-
Notifications
You must be signed in to change notification settings - Fork 381
Expand file tree
/
Copy pathOssIndex.kt
More file actions
146 lines (124 loc) · 5.8 KB
/
OssIndex.kt
File metadata and controls
146 lines (124 loc) · 5.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
/*
* Copyright (C) 2021 The ORT Project Copyright Holders <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* License-Filename: LICENSE
*/
package org.ossreviewtoolkit.plugins.advisors.ossindex
import java.net.URI
import java.time.Instant
import kotlin.coroutines.cancellation.CancellationException
import kotlinx.coroutines.currentCoroutineContext
import kotlinx.coroutines.ensureActive
import org.apache.logging.log4j.kotlin.logger
import org.ossreviewtoolkit.clients.ossindex.OssIndexService
import org.ossreviewtoolkit.clients.ossindex.OssIndexService.ComponentReport
import org.ossreviewtoolkit.clients.ossindex.OssIndexService.ComponentReportRequest
import org.ossreviewtoolkit.model.AdvisorDetails
import org.ossreviewtoolkit.model.AdvisorResult
import org.ossreviewtoolkit.model.AdvisorSummary
import org.ossreviewtoolkit.model.Issue
import org.ossreviewtoolkit.model.Package
import org.ossreviewtoolkit.model.vulnerabilities.Cvss2Rating
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.plugins.advisors.api.AdviceProvider
import org.ossreviewtoolkit.plugins.advisors.api.AdviceProviderFactory
import org.ossreviewtoolkit.plugins.api.OrtPlugin
import org.ossreviewtoolkit.plugins.api.PluginDescriptor
import org.ossreviewtoolkit.utils.common.collectMessages
import org.ossreviewtoolkit.utils.ort.OkHttpClientHelper
/**
* The number of packages to request from Sonatype OSS Index in one request.
*/
private const val BULK_REQUEST_SIZE = 128
/**
* A wrapper for Sonatype's [OSS Index](https://www.sonatype.com/products/sonatype-guide/oss-index-users/) security
* vulnerability data.
*/
@OrtPlugin(
id = "OSSIndex",
displayName = "OSS Index",
summary = "An advisor that uses Sonatype's OSS Index to determine vulnerabilities in dependencies.",
factory = AdviceProviderFactory::class
)
class OssIndex(
override val descriptor: PluginDescriptor = OssIndexFactory.descriptor,
config: OssIndexConfiguration
) : AdviceProvider {
override val details = AdvisorDetails(descriptor.id)
private val service by lazy {
OssIndexService.create(
config.serverUrl,
config.username,
config.token.value,
OkHttpClientHelper.buildClient()
)
}
override suspend fun retrievePackageFindings(packages: Set<Package>): Map<Package, AdvisorResult> {
val startTime = Instant.now()
val purls = packages.mapNotNull { pkg -> pkg.purl.ifEmpty { null } }
val chunks = purls.chunked(BULK_REQUEST_SIZE)
val componentReports = mutableMapOf<String, ComponentReport>()
val issues = mutableListOf<Issue>()
chunks.forEachIndexed { index, chunk ->
logger.debug { "Getting report for ${chunk.size} components (chunk ${index + 1} of ${chunks.size})." }
runCatching {
val results = service.getAuthorizedComponentReport(ComponentReportRequest(chunk)).associateBy {
it.coordinates
}
componentReports += results.filterValues { it.vulnerabilities.isNotEmpty() }
}.onFailure {
if (it is CancellationException) currentCoroutineContext().ensureActive()
// Create dummy reports for all components in the chunk as the current data model does not allow to
// return issues that are not associated to any package.
componentReports += chunk.associateWith { purl ->
ComponentReport(purl, reference = "", vulnerabilities = emptyList())
}
issues += Issue(source = descriptor.displayName, message = it.collectMessages())
}
}
val endTime = Instant.now()
return packages.mapNotNullTo(mutableListOf()) { pkg ->
componentReports[pkg.purl]?.let { report ->
pkg to AdvisorResult(
details,
AdvisorSummary(startTime, endTime, issues),
vulnerabilities = report.vulnerabilities.map { it.toVulnerability() }
)
}
}.toMap()
}
/**
* Construct an [ORT Vulnerability][Vulnerability] from an [OssIndexService Vulnerability]
* [OssIndexService.Vulnerability].
*/
private fun OssIndexService.Vulnerability.toVulnerability(): Vulnerability {
// Only CVSS version 2 vectors do not contain the "CVSS:" label and version prefix.
val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.PREFIXES.first())
val severity = VulnerabilityReference.getQualitativeRating(scoringSystem, cvssScore)?.name
val reference = VulnerabilityReference(URI(reference), scoringSystem, severity, cvssScore, cvssVector)
val references = mutableListOf(reference)
externalReferences?.mapTo(references) { reference.copy(url = URI(it)) }
return Vulnerability(
id = cve ?: displayName ?: title,
summary = title.removePrefix("[$cve]").trimStart()
.removePrefix(cwe.orEmpty()).trimStart()
.removePrefix(":").trimStart(),
description = description,
references = references
)
}
}