• Home
• org.ossreviewtoolkit
• model
• 33.1.0
• source code
• VulnerabilityReference.kt

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

vulnerabilities.VulnerabilityReference.kt Maven / Gradle / Ivy

/*
 * Copyright (C) 2021 The ORT Project Authors (see )
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * License-Filename: LICENSE
 */

package org.ossreviewtoolkit.model.vulnerabilities

import com.fasterxml.jackson.annotation.JsonIgnoreProperties

import java.net.URI

/**
 * A data class representing detailed information about a vulnerability obtained from a specific source.
 *
 * A single vulnerability can be listed by multiple sources using different scoring systems to denote its severity.
 * So when ORT queries different providers for vulnerability information it may well find multiple records for a single
 * vulnerability, which could even contain contradicting information. To model this, a [Vulnerability] is associated
 * with a list of references; each reference points to the source of the information and has some detailed information
 * provided by this source.
 */
@JsonIgnoreProperties(value = ["severity_rating"])
data class VulnerabilityReference(
    /**
     * The URI pointing to details of the belonging vulnerability.
     */
    val url: URI,

    /**
     * The name of the scoring system, if any, as reported by the advice provider.
     */
    val scoringSystem: String?,

    /**
     * The severity, if any, this reference assigns to the belonging vulnerability. This string is supposed to be a
     * qualitative rating like "LOW" or "HIGH".
     */
    val severity: String?,

    /**
     * The (base) score, if any, this reference assigns to the belonging vulnerability. The meaning of this number
     * depends on the [scoringSystem].
     */
    val score: Float?,

    /**
     * The full CVSS vector, if any, this reference assigns to the belonging vulnerability. Note that while the vector
     * usually contains the [scoringSystem], that is not the case for e.g. CVSS version 2.
     */
    val vector: String?
) {
    companion object {
        /**
         * Return a qualitative rating that is determined based on the given [scoringSystem] and [score].
         */
        fun getQualitativeRating(scoringSystem: String?, score: Float?): Enum<*>? {
            val system = scoringSystem?.uppercase() ?: return null
            return when {
                Cvss2Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss2Rating.fromScore(it) }
                Cvss3Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss3Rating.fromScore(it) }
                Cvss4Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss4Rating.fromScore(it) }
                else -> null
            }
        }
    }
}