From 01ca8245dd3f42ac6076cfcc7a1644e5bb3f6aed Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth
Date: Tue, 17 Sep 2024 18:33:35 +0200
Subject: [PATCH] refactor(model)!: Generalize the scoring system mapping

Only look for prefixes when matching scoring system names to properly recognize e.g. "cvssv3.1_qr" as a `Cvss3Rating`.

Signed-off-by: Sebastian Schuberth
---
 evaluator/src/main/kotlin/PackageRule.kt | 11 ++++++-----
 model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt | 4 ++--
 model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt | 4 ++--
 model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt | 4 ++--
 .../kotlin/vulnerabilities/VulnerabilityReference.kt | 12 +++++++-----
 .../advisors/oss-index/src/main/kotlin/OssIndex.kt | 2 +-
 6 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/evaluator/src/main/kotlin/PackageRule.kt b/evaluator/src/main/kotlin/PackageRule.kt
index d12e1b084376f..f57d3b75370b8 100644
--- a/evaluator/src/main/kotlin/PackageRule.kt
+++ b/evaluator/src/main/kotlin/PackageRule.kt
@@ -110,11 +110,12 @@ open class PackageRule(
 val severities = matchingSystems
 .mapNotNull { it.severity }
- .mapNotNull {
- when (scoringSystem.uppercase()) {
- in Cvss2Rating.NAMES -> enumValueOf(it)
- in Cvss3Rating.NAMES -> enumValueOf(it)
- in Cvss4Rating.NAMES -> enumValueOf(it)
+ .mapNotNull { severity ->
+ val system = scoringSystem.uppercase()
+ when {
+ Cvss2Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf(severity)
+ Cvss3Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf(severity)
+ Cvss4Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf(severity)
 else -> null
 }
 }
diff --git a/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt b/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
index c06c8629aae24..61ae4c9d5a89b 100644
--- a/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
+++ b/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
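Review bot: `enumValueOf(severity)` in the three new branches throws IllegalArgumentException for a severity label that is not a constant of the rating enum, and the prefix match now routes more scoring-system names (the "cvssv3.1_qr" case from the description included) into those branches, so an advisor-supplied label that does not spell a constant name aborts rule evaluation instead of being skipped like the `else -> null` case. The labels come from `it.severity` on the matching references; the OssIndex hunk fills that field from an enum name, but whether every advisor does is not visible here and worth confirming. A null-returning lookup such as `enumValues<T>().firstOrNull { it.name == severity }`, with the type argument `enumValueOf` currently infers, keeps the mapNotNull semantics without the exception. The same prefix predicate is repeated in `VulnerabilityReference.getQualitativeRating` in the later hunk; a small shared helper like `fun Set<String>.matchesSystem(system: String) = any(system::startsWith)` would keep the two call sites in step. The enclosing function of this hunk starts before and ends after the hunk.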
@@ -30,9 +30,9 @@ enum class Cvss2Rating(private val upperBound: Float) {
 companion object {
 /**
- * A set of names that refer to the CVSS version 2 scoring system.
+ * A set of prefixes that refer to the CVSS version 2 scoring system.
 */
- val NAMES = setOf("CVSS2", "CVSSV2", "CVSS_V2", "CVSS:2.0")
+ val PREFIXES = setOf("CVSS2", "CVSSV2", "CVSS_V2", "CVSS:2")
 /**
 * Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].
diff --git a/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt b/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
index e04294540cd45..084da90df8a91 100644
--- a/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
+++ b/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
@@ -32,9 +32,9 @@ enum class Cvss3Rating(private val upperBound: Float) {
 companion object {
 /**
- * A set of names that refer to the CVSS version 3 scoring system.
+ * A set of prefixes that refer to the CVSS version 3 scoring system.
 */
- val NAMES = setOf("CVSS3", "CVSSV3", "CVSS_V3", "CVSS:3.0", "CVSS:3.1")
+ val PREFIXES = setOf("CVSS3", "CVSSV3", "CVSS_V3", "CVSS:3")
 /**
 * Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].
diff --git a/model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt b/model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt
index d74e8f6f06f89..3d0491b944ff3 100644
--- a/model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt
+++ b/model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt
@@ -32,9 +32,9 @@ enum class Cvss4Rating(private val upperBound: Float) {
 companion object {
 /**
- * A set of names that refer to the CVSS version 4 scoring system.
+ * A set of prefixes that refer to the CVSS version 4 scoring system.
 */
- val NAMES = setOf("CVSS4", "CVSSV4", "CVSS_V4", "CVSS:4.0")
+ val PREFIXES = setOf("CVSS4", "CVSSV4", "CVSS_V4", "CVSS:4")
 /**
 * Get the [Cvss4Rating] from a [score], or null if the [score] does not map to any [Cvss4Rating].
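Review bot: The KDoc on the renamed `PREFIXES` does not say how the set is used, yet both call sites match it with `startsWith` against an uppercased name and the OssIndex hunk takes `.first()` as the canonical label, so upper-case spelling and `setOf` insertion order are now part of the contract; I would state it: `A set of upper-case prefixes identifying the CVSS version 2 scoring system. Names are matched with startsWith after uppercasing; the first entry is the canonical name.` The same applies to the Cvss3Rating and Cvss4Rating hunks. Shortening "CVSS:3.0"/"CVSS:3.1" to "CVSS:3" is what makes "CVSS:3.1" match, but it also makes any future "CVSS:3…" label match silently, which the doc should make explicit so a new scoring system is not mapped to the wrong rating scale unnoticed.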
diff --git a/model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt b/model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt
index fc20c5962d891..bcba0a02e2927 100644
--- a/model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt
+++ b/model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt
@@ -66,12 +66,14 @@ data class VulnerabilityReference(
 /**
 * Return a qualitative rating that is determined based on the given [scoringSystem] and [score].
 */
- fun getQualitativeRating(scoringSystem: String?, score: Float?): Enum<*>? =
- when (scoringSystem?.uppercase()) {
- in Cvss2Rating.NAMES -> score?.let { Cvss2Rating.fromScore(it) }
- in Cvss3Rating.NAMES -> score?.let { Cvss3Rating.fromScore(it) }
- in Cvss4Rating.NAMES -> score?.let { Cvss4Rating.fromScore(it) }
+ fun getQualitativeRating(scoringSystem: String?, score: Float?): Enum<*>? {
+ val system = scoringSystem?.uppercase() ?: return null
+ return when {
+ Cvss2Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss2Rating.fromScore(it) }
+ Cvss3Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss3Rating.fromScore(it) }
+ Cvss4Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss4Rating.fromScore(it) }
 else -> null
 }
+ }
 }
 }
diff --git a/plugins/advisors/oss-index/src/main/kotlin/OssIndex.kt b/plugins/advisors/oss-index/src/main/kotlin/OssIndex.kt
index 5331e2520375d..a1dceafff4a7e 100644
--- a/plugins/advisors/oss-index/src/main/kotlin/OssIndex.kt
+++ b/plugins/advisors/oss-index/src/main/kotlin/OssIndex.kt
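Review bot: Now that `system` is resolved by an early return, the `score?.let { … }` repeated in each branch can be hoisted the same way — `if (score == null) return null` before the `when` lets the branches call `Cvss2Rating.fromScore(score)` directly via smart cast and leaves one null check per argument. The KDoc above the function is unchanged although the contract changed from exact-name to prefix matching; I would write: `Return a qualitative rating for [scoringSystem] and [score]. The system name is uppercased and matched by prefix against the PREFIXES of the CVSS rating enums; null is returned if either argument is null or the system is not recognized.` Since this function is the single place that turns advisor-supplied system names into a rating, documenting that an unknown system yields null (rather than an error) tells callers they must treat a missing rating as "unrated", not as "not vulnerable".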
@@ -138,7 +138,7 @@ class OssIndex(override val descriptor: PluginDescriptor, config: OssIndexConfig
 */
 private fun OssIndexService.Vulnerability.toVulnerability(): Vulnerability {
 // Only CVSS version 2 vectors do not contain the "CVSS:" label and version prefix.
- val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.NAMES.first())
+ val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.PREFIXES.first())
 val severity = VulnerabilityReference.getQualitativeRating(scoringSystem, cvssScore)?.name
 val reference = VulnerabilityReference(URI(reference), scoringSystem, severity, cvssScore, cvssVector)
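Review bot: The fallback `Cvss2Rating.PREFIXES.first()` is only produced when `cvssVector` contains no '/' at all, because `substringBefore(delimiter, missingDelimiterValue)` otherwise returns everything before the first slash; a multi-metric v2 vector without the "CVSS:" label — the case the comment itself describes, e.g. a constructed `AV:N/AC:L/…` — would therefore yield its first metric as the scoring system, which the new prefix matcher does not recognize, and `severity` silently becomes null. If OSS Index v2 vectors do look like that (not visible from the hunk, worth checking against a real response), deriving the label from the presence of the "CVSS:" prefix closes the gap: `val scoringSystem = cvssVector?.let { if (it.startsWith("CVSS:")) it.substringBefore('/') else Cvss2Rating.PREFIXES.first() }`. Note also that `.first()` relies on the `setOf` insertion order in `Cvss2Rating.PREFIXES`, which is not stated in that declaration's KDoc. `toVulnerability` continues past the hunk.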