guacsec · ruromero · Feb 15, 2024 · Feb 15, 2024
diff --git a/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java
@@ -83,8 +83,13 @@ private List<Issue> toIssues(String ref, ArrayNode response) {
     response.forEach(
         data -> {
           var issue = new Issue().source(Constants.OSV_NVD_PROVIDER);
+
           String cve = getTextValue(data, "cveId");
           issue.id(cve).cves(List.of(cve));
+          issue.title(getTextValue(data, "summary"));
+          if (issue.getTitle() == null || issue.getTitle().isEmpty()) {
+            issue.title(getTextValue(data, "description"));
+          }
           var metrics = data.get("metrics");
           if (metrics != null) {
             setMetrics(metrics, issue);

diff --git a/src/main/java/com/redhat/exhort/integration/report/ReportTemplate.java b/src/main/java/com/redhat/exhort/integration/report/ReportTemplate.java
@@ -54,6 +54,9 @@ public class ReportTemplate {
   @ConfigProperty(name = "report.nvd.issue.regex")
   String nvdIssuePathRegex;
 
+  @ConfigProperty(name = "report.cve.issue.regex")
+  String cveIssuePathRegex;
+
   public Map<String, Object> setVariables(
       @Body AnalysisReport report,
       @ExchangeProperty(Constants.PROVIDER_PRIVATE_DATA_PROPERTY) List<String> providerPrivateData)
@@ -66,6 +69,7 @@ public Map<String, Object> setVariables(
     params.put("nvdIssueTemplate", nvdIssuePathRegex);
     params.put("providerPrivateData", providerPrivateData);
     params.put("snykSignup", snykSignup);
+    params.put("cveIssueTemplate", cveIssuePathRegex);
 
     ObjectWriter objectWriter = new ObjectMapper().writer();
     String appData = objectWriter.writeValueAsString(params);

diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -20,6 +20,7 @@ report.snyk.issue.regex=https://security.snyk.io/vuln/__ISSUE_ID__
 report.ossindex.issue.regex=http://ossindex.sonatype.org/vulnerability/__ISSUE_ID__
 report.nvd.issue.regex=https://nvd.nist.gov/vuln/detail/__ISSUE_ID__
 report.snyk.signup.link=https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&utm_source=code_ready&code_ready=FF1B53D9-57BE-4613-96D7-1D06066C38C9
+report.cve.issue.regex=https://cve.mitre.org/cgi-bin/cvename.cgi?name=__ISSUE_ID__
 
