Add EUVD importer

Signed-off-by: nscuro <[email protected]>

Author: nscuro

.github/workflows/update-database.yml

@@ -33,6 +33,7 @@ jobs:
     strategy:
       matrix:
         source:
+        - euvd
         - github
         - nvd
         - osv
@@ -82,7 +83,7 @@ jobs:
         echo '${{ secrets.GITHUB_TOKEN }}' | oras login ghcr.io -u github --password-stdin
     - name: Download source databases
       run: |
-        for source_name in github nvd osv; do
+        for source_name in euvd github nvd osv; do
           oras pull "ghcr.io/${GITHUB_REPOSITORY,,}/source/${source_name}:${{ inputs.database-version }}"
         done
     - name: Decompress source databases

pom.xml

@@ -23,6 +23,7 @@
         <lib.open-vulnerability-clients.version>8.0.0</lib.open-vulnerability-clients.version>
         <lib.packageurl-java.version>1.5.0</lib.packageurl-java.version>
         <lib.picocli.version>4.7.7</lib.picocli.version>
+        <lib.resilience4j.version>2.3.0</lib.resilience4j.version>
         <lib.slf4j.version>2.0.17</lib.slf4j.version>
         <lib.sqlite-jdbc.version>3.49.1.0</lib.sqlite-jdbc.version>
         <lib.versatile.version>0.12.0</lib.versatile.version>
@@ -110,6 +111,12 @@
             <version>${lib.picocli.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>io.github.resilience4j</groupId>
+            <artifactId>resilience4j-retry</artifactId>
+            <version>${lib.resilience4j.version}</version>
+        </dependency>
+
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

src/main/java/org/dependencytrack/vulndb/source/euvd/EuvdImporter.java

@@ -0,0 +1,154 @@
+package org.dependencytrack.vulndb.source.euvd;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import io.github.resilience4j.retry.Retry;
+import io.github.resilience4j.retry.RetryConfig;
+import io.github.resilience4j.retry.RetryRegistry;
+import org.dependencytrack.vulndb.api.Database;
+import org.dependencytrack.vulndb.api.Importer;
+import org.dependencytrack.vulndb.api.Rating;
+import org.dependencytrack.vulndb.api.Reference;
+import org.dependencytrack.vulndb.api.Source;
+import org.dependencytrack.vulndb.api.Vulnerability;
+import org.metaeffekt.core.security.cvss.CvssVector;
+import org.metaeffekt.core.security.cvss.v2.Cvss2;
+import org.metaeffekt.core.security.cvss.v3.Cvss3;
+import org.metaeffekt.core.security.cvss.v4P0.Cvss4P0;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.MDC;
+
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.time.Duration;
+import java.util.List;
+
+import static io.github.resilience4j.core.IntervalFunction.ofExponentialRandomBackoff;
+
+public final class EuvdImporter implements Importer {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(EuvdImporter.class);
+
+    private Database database;
+    private HttpClient httpClient;
+    private ObjectMapper objectMapper;
+    private Retry retry;
+
+    @Override
+    public Source source() {
+        return new Source("euvd", "European Union Vulnerability Database", null, "https://euvd.enisa.europa.eu/");
+    }
+
+    @Override
+    public void init(final Database database) {
+        this.database = database;
+        this.httpClient = HttpClient.newHttpClient();
+        this.objectMapper = new ObjectMapper()
+                .disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
+                .registerModule(new JavaTimeModule());
+        this.retry = RetryRegistry.of(
+                        RetryConfig.<HttpResponse<?>>custom()
+                                .retryOnResult(response -> response.statusCode() == 403)
+                                .intervalFunction(ofExponentialRandomBackoff(
+                                        Duration.ofSeconds(15),
+                                        /* multiplier */ 2.0,
+                                        /* randomizationFactor */ 0.5,
+                                        Duration.ofMinutes(3)))
+                                .maxAttempts(12)
+                                .build())
+                .retry("euvd-api");
+        this.retry.getEventPublisher().onRetry(
+                event -> LOGGER.warn(
+                        "Performing retry attempt {} in {}",
+                        event.getNumberOfRetryAttempts(),
+                        event.getWaitInterval()));
+    }
+
+    @Override
+    public void runImport() throws Exception {
+        boolean hasMore;
+        int pageNumber = 0;
+        int vulnsImported = 0;
+        do {
+            final HttpResponse<byte[]> response = retry.executeCallable(
+                    () -> httpClient.send(
+                            HttpRequest.newBuilder(URI.create(
+                                            "https://euvdservices.enisa.europa.eu/api/search?size=100&page=%d".formatted(pageNumber)))
+                                    .GET()
+                                    .header("User-Agent", "github.com/DependencyTrack/vuln-db")
+                                    .build(),
+                            HttpResponse.BodyHandlers.ofByteArray()));
+            if (response.statusCode() != 200) {
+                throw new Exception("Unexpected response code: " + response.statusCode());
+            }
+
+            final var vulnsPage = objectMapper.readValue(response.body(), EuvdVulnerabilitiesPage.class);
+            final List<Vulnerability> vulns = vulnsPage.items().stream()
+                    .map(euvdVuln -> {
+                        try (var ignored = MDC.putCloseable("vulnId", euvdVuln.id())) {
+                            return convert(euvdVuln);
+                        }
+                    })
+                    .toList();
+
+            database.storeVulnerabilities(vulns);
+
+            vulnsImported += vulns.size();
+            hasMore = vulnsImported < vulnsPage.total();
+            LOGGER.info("Imported {}/{} vulnerabilities", vulnsImported, vulnsPage.total());
+        } while (hasMore);
+    }
+
+    private Vulnerability convert(final EuvdVulnerability euvdVuln) {
+        return new Vulnerability(
+                euvdVuln.id(),
+                euvdVuln.aliases(),
+                /* related */ null,
+                euvdVuln.description(),
+                /* cwes */ null,
+                getRatings(euvdVuln),
+                euvdVuln.references() != null
+                        ? euvdVuln.references().stream().map(referenceUrl -> new Reference(referenceUrl, null)).toList()
+                        : null,
+                /* matchingCriteria */ null,
+                /* createdAt */ null,
+                euvdVuln.datePublished() != null ? euvdVuln.datePublished().toInstant() : null,
+                euvdVuln.dateUpdated() != null ? euvdVuln.dateUpdated().toInstant() : null,
+                /* rejectedAt */ null);
+    }
+
+    private List<Rating> getRatings(final EuvdVulnerability euvdVuln) {
+        if (euvdVuln.baseScoreVector() == null) {
+            return null;
+        }
+
+        final CvssVector vector = CvssVector.parseVector(euvdVuln.baseScoreVector());
+        if (vector != null) {
+            final Rating.Method method = switch (vector) {
+                case Cvss2 ignored -> Rating.Method.CVSSv2;
+                case Cvss3 ignored -> Rating.Method.CVSSv3;
+                case Cvss4P0 ignored -> Rating.Method.CVSSv4;
+                default -> null;
+            };
+            if (method == null) {
+                LOGGER.warn("Unexpected CVSS type {}", vector.getClass().getName());
+            }
+
+            return List.of(
+                    new Rating(
+                            method,
+                            Rating.Severity.ofCvss(vector),
+                            vector.toString(),
+                            vector.getBaseScore()));
+        } else {
+            LOGGER.warn("Failed to parse CVSS vector {}", euvdVuln.baseScoreVector());
+        }
+
+        return null;
+    }
+
+}

