
Merge pull request #748 from DependencyTrack/port-truncate-ComponentP…
…roperty-value

Port : Truncate component property value
nscuro authored Jun 20, 2024
2 parents a48b797 + 0f5381b commit d4919a4
Showing 6 changed files with 149 additions and 165 deletions.
10 changes: 8 additions & 2 deletions src/main/java/org/dependencytrack/model/ComponentProperty.java
Expand Up @@ -24,6 +24,7 @@
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.google.common.base.MoreObjects;
import org.apache.commons.lang3.StringUtils;
import org.dependencytrack.model.validation.EnumValue;

import javax.jdo.annotations.Column;
Expand All @@ -35,6 +36,7 @@
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;
import java.io.Serializable;
import java.util.UUID;

Expand Down Expand Up @@ -67,19 +69,22 @@ public Identity(final ComponentProperty property) {

@Persistent
@Column(name = "GROUPNAME")
@Size(min = 1, max = 255)
@JsonDeserialize(using = TrimmedStringDeserializer.class)
@Pattern(regexp = "\\P{Cc}+", message = "The groupName must not contain control characters")
private String groupName;

@Persistent
@Column(name = "PROPERTYNAME", allowsNull = "false")
@NotBlank
@Size(min = 1, max = 255)
@JsonDeserialize(using = TrimmedStringDeserializer.class)
@Pattern(regexp = "\\P{Cc}+", message = "The propertyName must not contain control characters")
private String propertyName;

@Persistent
@Column(name = "PROPERTYVALUE")
@Column(name = "PROPERTYVALUE", length = 1024)
@Size(max = 1024)
@JsonDeserialize(using = TrimmedStringDeserializer.class)
@Pattern(regexp = "\\P{Cc}+", message = "The propertyValue must not contain control characters")
private String propertyValue;
Expand All @@ -98,6 +103,7 @@ public Identity(final ComponentProperty property) {

@Persistent
@Column(name = "DESCRIPTION")
@Size(max = 255)
@JsonDeserialize(using = TrimmedStringDeserializer.class)
@Pattern(regexp = "\\P{Cc}+", message = "The description must not contain control characters")
private String description;
Expand Down Expand Up @@ -145,7 +151,7 @@ public String getPropertyValue() {
}

public void setPropertyValue(final String propertyValue) {
this.propertyValue = propertyValue;
this.propertyValue = StringUtils.abbreviate(propertyValue, 1024);
}

public PropertyType getPropertyType() {
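Review bot: `setPropertyValue` now silently rewrites any value longer than 1024 characters to its first 1021 characters plus `...`, which makes the `@Size(max = 1024)` added on the field in the same hunk unreachable for anything that goes through the setter, and a caller never learns that what was stored differs from what was supplied; groupName and propertyName in this hunk take the opposite approach and reject over-long input through `@Size`. If truncation is the intended port, the setter should say so: `/** Abbreviates values longer than 1024 characters with "..." so they fit the PROPERTYVALUE column; the @Size constraint on the field only guards values set by other means. */`. Note also that `StringUtils.abbreviate` cuts at a char index, so a value whose 1021st and 1022nd chars form a surrogate pair ends with a lone surrogate; if non-BMP input is plausible here, a code-point-aware cut or at least a test for that boundary is worth adding. `getPropertyValue` starts before this hunk.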
Expand Up @@ -76,7 +76,7 @@ public class ProjectProperty implements IConfigProperty, Serializable {

@Persistent
@Column(name = "PROPERTYVALUE", length = 1024)
@Size(min = 0, max = 1024)
@Size(max = 1024)
@JsonDeserialize(using = TrimmedStringDeserializer.class)
@Pattern(regexp = "[\\P{Cc}]+", message = "The propertyValue must not contain control characters")
private String propertyValue;
7 changes: 7 additions & 0 deletions src/main/resources/migration/changelog-v5.5.0.xml
Expand Up @@ -151,4 +151,11 @@
DROP FUNCTION IF EXISTS "CALC_SEVERITY"(VARCHAR, VARCHAR, NUMERIC, NUMERIC);
</sql>
</changeSet>

<changeSet id="v5.5.0-12" author="sahibamittal">
<modifyDataType tableName="COMPONENT_PROPERTY" columnName="GROUPNAME" newDataType="VARCHAR(255)"/>
<modifyDataType tableName="COMPONENT_PROPERTY" columnName="PROPERTYNAME" newDataType="VARCHAR(255)"/>
<modifyDataType tableName="COMPONENT_PROPERTY" columnName="PROPERTYVALUE" newDataType="VARCHAR(1024)"/>
<modifyDataType tableName="COMPONENT_PROPERTY" columnName="DESCRIPTION" newDataType="VARCHAR(255)"/>
</changeSet>
</databaseChangeLog>
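Review bot: The four `modifyDataType` statements in changeSet v5.5.0-12 have no guard for rows that already exceed the new lengths; if any of these columns is currently wider than the VARCHAR(255)/VARCHAR(1024) targets (the previous types are not visible here), databases that enforce the length on ALTER reject the statement and the changelog stops at this changeSet. A preceding `<sql>` that abbreviates over-long values, or a `<preConditions>` check, would make it safe to run on a populated database. If the columns are only being widened, saying so in the changeSet (`<comment>Widen COMPONENT_PROPERTY text columns to match the model's @Size limits</comment>`) saves the next reader the same question.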
287 changes: 125 additions & 162 deletions src/test/java/org/dependencytrack/resources/v1/FindingResourceTest.java
Expand Up @@ -36,6 +36,8 @@
import org.dependencytrack.model.Vulnerability;
import org.dependencytrack.model.WorkflowStep;
import org.glassfish.jersey.server.ResourceConfig;
import org.json.JSONArray;
import org.json.JSONObject;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
Expand Down Expand Up @@ -688,174 +690,135 @@ public void getSARIFFindingsByProjectTest() {
Assert.assertEquals(200, response.getStatus(), 0);
Assert.assertEquals(MEDIA_TYPE_SARIF_JSON, response.getHeaderString(HttpHeaders.CONTENT_TYPE));
final String jsonResponse = getPlainTextBody(response);
JSONArray resultArray = new JSONObject(jsonResponse).getJSONArray("runs").getJSONObject(0).getJSONArray("results");

assertThatJson(jsonResponse)
.withMatcher("version", equalTo(new About().getVersion()))
.withMatcher("fullName", equalTo("OWASP Dependency-Track - " + new About().getVersion()))
.isEqualTo(json("""
{
"version": "2.1.0",
"$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": "OWASP Dependency-Track",
"fullName": "${json-unit.matches:fullName}",
"version": "${json-unit.matches:version}",
"informationUri": "https://dependencytrack.org/",
"rules": [
{
"id": "Vuln-1",
"name": "ImproperNeutralizationOfScript-relatedHtmlTagsInAWebPage(basicXss)",
"shortDescription": {
"text": "Vuln-1"
},
"fullDescription": {
"text": "This is a description"
}
},
{
"id": "Vuln-2",
"name": "PathEquivalence:'filename'(trailingSpace)",
"shortDescription": {
"text": "Vuln-2"
},
"fullDescription": {
"text": "Yet another description but with surrounding whitespaces"
}
},
{
"id": "Vuln-3",
"name": "RelativePathTraversal",
"shortDescription": {
"text": "Vuln-3"
},
"fullDescription": {
"text": "A description-with-hyphens-(and parentheses)"
}
}
]
}
},
"results": [
.withMatcher("fullName", equalTo("OWASP Dependency-Track - " + new About().getVersion()));

assertThat(resultArray).hasSize(4);
assertThat(resultArray).satisfiesExactlyInAnyOrder(
vuln1 -> assertThatJson(vuln1).isEqualTo("""
{
"ruleId": "Vuln-1",
"message": {
"text": "This is a description"
},
"locations": [
{
"logicalLocations": [
{
"ruleId": "Vuln-1",
"message": {
"text": "This is a description"
},
"locations": [
{
"logicalLocations": [
{
"fullyQualifiedName": "pkg:maven/org.acme/[email protected]?type=jar"
}
]
}
],
"level": "error",
"properties": {
"name": "Component 1",
"group": "org.acme",
"version": "1.1.4",
"source": "INTERNAL",
"cweId": "80",
"cvssV3BaseScore": "",
"epssScore": "",
"epssPercentile": "",
"severityRank": "0",
"recommendation": ""
}
},
{
"ruleId": "Vuln-3",
"message": {
"text": "A description-with-hyphens-(and parentheses)"
},
"locations": [
{
"logicalLocations": [
{
"fullyQualifiedName": "pkg:maven/org.acme/[email protected]?type=jar"
}
]
}
],
"level": "note",
"properties": {
"name": "Component 1",
"group": "org.acme",
"version": "1.1.4",
"source": "INTERNAL",
"cweId": "23",
"cvssV3BaseScore": "",
"epssScore": "",
"epssPercentile": "",
"severityRank": "3",
"recommendation": "Recommendation with whitespaces"
}
},
{
"ruleId": "Vuln-2",
"message": {
"text": "Yet another description but with surrounding whitespaces"
},
"locations": [
{
"logicalLocations": [
{
"fullyQualifiedName": "pkg:maven/org.acme/[email protected]?type=jar"
}
]
}
],
"level": "error",
"properties": {
"name": "Component 1",
"group": "org.acme",
"version": "1.1.4",
"source": "INTERNAL",
"cweId": "46",
"cvssV3BaseScore": "",
"epssScore": "",
"epssPercentile": "",
"severityRank": "1",
"recommendation": ""
}
},
{
"ruleId": "Vuln-3",
"message": {
"text": "A description-with-hyphens-(and parentheses)"
},
"locations": [
{
"logicalLocations": [
{
"fullyQualifiedName": "pkg:maven/com.xyz/[email protected]?type=jar"
}
]
}
],
"level": "note",
"properties": {
"name": "Component 2",
"group": "com.xyz",
"version": "2.78.123",
"source": "INTERNAL",
"cweId": "23",
"cvssV3BaseScore": "",
"epssScore": "",
"epssPercentile": "",
"severityRank": "3",
"recommendation": "Recommendation with whitespaces"
}
"fullyQualifiedName": "pkg:maven/org.acme/[email protected]?type=jar"
}
]
]
}
],
"level": "error",
"properties": {
"name": "Component 1",
"group": "org.acme",
"version": "1.1.4",
"source": "INTERNAL",
"cweId": "80",
"cvssV3BaseScore": "",
"epssScore": "",
"epssPercentile": "",
"severityRank": "0",
"recommendation": ""
}
]
}
"""));
}
"""),
vuln2 -> assertThatJson(vuln2).isEqualTo("""
{
"ruleId": "Vuln-2",
"message": {
"text": "Yet another description but with surrounding whitespaces"
},
"locations": [
{
"logicalLocations": [
{
"fullyQualifiedName": "pkg:maven/org.acme/[email protected]?type=jar"
}
]
}
],
"level": "error",
"properties": {
"name": "Component 1",
"group": "org.acme",
"version": "1.1.4",
"source": "INTERNAL",
"cweId": "46",
"cvssV3BaseScore": "",
"epssScore": "",
"epssPercentile": "",
"severityRank": "1",
"recommendation": ""
}
}
"""),
vuln3 -> assertThatJson(vuln3).isEqualTo("""
{
"ruleId": "Vuln-3",
"message": {
"text": "A description-with-hyphens-(and parentheses)"
},
"locations": [
{
"logicalLocations": [
{
"fullyQualifiedName": "pkg:maven/org.acme/[email protected]?type=jar"
}
]
}
],
"level": "note",
"properties": {
"name": "Component 1",
"group": "org.acme",
"version": "1.1.4",
"source": "INTERNAL",
"cweId": "23",
"cvssV3BaseScore": "",
"epssScore": "",
"epssPercentile": "",
"severityRank": "3",
"recommendation": "Recommendation with whitespaces"
}
}
"""),
vuln3 -> assertThatJson(vuln3).isEqualTo("""
{
"ruleId": "Vuln-3",
"message": {
"text": "A description-with-hyphens-(and parentheses)"
},
"locations": [
{
"logicalLocations": [
{
"fullyQualifiedName": "pkg:maven/com.xyz/[email protected]?type=jar"
}
]
}
],
"level": "note",
"properties": {
"name": "Component 2",
"group": "com.xyz",
"version": "2.78.123",
"source": "INTERNAL",
"cweId": "23",
"cvssV3BaseScore": "",
"epssScore": "",
"epssPercentile": "",
"severityRank": "3",
"recommendation": "Recommendation with whitespaces"
}
}
""")
);
}

private Component createComponent(Project project, String name, String version) {
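Review bot: The rewritten `assertThatJson(jsonResponse)` chain that now ends at the second `.withMatcher(...)` performs no assertion at all — json-unit's `withMatcher` only registers a matcher — so the `version`, `$schema` and `tool.driver` checks (name, fullName, version, informationUri, rules) that the removed literal carried are gone, and the two `equalTo(...)` matchers are never evaluated. Keeping the matchers but terminating the chain with a node assertion, as below, restores that coverage; the rules array can be pinned again from the removed literal if it is still worth checking. `assertThat(resultArray).hasSize(4)` is also implied by `satisfiesExactlyInAnyOrder` with four consumers, and the two consumers both named `vuln3` would read better as `vuln3Component1` and `vuln3Component2`. `getSARIFFindingsByProjectTest` begins before this hunk.
```java
assertThatJson(jsonResponse)
        .withMatcher("version", equalTo(new About().getVersion()))
        .withMatcher("fullName", equalTo("OWASP Dependency-Track - " + new About().getVersion()))
        .node("runs[0].tool.driver")
        .isEqualTo(json("""
                {
                  "name": "OWASP Dependency-Track",
                  "fullName": "${json-unit.matches:fullName}",
                  "version": "${json-unit.matches:version}",
                  "informationUri": "https://dependencytrack.org/",
                  "rules": "${json-unit.ignore}"
                }
                """));
// … unchanged: resultArray size and satisfiesExactlyInAnyOrder assertions …
```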
Expand Up @@ -196,6 +196,13 @@ public void informTest() throws Exception {
assertThat(property.getPropertyValue()).isEqualTo("qux");
assertThat(property.getPropertyType()).isEqualTo(PropertyType.STRING);
assertThat(property.getDescription()).isNull();
},
property -> {
assertThat(property.getGroupName()).isNull();
assertThat(property.getPropertyName()).isEqualTo("long");
assertThat(property.getPropertyValue()).isEqualTo("a".repeat(1021) + "...");
assertThat(property.getPropertyType()).isEqualTo(PropertyType.STRING);
assertThat(property.getDescription()).isNull();
}
);

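Review bot: The expectation `"a".repeat(1021) + "..."` in the new `long` property consumer encodes the abbreviation layout of `StringUtils.abbreviate` without saying why, so a reader has to find the setter to understand the 1021; a one-line comment would tie it to the limit: `// PROPERTYVALUE is capped at 1024 chars; ComponentProperty#setPropertyValue abbreviates longer values with "..."`. The fixture that produces this property is outside the hunk, so whether a value of exactly 1024 characters — which must be stored unchanged — is also covered cannot be seen here; if it is not, that boundary is worth a second consumer. `informTest` starts before this hunk.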