 ## Analytics - Segment API
 quarkus.rest-client.segment-api.url=https://api.segment.io/

diff --git a/src/main/resources/freemarker/templates/generated/main.js b/src/main/resources/freemarker/templates/generated/main.js
diff --git a/src/test/resources/__files/reports/report_all_token.json b/src/test/resources/__files/reports/report_all_token.json
@@ -215,6 +215,7 @@
                   "issues": [
                     {
                       "id": "CVE-2023-2974",
+                      "title": "quarkus-core vulnerable to client driven TLS cipher downgrading",
                       "source": "osv-nvd",
                       "cvss": {
                         "attackVector": "Network",
@@ -247,6 +248,7 @@
                   ],
                   "highestVulnerability": {
                     "id": "CVE-2023-2974",
+                    "title": "quarkus-core vulnerable to client driven TLS cipher downgrading",
                     "source": "osv-nvd",
                     "cvss": {
                       "attackVector": "Network",
@@ -282,6 +284,7 @@
                   "issues": [
                     {
                       "id": "CVE-2022-42003",
+                      "title": "Uncontrolled Resource Consumption in Jackson-databind",
                       "source": "osv-nvd",
                       "cvss": {
                         "attackVector": "Network",
@@ -309,6 +312,7 @@
                     },
                     {
                       "id": "CVE-2022-42004",
+                      "title": "Uncontrolled Resource Consumption in FasterXML jackson-databind",
                       "source": "osv-nvd",
                       "cvss": {
                         "attackVector": "Network",
@@ -336,6 +340,7 @@
                     },
                     {
                       "id": "CVE-2020-36518",
+                      "title": "Deeply nested json in jackson-databind",
                       "source": "osv-nvd",
                       "cvss": {
                         "attackVector": "Network",
@@ -367,6 +372,7 @@
                   ],
                   "highestVulnerability": {
                     "id": "CVE-2022-42003",
+                    "title": "Uncontrolled Resource Consumption in Jackson-databind",
                     "source": "osv-nvd",
                     "cvss": {
                       "attackVector": "Network",
@@ -397,6 +403,7 @@
               "recommendation": "pkg:maven/io.quarkus/[email protected]?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
               "highestVulnerability": {
                 "id": "CVE-2023-2974",
+                "title": "quarkus-core vulnerable to client driven TLS cipher downgrading",
                 "source": "osv-nvd",
                 "cvss": {
                   "attackVector": "Network",
@@ -435,6 +442,7 @@
                   "issues": [
                     {
                       "id": "CVE-2022-41946",
+                      "title": "TemporaryFolder on unix-like systems does not limit access to created files",
                       "source": "osv-nvd",
                       "cvss": {
                         "attackVector": "Local",
@@ -465,6 +473,7 @@
                   ],
                   "highestVulnerability": {
                     "id": "CVE-2022-41946",
+                    "title": "TemporaryFolder on unix-like systems does not limit access to created files",
                     "source": "osv-nvd",
                     "cvss": {
                       "attackVector": "Local",
@@ -497,6 +506,7 @@
               "recommendation": "pkg:maven/io.quarkus/[email protected]?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
               "highestVulnerability": {
                 "id": "CVE-2022-41946",
+                "title": "TemporaryFolder on unix-like systems does not limit access to created files",
                 "source": "osv-nvd",
                 "cvss": {
                   "attackVector": "Local",

diff --git a/src/test/resources/__files/reports/v3/report_all_token.json b/src/test/resources/__files/reports/v3/report_all_token.json
@@ -180,6 +180,7 @@
           "issues": [
             {
               "id": "CVE-2023-2974",
+              "title": "quarkus-core vulnerable to client driven TLS cipher downgrading",
               "source": "osv-nvd",
               "cvss": {
                 "attackVector": "Network",
@@ -209,6 +210,7 @@
           },
           "highestVulnerability": {
             "id": "CVE-2023-2974",
+            "title": "quarkus-core vulnerable to client driven TLS cipher downgrading",
             "source": "osv-nvd",
             "cvss": {
               "attackVector": "Network",
@@ -234,6 +236,7 @@
           "issues": [
             {
               "id": "CVE-2022-42003",
+              "title": "Uncontrolled Resource Consumption in Jackson-databind",
               "source": "osv-nvd",
               "cvss": {
                 "attackVector": "Network",
@@ -255,6 +258,7 @@
             },
             {
               "id": "CVE-2022-42004",
+              "title": "Uncontrolled Resource Consumption in FasterXML jackson-databind",
               "source": "osv-nvd",
               "cvss": {
                 "attackVector": "Network",
@@ -276,6 +280,7 @@
             },
             {
               "id": "CVE-2020-36518",
+              "title": "Deeply nested json in jackson-databind",
               "source": "osv-nvd",
               "cvss": {
                 "attackVector": "Network",
@@ -303,6 +308,7 @@
           },
           "highestVulnerability": {
             "id": "CVE-2022-42003",
+            "title": "Uncontrolled Resource Consumption in Jackson-databind",
             "source": "osv-nvd",
             "cvss": {
               "attackVector": "Network",
@@ -327,6 +333,7 @@
       "recommendation": "pkg:maven/io.quarkus/[email protected]?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
       "highestVulnerability": {
         "id": "CVE-2023-2974",
+        "title": "quarkus-core vulnerable to client driven TLS cipher downgrading",
         "source": "osv-nvd",
         "cvss": {
           "attackVector": "Network",
@@ -355,6 +362,7 @@
           "issues": [
             {
               "id": "CVE-2022-41946",
+              "title": "TemporaryFolder on unix-like systems does not limit access to created files",
               "source": "osv-nvd",
               "cvss": {
                 "attackVector": "Local",
@@ -377,6 +385,7 @@
           ],
           "highestVulnerability": {
             "id": "CVE-2022-41946",
+            "title": "TemporaryFolder on unix-like systems does not limit access to created files",
             "source": "osv-nvd",
             "cvss": {
               "attackVector": "Local",
@@ -401,6 +410,7 @@
       "recommendation": "pkg:maven/io.quarkus/[email protected]?repository_url=https%3A%2F%2Fmaven.repository.redhat.com%2Fga%2F&type=jar",
       "highestVulnerability": {
         "id": "CVE-2022-41946",
+        "title": "TemporaryFolder on unix-like systems does not limit access to created files",
         "source": "osv-nvd",
         "cvss": {
           "attackVector": "Local",

