From c936866a6301445215809fea311f9fd35bbbf7ba Mon Sep 17 00:00:00 2001
From: Sahiba Mittal
Date: Mon, 10 Jun 2024 15:57:29 +0100
Subject: [PATCH 1/2] Apply consistent formatting to SQL query

Co-Authored-By: Niklas
---
 .../kenna/KennaDataTransformer.java | 2 +-
 .../org/dependencytrack/model/Finding.java | 102 ++++++++++--------
 .../persistence/FindingsQueryManager.java | 3 +-
 .../dependencytrack/model/FindingTest.java | 12 +--
 4 files changed, 64 insertions(+), 55 deletions(-)

diff --git a/src/main/java/org/dependencytrack/integrations/kenna/KennaDataTransformer.java b/src/main/java/org/dependencytrack/integrations/kenna/KennaDataTransformer.java
index c781aeed2..9bd908c96 100644
--- a/src/main/java/org/dependencytrack/integrations/kenna/KennaDataTransformer.java
+++ b/src/main/java/org/dependencytrack/integrations/kenna/KennaDataTransformer.java
@@ -73,7 +73,7 @@ public void process(final Project project, final String externalId) {
 final JSONArray vulns = new JSONArray();
 final List findings = qm.getFindings(project);
 for (final Finding finding: findings) {
- final Map analysis = finding.getAnalysis();
+ final Map analysis = finding.getAnalysis();
 final Object suppressed = finding.getAnalysis().get("isSuppressed");
 if (suppressed instanceof Boolean) {
 final boolean isSuppressed = (Boolean)analysis.get("isSuppressed");
diff --git a/src/main/java/org/dependencytrack/model/Finding.java b/src/main/java/org/dependencytrack/model/Finding.java
index e52a0c0ec..4a6efcf15 100644
--- a/src/main/java/org/dependencytrack/model/Finding.java
+++ b/src/main/java/org/dependencytrack/model/Finding.java
@@ -53,48 +53,58 @@ public class Finding implements Serializable {
 * in double quotes to satisfy PostgreSQL case-sensitive requirements. This also places a requirement
 * on ANSI_QUOTES mode being enabled in MySQL. SQL Server works regardless and is just happy to be invited :-)
 */
- public static final String QUERY = "SELECT " +
- "\"COMPONENT\".\"UUID\"," +
- "\"COMPONENT\".\"NAME\"," +
- "\"COMPONENT\".\"GROUP\"," +
- "\"COMPONENT\".\"VERSION\"," +
- "\"COMPONENT\".\"PURL\"," +
- "\"COMPONENT\".\"CPE\"," +
- "\"VULNERABILITY\".\"UUID\"," +
- "\"VULNERABILITY\".\"SOURCE\"," +
- "\"VULNERABILITY\".\"VULNID\"," +
- "\"VULNERABILITY\".\"TITLE\"," +
- "\"VULNERABILITY\".\"SUBTITLE\"," +
- "\"VULNERABILITY\".\"DESCRIPTION\"," +
- "\"VULNERABILITY\".\"RECOMMENDATION\"," +
- "\"VULNERABILITY\".\"SEVERITY\"," +
- "\"VULNERABILITY\".\"CVSSV2BASESCORE\"," +
- "\"VULNERABILITY\".\"CVSSV3BASESCORE\"," +
- "\"VULNERABILITY\".\"OWASPRRLIKELIHOODSCORE\"," +
- "\"VULNERABILITY\".\"OWASPRRTECHNICALIMPACTSCORE\"," +
- "\"VULNERABILITY\".\"OWASPRRBUSINESSIMPACTSCORE\"," +
- "\"EPSS\".\"SCORE\"," +
- "\"EPSS\".\"PERCENTILE\"," +
- "\"VULNERABILITY\".\"CWES\"," +
- "\"FINDINGATTRIBUTION\".\"ANALYZERIDENTITY\"," +
- "\"FINDINGATTRIBUTION\".\"ATTRIBUTED_ON\"," +
- "\"FINDINGATTRIBUTION\".\"ALT_ID\"," +
- "\"FINDINGATTRIBUTION\".\"REFERENCE_URL\"," +
- "\"ANALYSIS\".\"STATE\"," +
- "\"ANALYSIS\".\"SUPPRESSED\" " +
- "FROM \"COMPONENT\" " +
- "INNER JOIN \"COMPONENTS_VULNERABILITIES\" ON (\"COMPONENT\".\"ID\" = \"COMPONENTS_VULNERABILITIES\".\"COMPONENT_ID\") " +
- "INNER JOIN \"VULNERABILITY\" ON (\"COMPONENTS_VULNERABILITIES\".\"VULNERABILITY_ID\" = \"VULNERABILITY\".\"ID\") " +
- "LEFT JOIN \"EPSS\" ON (\"VULNERABILITY\".\"VULNID\" = \"EPSS\".\"CVE\") " +
- "INNER JOIN \"FINDINGATTRIBUTION\" ON (\"COMPONENT\".\"ID\" = \"FINDINGATTRIBUTION\".\"COMPONENT_ID\") AND (\"VULNERABILITY\".\"ID\" = \"FINDINGATTRIBUTION\".\"VULNERABILITY_ID\")" +
- "LEFT JOIN \"ANALYSIS\" ON (\"COMPONENT\".\"ID\" = \"ANALYSIS\".\"COMPONENT_ID\") AND (\"VULNERABILITY\".\"ID\" = \"ANALYSIS\".\"VULNERABILITY_ID\") AND (\"COMPONENT\".\"PROJECT_ID\" = \"ANALYSIS\".\"PROJECT_ID\") " +
- "WHERE \"COMPONENT\".\"PROJECT_ID\" = ?";
-
- private UUID project;
- private Map component = new LinkedHashMap<>();
- private Map vulnerability = new LinkedHashMap<>();
- private Map analysis = new LinkedHashMap<>();
- private Map attribution = new LinkedHashMap<>();
+ // language=SQL
+ public static final String QUERY = """
+ SELECT "COMPONENT"."UUID"
+ , "COMPONENT"."NAME"
+ , "COMPONENT"."GROUP"
+ , "COMPONENT"."VERSION"
+ , "COMPONENT"."PURL"
+ , "COMPONENT"."CPE"
+ , "VULNERABILITY"."UUID"
+ , "VULNERABILITY"."SOURCE"
+ , "VULNERABILITY"."VULNID"
+ , "VULNERABILITY"."TITLE"
+ , "VULNERABILITY"."SUBTITLE"
+ , "VULNERABILITY"."DESCRIPTION"
+ , "VULNERABILITY"."RECOMMENDATION"
+ , "VULNERABILITY"."SEVERITY"
+ , "VULNERABILITY"."CVSSV2BASESCORE"
+ , "VULNERABILITY"."CVSSV3BASESCORE"
+ , "VULNERABILITY"."OWASPRRLIKELIHOODSCORE"
+ , "VULNERABILITY"."OWASPRRTECHNICALIMPACTSCORE"
+ , "VULNERABILITY"."OWASPRRBUSINESSIMPACTSCORE"
+ , "EPSS"."SCORE"
+ , "EPSS"."PERCENTILE"
+ , "VULNERABILITY"."CWES"
+ , "FINDINGATTRIBUTION"."ANALYZERIDENTITY"
+ , "FINDINGATTRIBUTION"."ATTRIBUTED_ON"
+ , "FINDINGATTRIBUTION"."ALT_ID"
+ , "FINDINGATTRIBUTION"."REFERENCE_URL"
+ , "ANALYSIS"."STATE"
+ , "ANALYSIS"."SUPPRESSED"
+ FROM "COMPONENT"
+ INNER JOIN "COMPONENTS_VULNERABILITIES"
+ ON "COMPONENT"."ID" = "COMPONENTS_VULNERABILITIES"."COMPONENT_ID"
+ INNER JOIN "VULNERABILITY"
+ ON "COMPONENTS_VULNERABILITIES"."VULNERABILITY_ID" = "VULNERABILITY"."ID"
+ INNER JOIN "EPSS"
+ ON "VULNERABILITY"."VULNID" = "EPSS"."CVE"
+ INNER JOIN "FINDINGATTRIBUTION"
+ ON "COMPONENT"."ID" = "FINDINGATTRIBUTION"."COMPONENT_ID"
+ AND "VULNERABILITY"."ID" = "FINDINGATTRIBUTION"."VULNERABILITY_ID"
+ LEFT JOIN "ANALYSIS"
+ ON "COMPONENT"."ID" = "ANALYSIS"."COMPONENT_ID"
+ AND "VULNERABILITY"."ID" = "ANALYSIS"."VULNERABILITY_ID"
+ AND "COMPONENT"."PROJECT_ID" = "ANALYSIS"."PROJECT_ID"
+ WHERE "COMPONENT"."PROJECT_ID" = ?
+ """;
+
+ private final UUID project;
+ private final Map component = new LinkedHashMap<>();
+ private final Map vulnerability = new LinkedHashMap<>();
+ private final Map analysis = new LinkedHashMap<>();
+ private final Map attribution = new LinkedHashMap<>();
 /**
 * Constructs a new Finding object. The generic Object array passed as an argument is the
@@ -146,19 +156,19 @@ public Finding(UUID project, Object... o) {
 optValue(analysis, "isSuppressed", o[27], false);
 }
- public Map getComponent() {
+ public Map getComponent() {
 return component;
 }
- public Map getVulnerability() {
+ public Map getVulnerability() {
 return vulnerability;
 }
- public Map getAnalysis() {
+ public Map getAnalysis() {
 return analysis;
 }
- public Map getAttribution() {
+ public Map getAttribution() {
 return attribution;
 }
diff --git a/src/main/java/org/dependencytrack/persistence/FindingsQueryManager.java b/src/main/java/org/dependencytrack/persistence/FindingsQueryManager.java
index bd247a076..c5d2f9fd6 100644
--- a/src/main/java/org/dependencytrack/persistence/FindingsQueryManager.java
+++ b/src/main/java/org/dependencytrack/persistence/FindingsQueryManager.java
@@ -20,7 +20,6 @@ import alpine.resources.AlpineRequest;
 import com.github.packageurl.PackageURL;
-import org.datanucleus.api.jdo.JDOQuery;
 import org.dependencytrack.model.Analysis;
 import org.dependencytrack.model.AnalysisComment;
 import org.dependencytrack.model.AnalysisJustification;
@@ -338,7 +337,7 @@ public List getFindings(Project project) {
 */
 @SuppressWarnings("unchecked")
 public List getFindings(Project project, boolean includeSuppressed) {
- final Query query = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, Finding.QUERY);
+ final Query query = pm.newQuery(Query.SQL, Finding.QUERY);
 query.setParameters(project.getId());
 final List list = query.executeList();
 final List findings = new ArrayList<>();
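Review bot: The rewritten text block turns `LEFT JOIN "EPSS"` into `INNER JOIN "EPSS"`, which is a behavioural change hidden in a commit titled as formatting: the join key is `"VULNERABILITY"."VULNID" = "EPSS"."CVE"`, so every finding whose vulnerability has no EPSS row (any non-CVE identifier, and any CVE not yet scored) silently disappears from `getFindings` and from everything built on it, such as the Kenna export in the first file of this patch. PATCH 2/2 of this series restores the `LEFT JOIN`, so the request here is to squash that fix into this commit so that no revision of the branch under-reports findings. The `// language=SQL` marker and the `final` fields are fine; the enclosing `Finding` class continues outside the hunk.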
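Review bot: `query` created by `pm.newQuery(Query.SQL, Finding.QUERY)` is not closed anywhere in the hunk, and `getFindings` continues past it, so I cannot tell whether `query.closeAll()` is called after the list is consumed; if it is not, the result set backing `executeList()` can stay open until the persistence manager is closed. If the project is on JDO 3.2 or later, `javax.jdo.Query` is `AutoCloseable` and `try (final Query query = pm.newQuery(Query.SQL, Finding.QUERY)) { ... }` would make the lifetime explicit. Moving from the DataNucleus-specific `JDOQuery.SQL_QUERY_LANGUAGE` to the standard `Query.SQL` constant is a good portability change.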
diff --git a/src/test/java/org/dependencytrack/model/FindingTest.java b/src/test/java/org/dependencytrack/model/FindingTest.java
index b86b956fc..676026243 100644
--- a/src/test/java/org/dependencytrack/model/FindingTest.java
+++ b/src/test/java/org/dependencytrack/model/FindingTest.java
@@ -31,16 +31,16 @@ public class FindingTest extends PersistenceCapableTest {
- private UUID projectUuid = UUID.randomUUID();
- private Date attributedOn = new Date();
- private Finding finding = new Finding(projectUuid, "component-uuid", "component-name", "component-group",
+ private final UUID projectUuid = UUID.randomUUID();
+ private final Date attributedOn = new Date();
+ private final Finding finding = new Finding(projectUuid, "component-uuid", "component-name", "component-group",
 "component-version", "component-purl", "component-cpe", "vuln-uuid", "vuln-source", "vuln-vulnId", "vuln-title", "vuln-subtitle", "vuln-description", "vuln-recommendation", Severity.HIGH, BigDecimal.valueOf(7.2), BigDecimal.valueOf(8.4), BigDecimal.valueOf(1.25), BigDecimal.valueOf(1.75), BigDecimal.valueOf(1.3), BigDecimal.valueOf(0.5), BigDecimal.valueOf(0.9), null, AnalyzerIdentity.INTERNAL_ANALYZER, attributedOn, null, null, AnalysisState.NOT_AFFECTED, true);
 @Test
 public void testComponent() {
- Map map = finding.getComponent();
+ Map map = finding.getComponent();
 Assert.assertEquals("component-uuid", map.get("uuid"));
 Assert.assertEquals("component-name", map.get("name"));
 Assert.assertEquals("component-group", map.get("group"));
@@ -50,7 +50,7 @@ public void testComponent() {
 @Test
 public void testVulnerability() {
- Map map = finding.getVulnerability();
+ Map map = finding.getVulnerability();
 Assert.assertEquals("vuln-uuid", map.get("uuid"));
 Assert.assertEquals("vuln-source", map.get("source"));
 Assert.assertEquals("vuln-vulnId", map.get("vulnId"));
@@ -71,7 +71,7 @@ public void testVulnerability() {
 @Test
 public void testAnalysis() {
- Map map = finding.getAnalysis();
+ Map map = finding.getAnalysis();
 Assert.assertEquals(AnalysisState.NOT_AFFECTED, map.get("state"));
 Assert.assertEquals(true, map.get("isSuppressed"));
 }

From e5cfb8d712a22ab4db5d078186819c28f185a9cd Mon Sep 17 00:00:00 2001
From: Sahiba Mittal
Date: Tue, 11 Jun 2024 10:26:18 +0100
Subject: [PATCH 2/2] Update Finding.java

---
 src/main/java/org/dependencytrack/model/Finding.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/dependencytrack/model/Finding.java b/src/main/java/org/dependencytrack/model/Finding.java
index 4a6efcf15..ce4a57ca7 100644
--- a/src/main/java/org/dependencytrack/model/Finding.java
+++ b/src/main/java/org/dependencytrack/model/Finding.java
@@ -88,7 +88,7 @@ public class Finding implements Serializable {
 ON "COMPONENT"."ID" = "COMPONENTS_VULNERABILITIES"."COMPONENT_ID"
 INNER JOIN "VULNERABILITY"
 ON "COMPONENTS_VULNERABILITIES"."VULNERABILITY_ID" = "VULNERABILITY"."ID"
- INNER JOIN "EPSS"
+ LEFT JOIN "EPSS"
 ON "VULNERABILITY"."VULNID" = "EPSS"."CVE"
 INNER JOIN "FINDINGATTRIBUTION"
 ON "COMPONENT"."ID" = "FINDINGATTRIBUTION"."COMPONENT_ID"
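Review bot: The restored `LEFT JOIN "EPSS"` carries no explanation in the code, so the regression this series just went through (1/2 turned it into an inner join) can recur on the next reformat. I would add a sentence to the Javadoc above `QUERY`, which sits outside this hunk: `EPSS and ANALYSIS are LEFT JOINed on purpose: a vulnerability without an EPSS row (non-CVE source, or a CVE not yet scored) or without an analysis must still be reported as a finding, with those columns null.` A persistence test that stores a vulnerability with no matching EPSS row and asserts that `getFindings` still returns it with null score and percentile would pin the contract; `FindingTest` currently only exercises the constructor.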