Part of the OSS Review Toolkit (ORT), a suite to automate software compliance checks.
/*
* Copyright (C) 2021 The ORT Project Authors (see )
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* License-Filename: LICENSE
*/
package org.ossreviewtoolkit.model.vulnerabilities
import com.fasterxml.jackson.annotation.JsonIgnoreProperties
import java.net.URI
/**
 * One advice provider's view of a [Vulnerability].
 *
 * Several providers may report the same vulnerability, each using its own scoring system, severity label, score and
 * vector, and their reports do not have to agree with each other. Rather than collapsing them into a single value, a
 * [Vulnerability] keeps one reference per source so that the origin of every figure remains visible.
 */
// NOTE(review): "severity_rating" is dropped when deserializing; presumably a field of an older serialized format —
// confirm before removing.
@JsonIgnoreProperties(value = ["severity_rating"])
data class VulnerabilityReference(
    /**
     * The URI of this source's details page for the vulnerability.
     */
    val url: URI,

    /**
     * The scoring system as reported by the advice provider, if any. [getQualitativeRating] uses it to select the
     * rating scale a [score] is interpreted on.
     */
    val scoringSystem: String?,

    /**
     * The qualitative severity this source assigns to the vulnerability, if any, e.g. "LOW" or "HIGH".
     */
    val severity: String?,

    /**
     * The (base) score this source assigns to the vulnerability, if any. Its meaning depends on [scoringSystem].
     */
    val score: Float?,

    /**
     * The full CVSS vector this source assigns to the vulnerability, if any. The vector usually embeds the
     * [scoringSystem], but not always (CVSS version 2 vectors do not).
     */
    val vector: String?
) {
    companion object {
        /**
         * Map a [score] to the qualitative rating of the scale selected by [scoringSystem].
         *
         * The scoring system is upper-cased and then compared against the prefixes of the known CVSS rating scales in
         * the order CVSS 2, CVSS 3, CVSS 4; the first scale whose prefix matches wins. Returns `null` if either
         * argument is `null` or if no known scale matches.
         */
        fun getQualitativeRating(scoringSystem: String?, score: Float?): Enum<*>? {
            // Without both a scale and a value on that scale there is nothing to rate.
            if (scoringSystem == null || score == null) return null

            val system = scoringSystem.uppercase()

            return when {
                Cvss2Rating.PREFIXES.any { prefix -> system.startsWith(prefix) } -> Cvss2Rating.fromScore(score)
                Cvss3Rating.PREFIXES.any { prefix -> system.startsWith(prefix) } -> Cvss3Rating.fromScore(score)
                Cvss4Rating.PREFIXES.any { prefix -> system.startsWith(prefix) } -> Cvss4Rating.fromScore(score)
                else -> null
            }
        }
    }
}