• Home
• com.metaeffekt.artifact.analysis
• ae-artifact-analysis
• 0.132.0
• source code
• DetailsFillingEnrichmentGhsa.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.metaeffekt.artifact.enrichment.details.DetailsFillingEnrichmentGhsa Maven / Gradle / Ivy

/*
 * Copyright 2021-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.metaeffekt.artifact.enrichment.details;

import com.metaeffekt.artifact.analysis.utils.LazySupplier;
import com.metaeffekt.artifact.analysis.utils.StringUtils;
import com.metaeffekt.artifact.enrichment.configurations.details.DetailsFillingGhsaInventoryEnrichmentConfiguration;
import com.metaeffekt.mirror.contents.advisory.AdvisoryEntry;
import com.metaeffekt.mirror.contents.advisory.GhsaAdvisorEntry;
import com.metaeffekt.mirror.contents.base.DataSourceIndicator;
import com.metaeffekt.mirror.contents.base.VulnerabilityContextInventory;
import com.metaeffekt.mirror.contents.store.AdvisoryTypeStore;
import com.metaeffekt.mirror.contents.store.VulnerabilityTypeStore;
import com.metaeffekt.mirror.contents.vulnerability.Vulnerability;
import com.metaeffekt.mirror.download.documentation.EnricherMetadata;
import com.metaeffekt.mirror.download.documentation.InventoryEnrichmentPhase;
import com.metaeffekt.mirror.query.GhsaAdvisorIndexQuery;
import org.metaeffekt.core.inventory.processor.model.Inventory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.util.List;

@EnricherMetadata(
        name = "GHSA Vulnerability Details", phase = InventoryEnrichmentPhase.SECURITY_ADVISORY_MATCHING,
        intermediateFileSuffix = "details-vulnerability-ghsa", mavenPropertyName = "ghsaAdvisorFillDetailsEnrichment",
        explicitConfiguration = DetailsFillingGhsaInventoryEnrichmentConfiguration.class
)
public class DetailsFillingEnrichmentGhsa extends DetailsFillingEnrichment {

    private static final Logger LOG = LoggerFactory.getLogger(DetailsFillingEnrichmentGhsa.class);

    private final LazySupplier ghsaAdvisorIndexQuery;

    public DetailsFillingEnrichmentGhsa(File baseMirrorDirectory) {
        setConfiguration(new DetailsFillingGhsaInventoryEnrichmentConfiguration());
        this.ghsaAdvisorIndexQuery = new LazySupplier<>(() -> new GhsaAdvisorIndexQuery(baseMirrorDirectory));
    }

    @Override
    protected boolean isApplicable(Vulnerability vulnerability) {
        final String name = vulnerability.getId();
        if (!AdvisoryTypeStore.GHSA.patternMatchesId(name) && !VulnerabilityTypeStore.CVE.patternMatchesId(name)) {
            return false;
        }
        return !vulnerability.getRelatedAdvisorsTypes().contains(AdvisoryTypeStore.GHSA);
    }

    @Override
    protected boolean isApplicable(AdvisoryEntry advisory) {
        return advisory.getSourceIdentifier() == AdvisoryTypeStore.GHSA && StringUtils.isEmpty(advisory.getSummary()) && advisory.getDescription().isEmpty();
    }

    @Override
    protected void fillDetailsOnVulnerability(Inventory inventory, VulnerabilityContextInventory vInventory, Vulnerability queryVulnerability) {
        final List advisorEntries = super.pickNonEmptyQueryResult(
                () -> ghsaAdvisorIndexQuery.get().findById(queryVulnerability.getId()),
                () -> ghsaAdvisorIndexQuery.get().findByReferencedId(queryVulnerability.getId())
        );

        if (advisorEntries.isEmpty()) {
            return;
        }

        for (GhsaAdvisorEntry advisoryEntry : advisorEntries) {
            final AdvisoryEntry constructedAdvisory = vInventory.findOrCreateAdvisoryEntryByName(advisoryEntry.getId(), GhsaAdvisorEntry::new);
            constructedAdvisory.addMatchingSource(DataSourceIndicator.vulnerability(queryVulnerability));
            queryVulnerability.addSecurityAdvisory(constructedAdvisory);
        }
    }

    @Override
    protected void fillDetailsOnAdvisory(Inventory inventory, VulnerabilityContextInventory vInventory, AdvisoryEntry queryAdvisory) {
        final GhsaAdvisorEntry foundAdvisory = ghsaAdvisorIndexQuery.get().findById(queryAdvisory.getId());

        if (foundAdvisory != null) {
            queryAdvisory.appendFromDataClass(foundAdvisory);
        }
    }
}