Merge branch 'main' into backport-endpoint-outdated-components

DependencyTrack · Oct 19, 2023 · ca982da · ca982da
2 parents 261ed54 + d150510
commit ca982da
Show file tree

Hide file tree

Showing 21 changed files with 529 additions and 60 deletions.
diff --git a/src/main/java/org/dependencytrack/model/Project.java b/src/main/java/org/dependencytrack/model/Project.java
@@ -277,6 +277,8 @@ public enum FetchGroup {
 
     private transient ProjectMetrics metrics;
 
+    private transient List<ProjectVersion> versions;
+
     private transient List<Component> dependencyGraph;
 
     public long getId() {
@@ -476,6 +478,14 @@ public void setMetrics(ProjectMetrics metrics) {
         this.metrics = metrics;
     }
 
+    public List<ProjectVersion> getVersions() {
+        return versions;
+    }
+
+    public void setVersions(List<ProjectVersion> versions) {
+        this.versions = versions;
+    }
+
     public List<Team> getAccessTeams() {
         return accessTeams;
     }

diff --git a/src/main/java/org/dependencytrack/model/ProjectVersion.java b/src/main/java/org/dependencytrack/model/ProjectVersion.java
@@ -0,0 +1,64 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) Steve Springett. All Rights Reserved.
+ */
+package org.dependencytrack.model;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+import java.io.Serializable;
+import java.util.UUID;
+
+/**
+ * Value object holding UUID and version for a project
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class ProjectVersion implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private UUID uuid;
+
+    private String version;
+
+    public ProjectVersion() {
+        this.uuid = null;
+        this.version = null;
+    }
+
+    public ProjectVersion(UUID uuid, String version) {
+        this.uuid = uuid;
+        this.version = version;
+
+    }
+
+    public void setUuid(UUID uuid) {
+        this.uuid = uuid;
+    }
+
+    public UUID getUuid() {
+        return uuid;
+    }
+
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    public String getVersion() {
+        return version;
+    }
+}
diff --git a/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDXVexImporter.java b/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDXVexImporter.java
@@ -18,12 +18,12 @@
  */
 package org.dependencytrack.parser.cyclonedx;
 
+import alpine.common.logging.Logger;
 import org.apache.commons.lang3.StringUtils;
 import org.cyclonedx.model.Bom;
 import org.cyclonedx.util.BomLink;
 import org.cyclonedx.util.ObjectLocator;
 import org.dependencytrack.model.Analysis;
-import org.dependencytrack.model.AnalysisComment;
 import org.dependencytrack.model.AnalysisJustification;
 import org.dependencytrack.model.AnalysisResponse;
 import org.dependencytrack.model.AnalysisState;
@@ -34,47 +34,51 @@
 import org.dependencytrack.parser.cyclonedx.util.ModelConverter;
 import org.dependencytrack.persistence.QueryManager;
 import org.dependencytrack.util.AnalysisCommentUtil;
+
 import java.util.List;
 
 public class CycloneDXVexImporter {
 
+    private static final Logger LOGGER = Logger.getLogger(CycloneDXVexImporter.class);
     private static final String COMMENTER = "CycloneDX VEX";
 
     public void applyVex(final QueryManager qm, final Bom bom, final Project project) {
         if (bom.getVulnerabilities() == null) return;
         List<org.cyclonedx.model.vulnerability.Vulnerability> auditableVulnerabilities = bom.getVulnerabilities().stream().filter(
                 bomVuln -> bomVuln.getSource() == null || Vulnerability.Source.isKnownSource(bomVuln.getSource().getName())
         ).toList();
-        for (org.cyclonedx.model.vulnerability.Vulnerability cdxVuln: auditableVulnerabilities) {
+        for (org.cyclonedx.model.vulnerability.Vulnerability cdxVuln : auditableVulnerabilities) {
             if (cdxVuln.getAnalysis() == null) continue;
             final List<Vulnerability> vulns = qm.getVulnerabilities(project, true);
             if (vulns == null) continue;
-            for (final Vulnerability vuln: vulns) {
+            for (final Vulnerability vuln : vulns) {
                 // NOTE: These vulnerability objects are detached
                 if (shouldAuditVulnerability(cdxVuln, vuln)) {
 
                     if (cdxVuln.getAffects() == null) continue;
-                    for (org.cyclonedx.model.vulnerability.Vulnerability.Affect affect: cdxVuln.getAffects()) {
+                    for (org.cyclonedx.model.vulnerability.Vulnerability.Affect affect : cdxVuln.getAffects()) {
                         final ObjectLocator ol = new ObjectLocator(bom, affect.getRef()).locate();
                         if ((ol.found() && ol.isMetadataComponent()) || (!ol.found() && BomLink.isBomLink(affect.getRef()))) {
                             // Affects the project itself
                             List<Component> components = qm.getAllVulnerableComponents(project, vuln, true);
-                            for (final Component component: components) {
+                            for (final Component component : components) {
                                 updateAnalysis(qm, component, vuln, cdxVuln);
                             }
                         } else if (ol.found() && ol.isComponent()) {
                             // Affects an individual component
-                            final org.cyclonedx.model.Component cdxComponent = (org.cyclonedx.model.Component)ol.getObject();
+                            final org.cyclonedx.model.Component cdxComponent = (org.cyclonedx.model.Component) ol.getObject();
                             final ComponentIdentity cid = new ComponentIdentity(cdxComponent);
                             List<Component> components = qm.matchIdentity(project, cid);
-                            for (final Component component: components) {
+                            for (final Component component : components) {
                                 updateAnalysis(qm, component, vuln, cdxVuln);
                             }
                         } else if (ol.found() && ol.isService()) {
                             // Affects an individual service
                             // TODO add VEX support for services
                         }
                     }
+                } else {
+                    LOGGER.warn("Analysis data for vulnerability " + cdxVuln.getId() + " will be ignored because either the source is missing or there is a source/vulnid mismatch between VEX and Dependency Track database.");
                 }
             }
         }
@@ -115,7 +119,7 @@ private void updateAnalysis(final QueryManager qm, final Component component, fi
             AnalysisCommentUtil.makeAnalysisDetailsComment(qm, analysis, cdxVuln.getAnalysis().getDetail().trim(), COMMENTER);
         }
         if (cdxVuln.getAnalysis().getResponses() != null) {
-            for (org.cyclonedx.model.vulnerability.Vulnerability.Analysis.Response cdxRes: cdxVuln.getAnalysis().getResponses()) {
+            for (org.cyclonedx.model.vulnerability.Vulnerability.Analysis.Response cdxRes : cdxVuln.getAnalysis().getResponses()) {
                 analysisResponse = ModelConverter.convertCdxVulnAnalysisResponseToDtAnalysisResponse(cdxRes);
                 AnalysisCommentUtil.makeAnalysisResponseComment(qm, analysis, analysisResponse, COMMENTER);
             }