com.metaeffekt.mirror.query.NvdCveIndexQuery Maven / Gradle / Ivy
/*
* Copyright 2021-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.metaeffekt.mirror.query;
import com.metaeffekt.artifact.analysis.utils.LruLinkedHashMap;
import com.metaeffekt.mirror.contents.store.VulnerabilityTypeIdentifier;
import com.metaeffekt.mirror.contents.store.VulnerabilityTypeStore;
import com.metaeffekt.mirror.contents.vulnerability.Vulnerability;
import com.metaeffekt.mirror.contents.vulnerability.VulnerableSoftwareVersionRangeCpe;
import com.metaeffekt.mirror.index.IndexSearch;
import com.metaeffekt.mirror.index.nvd.NvdCveApiIndex;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.lucene.document.Document;
import org.apache.lucene.queryparser.flexible.standard.QueryParserUtil;
import org.metaeffekt.core.inventory.processor.model.Constants;
import us.springett.parsers.cpe.Cpe;
import java.io.File;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
@Slf4j
public class NvdCveIndexQuery extends VulnerabilityIndexQuery {
private final Map vulnerabilityByNameCache = new LruLinkedHashMap<>(1000);
private final Map> documentByVendorProductCache = new LruLinkedHashMap<>(1000);
public NvdCveIndexQuery(File baseMirrorDirectory) {
super(baseMirrorDirectory, NvdCveApiIndex.class);
}
@Override
public VulnerabilityTypeIdentifier> getVulnerabilityType() {
return VulnerabilityTypeStore.CVE;
}
private Optional findVulnerabilityByNameInternal(String name) {
return super.getIndex().findDocuments(new IndexSearch().fieldEquals("name", name)).stream()
.map(this::fromDocument)
.findFirst();
}
@Override
public List findAll() {
return super.getIndex().findAllDocuments().stream()
.map(this::fromDocument)
.collect(Collectors.toList());
}
@Override
public Optional findVulnerabilityByName(String name) {
if (vulnerabilityByNameCache.containsKey(name)) {
return Optional.of(vulnerabilityByNameCache.get(name));
}
return findVulnerabilityByNameInternal(name).map(v -> {
vulnerabilityByNameCache.put(name, v);
return v;
});
}
@Override
public List findVulnerabilitiesByFlatAffectedConfiguration(Cpe cpe) {
final String key = cpe.getVendor() + ":" + cpe.getProduct();
if (documentByVendorProductCache.containsKey(key)) {
return documentByVendorProductCache.get(key).stream()
.filter(v -> v.cpeFlatMatchesVulnerableSoftware(cpe))
.sorted(Vulnerability.COMPARE_BY_NAME)
.collect(Collectors.toList());
} else {
final List vulnerabilityDocuments = searchIndexForCpe(cpe);
documentByVendorProductCache.put(key, vulnerabilityDocuments);
return vulnerabilityDocuments.stream()
.distinct()
.filter(v -> v.cpeFlatMatchesVulnerableSoftware(cpe))
.sorted(Vulnerability.COMPARE_BY_NAME)
.collect(Collectors.toList());
}
}
@Override
public Map findVulnerabilitiesByFlatAffectedConfigurationRetainSource(Cpe cpe) {
final String key = cpe.getVendor() + ":" + cpe.getProduct();
if (documentByVendorProductCache.containsKey(key)) {
return documentByVendorProductCache.get(key).stream()
.map(v -> Pair.of(v, v.getCpeFlatMatchedVulnerableSoftware(cpe)))
.filter(p -> p.getRight() != null)
.collect(Collectors.toMap(Pair::getLeft, Pair::getRight));
} else {
final List vulnerabilityDocuments = searchIndexForCpe(cpe);
documentByVendorProductCache.put(key, vulnerabilityDocuments);
return vulnerabilityDocuments.stream()
.distinct()
.map(v -> Pair.of(v, v.getCpeFlatMatchedVulnerableSoftware(cpe)))
.filter(p -> p.getRight() != null)
.collect(Collectors.toMap(Pair::getLeft, Pair::getRight));
}
}
private List searchIndexForCpe(Cpe cpe) {
final boolean vendorAsterisk = Constants.ASTERISK.equals(cpe.getVendor());
final boolean productAsterisk = Constants.ASTERISK.equals(cpe.getProduct());
final String queryString;
if (vendorAsterisk && productAsterisk) {
log.warn("Wildcard search for both vendor and product is not supported. Returning empty list.");
return Collections.emptyList();
} else if (vendorAsterisk) {
queryString = "*\\:" + QueryParserUtil.escape(cpe.getProduct());
} else if (productAsterisk) {
queryString = QueryParserUtil.escape(cpe.getVendor()) + "\\:*";
} else {
queryString = cpe.getVendor() + ":" + cpe.getProduct();
}
if (vendorAsterisk || productAsterisk) {
log.warn("It is recommended to avoid using only the vendor OR product information when querying vulnerability databases for the CPE [{}]. This broad approach can inadvertently match vulnerabilities that were not intended to be included, leading to inaccurate results. Even if the current data appears to correct as of now, there is no guarantee that the NVD will not introduce new CPE entries with different vendor/product combinations that could still match the original query unintentionally. To ensure precise and reliable vulnerability matching, it is recommended to provide more specific CPE identifiers that include both the vendor and product information whenever possible.", cpe);
return super.getIndex().findDocuments(
new IndexSearch().fieldContainsUnquoted("vulnerable_software_vp", queryString)
).stream()
.map(this::findInCacheOrCreateVulnerabilityFromDocument)
.distinct()
.collect(Collectors.toList());
} else {
return super.getIndex().findDocuments(
new IndexSearch().fieldContains("vulnerable_software_vp", queryString)
).stream()
.map(this::findInCacheOrCreateVulnerabilityFromDocument)
.distinct()
.collect(Collectors.toList());
}
}
private Vulnerability findInCacheOrCreateVulnerabilityFromDocument(Document document) {
final String name = document.get("name");
Vulnerability vulnerability = vulnerabilityByNameCache.get(name);
if (vulnerability == null) {
vulnerability = Vulnerability.fromDocument(document);
vulnerabilityByNameCache.put(name, vulnerability);
}
return vulnerability;
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy