• Home
• com.metaeffekt.artifact.analysis
• ae-artifact-analysis
• 0.132.0
• source code
• GhsaAdvisorIndexQuery.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.metaeffekt.mirror.query.GhsaAdvisorIndexQuery Maven / Gradle / Ivy

/*
 * Copyright 2021-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.metaeffekt.mirror.query;

import com.metaeffekt.artifact.analysis.utils.StringUtils;
import com.metaeffekt.artifact.analysis.version.Version;
import com.metaeffekt.artifact.enrichment.vulnerability.ghsa.GhsaEcosystem;
import com.metaeffekt.mirror.contents.advisory.GhsaAdvisorEntry;
import com.metaeffekt.mirror.contents.base.DataSourceIndicator;
import com.metaeffekt.mirror.index.IndexSearch;
import com.metaeffekt.mirror.index.advisor.GhsaAdvisorIndex;
import org.apache.lucene.document.Document;
import org.metaeffekt.core.inventory.processor.model.Artifact;

import java.io.File;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class GhsaAdvisorIndexQuery extends AdvisorIndexQuery {

    public GhsaAdvisorIndexQuery(File baseMirrorDirectory) {
        super(baseMirrorDirectory, GhsaAdvisorIndex.class);
    }

    @Override
    protected GhsaAdvisorEntry createAdvisoryEntry(Document document) {
        return GhsaAdvisorEntry.fromDocument(document);
    }

    private String normalizeVsNameForLuceneIndexTokenizer(String name) {
        return String.join(" ", name.split("[.:-]"));
    }

    public Map findByVsMaven(Artifact originArtifact, String groupId, String artifactId, Version version, boolean githubReviewed) {
        final IndexSearch searcher = new IndexSearch()
                .fieldContains("vulnerableSoftware", GhsaEcosystem.MAVEN.getName());
        if (StringUtils.hasText(groupId)) {
            searcher.fieldContains("vulnerableSoftwareNamePhrases", normalizeVsNameForLuceneIndexTokenizer(groupId));
        }
        if (StringUtils.hasText(artifactId)) {
            searcher.fieldContains("vulnerableSoftwareNamePhrases", normalizeVsNameForLuceneIndexTokenizer(artifactId));
        }
        if (githubReviewed) {
            searcher.fieldContains("githubReviewed", "true");
        }

        final List documents = super.index.findDocuments(searcher);

        final Map result = new HashMap<>();
        for (Document indexableFields : documents) {
            final GhsaAdvisorEntry entry = createAdvisoryEntry(indexableFields);
            entry.getVulnerableSoftwares().stream().filter(e ->
                            e.getEcosystem().equals(GhsaEcosystem.MAVEN.getName()) &&
                                    (groupId == null || StringUtils.equals(e.getMavenGroupId(), groupId)) &&
                                    (artifactId == null || StringUtils.equals(e.getMavenArtifactId(), artifactId)) &&
                                    (version == null || e.matches(version))
                    )
                    .findFirst()
                    .ifPresent(e -> result.put(entry, DataSourceIndicator.ghsa(originArtifact, e.toString())));
        }

        return result;
    }

    public Map findByArtifactIdAndVersionInEcosystem(Artifact originArtifact, GhsaEcosystem ecosystem, String artifactId, Version version, boolean githubReviewed) {
        final IndexSearch searcher = new IndexSearch()
                .fieldContains("vulnerableSoftware", ecosystem.getName());
        if (StringUtils.hasText(artifactId)) {
            searcher.fieldContains("vulnerableSoftwareNamePhrases", normalizeVsNameForLuceneIndexTokenizer(artifactId));
        }
        if (githubReviewed) {
            searcher.fieldContains("githubReviewed", "true");
        }

        final Map result = new HashMap<>();

        for (Document indexableFields : super.index.findDocuments(searcher)) {
            final GhsaAdvisorEntry entry = createAdvisoryEntry(indexableFields);
            entry.getVulnerableSoftwares().stream().filter(e ->
                            e.getEcosystem().equals(ecosystem.getName()) &&
                                    (artifactId == null || artifactId.equalsIgnoreCase(e.getName())) &&
                                    (version == null || e.matches(version))
                    )
                    .findFirst()
                    .ifPresent(e -> result.put(entry, DataSourceIndicator.ghsa(originArtifact, e.toString())));

        }

        return result;
    }

    public Map findByNpm(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.NPM, artifactId, version, githubReviewed);
    }

    public Map findByRubyGem(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.RUBY_GEMS, artifactId, version, githubReviewed);
    }

    public Map findByPythonPip(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.PY_PI, artifactId, version, githubReviewed);
    }

    public Map findByNuGet(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.NU_GET, artifactId, version, githubReviewed);
    }

    public Map findByHex(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.HEX, artifactId, version, githubReviewed);
    }

    public Map findByCratesIo(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        return findByArtifactIdAndVersionInEcosystem(originArtifact, GhsaEcosystem.CRATES_IO, artifactId, version, githubReviewed);
    }

    public Map findByAnyEcosystem(Artifact originArtifact, String artifactId, Version version, boolean githubReviewed) {
        final IndexSearch searcher = new IndexSearch();
        if (StringUtils.hasText(artifactId)) {
            searcher.fieldContains("vulnerableSoftwareNamePhrases", normalizeVsNameForLuceneIndexTokenizer(artifactId));
        }
        if (githubReviewed) {
            searcher.fieldContains("githubReviewed", "true");
        }

        final Map result = new HashMap<>();

        for (Document indexableFields : super.index.findDocuments(searcher)) {
            final GhsaAdvisorEntry entry = createAdvisoryEntry(indexableFields);
            entry.getVulnerableSoftwares().stream().filter(e ->
                            (artifactId == null || artifactId.equalsIgnoreCase(e.getName())) &&
                                    (version == null || e.matches(version))
                    )
                    .findFirst()
                    .ifPresent(e -> result.put(entry, DataSourceIndicator.ghsa(originArtifact, e.toString())));

        }

        return result;
    }
}