Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support the CycloneDX vulnerability extension in Reporter #7751

Merged
merged 1 commit into from
Nov 1, 2023
Merged

Support the CycloneDX vulnerability extension in Reporter #7751

merged 1 commit into from
Nov 1, 2023

Conversation

geoandri
Copy link
Contributor

This PR adds support for CycloneDX vulnerabilities in Reporter.

Closes #4531

@geoandri geoandri requested a review from a team as a code owner October 27, 2023 12:07
@codecov
Copy link

codecov bot commented Oct 27, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (fc10c12) 67.70% compared to head (1af097e) 67.70%.
Report is 16 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff            @@
##               main    #7751   +/-   ##
=========================================
  Coverage     67.70%   67.70%           
  Complexity     2055     2055           
=========================================
  Files           358      358           
  Lines         16917    16917           
  Branches       2401     2401           
=========================================
  Hits          11453    11453           
  Misses         4467     4467           
  Partials        997      997
Flag Coverage Δ
funTest-non-docker 36.16% <ø> (ø)
test 35.72% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

sschuberth
sschuberth requested changes Oct 27, 2023
View reviewed changes
Copy link
Member

@sschuberth sschuberth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for the contribution!

model/src/main/kotlin/AdvisorRecord.kt Outdated Show resolved Hide resolved
reporter/src/testFixtures/kotlin/TestData.kt Outdated Show resolved Hide resolved
plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt Outdated Show resolved Hide resolved
plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
<vulnerability>
<id>CVE-2021-1234</id>
<ratings>
<rating>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any idea why no severity value (should be "MEDIUM") shows up here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it's because of the fromString(String text) method in CycloneDX java core library, which is case-sensitive. Should I always pass the lowercase value e.g.

Severity.fromString(reference.severity?.lowercase())

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me quickly refactor some code on our side to provide better convenience functions for this use-case. I'll keep you posted.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like you figured out yourself already how to make use of the refactored code, great! 🚀

@sschuberth sschuberth mentioned this pull request Oct 30, 2023
Merged
@geoandri geoandri force-pushed the reporter-support-cyclonedx-vulnerabilities branch from acfbea7 to 1af097e Compare November 1, 2023 19:35
sschuberth
sschuberth approved these changes Nov 1, 2023
View reviewed changes
Copy link
Member

@sschuberth sschuberth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me now, thanks a lot for the contribution!

plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
source = org.cyclonedx.model.vulnerability.Vulnerability.Source()
.apply { url = reference.url.toString() }
severity = org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity
.fromString(reference.severityRating.lowercase())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
<vulnerability>
<id>CVE-2021-1234</id>
<ratings>
<rating>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like you figured out yourself already how to make use of the refactored code, great! 🚀

@sschuberth
Copy link
Member

Merging despite the unrelated SpmFunTest failure.

@sschuberth sschuberth merged commit d0efc19 into oss-review-toolkit:main Nov 1, 2023
20 of 21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sschuberth sschuberth sschuberth approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support the CycloneDX vulnerability extension
2 participants
@geoandri @sschuberth