Skip to content

fix: avoid duplicated CVE recommendations #301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 5, 2024
Merged

fix: avoid duplicated CVE recommendations #301

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion src/main/java/com/redhat/exhort/integration/trustedcontent/TcResponseHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
import com.redhat.exhort.model.trustedcontent.Recommendations;
import com.redhat.exhort.model.trustedcontent.TcRecommendation;
import com.redhat.exhort.model.trustedcontent.TrustedContentResponse;
import com.redhat.exhort.model.trustedcontent.Vulnerability;

import io.quarkus.runtime.annotations.RegisterForReflection;

Expand All @@ -53,6 +54,10 @@
@RegisterForReflection
public class TcResponseHandler extends ProviderResponseHandler {

// Other values are Affected and UnderInvestigation
// see https://www.cisa.gov/sites/default/files/2023-01/VEX_Status_Justification_Jun22.pdf
private static final List<String> FIXED_STATUSES = List.of("NotAffected", "Fixed");

@Inject ObjectMapper mapper;

@ConfigProperty(name = "trustedcontent.recommended.ubi")
Expand Down Expand Up @@ -91,7 +96,7 @@ private IndexedRecommendation aggregateRecommendations(List<TcRecommendation> re
recommendations.stream()
.map(TcRecommendation::vulnerabilities)
.flatMap(List::stream)
.collect(Collectors.toMap(v -> v.getId().toUpperCase(), v -> v)));
.collect(Collectors.toMap(v -> v.getId().toUpperCase(), v -> v, this::filterFixed)));
}

private PackageRef getHighestRemediationRecommendation(List<TcRecommendation> tcRecommendations) {
Expand Down Expand Up @@ -138,4 +143,11 @@ public ProviderResponse responseToIssues(
byte[] response, String privateProviders, DependencyTree tree) throws IOException {
throw new UnsupportedOperationException("Not yet implemented");
}

private Vulnerability filterFixed(Vulnerability a, Vulnerability b) {
if (!FIXED_STATUSES.contains(a.getStatus())) {
return a;
}
return b;
}
}
7 changes: 6 additions & 1 deletion src/test/resources/__files/trustedcontent/simple.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
"vulnerabilities": [
{
"id": "cve-2020-36518",
"status": "NotAffected",
"status": "Affected",
"justification": "VulnerableCodeNotPresent"
}
]
Expand All @@ -40,6 +40,11 @@
"id": "cve-2023-44487",
"status": "NotAffected",
"justification": "VulnerableCodeNotPresent"
},
{
"id": "cve-2020-36518",
"status": "NotAffected",
"justification": "VulnerableCodeNotPresent"
}
]
},
Expand Down