
Issue #931 : Support for Google OSV #1703

Merged
merged 28 commits into from
Jul 24, 2022

Commits on Jun 10, 2022

  1. draft for using google OSV

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 10, 2022
    bcbddff
  2. ConfigProperties test fix

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 10, 2022
    ee624bc

Commits on Jun 14, 2022

  1. Vulnerability mapping done

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 14, 2022
    594af37

Commits on Jun 15, 2022

  1. unit test for osv task

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 15, 2022
    7b6ea43

Commits on Jun 16, 2022

  1. osv enabled default to true

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 16, 2022
    a9a0783

Commits on Jun 17, 2022

  1. fixes and tests

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 17, 2022
    a8adf36
  2. fix http client

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 17, 2022
    eeb1372

Commits on Jun 23, 2022

  1. update source of vulnerability

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 23, 2022
    dba49b5
  2. map credits

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 23, 2022
    0fb6ad1

Commits on Jun 24, 2022

  1. minor changes

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 24, 2022
    6f725af
  2. close reader

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 24, 2022
    b987030

Commits on Jun 28, 2022

  1. update severity calculation and prioritize

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 28, 2022
    cca6c9f
  2. handle vulnerability mapping to avoid whole task

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 28, 2022
    cdf1e90
  3. fix out of bound exception

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 28, 2022
    7fe4c5d

Commits on Jun 29, 2022

  1. changes to avoid clashing with github or nvd

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 29, 2022
    2edf945

Commits on Jun 30, 2022

  1. fix for commit hash ranges and small changes requested

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jun 30, 2022
    7fb3b42

Commits on Jul 1, 2022

  1. handle purl parsing

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jul 1, 2022
    d8f836a
  2. handle version range types, disable default osv

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jul 1, 2022
    985a58f
  3. fix de-duplication of vulnerable software

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jul 1, 2022
    94072d5
  4. small test fix

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jul 1, 2022
    7b0afee
  5. d66e211

Commits on Jul 2, 2022

  1. Perform null check before parsing PURLs

    Signed-off-by: nscuro <nscuro@protonmail.com>
    nscuro committed Jul 2, 2022
    0477ecd
  2. Adjust class names to rest of the code base

    Signed-off-by: nscuro <nscuro@protonmail.com>
    nscuro committed Jul 2, 2022
    a8aba45
  3. Remove redundant QueryManager method; Test more mapped vulnerability fields

    Signed-off-by: nscuro <nscuro@protonmail.com>
    nscuro committed Jul 2, 2022
    da1d059
  4. Refactor OSV range parsing to avoid infinite loops

    Additional changes:
    
    * Rename `OsvVulnerability` to `OsvAffectedPackage` to avoid confusion
    * Be more strict about ordering of range events
    
    Signed-off-by: nscuro <nscuro@protonmail.com>
    nscuro committed Jul 2, 2022
    bb57600

Commits on Jul 3, 2022

  1. Fetch Vulnerability#vulnerableSoftware lazily

    For some odd reason, the query generated by DataNucleus for fetching `VulnerableSoftware` is drastically less efficient when using the `VULNERABLESOFTWARE` `@FetchGroup` over lazy fetching via `Vulnerability#getVulnerableSoftware()`.
    
    Query generated by fetch group:
    
    ```
    SELECT 'org.dependencytrack.model.VulnerableSoftware' AS DN_TYPE,A1.CPE22,A1.CPE23,A1.EDITION,A1.ID AS NUCORDER0,A1."LANGUAGE",A1.OTHER,A1.PART,A1.PRODUCT,A1.PURL,A1.PURL_NAME,A1.PURL_NAMESPACE,A1.PURL_QUALIFIERS,A1.PURL_SUBPATH,A1.PURL_TYPE,A1.PURL_VERSION,A1.SWEDITION,A1.TARGETHW,A1.TARGETSW,A1."UPDATE",A1.UUID,A1.VENDOR,A1.VERSION,A1.VERSIONENDEXCLUDING,A1.VERSIONENDINCLUDING,A1.VERSIONSTARTEXCLUDING,A1.VERSIONSTARTINCLUDING,A1.VULNERABLE,A0.VULNERABILITY_ID FROM VULNERABLESOFTWARE_VULNERABILITIES A0 INNER JOIN VULNERABLESOFTWARE A1 ON A0.VULNERABLESOFTWARE_ID = A1.ID WHERE EXISTS (SELECT 'org.dependencytrack.model.Vulnerability' AS DN_TYPE,A0_SUB.ID AS DN_APPID FROM VULNERABILITY A0_SUB WHERE A0_SUB.SOURCE = 'NVD' AND A0_SUB.VULNID = 'CVE-2020-0404' AND A0.VULNERABILITY_ID = A0_SUB.ID) ORDER BY NUCORDER0
    ```
    
    Query generated by `getVulnerableSoftware()`:
    
    ```
    SELECT 'org.dependencytrack.model.VulnerableSoftware' AS DN_TYPE,A1.CPE22,A1.CPE23,A1.EDITION,A1.ID AS NUCORDER0,A1."LANGUAGE",A1.OTHER,A1.PART,A1.PRODUCT,A1.PURL,A1.PURL_NAME,A1.PURL_NAMESPACE,A1.PURL_QUALIFIERS,A1.PURL_SUBPATH,A1.PURL_TYPE,A1.PURL_VERSION,A1.SWEDITION,A1.TARGETHW,A1.TARGETSW,A1."UPDATE",A1.UUID,A1.VENDOR,A1.VERSION,A1.VERSIONENDEXCLUDING,A1.VERSIONENDINCLUDING,A1.VERSIONSTARTEXCLUDING,A1.VERSIONSTARTINCLUDING,A1.VULNERABLE FROM VULNERABLESOFTWARE_VULNERABILITIES A0 INNER JOIN VULNERABLESOFTWARE A1 ON A0.VULNERABLESOFTWARE_ID = A1.ID WHERE A0.VULNERABILITY_ID = ? ORDER BY NUCORDER0
    ```
    
    Signed-off-by: nscuro <nscuro@protonmail.com>
    nscuro committed Jul 3, 2022
    c6c687e

Commits on Jul 21, 2022

  1. change OSV label from Google

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>
    sahibamittal committed Jul 21, 2022
    d855040
  2. 0c23fac