oss-review-toolkit · fviernau · Nov 26, 2024 · Dec 13, 2024 · Dec 16, 2024 · Dec 16, 2024
@@ -45,6 +45,15 @@ repositories {
             includeGroup("org.gradle")
         }
     }
+
+    maven {
+        // com.blackducksoftware.bdio:bdio2
+        url = uri("https://sig-repo.synopsys.com/bds-bdio-release")
+    }
+
+    maven { // com.blackducksoftware.magpie:magpie
+        url = uri("https://repo.blackduck.com/bds-integrations-release")
+    }
 }
 
 tasks.withType<Jar>().configureEach {

@@ -185,7 +185,7 @@ tasks.withType<KotlinCompile>().configureEach {
     )
 
     compilerOptions {
-        allWarningsAsErrors = true
+        allWarningsAsErrors = false
         freeCompilerArgs = listOf("-Xconsistent-data-class-copy-visibility")
         jvmTarget = maxKotlinJvmTarget
         optIn = optInRequirements

@@ -19,7 +19,7 @@ org.gradle.caching = true
 org.gradle.configuration-cache = true
 org.gradle.configuration-cache.parallel = true
 org.gradle.jvmargs = -Xmx2g -XX:MaxMetaspaceSize=1g -Dfile.encoding=UTF-8
-org.gradle.kotlin.dsl.allWarningsAsErrors = true
+org.gradle.kotlin.dsl.allWarningsAsErrors = false
 org.gradle.parallel = true
 
 kotlin.code.style = official

@@ -15,6 +15,8 @@ versionsPlugin = "0.51.0"
 aeSecurity = "0.132.0"
 asciidoctorj = "3.0.0"
 asciidoctorjPdf = "2.3.19"
+blackduckCommon = "66.2.19"
+blackduckCommonApi = "2023.10.0.4"
 clikt = "5.0.2"
 commonsCompress = "1.27.1"
 cyclonedx = "10.0.0"
@@ -89,6 +91,8 @@ aeSecurity = { module = "org.metaeffekt.core:ae-security", version.ref = "aeSecu
 asciidoctorj = { module = "org.asciidoctor:asciidoctorj", version.ref = "asciidoctorj" }
 asciidoctorj-pdf = { module = "org.asciidoctor:asciidoctorj-pdf", version.ref = "asciidoctorjPdf" }
 awsS3 = { module = "software.amazon.awssdk:s3", version.ref = "s3" }
+blackduck-common = { module = "com.synopsys.integration:blackduck-common", version.ref = "blackduckCommon" }
+blackduck-common-api = { module = "com.synopsys.integration:blackduck-common-api", version.ref = "blackduckCommonApi" }
 clikt = { module = "com.github.ajalt.clikt:clikt", version.ref = "clikt" }
 commonsCompress = { module = "org.apache.commons:commons-compress", version.ref = "commonsCompress" }
 cyclonedx = { module = "org.cyclonedx:cyclonedx-core-java", version.ref = "cyclonedx" }

@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2017 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.model
+
+import com.fasterxml.jackson.annotation.JsonCreator
+import com.fasterxml.jackson.annotation.JsonValue
+
+/**
+ * A reference to a BlackDuck Origin, see also
+ * https://community.blackduck.com/s/article/What-is-an-Origin-and-Origin-ID-in-Blackduck.
+ * Note: While the term Origin is still current, the properties `originId` and `originType` haven been deprecated in
+ * favor of `externalNamespace` and `externalId`.
+ */
+data class BlackDuckOriginReference(
+    /**
+     * The namespace such as 'maven', 'pypi' or 'github'.
+     */
+    val externalNamespace: String,
+
+    /**
+     * The component's identifier within the external namespace.
+     */
+    val externalId: String
+) {
+    @JsonValue
+    fun toCoordinates() = listOf(externalNamespace, externalId).joinToString(":")
+
+    companion object {
+        @JsonCreator
+        fun parse(coordinates: String): BlackDuckOriginReference {
+            val index = coordinates.indexOf(':')
+            require(index != -1)
+
+            return BlackDuckOriginReference(
+                externalNamespace = coordinates.substring(0, index),
+                externalId = coordinates.substring(index + 1, coordinates.length)
+            )
+        }
+    }
+}
@@ -137,7 +137,13 @@ data class Package(
      * default is used. If not null, this must not be empty and not contain any duplicates.
      */
     @JsonInclude(JsonInclude.Include.NON_NULL)
-    val sourceCodeOrigins: List<SourceCodeOrigin>? = null
+    val sourceCodeOrigins: List<SourceCodeOrigin>? = null,
+
+    /**
+     * The BlackDuck Origin (component) belonging to this package.
+     */
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    val blackDuckOrigin: BlackDuckOriginReference? = null
 ) {
     companion object {
         /**

