Handle Debian release versions

Signed-off-by: nscuro <[email protected]>

Author: nscuro

README.md

@@ -82,7 +82,7 @@ docker run -it --rm \
   -v "$(pwd):/workspace" \
   -w '/workspace' \
   ghcr.io/dependencytrack/vuln-db:snapshot \
-  scan --database=all.sqlite bom.json
+  scan --ensure-indexes --database=all.sqlite bom.json
 ```
 
 ## Data model

src/main/java/org/dependencytrack/vulndb/cli/ScanCommand.java

@@ -35,6 +35,9 @@ public class ScanCommand implements Callable<Integer> {
     @Option(names = {"-d", "--database"})
     Path databaseFilePath;
 
+    @Option(names = {"-i", "--ensure-indexes"})
+    boolean ensureIndexes;
+
     @Parameters
     Path bomFilePath;
 
@@ -44,15 +47,31 @@ public Integer call() throws Exception {
                 .create("jdbc:sqlite:%s".formatted(databaseFilePath))
                 .installPlugin(new SQLitePlugin());
 
+        if (ensureIndexes) {
+            jdbi.useHandle(handle -> {
+                handle.execute("""
+                        create index if not exists matching_criteria_purl_ns_idx
+                            on matching_criteria(purl_type, purl_namespace, purl_name)
+                         where purl_namespace is not null;
+                        """);
+
+                handle.execute("""
+                        create index if not exists matching_criteria_purl_idx
+                            on matching_criteria(purl_type, purl_name)
+                         where purl_namespace is null;
+                        """);
+            });
+        }
+
         final byte[] bomBytes = Files.readAllBytes(bomFilePath);
         final Bom bom = BomParserFactory.createParser(bomBytes).parse(bomBytes);
 
         try (final Handle handle = jdbi.open()) {
             // TODO: Consider metadata.component, nested components etc.
 
             for (final Component component : bom.getComponents()) {
-                final Set<String> vulnIds = scan(handle, component);
-                if (!vulnIds.isEmpty()) {
+                final Set<MatchMetadata> matches = scan(handle, component);
+                if (!matches.isEmpty()) {
                     String componentName = component.getName();
                     if (component.getGroup() != null) {
                         componentName = component.getGroup() + "/" + componentName;
@@ -62,7 +81,14 @@ public Integer call() throws Exception {
                     }
 
                     // TODO: Move reporting to the very end.
-                    System.out.println(componentName + ": " + vulnIds.stream().sorted().toList());
+                    System.out.println(componentName + ":");
+                    for (final MatchMetadata match : matches) {
+                        System.out.println("- %s\n  Matched range: %s\n  Source: %s".formatted(
+                                match.vulnId(),
+                                match.criteriaVers(),
+                                match.criteriaSource()));
+                    }
+                    System.out.println();
                 }
             }
         }
@@ -74,10 +100,16 @@ public Integer call() throws Exception {
         return 0;
     }
 
-    private Set<String> scan(
+    private record MatchMetadata(
+            String vulnId,
+            String criteriaSource,
+            String criteriaVers) {
+    }
+
+    private Set<MatchMetadata> scan(
             final Handle handle,
             final Component component) throws MalformedPackageURLException, CpeParsingException {
-        final var affectedVulnIds = new HashSet<String>();
+        final var affectedVulnIds = new HashSet<MatchMetadata>();
 
         if (component.getCpe() != null) {
             final var cpe = CpeParser.parse(component.getCpe());
@@ -99,9 +131,31 @@ private Set<String> scan(
 
                 final Vers vers = Vers.parse(criteriaRecord.versions());
                 if (vers.contains(purl.getVersion())) {
-                    // TODO: Check additional criteria.
+                    // Handle cases where a Debian vulnerability only apply to specific
+                    // releases of Debian. Note that this requires both the criteria, as well
+                    // as the package to declare a Debian release version.
+                    // It can't be reliably deduced from package versions or vers ranges alone.
+                    // TODO: For the love of god make this less atrocious.
+                    if (purl.getType().equals(PackageURL.StandardTypes.DEBIAN)
+                        && purl.getQualifiers() != null
+                        && purl.getQualifiers().containsKey("distro")
+                        && purl.getQualifiers().get("distro").startsWith("debian-")
+                        && "debian-version".equals(criteriaRecord.additionalCriteriaType())) {
+                        final String distroVersion = purl.getQualifiers().get("distro").replaceFirst("^debian-", "");
+                        if (!distroVersion.startsWith(new String(criteriaRecord.additionalCriteria()))) {
+                            System.out.println(
+                                    "Discarding range %s due to Debian version mismatch (package=%s, criteria=%s)".formatted(
+                                            criteriaRecord.versions(), distroVersion, new String(criteriaRecord.additionalCriteria())));
+                            continue;
+                        }
+                    }
+
+                    // TODO: Check more additional criteria types.
 
-                    affectedVulnIds.add(criteriaRecord.vulnId());
+                    affectedVulnIds.add(new MatchMetadata(
+                            criteriaRecord.vulnId(),
+                            criteriaRecord.sourceName(),
+                            criteriaRecord.versions()));
                 }
             }
         }

src/main/java/org/dependencytrack/vulndb/source/osv/OsvImporter.java

@@ -177,6 +177,14 @@ private void processAdvisory(final OsvAdvisory advisory) {
                     } catch (IOException e) {
                         LOGGER.warn("Failed to serialize go-imports {}", imports, e);
                     }
+                } else if (affected.pkg().ecosystem().toLowerCase().startsWith("debian")) {
+                    final String[] ecosystemParts = affected.pkg().ecosystem().split(":", 2);
+                    if (ecosystemParts.length == 2) {
+                        // TODO: Should be a JSON object to make it less ambiguous.
+                        // TODO: Can this be generalized? Do we need this for RedHat etc. too?
+                        additionalCriteria = ecosystemParts[1].trim().getBytes();
+                        additionalCriteriaType = "debian-version";
+                    }
                 }
 
                 if (affected.ranges() != null) {

src/main/resources/cleanup.sql

@@ -2,6 +2,7 @@ drop table if exists matching_criteria;
 drop table if exists vuln_reference;
 drop table if exists vuln_rating;
 drop table if exists vuln_alias;
+drop table if exists vuln_related;
 drop table if exists vuln_data;
 drop table if exists vuln;
 drop table if exists source_metadata;