• Home
• com.metaeffekt.artifact.analysis
• ae-artifact-analysis
• 0.122.0
• source code
• GhsaVulnerabilitiesEnrichment.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.metaeffekt.artifact.enrichment.vulnerability.ghsa.GhsaVulnerabilitiesEnrichment Maven / Gradle / Ivy

/*
 * Copyright 2021-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.metaeffekt.artifact.enrichment.vulnerability.ghsa;

import com.metaeffekt.artifact.analysis.utils.LazySupplier;
import com.metaeffekt.artifact.enrichment.InventoryEnricher;
import com.metaeffekt.artifact.enrichment.configurations.GhsaVulnerabilitiesEnrichmentConfiguration;
import com.metaeffekt.mirror.contents.advisory.GhsaAdvisorEntry;
import com.metaeffekt.mirror.contents.base.DataSourceIndicator;
import com.metaeffekt.mirror.contents.base.VulnerabilityContextInventory;
import com.metaeffekt.mirror.contents.store.VulnerabilityTypeStore;
import com.metaeffekt.mirror.contents.vulnerability.Vulnerability;
import com.metaeffekt.mirror.download.documentation.EnricherMetadata;
import com.metaeffekt.mirror.download.documentation.InventoryEnrichmentPhase;
import com.metaeffekt.mirror.query.GhsaAdvisorIndexQuery;
import org.metaeffekt.core.inventory.processor.model.Artifact;
import org.metaeffekt.core.inventory.processor.model.Inventory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.util.List;
import java.util.Map;
import java.util.Set;

@EnricherMetadata(
        name = "GHSA Vulnerabilities", phase = InventoryEnrichmentPhase.VULNERABILITY_MATCHING,
        intermediateFileSuffix = "ghsa-cve", mavenPropertyName = "ghsaVulnerabilitiesEnrichment"
)
public class GhsaVulnerabilitiesEnrichment extends InventoryEnricher {

    private final static Logger LOG = LoggerFactory.getLogger(GhsaVulnerabilitiesEnrichment.class);

    private final LazySupplier ghsaAdvisorQuery;

    private GhsaVulnerabilitiesEnrichmentConfiguration configuration = new GhsaVulnerabilitiesEnrichmentConfiguration();

    public GhsaVulnerabilitiesEnrichment(File baseMirrorDirectory) {
        ghsaAdvisorQuery = new LazySupplier<>(() -> new GhsaAdvisorIndexQuery(baseMirrorDirectory));
    }

    public void setConfiguration(GhsaVulnerabilitiesEnrichmentConfiguration configuration) {
        this.configuration = configuration;
    }

    @Override
    public GhsaVulnerabilitiesEnrichmentConfiguration getConfiguration() {
        return configuration;
    }

    @Override
    protected void performEnrichment(Inventory inventory) {
        final List matchers = configuration.buildMatchers(ghsaAdvisorQuery.get());

        final VulnerabilityContextInventory vInventory = VulnerabilityContextInventory.fromInventory(inventory);

        LOG.info("Matching GHSA vulnerabilities for [{}] artifacts using [{}] matcher{}", inventory.getArtifacts().size(), matchers.size(), matchers.size() > 1 ? "s" : "");

        for (final Artifact artifact : inventory.getArtifacts()) {
            for (GhsaArtifactVulnerabilityMatcher matcher : matchers) {
                if (matcher.mayMatch(artifact)) {
                    final Map ghsaAdvisorEntries = matcher.match(artifact);

                    // differentiate entries based on whether they have CVEs or not.
                    // we are mainly interested in the entries that have vulnerabilities in this step
                    for (Map.Entry matchedEntry : ghsaAdvisorEntries.entrySet()) {
                        final GhsaAdvisorEntry ghsaAdvisorEntry = matchedEntry.getKey();
                        final DataSourceIndicator dataSourceIndicator = matchedEntry.getValue();

                        final Set entryCves = ghsaAdvisorEntry.getReferencedVulnerabilities(VulnerabilityTypeStore.CVE);
                        if (entryCves.isEmpty()) {
                            vInventory.add(vInventory.findOrCreateAdvisoryEntryByName(ghsaAdvisorEntry.getId(), GhsaAdvisorEntry::new)
                                    .addMatchingSource(dataSourceIndicator));
                        } else {
                            for (String entryCve : entryCves) {
                                final Vulnerability vulnerability = vInventory
                                        .findOrCreateVulnerabilityByName(entryCve)
                                        .addMatchingSource(dataSourceIndicator);
                                vulnerability.setSourceIdentifier(VulnerabilityTypeStore.CVE);
                                vInventory.add(vulnerability);
                            }
                        }
                    }
                }
            }
        }

        vInventory.writeBack(true);
    }
}