diff --git a/ui/src/api/report.ts b/ui/src/api/report.ts
@@ -6,6 +6,7 @@ export interface AppData {
   ossIssueTemplate: string;
   snykIssueTemplate: string;
   nvdIssueTemplate: string;
+  cveIssueTemplate: string;
   snykSignup: string;
 }
 

diff --git a/ui/src/components/VulnerabilityIdLink.tsx b/ui/src/components/VulnerabilityIdLink.tsx
@@ -0,0 +1,12 @@
+import { Vulnerability } from '../api/report';
+import { cveLink } from '../utils/utils';
+import { useAppContext } from '../App';
+
+export const VulnerabilityIdLink = ({ vulnerability }: { vulnerability: Vulnerability }) => {
+  const appContext = useAppContext();
+  return (
+    <a href={cveLink(vulnerability.id, appContext)} target="_blank" rel="noreferrer">
+      {vulnerability.id}
+    </a>
+  );
+};
diff --git a/ui/src/components/VulnerabilityRow.tsx b/ui/src/components/VulnerabilityRow.tsx
@@ -1,12 +1,13 @@
-import {Td, Tr} from '@patternfly/react-table';
-import {DependencyLink} from './DependencyLink';
-import {RemediationLink} from './RemediationLink';
-import {VulnerabilityLink} from './VulnerabilityLink';
-import {VulnerabilityScore} from './VulnerabilityScore';
-import {VulnerabilitySeverityLabel} from './VulnerabilitySeverityLabel';
-import {usePrivateIssueHelper} from "../hooks/usePrivateDataHelper";
-import {hasRemediations, VulnerabilityItem} from "../api/report";
-import {useAppContext} from '../App';
+import { Td, Tr } from '@patternfly/react-table';
+import { DependencyLink } from './DependencyLink';
+import { RemediationLink } from './RemediationLink';
+import { VulnerabilityLink } from './VulnerabilityLink';
+import { VulnerabilityScore } from './VulnerabilityScore';
+import { VulnerabilitySeverityLabel } from './VulnerabilitySeverityLabel';
+import { usePrivateIssueHelper } from "../hooks/usePrivateDataHelper";
+import { hasRemediations, VulnerabilityItem } from "../api/report";
+import { useAppContext } from '../App';
+import { VulnerabilityIdLink } from './VulnerabilityIdLink';
 
 interface VulnerabilityRowProps {
   item: VulnerabilityItem;
@@ -38,7 +39,7 @@ export const VulnerabilityRow: React.FC<VulnerabilityRowProps> = ({item, provide
         <>
           <Td>
             {ids.map((id, index) => (
-              <p key={index}>{id}</p>
+              <p key={index}><VulnerabilityIdLink vulnerability={item.vulnerability}/></p>
             ))}
           </Td>
           <Td>{item.vulnerability.title}</Td>