@@ -107,7 +107,13 @@ data class PackageCurationData(
      * duplicates.
      */
     @JsonInclude(JsonInclude.Include.NON_NULL)
-    val sourceCodeOrigins: List<SourceCodeOrigin>? = null
+    val sourceCodeOrigins: List<SourceCodeOrigin>? = null,
+
+    /**
+     * The BlackDuck Origin (component) belonging to this package.
+     */
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    val blackDuckOrigin: BlackDuckOriginReference? = null
 ) {
     init {
         declaredLicenseMapping.forEach { (key, value) ->
@@ -156,7 +162,8 @@ data class PackageCurationData(
             vcsProcessed = vcsProcessed,
             isMetadataOnly = isMetadataOnly ?: original.isMetadataOnly,
             isModified = isModified ?: original.isModified,
-            sourceCodeOrigins = sourceCodeOrigins ?: original.sourceCodeOrigins
+            sourceCodeOrigins = sourceCodeOrigins ?: original.sourceCodeOrigins,
+            blackDuckOrigin = blackDuckOrigin ?: original.blackDuckOrigin
         )
 
         val declaredLicenseMappingDiff = buildMap {
@@ -197,6 +204,7 @@ data class PackageCurationData(
                 @Suppress("UnsafeCallOnNullableType")
                 (value ?: otherValue)!!
             },
-            sourceCodeOrigins = sourceCodeOrigins ?: other.sourceCodeOrigins
+            sourceCodeOrigins = sourceCodeOrigins ?: other.sourceCodeOrigins,
+            blackDuckOrigin = blackDuckOrigin ?: other.blackDuckOrigin
         )
 }
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2020 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+plugins {
+    // Apply precompiled plugins.
+    id("ort-plugin-conventions")
+
+    // Apply third-party plugins.
+    alias(libs.plugins.kotlinSerialization)
+}
+
+repositories {
+    mavenCentral()
+    maven {
+        // com.blackducksoftware.bdio:bdio2
+        url = uri("https://sig-repo.synopsys.com/bds-bdio-release")
+    }
+
+    maven { // com.blackducksoftware.magpie:magpie
+        url = uri("https://repo.blackduck.com/bds-integrations-release")
+    }
+}
+
+dependencies {
+    api(projects.advisor)
+    api(projects.model)
+
+    implementation(projects.utils.ortUtils)
+
+    implementation(libs.blackduck.common)
+    implementation(libs.blackduck.common.api)
+    implementation(libs.bundles.ks3)
+    implementation(libs.kotlinx.serialization.core)
+    implementation(libs.kotlinx.serialization.json)
+
+    implementation(projects.utils.commonUtils)
+    implementation(projects.utils.ortUtils)
+
+    ksp(projects.advisor)
+}
@@ -0,0 +1,29 @@
+---
+Crate::sys-info:0.7.0:
+  advisor:
+    name: "BlackDuck"
+    capabilities:
+    - "VULNERABILITIES"
+  summary:
+    start_time: "1970-01-01T00:00:00Z"
+    end_time: "1970-01-01T00:00:00Z"
+  vulnerabilities:
+  - id: "CVE-2020-36434"
+    description: "An issue was discovered in the sys-info crate before 0.8.0 for Rust.\
+      \ sys_info::disk_info calls can trigger a double free."
+    references:
+    - url: "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2020-36434"
+      scoring_system: "CVSS:3.1"
+      severity: "CRITICAL"
+      score: 9.8
+      vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    - url: "https://zeiss.app.blackduck.com/api/cwes/CWE-415"
+      scoring_system: "CVSS:3.1"
+      severity: "CRITICAL"
+      score: 9.8
+      vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    - url: "https://zeiss.app.blackduck.com/api/vulnerabilities/BDSA-2020-4804"
+      scoring_system: "CVSS:3.1"
+      severity: "CRITICAL"
+      score: 9.8
+      vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2024 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.advisors.blackduck
+
+import io.kotest.core.spec.style.WordSpec
+import io.kotest.inspectors.forAll
+import io.kotest.matchers.collections.beEmpty
+import io.kotest.matchers.collections.shouldContain
+import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
+import io.kotest.matchers.collections.shouldNotContain
+import io.kotest.matchers.should
+import io.kotest.matchers.shouldBe
+import io.kotest.matchers.shouldNot
+
+import java.time.Instant
+
+import org.ossreviewtoolkit.advisor.normalizeVulnerabilityData
