add cvss vector to vulnerability
Signed-off-by: vithikashukla <[email protected]>
vithikashukla committed Jun 4, 2024
1 parent b0ffbb1 commit 2cc7a46
Showing 4 changed files with 17 additions and 0 deletions.
Expand Up @@ -104,6 +104,14 @@ public interface NotificationSubjectDao extends SqlObject {
WHEN "A"."SEVERITY" IS NOT NULL THEN "A"."CVSSV3SCORE"
ELSE "V"."CVSSV3BASESCORE"
END AS "vulnCvssV3BaseScore",
CASE
WHEN "A"."CVSSV2VECTOR" IS NOT NULL THEN "A"."CVSSV2VECTOR"
ELSE "V"."CVSSV2VECTOR"
END AS "vulnCvssV2Vector",
CASE
WHEN "A"."CVSSV3VECTOR" IS NOT NULL THEN "A"."CVSSV3VECTOR"
ELSE "V"."CVSSV3VECTOR"
END AS "vulnCvssV3Vector",
-- TODO: Analysis only has a single score, but OWASP RR defines multiple.
-- How to handle this?
CASE
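Review bot: The new CASE expressions for `vulnCvssV2Vector` and `vulnCvssV3Vector` take the analysis vector whenever it is non-null, while the score columns just above them switch between analysis and vulnerability on `"A"."SEVERITY"`, so a subject can carry a score from the analysis and a vector from the vulnerability (or the reverse) whenever an analysis has a severity override but no vector. Consumers that recompute or compare the score from the vector would then see a mismatch; if that split is intended it deserves a `-- NOTE:` comment beside the vector columns, otherwise keying both on the same condition keeps score and vector coherent. As a style point, each new CASE is a plain two-way null fallback and reads shorter as `COALESCE("A"."CVSSV2VECTOR", "V"."CVSSV2VECTOR") AS "vulnCvssV2Vector"`. The enclosing query starts and ends outside the hunk.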
Expand Up @@ -52,6 +52,8 @@ public Vulnerability map(final ResultSet rs, final StatementContext ctx) throws
maybeSet(rs, "vulnRecommendation", ResultSet::getString, builder::setRecommendation);
maybeSet(rs, "vulnCvssV2BaseScore", RowMapperUtil::nullableDouble, builder::setCvssV2);
maybeSet(rs, "vulnCvssV3BaseScore", RowMapperUtil::nullableDouble, builder::setCvssV3);
maybeSet(rs, "vulnCvssV2Vector", ResultSet::getString, builder::setCvssV2Vector);
maybeSet(rs, "vulnCvssV3Vector", ResultSet::getString, builder::setCvssV3Vector);
maybeSet(rs, "vulnOwaspRrBusinessImpactScore", RowMapperUtil::nullableDouble, builder::setOwaspRrBusinessImpact);
maybeSet(rs, "vulnOwaspRrLikelihoodScore", RowMapperUtil::nullableDouble, builder::setOwaspRrLikelihood);
maybeSet(rs, "vulnOwaspRrTechnicalImpactScore", RowMapperUtil::nullableDouble, builder::setOwaspRrTechnicalImpact);
Expand Up @@ -189,6 +189,8 @@ message Vulnerability {
optional double owasp_rr_business_impact = 13 [json_name = "owaspRRBusinessImpact"];
optional string severity = 14;
repeated Cwe cwes = 15;
optional string cvss_v2_vector = 16;
optional string cvss_v3_vector = 17;

message Alias {
string id = 1 [json_name = "vulnId"];
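Review bot: The two new fields `cvss_v2_vector` and `cvss_v3_vector` say nothing about the expected string format, and the test in this commit feeds two different shapes — a parenthesized v2 string and a `CVSS:3.1/`-prefixed v3 string — so a reader of the schema cannot tell whether the value is the raw vector as stored or a normalized form. A short comment on each field such as `// Raw CVSS vector string as stored (vulnerability, or analysis override); not validated or normalized here` would settle that, adjusted if the producer does normalize (not visible in this hunk). The `Vulnerability` message continues outside the hunk.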
Expand Up @@ -246,10 +246,13 @@ public void processSuccessfulScanResult() {
final var vulnA = new Vulnerability();
vulnA.setVulnId("INT-001");
vulnA.setSource(Vulnerability.Source.INTERNAL);
vulnA.setCvssV2Vector("(AV:N/AC:M/Au:S/C:P/I:P/A:P)");
qm.persist(vulnA);
final var vulnB = new Vulnerability();
vulnB.setVulnId("SONATYPE-002");
vulnB.setSource(Vulnerability.Source.OSSINDEX);
vulnB.setCvssV3Vector("CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
qm.persist(vulnB);
final var vulnC = new Vulnerability();
vulnC.setVulnId("INT-002");
vulnC.setSource(Vulnerability.Source.INTERNAL);
Expand Down Expand Up @@ -326,6 +329,7 @@ record -> {
assertThat(notification.getGroup()).isEqualTo(GROUP_NEW_VULNERABILITY);
assertThat(notification.getSubject().is(NewVulnerabilitySubject.class)).isTrue();
final var subject = notification.getSubject().unpack(NewVulnerabilitySubject.class);
assertThat(subject.getVulnerability().getCvssV2Vector()).isEqualTo("(AV:N/AC:M/Au:S/C:P/I:P/A:P)");
assertThat(subject.getVulnerabilityAnalysisLevel()).isEqualTo("BOM_UPLOAD_ANALYSIS");
},
record -> {
Expand All @@ -336,6 +340,7 @@ record -> {
assertThat(notification.getGroup()).isEqualTo(GROUP_NEW_VULNERABILITY);
assertThat(notification.getSubject().is(NewVulnerabilitySubject.class)).isTrue();
final var subject = notification.getSubject().unpack(NewVulnerabilitySubject.class);
assertThat(subject.getVulnerability().getCvssV3Vector()).isEqualTo("CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
assertThat(subject.getVulnerabilityAnalysisLevel()).isEqualTo("BOM_UPLOAD_ANALYSIS");
}
// INT-002 is discarded because it is internal but doesn't exist in the database.
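Review bot: The new assertions at the `getCvssV2Vector()` and `getCvssV3Vector()` lines only exercise the fallback to the vulnerability's own vector; nothing in these hunks persists an analysis carrying a vector, so the analysis-override branch the commit adds to the DAO query is not covered here (the earlier setup of `processSuccessfulScanResult` is outside the hunk and may already do this). It would also be worth asserting that the vector which was not set is absent, e.g. `assertThat(subject.getVulnerability().hasCvssV3Vector()).isFalse();` in the INT-001 branch, so a future mix-up between the two columns in the query is caught rather than silently passing. The same applies to the SONATYPE-002 branch in the third hunk.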
