refactor(model)!: Generalize the scoring system mapping
Only look for prefixes when matching scoring system names to properly
recognize e.g. "cvssv3.1_qr" as a `Cvss3Rating`.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth committed Sep 17, 2024
1 parent 09ec750 commit ea95f4b
Showing 6 changed files with 20 additions and 17 deletions.
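--- a/evaluator/src/main/kotlin/PackageRule.kt
+++ b/evaluator/src/main/kotlin/PackageRule.kt
@@ -110,11 +110,12 @@ open class PackageRule(
 
 val severities = matchingSystems
 .mapNotNull { it.severity }
-.mapNotNull {
-when (scoringSystem.uppercase()) {
-in Cvss2Rating.NAMES -> enumValueOf<Cvss2Rating>(it)
-in Cvss3Rating.NAMES -> enumValueOf<Cvss3Rating>(it)
-in Cvss4Rating.NAMES -> enumValueOf<Cvss4Rating>(it)
+.mapNotNull { severity ->
+val system = scoringSystem.uppercase()
+when {
+Cvss2Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf<Cvss2Rating>(severity)
+Cvss3Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf<Cvss3Rating>(severity)
+Cvss4Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf<Cvss4Rating>(severity)
 else -> null
 }
 }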
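Review bot: `val system = scoringSystem.uppercase()` on the added line inside `.mapNotNull { severity -> ... }` does not depend on `severity`, so it is recomputed for every matched severity; hoist it above the `val severities = ...` chain. The three `X.PREFIXES.any { system.startsWith(it) }` conditions are repeated verbatim in `VulnerabilityReference.getQualitativeRating`; a small helper on each rating's companion object, e.g. `fun matches(system: String) = PREFIXES.any { system.startsWith(it) }` (name constructed), would keep the two call sites from drifting apart. Prefix matching is more permissive than the old exact-name set (any name starting with "CVSS3" now maps to a `Cvss3Rating`), so a test for the "cvssv3.1_qr" case from the description plus one name that must stay unmatched would pin the new contract. The enclosing function starts outside the hunk.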
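--- a/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
+++ b/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
@@ -30,9 +30,9 @@ enum class Cvss2Rating(private val upperBound: Float) {
 
 companion object {
 /**
-* A set of names that refer to the CVSS version 2 scoring system.
+* A set of prefixes that refer to the CVSS version 2 scoring system.
 */
-val NAMES = setOf("CVSS2", "CVSSV2", "CVSS_V2", "CVSS:2.0")
+val PREFIXES = setOf("CVSS2", "CVSSV2", "CVSS_V2", "CVSS:2")
 
 /**
 * Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].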
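Review bot: The KDoc on the added `val PREFIXES` line should state the matching contract its callers rely on: the upper-cased scoring system name is compared against these entries with `startsWith`, so every entry must be upper case, and the shortened `"CVSS:2"` deliberately also covers `"CVSS:2.0"`; the same applies to the Cvss3Rating.kt and Cvss4Rating.kt hunks. OssIndex.kt additionally uses `Cvss2Rating.PREFIXES.first()` as the default scoring system name, so the doc should say that the first entry is the canonical name and that the set order is significant (`setOf` preserves insertion order). Suggested wording: `A set of upper-case prefixes that identify the CVSS version 2 scoring system; callers match an upper-cased system name via startsWith(). The first entry is the canonical name.`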
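--- a/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
+++ b/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
@@ -32,9 +32,9 @@ enum class Cvss3Rating(private val upperBound: Float) {
 
 companion object {
 /**
-* A set of names that refer to the CVSS version 3 scoring system.
+* A set of prefixes that refer to the CVSS version 3 scoring system.
 */
-val NAMES = setOf("CVSS3", "CVSSV3", "CVSS_V3", "CVSS:3.0", "CVSS:3.1")
+val PREFIXES = setOf("CVSS3", "CVSSV3", "CVSS_V3", "CVSS:3")
 
 /**
 * Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].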
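--- a/model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt
+++ b/model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt
@@ -32,9 +32,9 @@ enum class Cvss4Rating(private val upperBound: Float) {
 
 companion object {
 /**
-* A set of names that refer to the CVSS version 4 scoring system.
+* A set of prefixes that refer to the CVSS version 4 scoring system.
 */
-val NAMES = setOf("CVSS4", "CVSSV4", "CVSS_V4", "CVSS:4.0")
+val PREFIXES = setOf("CVSS4", "CVSSV4", "CVSS_V4", "CVSS:4")
 
 /**
 * Get the [Cvss4Rating] from a [score], or null if the [score] does not map to any [Cvss4Rating].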
12 changes: 7 additions & 5 deletions model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt
Expand Up @@ -66,12 +66,14 @@ data class VulnerabilityReference(
/**
* Return a qualitative rating that is determined based on the given [scoringSystem] and [score].
*/
fun getQualitativeRating(scoringSystem: String?, score: Float?): Enum<*>? =
when (scoringSystem?.uppercase()) {
in Cvss2Rating.NAMES -> score?.let { Cvss2Rating.fromScore(it) }
in Cvss3Rating.NAMES -> score?.let { Cvss3Rating.fromScore(it) }
in Cvss4Rating.NAMES -> score?.let { Cvss4Rating.fromScore(it) }
fun getQualitativeRating(scoringSystem: String?, score: Float?): Enum<*>? {
val system = scoringSystem?.uppercase() ?: return null
return when {
Cvss2Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss2Rating.fromScore(it) }
Cvss3Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss3Rating.fromScore(it) }
Cvss4Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss4Rating.fromScore(it) }
else -> null
}
}
}
}
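Review bot: `score?.let { ... }` is repeated in all three branches of the new `return when {`; an early return right after the added `val system = ...` line, `val cvssScore = score ?: return null`, lets each branch read `Cvss2Rating.fromScore(cvssScore)` with the same result, since a null score yields null in every branch either way. The KDoc above `getQualitativeRating` still only says the rating is "determined based on the given [scoringSystem] and [score]" and does not state the new prefix contract; suggest adding `The [scoringSystem] is matched case-insensitively by prefix, so e.g. "cvssv3.1_qr" maps to a [Cvss3Rating]; null is returned for a null or unrecognized system or a null score.` The check annotation on this page reports the `else -> null` line as not covered by tests, so a test passing an unrecognized scoring system would close that gap. The enclosing companion object and class start outside the hunk.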
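--- a/plugins/advisors/oss-index/src/main/kotlin/OssIndex.kt
+++ b/plugins/advisors/oss-index/src/main/kotlin/OssIndex.kt
@@ -138,7 +138,7 @@ class OssIndex(override val descriptor: PluginDescriptor, config: OssIndexConfig
 */
 private fun OssIndexService.Vulnerability.toVulnerability(): Vulnerability {
 // Only CVSS version 2 vectors do not contain the "CVSS:" label and version prefix.
-val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.NAMES.first())
+val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.PREFIXES.first())
 
 val severity = VulnerabilityReference.getQualitativeRating(scoringSystem, cvssScore)?.name
 val reference = VulnerabilityReference(URI(reference), scoringSystem, severity, cvssScore, cvssVector)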