diff --git a/ui/src/mocks/reportMixed.mock.ts b/ui/src/mocks/reportMixed.mock.ts
@@ -4711,4 +4711,5 @@ export const reportMixed: AppData = {
   snykIssueTemplate: 'https://security.snyk.io/vuln/__ISSUE_ID__',
   nvdIssueTemplate: 'https://nvd.nist.gov/vuln/detail/__ISSUE_ID__',
   snykSignup: 'https://app.snyk.io/login',
+  cveIssueTemplate: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=__ISSUE_ID__'
 };
diff --git a/ui/src/mocks/reportWithError.mock.ts b/ui/src/mocks/reportWithError.mock.ts
@@ -31,4 +31,5 @@ export const errorReport: AppData = {
   snykIssueTemplate: 'https://security.snyk.io/vuln/__ISSUE_ID__',
   nvdIssueTemplate: 'https://nvd.nist.gov/vuln/detail/__ISSUE_ID__',
   snykSignup: 'https://app.snyk.io/login',
+  cveIssueTemplate: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=__ISSUE_ID__'
 };
diff --git a/ui/src/mocks/reportWithForbidden.mock.ts b/ui/src/mocks/reportWithForbidden.mock.ts
@@ -31,4 +31,5 @@ export const forbiddenReport: AppData = {
   snykIssueTemplate: 'https://security.snyk.io/vuln/__ISSUE_ID__',
   nvdIssueTemplate: 'https://nvd.nist.gov/vuln/detail/__ISSUE_ID__',
   snykSignup: 'https://app.snyk.io/login',
+  cveIssueTemplate: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=__ISSUE_ID__'
 };
diff --git a/ui/src/mocks/reportWithToken.mock.ts b/ui/src/mocks/reportWithToken.mock.ts
@@ -438,4 +438,5 @@ export const withTokenReport: AppData = {
   snykIssueTemplate: 'https://security.snyk.io/vuln/__ISSUE_ID__',
   nvdIssueTemplate: 'https://nvd.nist.gov/vuln/detail/__ISSUE_ID__',
   snykSignup: 'https://app.snyk.io/login',
+  cveIssueTemplate: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=__ISSUE_ID__'
 };
diff --git a/ui/src/mocks/reportWithUnauthenticated.mock.ts b/ui/src/mocks/reportWithUnauthenticated.mock.ts
@@ -300,4 +300,5 @@ export const unauthenticatedReport: AppData = {
   snykIssueTemplate: 'https://security.snyk.io/vuln/__ISSUE_ID__',
   nvdIssueTemplate: 'https://nvd.nist.gov/vuln/detail/__ISSUE_ID__',
   snykSignup: 'https://app.snyk.io/login',
+  cveIssueTemplate: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=__ISSUE_ID__'
 };
diff --git a/ui/src/mocks/reportWithUnauthorized.mock.ts b/ui/src/mocks/reportWithUnauthorized.mock.ts
@@ -31,4 +31,5 @@ export const unauthorizedReport: AppData = {
   snykIssueTemplate: 'https://security.snyk.io/vuln/__ISSUE_ID__',
   nvdIssueTemplate: 'https://nvd.nist.gov/vuln/detail/__ISSUE_ID__',
   snykSignup: 'https://app.snyk.io/login',
+  cveIssueTemplate: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=__ISSUE_ID__'
 };
diff --git a/ui/src/mocks/reportWithoutToken.mock.ts b/ui/src/mocks/reportWithoutToken.mock.ts
@@ -386,4 +386,5 @@ export const withoutTokenReport: AppData = {
   snykIssueTemplate: 'https://security.snyk.io/vuln/__ISSUE_ID__',
   nvdIssueTemplate: 'https://nvd.nist.gov/vuln/detail/__ISSUE_ID__',
   snykSignup: 'https://app.snyk.io/login',
+  cveIssueTemplate: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=__ISSUE_ID__'
 };
diff --git a/ui/src/utils/utils.ts b/ui/src/utils/utils.ts
@@ -114,6 +114,10 @@ export const issueLink = (provider: string, issueId: string, appData: AppData) =
   }
 };
 
+export const cveLink = (issueId: string, appData: AppData) => {
+  return appData.cveIssueTemplate.replace(ISSUE_PLACEHOLDER, issueId);
+}
+
 export const uppercaseFirstLetter = (val: string) => {
   return val.toLowerCase().replace(/./, (c) => c.toUpperCase());
 };