org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper Maven / Gradle / Ivy

/*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2023 Jeremy Long. All Rights Reserved.
 */
package org.owasp.dependencycheck.data.nvd.ecosystem;

import io.github.jeremylong.openvulnerability.client.nvd.Config;
import io.github.jeremylong.openvulnerability.client.nvd.CpeMatch;
import io.github.jeremylong.openvulnerability.client.nvd.Node;
import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
import java.util.List;
import java.util.stream.Collectors;
import javax.annotation.concurrent.NotThreadSafe;

/**
 * Utility for mapping CVEs to their ecosystems.
 * 


 * Follows a best effort approach:
 * 
 * scans through the description for known keywords or file extensions;
 * alternatively 
 * attempts looks at the reference-data URLs for known hosts or path / query
 * strings.
 * 
 * This class is not thread safe and must be instantiated on a per-thread basis.
 *
 * @author skjolber
 */
@NotThreadSafe
public class CveEcosystemMapper {

    /**
     * A reference to the Description Ecosystem Mapper.
     */
    private final DescriptionEcosystemMapper descriptionEcosystemMapper = new DescriptionEcosystemMapper();
    /**
     * A reference to the URL Ecosystem Mapper.
     */
    private final UrlEcosystemMapper urlEcosystemMapper = new UrlEcosystemMapper();

    /**
     * Analyzes the description and associated URLs to determine if the
     * vulnerability/software is for a specific known ecosystem. The ecosystem
     * can be used later for filtering CPE matches.
     *
     * @param cve the item to be analyzed
     * @return the ecosystem if one could be identified; otherwise
     * null
     */
    public String getEcosystem(DefCveItem cve) {
        //if there are multiple vendor/product pairs we don't know if they are
        //all the same ecosystem.
        if (hasMultipleVendorProductConfigurations(cve)) {
            return null;
        }
        final String ecosystem = descriptionEcosystemMapper.getEcosystem(cve);
        if (ecosystem != null) {
            return ecosystem;
        }
        return urlEcosystemMapper.getEcosystem(cve);
    }

    /**
     * Analyzes the vulnerable configurations to see if the CVE applies to only
     * a single vendor/product pair.
     *
     * @param cve the item to be analyzed
     * @return the ecosystem if one could be identified; otherwise
     * null
     */
    private boolean hasMultipleVendorProductConfigurations(DefCveItem cve) {
        if (cve.getCve().getConfigurations() != null) {
            final List cpeEntries = cve.getCve().getConfigurations().stream()
                    .map(Config::getNodes)
                    .flatMap(List::stream)
                    .map(Node::getCpeMatch)
                    .flatMap(List::stream)
                    .filter(match -> match.getCriteria() != null)
                    .collect(Collectors.toList());
            if (!cpeEntries.isEmpty() && cpeEntries.size() > 1) {
                final CpeMatch firstMatch = cpeEntries.get(0);
                final String uri = firstMatch.getCriteria();
                final int pos = uri.indexOf(":", uri.indexOf(":", 10) + 1);
                final String match = uri.substring(0, pos + 1);
                return !cpeEntries.stream().allMatch(e -> e.getCriteria().startsWith(match));
            }
        }
        return false;
    }
}