src/main/java/org/dependencytrack/vulndb/source/euvd/EuvdVulnerabilitiesPage.java

@@ -0,0 +1,6 @@
+package org.dependencytrack.vulndb.source.euvd;
+
+import java.util.List;
+
+public record EuvdVulnerabilitiesPage(List<EuvdVulnerability> items, int total) {
+}

src/main/java/org/dependencytrack/vulndb/source/euvd/EuvdVulnerability.java

@@ -0,0 +1,19 @@
+package org.dependencytrack.vulndb.source.euvd;
+
+import com.fasterxml.jackson.annotation.JsonFormat;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+
+import java.time.ZonedDateTime;
+import java.util.List;
+
+public record EuvdVulnerability(
+        String id,
+        String description,
+        @JsonFormat(shape = JsonFormat.Shape.STRING, pattern = "MMM d, yyyy, h:m:s a", locale = "en_US", timezone = /* TODO */ "UTC") ZonedDateTime datePublished,
+        @JsonFormat(shape = JsonFormat.Shape.STRING, pattern = "MMM d, yyyy, h:m:s a", locale = "en_US", timezone = /* TODO */ "UTC") ZonedDateTime dateUpdated,
+        Double baseScore,
+        String baseScoreVersion,
+        String baseScoreVector,
+        @JsonDeserialize(using = NewlineDelimitedListDeserializer.class) List<String> aliases,
+        @JsonDeserialize(using = NewlineDelimitedListDeserializer.class) List<String> references) {
+}

src/main/java/org/dependencytrack/vulndb/source/euvd/NewlineDelimitedListDeserializer.java

@@ -0,0 +1,19 @@
+package org.dependencytrack.vulndb.source.euvd;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+
+import java.io.IOException;
+import java.util.List;
+
+public final class NewlineDelimitedListDeserializer extends JsonDeserializer<List<String>> {
+
+    @Override
+    public List<String> deserialize(
+            final JsonParser jsonParser,
+            final DeserializationContext deserializationContext) throws IOException {
+        return jsonParser.readValueAs(String.class).lines().toList();
+    }
+
+}

src/main/resources/META-INF/services/org.dependencytrack.vulndb.api.Importer

@@ -1,3 +1,4 @@
+org.dependencytrack.vulndb.source.euvd.EuvdImporter
 org.dependencytrack.vulndb.source.github.GitHubImporter
 org.dependencytrack.vulndb.source.nvd.NvdImporter
 org.dependencytrack.vulndb.source.osv.OsvImporter