/*
* Copyright 2021-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.metaeffekt.artifact.enrichment.configurations;
import com.metaeffekt.artifact.analysis.utils.StringUtils;
import com.metaeffekt.artifact.analysis.vulnerability.enrichment.filter.FilterAttribute;
import com.metaeffekt.artifact.analysis.vulnerability.enrichment.vulnerabilitystatus.VulnerabilityStatus;
import com.metaeffekt.artifact.enrichment.validation.InventoryValidationEnrichment;
import com.metaeffekt.artifact.enrichment.validation.VulnerabilityInventoryValidator;
import com.metaeffekt.mirror.contents.store.AdvisoryTypeIdentifier;
import com.metaeffekt.mirror.contents.vulnerability.Vulnerability;
import lombok.Getter;
import org.json.JSONArray;
import org.json.JSONObject;
import org.metaeffekt.core.inventory.processor.configuration.ProcessConfiguration;
import org.metaeffekt.core.inventory.processor.configuration.ProcessMisconfiguration;
import org.metaeffekt.core.inventory.processor.model.Artifact;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.util.*;
import java.util.stream.Collectors;
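/**
 * Configuration of the vulnerability assessment dashboard (VAD) enrichment: result limits, timeline
 * settings, fail-fast switches, output locations and the per-vulnerability detail levels.
 * <p>
 * All setters return {@code this} so the configuration can be built fluently. {@link #getProperties()} and
 * {@link #setProperties(LinkedHashMap)} round-trip the same values through the generic property map of
 * {@link ProcessConfiguration}, and {@link #collectMisconfigurations(List)} reports invalid limits.
 * <p>
 * NOTE(review): the generic type arguments in this listing were restored from how the fields and parameters
 * are used (e.g. {@code Set<Artifact>}, {@code List<VadDetailLevelConfiguration>}); confirm them against the
 * canonical source before relying on the exact signatures.
 */
public class VulnerabilityAssessmentDashboardEnrichmentConfiguration extends ProcessConfiguration {

    private static final Logger LOG = LoggerFactory.getLogger(VulnerabilityAssessmentDashboardEnrichmentConfiguration.class);

    /** Upper bound on the number of vulnerabilities rendered into one dashboard; validated to be {@code >= 1}. */
    @Getter
    private int maximumVulnerabilitiesPerDashboardCount = Integer.MAX_VALUE;

    /** Raw include-filter expression; parsed into {@link #vulnerabilityIncludeFilterAttribute} on demand. */
    private String vulnerabilityIncludeFilter = null;
    /** Parsed form of {@link #vulnerabilityIncludeFilter}; discarded whenever the raw filter changes. */
    private FilterAttribute vulnerabilityIncludeFilterAttribute = null;

    // Timeline limits: validated to be >= -1 (presumably -1 disables the limit — confirm in the timeline
    // generator) and the time budgets to be >= 0.
    @Getter
    private int maximumCpeForTimelinesPerVulnerability = Integer.MAX_VALUE;
    @Getter
    private int maximumVulnerabilitiesPerTimeline = Integer.MAX_VALUE;
    @Getter
    private int maximumVersionsPerTimeline = Integer.MAX_VALUE;
    @Getter
    private int maximumTimeSpentOnTimelines = Integer.MAX_VALUE;
    @Getter
    private int maximumTimeSpentPerTimeline = Integer.MAX_VALUE;

    @Getter
    private boolean vulnerabilityTimelinesGlobalEnabled = true;
    @Getter
    private boolean vulnerabilityTimelineHideIrrelevantVersions = true;

    /** Fail the enrichment when a vulnerability carries no explicitly specified risk. */
    @Getter
    private boolean failOnVulnerabilityWithoutSpecifiedRisk = true;
    /** Fail the enrichment when advisories have not been reviewed. */
    @Getter
    private boolean failOnUnreviewedAdvisories = true;

    /** Directory the generated SVG charts are written to; optional. */
    @Getter
    private File svgDirectory;
    @Getter
    private VulnerabilityCvssSvgChartInterpolationMethod vulnerabilitySvgChartInterpolationMethod = VulnerabilityCvssSvgChartInterpolationMethod.BASE_METRICS;

    /** Detail-level configurations in insertion order; exposed read-only through the Lombok getter. */
    @Getter
    private final List<VadDetailLevelConfiguration> detailLevels = new ArrayList<>();

    /**
     * Represents a {@link List}<{@link Map}<{@link String}, {@link String}>> serialised as a JSON array string.
     * The key "name" is mandatory and can optionally be combined with an "implementation" value. If the implementation
     * is not specified, the name will be used as the implementation. Each list entry represents a single advisory type.
     * <p>
     * Whether to fail if there are security advisories from certain providers that are not listed as reviewed in the
     * status YAML files.
     * <p>
     * Example:
     * <pre>
     * [{"name":"CERT_FR"},
     *  {"name":"CERT_SEI"},
     *  {"name":"RHSA","implementation":"CSAF"}]
     * </pre>
     *
     * WARNING: This property is currently not implemented due to a lack of interest in this functionality.
     * It should probably be moved to the {@link InventoryValidationEnrichment} as a
     * {@link VulnerabilityInventoryValidator}.
     */
    private String failOnUnreviewedAdvisoriesTypes = new JSONArray().toString();

    /** Target file of the rendered dashboard; mandatory, see {@link #collectMisconfigurations(List)}. */
    @Getter
    private File outputDashboardFile = null;

    /**
     * No-op kept for configuration compatibility; the value is ignored.
     *
     * @deprecated use the security configuration {@code includeScoreThreshold} instead.
     */
    @Deprecated
    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setMinimumVulnerabilityIncludeScore(double minimumVulnerabilityIncludeScore) {
        LOG.warn("The minimumVulnerabilityIncludeScore [{}] is deprecated. Please use the security configuration includeScoreThreshold instead.", minimumVulnerabilityIncludeScore);
        return this;
    }

    /**
     * No-op kept for configuration compatibility; the value is ignored. Logged at WARN like its deprecated
     * sibling above, as a deprecation notice is not an error condition.
     *
     * @deprecated use the security configuration {@code insignificantThreshold} instead.
     */
    @Deprecated
    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setInsignificantThreshold(double insignificantThreshold) {
        LOG.warn("The insignificantThreshold [{}] is deprecated. Please use the security configuration insignificantThreshold instead.", insignificantThreshold);
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setMaximumVulnerabilitiesPerDashboardCount(int maximumVulnerabilitiesPerDashboardCount) {
        this.maximumVulnerabilitiesPerDashboardCount = maximumVulnerabilitiesPerDashboardCount;
        return this;
    }

    /**
     * Returns the parsed include filter, parsing {@link #vulnerabilityIncludeFilter} on first access.
     *
     * @return the parsed attribute, or {@code null} when no (non-blank) filter string is configured.
     */
    public FilterAttribute getVulnerabilityIncludeFilterAttribute() {
        if (this.vulnerabilityIncludeFilterAttribute == null && StringUtils.hasText(this.vulnerabilityIncludeFilter)) {
            this.vulnerabilityIncludeFilterAttribute = FilterAttribute.fromString(this.vulnerabilityIncludeFilter);
        }
        return this.vulnerabilityIncludeFilterAttribute;
    }

    /**
     * Sets the raw include filter and re-parses it eagerly.
     * <p>
     * The parsed attribute is always replaced here: previously it was only filled when still {@code null}, so a
     * filter set after the first one had been parsed kept serving the stale, earlier attribute.
     *
     * @param vulnerabilityIncludeFilter filter expression; blank or {@code null} clears the filter.
     */
    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setVulnerabilityIncludeFilter(String vulnerabilityIncludeFilter) {
        this.vulnerabilityIncludeFilter = vulnerabilityIncludeFilter;
        this.vulnerabilityIncludeFilterAttribute = StringUtils.hasText(vulnerabilityIncludeFilter)
                ? FilterAttribute.fromString(vulnerabilityIncludeFilter)
                : null;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setMaximumCpeForTimelinesPerVulnerability(int maximumCpeForTimelinesPerVulnerability) {
        this.maximumCpeForTimelinesPerVulnerability = maximumCpeForTimelinesPerVulnerability;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setMaximumVulnerabilitiesPerTimeline(int maximumVulnerabilitiesPerTimeline) {
        this.maximumVulnerabilitiesPerTimeline = maximumVulnerabilitiesPerTimeline;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setMaximumVersionsPerTimeline(int maximumVersionsPerTimeline) {
        this.maximumVersionsPerTimeline = maximumVersionsPerTimeline;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setMaximumTimeSpentOnTimelines(int maximumTimeSpentOnTimelines) {
        this.maximumTimeSpentOnTimelines = maximumTimeSpentOnTimelines;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setMaximumTimeSpentPerTimeline(int maximumTimeSpentPerTimeline) {
        this.maximumTimeSpentPerTimeline = maximumTimeSpentPerTimeline;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setVulnerabilityTimelinesGlobalEnabled(boolean vulnerabilityTimelinesGlobalEnabled) {
        this.vulnerabilityTimelinesGlobalEnabled = vulnerabilityTimelinesGlobalEnabled;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setVulnerabilityTimelineHideIrrelevantVersions(boolean vulnerabilityTimelineHideIrrelevantVersions) {
        this.vulnerabilityTimelineHideIrrelevantVersions = vulnerabilityTimelineHideIrrelevantVersions;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setFailOnVulnerabilityWithoutSpecifiedRisk(boolean failOnVulnerabilityWithoutSpecifiedRisk) {
        this.failOnVulnerabilityWithoutSpecifiedRisk = failOnVulnerabilityWithoutSpecifiedRisk;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setFailOnUnreviewedAdvisories(boolean failOnUnreviewedAdvisories) {
        this.failOnUnreviewedAdvisories = failOnUnreviewedAdvisories;
        return this;
    }

    /**
     * Parses {@link #failOnUnreviewedAdvisoriesTypes} into advisory type identifiers.
     *
     * @return the identifiers as produced by {@code AdvisorPeriodicEnrichmentConfiguration.parseAdvisoryProviders}.
     */
    public List<AdvisoryTypeIdentifier<?>> getFailOnUnreviewedAdvisoriesTypes() {
        return AdvisorPeriodicEnrichmentConfiguration.parseAdvisoryProviders(failOnUnreviewedAdvisoriesTypes);
    }

    /** Stores the given array verbatim (as its JSON string form). */
    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setFailOnUnreviewedAdvisoriesTypes(JSONArray failOnUnreviewedAdvisoriesTypes) {
        this.failOnUnreviewedAdvisoriesTypes = failOnUnreviewedAdvisoriesTypes.toString();
        return this;
    }

    /**
     * Stores the given name-to-implementation map; a blank or {@code null} implementation falls back to the name.
     *
     * @param failOnUnreviewedAdvisoriesTypes advisory type name mapped to its implementation name.
     */
    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setFailOnUnreviewedAdvisoriesTypes(Map<String, String> failOnUnreviewedAdvisoriesTypes) {
        final JSONArray advisoryTypes = new JSONArray();
        failOnUnreviewedAdvisoriesTypes.forEach((name, implementation) ->
                advisoryTypes.put(advisoryTypeJson(name, StringUtils.hasText(implementation) ? implementation : name)));
        this.failOnUnreviewedAdvisoriesTypes = advisoryTypes.toString();
        return this;
    }

    /**
     * Stores the given identifiers. Unlike the {@link Map} overload, no name fallback is applied to the
     * implementation; each identifier is written as it reports itself.
     */
    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setFailOnUnreviewedAdvisoriesTypes(List<AdvisoryTypeIdentifier<?>> failOnUnreviewedAdvisoriesTypes) {
        final JSONArray advisoryTypes = new JSONArray();
        for (AdvisoryTypeIdentifier<?> identifier : failOnUnreviewedAdvisoriesTypes) {
            advisoryTypes.put(advisoryTypeJson(identifier.getName(), identifier.getImplementation()));
        }
        this.failOnUnreviewedAdvisoriesTypes = advisoryTypes.toString();
        return this;
    }

    /** Appends one identifier to the stored JSON array (parsed from and written back to its string form). */
    public VulnerabilityAssessmentDashboardEnrichmentConfiguration addFailOnUnreviewedAdvisoriesType(AdvisoryTypeIdentifier<?> failOnUnreviewedAdvisoriesType) {
        final JSONObject advisoryType = advisoryTypeJson(failOnUnreviewedAdvisoriesType.getName(), failOnUnreviewedAdvisoriesType.getImplementation());
        this.failOnUnreviewedAdvisoriesTypes = new JSONArray(this.failOnUnreviewedAdvisoriesTypes).put(advisoryType).toString();
        return this;
    }

    /** Builds the JSON form of one advisory type entry: {@code {"name": ..., "implementation": ...}}. */
    private static JSONObject advisoryTypeJson(String name, String implementation) {
        return new JSONObject().put("name", name).put("implementation", implementation);
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setOutputDashboardFile(File outputDashboardFile) {
        this.outputDashboardFile = outputDashboardFile;
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setSvgDirectory(File svgDirectory) {
        this.svgDirectory = svgDirectory;
        return this;
    }

    /**
     * Selects the detail levels whose matcher accepts the given vulnerability.
     *
     * @param vulnerability the vulnerability to match.
     * @param status        its assessment status.
     * @param artifacts     the artifacts the vulnerability is attached to.
     * @return the matching detail levels in configuration order; empty when none match.
     */
    public List<VadDetailLevelConfiguration> getDetailLevels(Vulnerability vulnerability, VulnerabilityStatus status, Set<Artifact> artifacts) {
        final List<VadDetailLevelConfiguration> matching = new ArrayList<>();
        for (VadDetailLevelConfiguration detailLevel : detailLevels) {
            if (detailLevel.getMatcher().matches(vulnerability, status, artifacts)) {
                matching.add(detailLevel);
            }
        }
        return matching;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration addDetailLevel(VadDetailLevelConfiguration detailLevel) {
        detailLevels.add(detailLevel);
        return this;
    }

    /**
     * Replaces all detail levels. The argument is copied before the internal list is cleared, so passing the
     * list obtained from {@link #getDetailLevels()} (the same instance) no longer empties the configuration.
     */
    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setDetailLevels(List<VadDetailLevelConfiguration> detailLevels) {
        final List<VadDetailLevelConfiguration> replacement = new ArrayList<>(detailLevels);
        this.detailLevels.clear();
        this.detailLevels.addAll(replacement);
        return this;
    }

    public VulnerabilityAssessmentDashboardEnrichmentConfiguration setVulnerabilitySvgChartInterpolationMethod(VulnerabilityCvssSvgChartInterpolationMethod vulnerabilitySvgChartInterpolationMethod) {
        this.vulnerabilitySvgChartInterpolationMethod = vulnerabilitySvgChartInterpolationMethod;
        return this;
    }

    /**
     * Exports the configuration as an ordered property map. {@code vulnerabilityIncludeFilterAttribute} is
     * included for inspection only; {@link #setProperties(LinkedHashMap)} derives it from the raw filter.
     */
    @Override
    public LinkedHashMap<String, Object> getProperties() {
        final LinkedHashMap<String, Object> properties = new LinkedHashMap<>();
        properties.put("maximumVulnerabilitiesPerDashboardCount", maximumVulnerabilitiesPerDashboardCount);
        properties.put("vulnerabilityIncludeFilter", vulnerabilityIncludeFilter);
        properties.put("vulnerabilityIncludeFilterAttribute", vulnerabilityIncludeFilterAttribute);
        properties.put("maximumCpeForTimelinesPerVulnerability", maximumCpeForTimelinesPerVulnerability);
        properties.put("maximumVulnerabilitiesPerTimeline", maximumVulnerabilitiesPerTimeline);
        properties.put("maximumVersionsPerTimeline", maximumVersionsPerTimeline);
        properties.put("maximumTimeSpentOnTimelines", maximumTimeSpentOnTimelines);
        properties.put("maximumTimeSpentPerTimeline", maximumTimeSpentPerTimeline);
        properties.put("vulnerabilityTimelinesGlobalEnabled", vulnerabilityTimelinesGlobalEnabled);
        properties.put("vulnerabilityTimelineHideIrrelevantVersions", vulnerabilityTimelineHideIrrelevantVersions);
        properties.put("failOnVulnerabilityWithoutSpecifiedRisk", failOnVulnerabilityWithoutSpecifiedRisk);
        properties.put("failOnUnreviewedAdvisories", failOnUnreviewedAdvisories);
        properties.put("failOnUnreviewedAdvisoriesTypes", failOnUnreviewedAdvisoriesTypes);
        properties.put("outputDashboardFile", outputDashboardFile);
        properties.put("svgDirectory", svgDirectory);
        properties.put("vulnerabilitySvgChartInterpolationMethod", vulnerabilitySvgChartInterpolationMethod);
        properties.put("detailLevels", detailLevels.stream().map(VadDetailLevelConfiguration::getProperties).collect(Collectors.toList()));
        return properties;
    }

    /**
     * Loads the configuration from a property map; absent keys leave the current value untouched (the
     * {@code load*Property} helpers of the superclass decide that). File properties are created from the
     * string value as given and are not canonicalised here.
     */
    @Override
    public void setProperties(LinkedHashMap<String, Object> properties) {
        super.loadIntegerProperty(properties, "maximumVulnerabilitiesPerDashboardCount", this::setMaximumVulnerabilitiesPerDashboardCount);
        super.loadStringProperty(properties, "vulnerabilityIncludeFilter", this::setVulnerabilityIncludeFilter);
        super.loadIntegerProperty(properties, "maximumCpeForTimelinesPerVulnerability", this::setMaximumCpeForTimelinesPerVulnerability);
        super.loadIntegerProperty(properties, "maximumVulnerabilitiesPerTimeline", this::setMaximumVulnerabilitiesPerTimeline);
        super.loadIntegerProperty(properties, "maximumVersionsPerTimeline", this::setMaximumVersionsPerTimeline);
        super.loadIntegerProperty(properties, "maximumTimeSpentOnTimelines", this::setMaximumTimeSpentOnTimelines);
        super.loadIntegerProperty(properties, "maximumTimeSpentPerTimeline", this::setMaximumTimeSpentPerTimeline);
        super.loadBooleanProperty(properties, "vulnerabilityTimelinesGlobalEnabled", this::setVulnerabilityTimelinesGlobalEnabled);
        super.loadBooleanProperty(properties, "vulnerabilityTimelineHideIrrelevantVersions", this::setVulnerabilityTimelineHideIrrelevantVersions);
        super.loadBooleanProperty(properties, "failOnVulnerabilityWithoutSpecifiedRisk", this::setFailOnVulnerabilityWithoutSpecifiedRisk);
        super.loadBooleanProperty(properties, "failOnUnreviewedAdvisories", this::setFailOnUnreviewedAdvisories);
        super.loadJsonArrayProperty(properties, "failOnUnreviewedAdvisoriesTypes", this::setFailOnUnreviewedAdvisoriesTypes);
        // valueOf throws IllegalArgumentException for an unknown enum name, so a typo fails loudly at load time
        super.loadProperty(properties, "vulnerabilitySvgChartInterpolationMethod", obj -> VulnerabilityCvssSvgChartInterpolationMethod.valueOf(String.valueOf(obj)), this::setVulnerabilitySvgChartInterpolationMethod);
        super.loadProperty(properties, "outputDashboardFile", obj -> new File(String.valueOf(obj)), this::setOutputDashboardFile);
        super.loadProperty(properties, "svgDirectory", obj -> new File(String.valueOf(obj)), this::setSvgDirectory);
        super.loadSubConfigurations(properties, "detailLevels", VadDetailLevelConfiguration::new, this::setDetailLevels);
    }

    /**
     * Validates the limits and the mandatory output file, delegating to each detail level first.
     *
     * @param misconfigurations sink that receives one entry per violated constraint.
     */
    @Override
    protected void collectMisconfigurations(List<ProcessMisconfiguration> misconfigurations) {
        for (VadDetailLevelConfiguration config : detailLevels) {
            config.collectMisconfigurations(misconfigurations);
        }
        if (maximumVulnerabilitiesPerDashboardCount < 1) {
            misconfigurations.add(new ProcessMisconfiguration("maximumVulnerabilitiesPerDashboardCount", "must be greater than 0"));
        }
        if (maximumCpeForTimelinesPerVulnerability < -1) {
            misconfigurations.add(new ProcessMisconfiguration("maximumCpeForTimelinesPerVulnerability", "must be greater or equal to -1"));
        }
        if (maximumVulnerabilitiesPerTimeline < -1) {
            misconfigurations.add(new ProcessMisconfiguration("maximumVulnerabilitiesPerTimeline", "must be greater or equal to -1"));
        }
        if (maximumVersionsPerTimeline < -1) {
            misconfigurations.add(new ProcessMisconfiguration("maximumVersionsPerTimeline", "must be greater or equal to -1"));
        }
        if (maximumTimeSpentOnTimelines < 0) {
            misconfigurations.add(new ProcessMisconfiguration("maximumTimeSpentOnTimelines", "must be greater or equal to 0"));
        }
        if (maximumTimeSpentPerTimeline < 0) {
            misconfigurations.add(new ProcessMisconfiguration("maximumTimeSpentPerTimeline", "must be greater or equal to 0"));
        }
        if (outputDashboardFile == null) {
            misconfigurations.add(new ProcessMisconfiguration("outputDashboardFile", "must be specified"));
        }
    }

    /** Interpolation methods for the CVSS SVG chart; how each one is rendered is defined by the chart generator. */
    public enum VulnerabilityCvssSvgChartInterpolationMethod {
        LINEAR,
        BASE_METRICS
    }
}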