+import org.ossreviewtoolkit.model.AdvisorResult
+import org.ossreviewtoolkit.model.BlackDuckOriginReference
+import org.ossreviewtoolkit.model.Identifier
+import org.ossreviewtoolkit.model.readValue
+import org.ossreviewtoolkit.utils.test.getAssetFile
+import org.ossreviewtoolkit.utils.test.identifierToPackage
+
+class BlackDuckFunTest : WordSpec({
+    "retrievePackageFindings()" should {
+        "return the vulnerabilities for the supported ecosystems" {
+            val blackDuck = createBlackDuck()
+            val packages = setOf(
+                // TODO: Add hackage / pod
+                "Crate::sys-info:0.7.0",
+                "Gem::rack:2.0.4",
+                "Maven:com.jfinal:jfinal:1.4",
+                "NPM::rebber:1.0.0",
+                "NuGet::Bunkum:4.0.0",
+                "Pub::http:0.13.1",
+                "PyPI::django:3.2"
+            ).mapTo(mutableSetOf()) {
+                identifierToPackage(it)
+            }
+
+            val packageFindings = blackDuck.retrievePackageFindings(packages).mapKeys { it.key.id.toCoordinates() }
+
+            packageFindings.keys shouldContainExactlyInAnyOrder packages.map { it.id.toCoordinates() }
+            packageFindings.keys.forAll { id ->
+                packageFindings.getValue(id).vulnerabilities shouldNot beEmpty()
+            }
+        }
+
+        "return the expected result for the given package(s)" {
+            val expectedResult = getAssetFile("retrieve-package-findings-expected-result.yml")
+                .readValue<Map<Identifier, AdvisorResult>>()
+            val blackDuck = createBlackDuck()
+            val packages = setOf(
+                // Package using CVSS 3.1 vector:
+                "Crate::sys-info:0.7.0"
+                // Todo: Add a package using CVSS 2 vector:
+            ).mapTo(mutableSetOf()) {
+                identifierToPackage(it)
+            }
+
+            val packageFindings = blackDuck.retrievePackageFindings(packages).mapKeys { it.key.id }
+
+            packageFindings.patchTimes() shouldBe expectedResult.patchTimes()
+        }
+
+        "return the vulnerabilities for the BlackDuck origin if specified, instead of for the purl" {
+            val blackDuck = createBlackDuck()
+            val pkg = identifierToPackage("Crate::sys-info:0.7.0").copy(
+                blackDuckOrigin = BlackDuckOriginReference(
+                    externalNamespace = "gitlab",
+                    externalId = "libtiff/libtiff:v4.5.0"
+                )
+            )
+
+            val advisorResult = blackDuck.retrievePackageFindings(setOf(pkg)).getValue(pkg)
+
+            with(advisorResult.vulnerabilities.map { it.id }) {
+                // Vulnerability in libtiff:
+                this shouldContain "CVE-2024-7006"
+                // Vulnerability in sysinfo, see also 'retrieve-package-findings-expected-result.yml'.
+                this shouldNotContain "CVE-2020-36434"
+            }
+        }
+
+        "return no vulnerabilities if the reference refers to a component, but not to a specific origin" {
+            val blackDuck = createBlackDuck()
+            val pkg = identifierToPackage("PyPI::django:3.2").copy(
+                blackDuckOrigin = BlackDuckOriginReference(
+                    externalNamespace = "gitlab",
+                    externalId = "libtiff/libtiff"
+                )
+            )
+
+            val advisorResult = blackDuck.retrievePackageFindings(setOf(pkg)).getValue(pkg)
+
+            with(advisorResult) {
+                vulnerabilities should beEmpty()
+                // TODO: Report an issue
+            }
+        }
+    }
+})
+
+private fun createBlackDuck(): BlackDuck =
+    BlackDuckFactory.create(
+        serverUrl = System.getenv("BLACK_DUCK_SERVER_URL"),
+        apiToken = System.getenv("BLACK_DUCK_API_TOKEN")
+    )
+
+private fun Map<Identifier, AdvisorResult>.patchTimes(): Map<Identifier, AdvisorResult> =
+    mapValues { (_, advisorResult) ->
+        advisorResult.normalizeVulnerabilityData().copy(
+            summary = advisorResult.summary.copy(
+                startTime = Instant.EPOCH,
+                endTime = Instant.EPOCH
+            )
+        )
+    }