/*
* Copyright 2021-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.metaeffekt.mirror.query;
import com.metaeffekt.artifact.analysis.utils.StringUtils;
import com.metaeffekt.artifact.analysis.version.Version;
import com.metaeffekt.artifact.enrichment.vulnerability.ghsa.GhsaEcosystem;
import com.metaeffekt.mirror.contents.advisory.GhsaAdvisorEntry;
import com.metaeffekt.mirror.contents.base.DataSourceIndicator;
import com.metaeffekt.mirror.index.IndexSearch;
import com.metaeffekt.mirror.index.advisor.GhsaAdvisorIndex;
import org.apache.lucene.document.Document;
import org.metaeffekt.core.inventory.processor.model.Artifact;
import java.io.File;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
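/**
 * Query front-end for the {@link GhsaAdvisorIndex}: looks up GHSA advisories by the
 * vulnerable-software coordinates they list.
 *
 * <p>Every lookup works in two stages. A coarse Lucene search narrows the candidate
 * documents via the {@code vulnerableSoftware} / {@code vulnerableSoftwareNamePhrases}
 * fields (and, when requested, {@code githubReviewed}); each candidate advisory's
 * vulnerable-software entries are then re-checked in memory with the exact predicate the
 * caller asked for. Only the in-memory check decides a match; the index search merely keeps
 * the candidate set small, so a looser tokenized phrase match there cannot produce a false
 * positive on its own.
 *
 * <p>Results map each matching advisory to a {@link DataSourceIndicator} naming the
 * vulnerable-software entry that matched the queried artifact. The first matching entry per
 * advisory is recorded; further entries of the same advisory are not reported.
 *
 * <p>Name handling differs between the two stages: a blank (non-{@code null}) name adds no
 * index constraint, but the in-memory filter only treats {@code null} as "unconstrained" and
 * compares any other value literally. Pass {@code null} for a coordinate that should not be
 * restricted.
 */
public class GhsaAdvisorIndexQuery extends AdvisorIndexQuery {

    /** Separators on which the index tokenizer splits vulnerable-software names. */
    private static final Pattern VS_NAME_SEPARATORS = Pattern.compile("[.:-]");

    /** Lucene field holding the ecosystem names of an advisory's vulnerable software. */
    private static final String FIELD_VULNERABLE_SOFTWARE = "vulnerableSoftware";

    /** Lucene field holding tokenized vulnerable-software names (phrase search). */
    private static final String FIELD_VS_NAME_PHRASES = "vulnerableSoftwareNamePhrases";

    /** Lucene field recording whether GitHub has reviewed the advisory. */
    private static final String FIELD_GITHUB_REVIEWED = "githubReviewed";

    /**
     * Creates a query over the GHSA advisor index located below {@code baseMirrorDirectory}.
     *
     * @param baseMirrorDirectory root directory of the local mirror
     */
    public GhsaAdvisorIndexQuery(File baseMirrorDirectory) {
        super(baseMirrorDirectory, GhsaAdvisorIndex.class);
    }

    /**
     * Materializes a GHSA advisory entry from its index document.
     *
     * @param document the Lucene document returned by the index search
     * @return the advisory entry parsed from {@code document}
     */
    @Override
    protected GhsaAdvisorEntry createAdvisoryEntry(Document document) {
        return GhsaAdvisorEntry.fromDocument(document);
    }

    /**
     * Rewrites a software name into the whitespace-separated token form used by the
     * {@code vulnerableSoftwareNamePhrases} field, so that phrase queries line up with the
     * way the index tokenized the name (split on {@code .}, {@code :} and {@code -}).
     *
     * @param name the raw name, e.g. a Maven groupId or a package name
     * @return the name with separators replaced by single spaces
     */
    private static String normalizeVsNameForLuceneIndexTokenizer(String name) {
        return String.join(" ", VS_NAME_SEPARATORS.split(name));
    }

    /**
     * Adds the constraints shared by every lookup to {@code searcher}: a phrase match on the
     * given name (skipped when the name is blank) and, when requested, the
     * GitHub-reviewed flag.
     *
     * @param searcher search to extend; mutated in place
     * @param name software name to match by phrase, may be {@code null} or blank
     * @param githubReviewed when {@code true}, restrict to advisories flagged as reviewed
     * @return {@code searcher}, for chaining
     */
    private static IndexSearch applyCommonConstraints(IndexSearch searcher, String name, boolean githubReviewed) {
        if (StringUtils.hasText(name)) {
            searcher.fieldContains(FIELD_VS_NAME_PHRASES, normalizeVsNameForLuceneIndexTokenizer(name));
        }
        if (githubReviewed) {
            searcher.fieldContains(FIELD_GITHUB_REVIEWED, "true");
        }
        return searcher;
    }

    /**
     * Finds GHSA advisories whose Maven vulnerable-software entries match the given
     * coordinates. Maven coordinates are compared case-sensitively; a {@code null} groupId,
     * artifactId or version leaves that coordinate unconstrained.
     *
     * @param originArtifact the artifact being matched, recorded in the resulting indicators
     * @param groupId Maven groupId to match exactly, or {@code null}
     * @param artifactId Maven artifactId to match exactly, or {@code null}
     * @param version version the vulnerable range must cover, or {@code null}
     * @param githubReviewed when {@code true}, only GitHub-reviewed advisories are returned
     * @return matching advisories mapped to the indicator of the entry that matched; empty if none
     */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByVsMaven(Artifact originArtifact, String groupId, String artifactId, Version version, boolean githubReviewed) {
        final String ecosystem = GhsaEcosystem.MAVEN.getName();
        final IndexSearch searcher = new IndexSearch().fieldContains(FIELD_VULNERABLE_SOFTWARE, ecosystem);
        // groupId is a Maven-only coordinate; the artifactId and reviewed flag are the shared part.
        if (StringUtils.hasText(groupId)) {
            searcher.fieldContains(FIELD_VS_NAME_PHRASES, normalizeVsNameForLuceneIndexTokenizer(groupId));
        }
        applyCommonConstraints(searcher, artifactId, githubReviewed);

        final Map<GhsaAdvisorEntry, DataSourceIndicator> result = new HashMap<>();
        for (Document document : super.index.findDocuments(searcher)) {
            final GhsaAdvisorEntry entry = createAdvisoryEntry(document);
            // Authoritative check: the index phrase match is only a pre-filter.
            entry.getVulnerableSoftwares().stream()
                    .filter(e -> Objects.equals(e.getEcosystem(), ecosystem)
                            && (groupId == null || StringUtils.equals(e.getMavenGroupId(), groupId))
                            && (artifactId == null || StringUtils.equals(e.getMavenArtifactId(), artifactId))
                            && (version == null || e.matches(version)))
                    .findFirst()
                    .ifPresent(e -> result.put(entry, DataSourceIndicator.ghsa(originArtifact, e.toString())));
        }
        return result;
    }

    /**
     * Finds GHSA advisories whose vulnerable-software entries in {@code ecosystem} match the
     * given package name (compared case-insensitively) and version.
     *
     * @param originArtifact the artifact being matched, recorded in the resulting indicators
     * @param ecosystem the GHSA ecosystem to search in; must not be {@code null}
     * @param artifactId package name to match, or {@code null} to leave it unconstrained
     * @param version version the vulnerable range must cover, or {@code null}
     * @param githubReviewed when {@code true}, only GitHub-reviewed advisories are returned
     * @return matching advisories mapped to the indicator of the entry that matched; empty if none
     * @throws NullPointerException if {@code ecosystem} is {@code null}
     */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByArtifactIdAndVersionInEcosystem(Artifact originArtifact, GhsaEcosystem ecosystem, String artifactId, Version version, boolean githubReviewed) {
        final String ecosystemName = Objects.requireNonNull(ecosystem, "ecosystem").getName();
        final IndexSearch searcher = applyCommonConstraints(
                new IndexSearch().fieldContains(FIELD_VULNERABLE_SOFTWARE, ecosystemName),
                artifactId, githubReviewed);

        final Map<GhsaAdvisorEntry, DataSourceIndicator> result = new HashMap<>();
        for (Document document : super.index.findDocuments(searcher)) {
            final GhsaAdvisorEntry entry = createAdvisoryEntry(document);
            entry.getVulnerableSoftwares().stream()
                    .filter(e -> Objects.equals(e.getEcosystem(), ecosystemName)
                            && (artifactId == null || artifactId.equalsIgnoreCase(e.getName()))
                            && (version == null || e.matches(version)))
                    .findFirst()
                    .ifPresent(e -> result.put(entry, DataSourceIndicator.ghsa(originArtifact, e.toString())));
        }
        return result;
    }

    /** Convenience for {@link #findByArtifactIdAndVersionInEcosystem} with {@link GhsaEcosystem#NPM}. */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByNpm(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.NPM, artifactId, version, githubReviewed);
    }

    /** Convenience for {@link #findByArtifactIdAndVersionInEcosystem} with {@link GhsaEcosystem#RUBY_GEMS}. */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByRubyGem(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.RUBY_GEMS, artifactId, version, githubReviewed);
    }

    /** Convenience for {@link #findByArtifactIdAndVersionInEcosystem} with {@link GhsaEcosystem#PY_PI}. */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByPythonPip(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.PY_PI, artifactId, version, githubReviewed);
    }

    /** Convenience for {@link #findByArtifactIdAndVersionInEcosystem} with {@link GhsaEcosystem#NU_GET}. */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByNuGet(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.NU_GET, artifactId, version, githubReviewed);
    }

    /** Convenience for {@link #findByArtifactIdAndVersionInEcosystem} with {@link GhsaEcosystem#HEX}. */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByHex(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.HEX, artifactId, version, githubReviewed);
    }

    /** Convenience for {@link #findByArtifactIdAndVersionInEcosystem} with {@link GhsaEcosystem#CRATES_IO}. */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByCratesIo(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.CRATES_IO, artifactId, version, githubReviewed);
    }

    /**
     * Finds GHSA advisories whose vulnerable-software entries match the given package name
     * (compared case-insensitively) and version in any ecosystem. Because no ecosystem
     * restricts the search, equally named packages from different ecosystems all match;
     * callers that know the ecosystem should prefer the ecosystem-specific lookups.
     *
     * @param originArtifact the artifact being matched, recorded in the resulting indicators
     * @param artifactId package name to match, or {@code null} to leave it unconstrained
     * @param version version the vulnerable range must cover, or {@code null}
     * @param githubReviewed when {@code true}, only GitHub-reviewed advisories are returned
     * @return matching advisories mapped to the indicator of the entry that matched; empty if none
     */
    public Map<GhsaAdvisorEntry, DataSourceIndicator> findByAnyEcosystem(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        final IndexSearch searcher = applyCommonConstraints(new IndexSearch(), artifactId, githubReviewed);

        final Map<GhsaAdvisorEntry, DataSourceIndicator> result = new HashMap<>();
        for (Document document : super.index.findDocuments(searcher)) {
            final GhsaAdvisorEntry entry = createAdvisoryEntry(document);
            entry.getVulnerableSoftwares().stream()
                    .filter(e -> (artifactId == null || artifactId.equalsIgnoreCase(e.getName()))
                            && (version == null || e.matches(version)))
                    .findFirst()
                    .ifPresent(e -> result.put(entry, DataSourceIndicator.ghsa(originArtifact, e.toString())));
        }
        return result;
    }
}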