Skip to content

Fix when getting Vaadin analysis to also check the affected dependency group, name and version #157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Fix when getting Vaadin analysis to also check the affected dependency group, name and version #157

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b2791d5
Fix when getting Vaadin analysis to also check the affected dependenc…
tamasmak Dec 6, 2023
c981b9e
Merge branch 'main' into fix/fix/check-dep-group-name-version
tamasmak Dec 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 45 additions & 11 deletions appsec-kit-backend/src/main/java/com/vaadin/appsec/backend/AppSecDTOProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@

import org.apache.maven.artifact.versioning.ArtifactVersion;
import org.apache.maven.artifact.versioning.DefaultArtifactVersion;
import org.apache.maven.artifact.versioning.InvalidVersionSpecificationException;
import org.apache.maven.artifact.versioning.VersionRange;
import org.commonmark.node.Node;
import org.commonmark.parser.Parser;
import org.commonmark.renderer.html.HtmlRenderer;
Expand Down Expand Up @@ -405,26 +407,58 @@ private String getVulnerabilityId(OpenSourceVulnerability vulnerability) {
}

private Optional<AffectedVersion> getAffectedVersion(
Vulnerability vulnerabilityDTO) {
String vulnerabilityId = vulnerabilityDTO.getIdentifier();
VulnerabilityDetails vulnerability = AppSecService.getInstance()
.getVulnerabilityAnalysis().getVulnerabilities()
.get(vulnerabilityId);
if (vulnerability == null) {
Vulnerability vulnDTO) {
// Gets the vulnerability details provided in the vulnerability analysis
String vulnId = vulnDTO.getIdentifier();
VulnerabilityDetails vulnDetails = AppSecService.getInstance()
.getVulnerabilityAnalysis().getVulnerabilities().get(vulnId);
if (vulnDetails == null) {
return Optional.empty();
}

Dependency dependency = vulnerabilityDTO.getDependency();
String parentBomRef = dependency.getParentBomRef();
String groupAndName = dependency.getEcosystem() == Ecosystem.MAVEN
// Checks if the affected dependency's group and name equals to the
// provided dependency's group and name in the vulnerability analysis
com.vaadin.appsec.backend.model.analysis.Dependency analysisDep = vulnDetails
.getDependency();
Dependency vulnDep = vulnDTO.getDependency();
String analysisDepGroupAndName = analysisDep.getName();
String vulnDepGroupAndName = AppSecUtils.getDepGroupAndName(vulnDep);
if (!analysisDepGroupAndName.equals(vulnDepGroupAndName)) {
return Optional.empty();
}

// Checks if the affected dependency's version equals to the provided
// dependency's version in the vulnerability analysis
DefaultArtifactVersion vulnDepVersion = new DefaultArtifactVersion(
vulnDep.getVersion());
List<String> affectedVersions = analysisDep.getAffectedVersions();
boolean isAffected = affectedVersions.stream().map(affectedVersion -> {
try {
return VersionRange.createFromVersionSpec(affectedVersion);
} catch (InvalidVersionSpecificationException e) {
throw new AppSecException(
"Failed to parse vulnerability analysis dependency affected versions",
e);
}
}).anyMatch(range -> range.containsVersion(vulnDepVersion));
if (!isAffected) {
return Optional.empty();
}

// Gets the assessment provided in the vulnerability analysis for the
// affected dependency's parent
String parentBomRef = vulnDep.getParentBomRef();
String parentGroupAndName = vulnDep.getEcosystem() == Ecosystem.MAVEN
? AppSecUtils.bomRefToMavenGroupAndName(parentBomRef)
: AppSecUtils.bomRefToNpmGroupAndName(parentBomRef);
Assessment assessment = vulnerability.getAssessments()
.get(groupAndName);
Assessment assessment = vulnDetails.getAssessments()
.get(parentGroupAndName);
if (assessment == null) {
return Optional.empty();
}

// Checks if the affected dependency's parent version is within the
// range provided in the vulnerability analysis
return assessment.getAffectedVersions().values().stream().filter(
v -> v.isInRange(AppSecUtils.bomRefToVersion(parentBomRef)))
.findFirst();
Expand Down