
+ private static final Map EXPLOIT_CODE_MATURITY_V2 = new HashMap<>();
+ private static final Map REMEDIATION_LEVEL_V2 = new HashMap<>();
+ private static final Map REPORT_CONFIDENCE_V2 = new HashMap<>();
+
 static {
 INDEX.put("AV", new IndexItem((v, b) -> b.attackVector(v), ATTACK_VECTORS));
 INDEX.put("AC", new IndexItem((v, b) -> b.attackComplexity(v), ATTACK_COMPLEXITY));
@@ -95,6 +105,41 @@ private static final record IndexItem(
 REPORT_CONFIDENCE.put("U", "Unknown");
 REPORT_CONFIDENCE.put("R", "Reasonable");
 REPORT_CONFIDENCE.put("C", "Confirmed");
+
+ INDEX_V2.put("AV", INDEX.get("AV"));
+ INDEX_V2.put("AC", INDEX.get("AC"));
+ INDEX_V2.put("Au", new IndexItem((v, b) -> b.privilegesRequired(v), AUTHENTICATION_V2));
+ INDEX_V2.put("C", new IndexItem((v, b) -> b.confidentialityImpact(v), CONFIDENTIALITY_V2));
+ INDEX_V2.put("I", new IndexItem((v, b) -> b.integrityImpact(v), CONFIDENTIALITY_V2));
+ INDEX_V2.put("A", new IndexItem((v, b) -> b.availabilityImpact(v), CONFIDENTIALITY_V2));
+ INDEX_V2.put("E", new IndexItem((v, b) -> b.exploitCodeMaturity(v), EXPLOIT_CODE_MATURITY_V2));
+ INDEX_V2.put("RL", new IndexItem((v, b) -> b.remediationLevel(v), REMEDIATION_LEVEL_V2));
+ INDEX_V2.put("RC", new IndexItem((v, b) -> b.reportConfidence(v), REPORT_CONFIDENCE_V2));
+
+ AUTHENTICATION_V2.put("M", "High"); // Multiple -> High
+ AUTHENTICATION_V2.put("S", "Low"); // Simple -> Low
+ AUTHENTICATION_V2.put("N", "None");
+
+ CONFIDENTIALITY_V2.put("P", "Low"); // Partial -> Low
+ CONFIDENTIALITY_V2.put("C", "High"); // Complete -> High
+ CONFIDENTIALITY_V2.put("N", "None");
+
+ EXPLOIT_CODE_MATURITY_V2.put("ND", "Not Defined");
+ EXPLOIT_CODE_MATURITY_V2.put("U", "Unproven that exploit exists");
+ EXPLOIT_CODE_MATURITY_V2.put("P", "Proof of concept code");
+ EXPLOIT_CODE_MATURITY_V2.put("F", "Functional exploit exists");
+ EXPLOIT_CODE_MATURITY_V2.put("H", "High");
+
+ REMEDIATION_LEVEL_V2.put("ND", "Not Defined");
+ REMEDIATION_LEVEL_V2.put("OF", "Official fix");
+ REMEDIATION_LEVEL_V2.put("TF", "Temporary fix");
+ REMEDIATION_LEVEL_V2.put("W", "Workaround");
+ REMEDIATION_LEVEL_V2.put("U", "Unavailable");
+
+ REPORT_CONFIDENCE_V2.put("ND", "Not Defined");
+ REPORT_CONFIDENCE_V2.put("UC", "Unknown");
+ REPORT_CONFIDENCE_V2.put("UR", "Reasonable");
+ REPORT_CONFIDENCE_V2.put("C", "Confirmed");
 }
 
 public static CvssVector fromVectorString(String vector) {
@@ -103,10 +148,19 @@ public static CvssVector fromVectorString(String vector) {
 var parts = vector.split("/");
 for (int i = 0; i < parts.length; i++) {
 var metrics = parts[i].split(":");
- if (metrics.length == 2 && INDEX.containsKey(metrics[0])) {
- var item = INDEX.get(metrics[0]);
- var value = item.parameters().get(metrics[1]);
- item.setter().accept(value, result);
+ if (vector.startsWith(V3_1) || vector.startsWith(V3_0)) {
+ if (metrics.length == 2 && INDEX.containsKey(metrics[0])) {
+ var item = INDEX.get(metrics[0]);
+ var value = item.parameters().get(metrics[1]);
+ item.setter().accept(value, result);
+ }
+ } else {
+ // Parse CVSS 2.0
+ if (metrics.length == 2 && INDEX_V2.containsKey(metrics[0])) {
+ var item = INDEX_V2.get(metrics[0]);
+ var value = item.parameters().get(metrics[1]);
+ item.setter().accept(value, result);
+ }
 }
 }
 
diff --git a/src/test/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandlerTest.java b/src/test/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandlerTest.java
new file mode 100644
index 00000000..e3bf7853
--- /dev/null
+++ b/src/test/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandlerTest.java
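Review bot: `INDEX_V2.put("AC", INDEX.get("AC"))` reuses the v3 ATTACK_COMPLEXITY table, but CVSS v2 Access Complexity has a third value `M` (Medium) that v3 does not define; unless that table already holds an `M` entry, `AC:M` resolves to null and the parsed vector carries no complexity at all. The same block spells the v2 Exploitability proof-of-concept value as `P`, whereas the v2 specification uses `POC`, so `E:POC` is dropped as well; `EXPLOIT_CODE_MATURITY_V2.put("POC", "Proof of concept code");` is the needed entry. The other entries deliberately re-label v2 values in v3 vocabulary (Partial -> Low, Complete -> High, Single -> Low, UC -> Unknown), which is a lossy approximation a reader of the resulting report cannot see, so a comment above the INDEX_V2 block should state it, e.g. `// CVSS v2 metrics are projected onto the v3 field names; impact and authentication values are approximated and must not be read as v3 ratings`. The static initializer this hunk extends begins outside the hunk.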
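Review bot: The version test `vector.startsWith(V3_1) || vector.startsWith(V3_0)` is repeated for every `/`-separated part, and its `else` branch routes every string that is not a 3.x vector through the v2 table, so a `CVSS:4.0/...` vector or any unknown prefix is silently parsed as v2 and comes back with mostly null fields instead of being rejected. Choosing the table once before the loop removes the duplicated lookup and lets an unrecognized `CVSS:` prefix fall through with nothing parsed; the rewritten loop is below. The prologue that creates `result` and the method's return are outside the hunk, so how the caller treats an all-null vector should be checked as well.
```java
    // Pick the metric table once: v3.x vectors carry a "CVSS:3.x" prefix, v2 vectors have none.
    // Any other "CVSS:" prefix (e.g. a newer version) is not understood, so no metric is parsed.
    final Map<String, IndexItem> index;
    if (vector.startsWith(V3_1) || vector.startsWith(V3_0)) {
      index = INDEX;
    } else if (vector.startsWith("CVSS:")) {
      index = Map.of();
    } else {
      index = INDEX_V2; // CVSS 2.0
    }
    var parts = vector.split("/");
    for (int i = 0; i < parts.length; i++) {
      var metrics = parts[i].split(":");
      if (metrics.length == 2 && index.containsKey(metrics[0])) {
        var item = index.get(metrics[0]);
        var value = item.parameters().get(metrics[1]);
        item.setter().accept(value, result);
      }
    }
```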
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2024 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.redhat.exhort.integration.providers.osvnvd;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.HashMap;
+
+import org.junit.jupiter.api.Test;
+
+import com.redhat.exhort.api.PackageRef;
+import com.redhat.exhort.model.DependencyTree;
+import com.redhat.exhort.model.DirectDependency;
+
+import io.quarkus.test.junit.QuarkusTest;
+
+import jakarta.inject.Inject;
+
+@QuarkusTest
+public class OsvNvdResponseHandlerTest {
+
+ @Inject OsvNvdResponseHandler handler;
+
+ @Test
+ void testVectors() throws IOException, URISyntaxException {
+ var providerResponse = getProviderResponse("osvnvd/maven_report.json");
+ var postgresRef =
+ PackageRef.builder().purl("pkg:maven/org.postgresql/postgresql@42.5.0?type=jar").build();
+ var jacksonRef =
+ PackageRef.builder()
+ .purl("pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1?type=jar")
+ .build();
+ var deps = new HashMap();
+ deps.put(postgresRef, new DirectDependency(postgresRef, null));
+ deps.put(jacksonRef, new DirectDependency(jacksonRef, null));
+ var dependencyTree = new DependencyTree(deps);
+
+ var report = handler.responseToIssues(providerResponse, null, dependencyTree);
+
+ assertFalse(report.issues().isEmpty());
+ assertEquals(2, report.issues().size());
+ var jacksonIssues = report.issues().get(jacksonRef.ref());
+ assertEquals(3, jacksonIssues.size());
+
+ // Test V3.1 vector.
+ var issue =
+ jacksonIssues.stream().filter(i -> i.getCves().contains("CVE-2022-42004")).findFirst();
+ assertTrue(issue.isPresent());
+ assertEquals(7.5f, issue.get().getCvssScore());
+ assertEquals("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", issue.get().getCvss().getCvss());
+
+ // Test V3.0 vector.
+ issue = jacksonIssues.stream().filter(i -> i.getCves().contains("CVE-2022-42003")).findFirst();
+ assertTrue(issue.isPresent());
+ assertEquals(7.5f, issue.get().getCvssScore());
+ assertEquals("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", issue.get().getCvss().getCvss());
+
+ // Test V2.0 vector.
+ issue = jacksonIssues.stream().filter(i -> i.getCves().contains("CVE-2020-36518")).findFirst();
+ assertTrue(issue.isPresent());
+ assertEquals(5.0f, issue.get().getCvssScore());
+ assertEquals("AV:N/AC:L/Au:N/C:N/I:N/A:P", issue.get().getCvss().getCvss());
+ }
+
+ private byte[] getProviderResponse(String fileName) throws IOException, URISyntaxException {
+ return Files.readAllBytes(
+ Path.of(this.getClass().getClassLoader().getResource("__files/" + fileName).toURI()));
+ }
+}
diff --git a/src/test/java/com/redhat/exhort/model/CvssParserTest.java b/src/test/java/com/redhat/exhort/model/CvssParserTest.java
index c2369975..da562bdc 100644
--- a/src/test/java/com/redhat/exhort/model/CvssParserTest.java
+++ b/src/test/java/com/redhat/exhort/model/CvssParserTest.java
@@ -28,7 +28,9 @@ public class CvssParserTest {
 
 private static final String[] INPUTS = {
 "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/E:U/RL:U/RC:R"
+ "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/E:U/RL:U/RC:R",
+ "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/E:U/RL:U/RC:R",
 };
 
 private static final CvssVector[] EXPECTATIONS = {
@@ -58,9 +60,48 @@ public class CvssParserTest {
 };
 
 @Test
- void testVectors() {
+ void testVectorsV3() {
 for (int i = 0; i < INPUTS.length; i++) {
- assertEquals(EXPECTATIONS[i], CvssParser.fromVectorString(INPUTS[i]), "Failed: " + INPUTS[i]);
+ var expectation = EXPECTATIONS[i % 2].cvss(INPUTS[i]);
+ assertEquals(expectation, CvssParser.fromVectorString(INPUTS[i]), "Failed: " + INPUTS[i]);
+ }
+ }
+
+ private static final String[] INPUTS_V2 = {
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P", "AV:A/AC:H/Au:S/C:P/I:P/A:C"
+ };
+
+ private static final CvssVector[] EXPECTATIONS_V2 = {
+ new CvssVector()
+ .attackVector("Network")
+ .attackComplexity("Low")
+ .privilegesRequired("None")
+ .confidentialityImpact("None")
+ .integrityImpact("None")
+ .availabilityImpact("Low")
+ .userInteraction(null)
+ .scope(null)
+ .cvss(INPUTS_V2[0]),
+ new CvssVector()
+ .attackVector("Adjacent Network")
+ .attackComplexity("High")
+ .privilegesRequired("Low")
+ .confidentialityImpact("Low")
+ .integrityImpact("Low")
+ .availabilityImpact("High")
+ .userInteraction(null)
+ .scope(null)
+ .exploitCodeMaturity(null)
+ .remediationLevel(null)
+ .reportConfidence(null)
+ .cvss(INPUTS_V2[1])
+ };
+
+ @Test
+ void testVectorsV2() {
+ for (int i = 0; i < INPUTS_V2.length; i++) {
+ assertEquals(
+ EXPECTATIONS_V2[i], CvssParser.fromVectorString(INPUTS_V2[i]), "Failed: " + INPUTS_V2[i]);
 }
 }
 }
diff --git a/src/test/resources/__files/osvnvd/maven_report.json b/src/test/resources/__files/osvnvd/maven_report.json
index fc3d6639..1de47dec 100644
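Review bot: `EXPECTATIONS[i % 2].cvss(INPUTS[i])` in testVectorsV3 couples each input to its position (even index -> first expectation, odd -> second) and, if `cvss(...)` is a mutating setter as the builder-style chains in EXPECTATIONS_V2 suggest, also rewrites the shared EXPECTATIONS element on every iteration, so the assertion holds only because inputs are visited in order. Pairing each input with its own expectation, or at least a comment such as `// INPUTS lists the two 3.1 vectors followed by the same two as 3.0, so EXPECTATIONS is indexed by i % 2`, would make the relation explicit. The v2 cases exercise only `AC:L`/`AC:H` and no temporal metrics, so none of them would catch a v2 value the parser's tables leave out; a constructed input such as `"AV:L/AC:M/Au:M/C:C/I:C/A:C/E:POC/RL:OF/RC:C"` with its expected vector would cover Medium complexity and the temporal group.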
--- a/src/test/resources/__files/osvnvd/maven_report.json
+++ b/src/test/resources/__files/osvnvd/maven_report.json
@@ -408,28 +408,6 @@
 }
 ],
 "metrics": {
- "cvssMetricV31": [
- {
- "source": "nvd@nist.gov",
- "type": "Primary",
- "cvssData": {
- "version": "3.1",
- "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
- "attackVector": "NETWORK",
- "attackComplexity": "LOW",
- "privilegesRequired": "NONE",
- "userInteraction": "NONE",
- "scope": "UNCHANGED",
- "confidentialityImpact": "NONE",
- "integrityImpact": "NONE",
- "availabilityImpact": "HIGH",
- "baseScore": 7.5,
- "baseSeverity": "HIGH"
- },
- "exploitabilityScore": 3.9,
- "impactScore": 3.6
- }
- ],
 "cvssMetricV2": [
 {
 "source": "nvd@nist.gov",
@@ -635,13 +613,13 @@
 }
 ],
 "metrics": {
- "cvssMetricV31": [
+ "cvssMetricV30": [
 {
 "source": "nvd@nist.gov",
 "type": "Primary",
 "cvssData": {
- "version": "3.1",
- "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.0",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
 "attackVector": "NETWORK",
 "attackComplexity": "LOW",
 "privilegesRequired": "NONE",
diff --git a/src/test/resources/__files/reports/report_all_token.json b/src/test/resources/__files/reports/report_all_token.json
index 2129b989..b0b79364 100644
--- a/src/test/resources/__files/reports/report_all_token.json
+++ b/src/test/resources/__files/reports/report_all_token.json
@@ -50,7 +50,9 @@
 },
 "cvssScore": 7.5,
 "severity": "HIGH",
- "cves": ["CVE-2020-36518"],
+ "cves": [
+ "CVE-2020-36518"
+ ],
 "unique": false,
 "remediation": {
 "trustedContent": {
@@ -77,7 +79,9 @@
 },
 "cvssScore": 7.5,
 "severity": "HIGH",
- "cves": ["CVE-2022-42003"],
+ "cves": [
+ "CVE-2022-42003"
+ ],
 "unique": false
 },
 {
@@ -97,7 +101,9 @@
 },
 "cvssScore": 7.5,
 "severity": "HIGH",
- "cves": ["CVE-2022-42004"],
+ "cves": [
+ "CVE-2022-42004"
+ ],
 "unique": false
 }
 ],
@@ -118,7 +124,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false, "remediation": { "trustedContent": { @@ -148,7 +156,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false, "remediation": { "trustedContent": { @@ -190,8 +200,8 @@ "total": 5, "dependencies": 3, "critical": 0, - "high": 4, - "medium": 1, + "high": 3, + "medium": 2, "low": 0, "remediations": 2, "recommendations": 2 @@ -219,10 +229,14 @@ }, "cvssScore": 8.1, "severity": "HIGH", - "cves": ["CVE-2023-2974"], + "cves": [ + "CVE-2023-2974" + ], "unique": false, "remediation": { - "fixedIn": ["2.16.8.Final"], + "fixedIn": [ + "2.16.8.Final" + ], "trustedContent": { "ref": "pkg:maven/io.quarkus/quarkus-core@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -247,10 +261,14 @@ }, "cvssScore": 8.1, "severity": "HIGH", - "cves": ["CVE-2023-2974"], + "cves": [ + "CVE-2023-2974" + ], "unique": false, "remediation": { - "fixedIn": ["2.16.8.Final"], + "fixedIn": [ + "2.16.8.Final" + ], "trustedContent": { "ref": "pkg:maven/io.quarkus/quarkus-core@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -263,7 +281,7 @@ "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1?type=jar", "issues": [ { - "id": "CVE-2020-36518", + "id": "CVE-2022-42003", "source": "osv-nvd", "cvss": { "attackVector": "Network", 
@@ -274,23 +292,23 @@ "confidentialityImpact": "None", "integrityImpact": "None", "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2022-42003" + ], "unique": false, "remediation": { - "fixedIn": ["2.13.2.1", "2.12.6.1"], - "trustedContent": { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", - "status": "NotAffected", - "justification": "VulnerableCodeNotPresent" - } + "fixedIn": [ + "2.12.7.1", + "2.13.4.2" + ] } }, { - "id": "CVE-2022-42003", + "id": "CVE-2022-42004", "source": "osv-nvd", "cvss": { "attackVector": "Network", 
@@ -305,37 +323,50 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2022-42003"], + "cves": [ + "CVE-2022-42004" + ], "unique": false, "remediation": { - "fixedIn": ["2.12.7.1", "2.13.4.2"] + "fixedIn": [ + "2.12.7.1", + "2.13.4" + ] } }, { - "id": "CVE-2022-42004", + "id": "CVE-2020-36518", "source": "osv-nvd", "cvss": { "attackVector": "Network", "attackComplexity": "Low", "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", "confidentialityImpact": "None", "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "availabilityImpact": "Low", + "cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:P" }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": ["CVE-2022-42004"], + "cvssScore": 5.0, + "severity": "MEDIUM", + "cves": [ + "CVE-2020-36518" + ], "unique": false, "remediation": { - "fixedIn": ["2.12.7.1", "2.13.4"] + "fixedIn": [ + "2.13.2.1", + "2.12.6.1" + ], + "trustedContent": { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", + "status": "NotAffected", + "justification": "VulnerableCodeNotPresent" + } } } ], "highestVulnerability": { - "id": "CVE-2020-36518", + "id": "CVE-2022-42003", "source": "osv-nvd", "cvss": { "attackVector": "Network", 
@@ -346,19 +377,19 @@ "confidentialityImpact": "None", "integrityImpact": "None", "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2022-42003" + ], "unique": false, "remediation": { - "fixedIn": ["2.13.2.1", "2.12.6.1"], - "trustedContent": { - "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", - "status": "NotAffected", - "justification": "VulnerableCodeNotPresent" - } + "fixedIn": [ + "2.12.7.1", + "2.13.4.2" + ] } } } @@ -380,10 +411,14 @@ }, "cvssScore": 8.1, "severity": "HIGH", - "cves": ["CVE-2023-2974"], + "cves": [ + "CVE-2023-2974" + ], "unique": false, "remediation": { - "fixedIn": ["2.16.8.Final"], + "fixedIn": [ + "2.16.8.Final" + ], "trustedContent": { "ref": "pkg:maven/io.quarkus/quarkus-core@2.13.8.Final-redhat-00006?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -414,10 +449,17 @@ }, "cvssScore": 5.5, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false, "remediation": { - "fixedIn": ["42.2.27", "42.3.8", "42.4.3", "42.5.1"] + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] } } ], @@ -437,10 +479,17 @@ }, "cvssScore": 5.5, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false, "remediation": { - "fixedIn": ["42.2.27", "42.3.8", "42.4.3", "42.5.1"] + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] } } } 
@@ -462,10 +511,17 @@ }, "cvssScore": 5.5, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false, "remediation": { - "fixedIn": ["42.2.27", "42.3.8", "42.4.3", "42.5.1"] + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] } } } @@ -518,10 +574,16 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false, "remediation": { - "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"], + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -549,7 +611,9 @@ "severity": "MEDIUM", "unique": true, "remediation": { - "fixedIn": ["2.13.4"] + "fixedIn": [ + "2.13.4" + ] } }, { @@ -570,10 +634,15 @@ }, "cvssScore": 5.9, "severity": "MEDIUM", - "cves": ["CVE-2022-42003"], + "cves": [ + "CVE-2022-42003" + ], "unique": false, "remediation": { - "fixedIn": ["2.12.7.1", "2.13.4.2"] + "fixedIn": [ + "2.12.7.1", + "2.13.4.2" + ] } } ], @@ -594,10 +663,16 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false, "remediation": { - "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"], + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", 
@@ -625,10 +700,16 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false, "remediation": { - "fixedIn": ["2.12.6.1", "2.13.2.1", "2.14.0"], + "fixedIn": [ + "2.12.6.1", + "2.13.2.1", + "2.14.0" + ], "trustedContent": { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2-redhat-00001?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar", "status": "NotAffected", @@ -660,10 +741,17 @@ }, "cvssScore": 4.7, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false, "remediation": { - "fixedIn": ["42.2.27", "42.3.8", "42.4.3", "42.5.1"] + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] } } ], @@ -684,10 +772,17 @@ }, "cvssScore": 4.7, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false, "remediation": { - "fixedIn": ["42.2.27", "42.3.8", "42.4.3", "42.5.1"] + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] } } } @@ -710,10 +805,17 @@ }, "cvssScore": 4.7, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false, "remediation": { - "fixedIn": ["42.2.27", "42.3.8", "42.4.3", "42.5.1"] + "fixedIn": [ + "42.2.27", + "42.3.8", + "42.4.3", + "42.5.1" + ] } } } @@ -722,4 +824,4 @@ } } } -} +} \ No newline at end of file diff --git a/src/test/resources/__files/reports/v3/report_all_token.json b/src/test/resources/__files/reports/v3/report_all_token.json index f4450927..f0699fe5 100644 --- a/src/test/resources/__files/reports/v3/report_all_token.json +++ b/src/test/resources/__files/reports/v3/report_all_token.json @@ -8,8 +8,8 @@ "direct": 0, "total": 12, "critical": 0, - "high": 8, - "medium": 4, + "high": 7, + "medium": 5, "low": 0 }, "providerStatuses": [ 
@@ -63,7 +63,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false }, { @@ -83,7 +85,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2022-42003"], + "cves": [ + "CVE-2022-42003" + ], "unique": false }, { @@ -103,7 +107,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2022-42004"], + "cves": [ + "CVE-2022-42004" + ], "unique": false } ], @@ -131,7 +137,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false } } @@ -154,7 +162,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false } }, @@ -184,7 +194,9 @@ }, "cvssScore": 8.1, "severity": "HIGH", - "cves": ["CVE-2023-2974"], + "cves": [ + "CVE-2023-2974" + ], "unique": false } ], @@ -211,7 +223,9 @@ }, "cvssScore": 8.1, "severity": "HIGH", - "cves": ["CVE-2023-2974"], + "cves": [ + "CVE-2023-2974" + ], "unique": false } }, @@ -219,7 +233,7 @@ "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1?type=jar", "issues": [ { - "id": "CVE-2020-36518", + "id": "CVE-2022-42003", "source": "osv-nvd", "cvss": { "attackVector": "Network", @@ -230,15 +244,17 @@ "confidentialityImpact": "None", "integrityImpact": "None", "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2022-42003" + ], "unique": false }, { - "id": "CVE-2022-42003", + "id": "CVE-2022-42004", "source": "osv-nvd", "cvss": { "attackVector": "Network", 
@@ -253,26 +269,28 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2022-42003"], + "cves": [ + "CVE-2022-42004" + ], "unique": false }, { - "id": "CVE-2022-42004", + "id": "CVE-2020-36518", "source": "osv-nvd", "cvss": { "attackVector": "Network", "attackComplexity": "Low", "privilegesRequired": "None", - "userInteraction": "None", - "scope": "Unchanged", "confidentialityImpact": "None", "integrityImpact": "None", - "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "availabilityImpact": "Low", + "cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:P" }, - "cvssScore": 7.5, - "severity": "HIGH", - "cves": ["CVE-2022-42004"], + "cvssScore": 5.0, + "severity": "MEDIUM", + "cves": [ + "CVE-2020-36518" + ], "unique": false } ], @@ -284,7 +302,7 @@ } }, "highestVulnerability": { - "id": "CVE-2020-36518", + "id": "CVE-2022-42003", "source": "osv-nvd", "cvss": { "attackVector": "Network", @@ -295,11 +313,13 @@ "confidentialityImpact": "None", "integrityImpact": "None", "availabilityImpact": "High", - "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2022-42003" + ], "unique": false } } @@ -321,7 +341,9 @@ }, "cvssScore": 8.1, "severity": "HIGH", - "cves": ["CVE-2023-2974"], + "cves": [ + "CVE-2023-2974" + ], "unique": false } }, @@ -347,7 +369,9 @@ }, "cvssScore": 5.5, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false } ], @@ -367,7 +391,9 @@ }, "cvssScore": 5.5, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false } } @@ -389,7 +415,9 @@ }, "cvssScore": 5.5, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false } }, 
@@ -416,7 +444,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false }, { @@ -457,7 +487,9 @@ }, "cvssScore": 5.9, "severity": "MEDIUM", - "cves": ["CVE-2022-42003"], + "cves": [ + "CVE-2022-42003" + ], "unique": false } ], @@ -485,7 +517,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false } } @@ -508,7 +542,9 @@ }, "cvssScore": 7.5, "severity": "HIGH", - "cves": ["CVE-2020-36518"], + "cves": [ + "CVE-2020-36518" + ], "unique": false } }, @@ -535,7 +571,9 @@ }, "cvssScore": 4.7, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false } ], @@ -556,7 +594,9 @@ }, "cvssScore": 4.7, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false } } @@ -579,9 +619,11 @@ }, "cvssScore": 4.7, "severity": "MEDIUM", - "cves": ["CVE-2022-41946"], + "cves": [ + "CVE-2022-41946" + ], "unique": false } } ] -} +} \ No newline at end of file