refactor(model)!: Split vulnerability classes to a separate package
For a better overview, split out CVSS classes to separate files in a new
"vulnerabilities" sub-package of the ORT model. A plural name for the
package was chosen to align with the "licenses" sub-package.

Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth committed Oct 31, 2023
1 parent 5b42f08 commit cd40dd1
Showing 30 changed files with 233 additions and 137 deletions.
4 changes: 2 additions & 2 deletions advisor/src/main/kotlin/advisors/NexusIq.kt
Expand Up @@ -39,12 +39,12 @@ import org.ossreviewtoolkit.model.AdvisorResult
import org.ossreviewtoolkit.model.AdvisorSummary
import org.ossreviewtoolkit.model.Issue
import org.ossreviewtoolkit.model.Package
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.VulnerabilityReference
import org.ossreviewtoolkit.model.config.PluginConfiguration
import org.ossreviewtoolkit.model.utils.PurlType
import org.ossreviewtoolkit.model.utils.getPurlType
import org.ossreviewtoolkit.model.utils.toPurl
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.utils.common.Options
import org.ossreviewtoolkit.utils.common.collectMessages
import org.ossreviewtoolkit.utils.common.enumSetOf
4 changes: 2 additions & 2 deletions advisor/src/main/kotlin/advisors/OssIndex.kt
Expand Up @@ -35,10 +35,10 @@ import org.ossreviewtoolkit.model.AdvisorResult
import org.ossreviewtoolkit.model.AdvisorSummary
import org.ossreviewtoolkit.model.Issue
import org.ossreviewtoolkit.model.Package
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.VulnerabilityReference
import org.ossreviewtoolkit.model.config.PluginConfiguration
import org.ossreviewtoolkit.model.utils.toPurl
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.utils.common.Options
import org.ossreviewtoolkit.utils.common.collectMessages
import org.ossreviewtoolkit.utils.common.enumSetOf
6 changes: 3 additions & 3 deletions advisor/src/main/kotlin/advisors/Osv.kt
Expand Up @@ -39,8 +39,8 @@ import org.ossreviewtoolkit.model.AdvisorResult
import org.ossreviewtoolkit.model.AdvisorSummary
import org.ossreviewtoolkit.model.Identifier
import org.ossreviewtoolkit.model.Package
import org.ossreviewtoolkit.model.VulnerabilityReference
import org.ossreviewtoolkit.model.config.PluginConfiguration
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.utils.common.Options
import org.ossreviewtoolkit.utils.common.collectMessages
import org.ossreviewtoolkit.utils.common.enumSetOf
Expand Down Expand Up @@ -176,7 +176,7 @@ private fun createRequest(pkg: Package): VulnerabilitiesForPackageRequest? {
return null
}

private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulnerability {
private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.vulnerabilities.Vulnerability {
// OSV uses a list in order to support multiple representations of the severity using different scoring systems.
// However, only one representation is actually possible currently, because the enum 'Severity.Type' contains just a
// single element / scoring system. So, picking first severity is fine, in particular because ORT only supports a
Expand Down Expand Up @@ -218,7 +218,7 @@ private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulne
}.getOrNull()
}

return org.ossreviewtoolkit.model.Vulnerability(
return org.ossreviewtoolkit.model.vulnerabilities.Vulnerability(
id = id,
summary = summary,
description = details,
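Review bot: Spelling out `org.ossreviewtoolkit.model.vulnerabilities.Vulnerability` twice, in the return type of `toOrtVulnerability` and again in the constructor call, reads heavier after the move than the old `org.ossreviewtoolkit.model.Vulnerability` did. The clash with the OSV `Vulnerability` receiver type can be resolved once at the top of the file with an alias, `import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability as OrtVulnerability`, after which the two sites become `private fun Vulnerability.toOrtVulnerability(): OrtVulnerability {` and `return OrtVulnerability(`. The body of `toOrtVulnerability` continues outside the hunk, so any further uses of the qualified name there would need the same treatment.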
4 changes: 2 additions & 2 deletions advisor/src/main/kotlin/advisors/VulnerableCode.kt
Expand Up @@ -33,11 +33,11 @@ import org.ossreviewtoolkit.model.AdvisorSummary
import org.ossreviewtoolkit.model.Issue
import org.ossreviewtoolkit.model.Package
import org.ossreviewtoolkit.model.Severity
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.VulnerabilityReference
import org.ossreviewtoolkit.model.config.PluginConfiguration
import org.ossreviewtoolkit.model.createAndLogIssue
import org.ossreviewtoolkit.model.utils.toPurl
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.utils.common.Options
import org.ossreviewtoolkit.utils.common.collectMessages
import org.ossreviewtoolkit.utils.common.enumSetOf
4 changes: 2 additions & 2 deletions advisor/src/test/kotlin/advisors/OssIndexTest.kt
Expand Up @@ -43,9 +43,9 @@ import org.ossreviewtoolkit.model.AdvisorDetails
import org.ossreviewtoolkit.model.Identifier
import org.ossreviewtoolkit.model.Package
import org.ossreviewtoolkit.model.Severity
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.VulnerabilityReference
import org.ossreviewtoolkit.model.utils.toPurl
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.utils.common.enumSetOf
import org.ossreviewtoolkit.utils.test.shouldNotBeNull

4 changes: 2 additions & 2 deletions advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt
Expand Up @@ -46,10 +46,10 @@ import org.ossreviewtoolkit.model.Identifier
import org.ossreviewtoolkit.model.OrtResult
import org.ossreviewtoolkit.model.Package
import org.ossreviewtoolkit.model.Severity
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.VulnerabilityReference
import org.ossreviewtoolkit.model.readValue
import org.ossreviewtoolkit.model.utils.toPurl
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.utils.common.enumSetOf
import org.ossreviewtoolkit.utils.test.shouldNotBeNull

4 changes: 2 additions & 2 deletions evaluator/src/main/kotlin/PackageRule.kt
Expand Up @@ -25,12 +25,12 @@ import org.ossreviewtoolkit.model.LicenseSource
import org.ossreviewtoolkit.model.Package
import org.ossreviewtoolkit.model.Project
import org.ossreviewtoolkit.model.Severity
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.VulnerabilityReference
import org.ossreviewtoolkit.model.config.Excludes
import org.ossreviewtoolkit.model.licenses.LicenseView
import org.ossreviewtoolkit.model.licenses.ResolvedLicense
import org.ossreviewtoolkit.model.licenses.ResolvedLicenseInfo
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.utils.spdx.SpdxExpression
import org.ossreviewtoolkit.utils.spdx.SpdxLicenseReferenceExpression

4 changes: 2 additions & 2 deletions evaluator/src/test/kotlin/TestData.kt
Expand Up @@ -44,8 +44,6 @@ import org.ossreviewtoolkit.model.Scope
import org.ossreviewtoolkit.model.TextLocation
import org.ossreviewtoolkit.model.UnknownProvenance
import org.ossreviewtoolkit.model.VcsInfo
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.VulnerabilityReference
import org.ossreviewtoolkit.model.config.AdvisorConfiguration
import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
import org.ossreviewtoolkit.model.config.Excludes
Expand All @@ -54,6 +52,8 @@ import org.ossreviewtoolkit.model.config.PackageLicenseChoice
import org.ossreviewtoolkit.model.config.PathExclude
import org.ossreviewtoolkit.model.config.PathExcludeReason
import org.ossreviewtoolkit.model.config.RepositoryConfiguration
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
import org.ossreviewtoolkit.utils.common.enumSetOf
import org.ossreviewtoolkit.utils.ort.DeclaredLicenseProcessor
import org.ossreviewtoolkit.utils.ort.Environment
2 changes: 2 additions & 0 deletions model/src/main/kotlin/AdvisorRecord.kt
Expand Up @@ -22,6 +22,8 @@ package org.ossreviewtoolkit.model
import com.fasterxml.jackson.annotation.JsonIgnore
import com.fasterxml.jackson.annotation.JsonPropertyOrder

import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability

/**
* Type alias for a function that allows filtering of [AdvisorResult]s.
*/
2 changes: 2 additions & 0 deletions model/src/main/kotlin/AdvisorResult.kt
Expand Up @@ -19,6 +19,8 @@

package org.ossreviewtoolkit.model

import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability

/**
* The result of a specific advisor execution for a single package.
*
1 change: 1 addition & 0 deletions model/src/main/kotlin/OrtResult.kt
Expand Up @@ -32,6 +32,7 @@ import org.ossreviewtoolkit.model.config.LicenseFindingCuration
import org.ossreviewtoolkit.model.config.RepositoryConfiguration
import org.ossreviewtoolkit.model.config.Resolutions
import org.ossreviewtoolkit.model.config.orEmpty
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.utils.common.zipWithCollections
import org.ossreviewtoolkit.utils.spdx.model.SpdxLicenseChoice

2 changes: 1 addition & 1 deletion model/src/main/kotlin/config/VulnerabilityResolution.kt
Expand Up @@ -19,7 +19,7 @@

package org.ossreviewtoolkit.model.config

import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability

/**
* Defines the resolution of an [Vulnerability]. This can be used to silence false positives, or vulnerabilities that
Expand Up @@ -19,7 +19,7 @@

package org.ossreviewtoolkit.model.config

import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability

/**
* Possible reasons for resolving an [Vulnerability] using a [VulnerabilityResolution].
2 changes: 1 addition & 1 deletion model/src/main/kotlin/utils/ConfigurationResolver.kt
Expand Up @@ -30,9 +30,9 @@ import org.ossreviewtoolkit.model.PackageCuration
import org.ossreviewtoolkit.model.ResolvedPackageCurations
import org.ossreviewtoolkit.model.RuleViolation
import org.ossreviewtoolkit.model.ScanResult
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.config.PackageConfiguration
import org.ossreviewtoolkit.model.config.Resolutions
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability

object ConfigurationResolver {
/**
2 changes: 1 addition & 1 deletion model/src/main/kotlin/utils/DefaultResolutionProvider.kt
Expand Up @@ -24,9 +24,9 @@ import java.io.File
import org.ossreviewtoolkit.model.Issue
import org.ossreviewtoolkit.model.OrtResult
import org.ossreviewtoolkit.model.RuleViolation
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.config.Resolutions
import org.ossreviewtoolkit.model.readValue
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability

/**
* A [ResolutionProvider] that provides the given [resolutions].
2 changes: 1 addition & 1 deletion model/src/main/kotlin/utils/ResolutionProvider.kt
Expand Up @@ -21,10 +21,10 @@ package org.ossreviewtoolkit.model.utils

import org.ossreviewtoolkit.model.Issue
import org.ossreviewtoolkit.model.RuleViolation
import org.ossreviewtoolkit.model.Vulnerability
import org.ossreviewtoolkit.model.config.IssueResolution
import org.ossreviewtoolkit.model.config.RuleViolationResolution
import org.ossreviewtoolkit.model.config.VulnerabilityResolution
import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability

/**
* An interface to provide resolutions for [Issue]s, [RuleViolation]s and [Vulnerability]s .
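--- a/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
+++ b/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
@@ -0,0 +1,49 @@
+/*
+* Copyright (C) 2021 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* https://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+* License-Filename: LICENSE
+*/
+
+package org.ossreviewtoolkit.model.vulnerabilities
+
+/**
+* The rating attaches human-readable semantics to the score number according to CVSS version 2, see
+* https://www.balbix.com/insights/cvss-v2-vs-cvss-v3/#CVSSv3-Scoring-Scale-vs-CVSSv2-6.
+*/
+enum class Cvss2Rating(private val upperBound: Float) {
+LOW(4.0f),
+MEDIUM(7.0f),
+HIGH(10.0f);
+
+companion object {
+/**
+* A set of names that refer to the CVSS version 2 scoring system.
+*/
+val NAMES = setOf("CVSS2", "CVSSV2", "CVSS:2.0")
+
+/**
+* Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].
+*/
+fun fromScore(score: Float): Cvss2Rating? =
+when {
+score < 0.0f || score > HIGH.upperBound -> null
+score < LOW.upperBound -> LOW
+score < MEDIUM.upperBound -> MEDIUM
+score <= HIGH.upperBound -> HIGH
+else -> null
+}
+}
+}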
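Review bot: The final `else -> null` arm of `fromScore` is reachable only for NaN, because every other value that passes the first arm lies in [0, 10] and is caught by `<= HIGH.upperBound`, yet nothing says so and a later reader may drop it as dead code. A one-line comment keeps that intent visible, e.g. `else -> null // Only NaN gets here: every comparison above is false for it.`, and the KDoc could state the contract directly: `Returns null for negative scores, scores above 10.0 and NaN.`. The class KDoc also cites a vendor blog for the rating bands; the FIRST CVSS v2 guide itself defines no qualitative scale, and the 0.0–3.9 / 4.0–6.9 / 7.0–10.0 bands implemented here are, as far as I know, the NVD's v2 severity rating, so linking NVD's CVSS page would give the thresholds an authoritative source.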
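--- a/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
+++ b/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
@@ -0,0 +1,53 @@
+/*
+* Copyright (C) 2021 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* https://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+* License-Filename: LICENSE
+*/
+
+package org.ossreviewtoolkit.model.vulnerabilities
+
+/**
+* The rating attaches human-readable semantics to the score number according to CVSS version 3, see
+* https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale.
+*/
+enum class Cvss3Rating(private val upperBound: Float) {
+NONE(0.0f),
+LOW(4.0f),
+MEDIUM(7.0f),
+HIGH(9.0f),
+CRITICAL(10.0f);
+
+companion object {
+/**
+* A set of names that refer to the CVSS version 3 scoring system.
+*/
+val NAMES = setOf("CVSS3", "CVSSV3", "CVSS:3.0", "CVSS:3.1")
+
+/**
+* Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].
+*/
+fun fromScore(score: Float): Cvss3Rating? =
+when {
+score < 0.0f || score > CRITICAL.upperBound -> null
+score == NONE.upperBound -> NONE
+score < LOW.upperBound -> LOW
+score < MEDIUM.upperBound -> MEDIUM
+score < HIGH.upperBound -> HIGH
+score <= CRITICAL.upperBound -> CRITICAL
+else -> null
+}
+}
+}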
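Review bot: The `NONE` arm of `fromScore` matches only an exact 0.0, so any positive score below 0.1 is rated LOW; that is correct only because the specification's rounding yields scores with one decimal place, and the KDoc should state that precondition rather than leave it implicit, e.g. `Assumes [score] is a CVSS base score rounded to one decimal place as the specification defines; NaN, negative scores and scores above 10.0 yield null.`. As in the sibling Cvss2Rating, the closing `else -> null` is reachable only for NaN and deserves a comment saying so, e.g. `else -> null // Only NaN gets here: every comparison above is false for it.`. `NAMES` accepts both "CVSS:3.0" and "CVSS:3.1" while the class KDoc links the 3.0 document only; a short note that v3.1 kept the same qualitative severity scale would explain why one enum serves both.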
Expand Up @@ -17,7 +17,7 @@
* License-Filename: LICENSE
*/

package org.ossreviewtoolkit.model
package org.ossreviewtoolkit.model.vulnerabilities

import com.fasterxml.jackson.annotation.JsonInclude
import com.fasterxml.jackson.annotation.JsonInclude.Include
Expand Up @@ -17,7 +17,7 @@
* License-Filename: LICENSE
*/

package org.ossreviewtoolkit.model
package org.ossreviewtoolkit.model.vulnerabilities

import java.net.URI

Expand Down Expand Up @@ -63,66 +63,4 @@ data class VulnerabilityReference(
else -> severity?.uppercase()?.takeIf { it in CVSS3_SEVERITIES }
} ?: "UNKNOWN"
}

/**
* The rating attaches human-readable semantics to the score number according to CVSS version 2, see
* https://www.balbix.com/insights/cvss-v2-vs-cvss-v3/#CVSSv3-Scoring-Scale-vs-CVSSv2-6.
*/
enum class Cvss2Rating(private val upperBound: Float) {
LOW(4.0f),
MEDIUM(7.0f),
HIGH(10.0f);

companion object {
/**
* A set of names that refer to the CVSS version 2 scoring system.
*/
val NAMES = setOf("CVSS2", "CVSSV2", "CVSS:2.0")

/**
* Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].
*/
fun fromScore(score: Float): Cvss2Rating? =
when {
score < 0.0f || score > HIGH.upperBound -> null
score < LOW.upperBound -> LOW
score < MEDIUM.upperBound -> MEDIUM
score <= HIGH.upperBound -> HIGH
else -> null
}
}
}

/**
* The rating attaches human-readable semantics to the score number according to CVSS version 3, see
* https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale.
*/
enum class Cvss3Rating(private val upperBound: Float) {
NONE(0.0f),
LOW(4.0f),
MEDIUM(7.0f),
HIGH(9.0f),
CRITICAL(10.0f);

companion object {
/**
* A set of names that refer to the CVSS version 3 scoring system.
*/
val NAMES = setOf("CVSS3", "CVSSV3", "CVSS:3.0", "CVSS:3.1")

/**
* Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].
*/
fun fromScore(score: Float): Cvss3Rating? =
when {
score < 0.0f || score > CRITICAL.upperBound -> null
score == NONE.upperBound -> NONE
score < LOW.upperBound -> LOW
score < MEDIUM.upperBound -> MEDIUM
score < HIGH.upperBound -> HIGH
score <= CRITICAL.upperBound -> CRITICAL
else -> null
}
}
}
}