
fix(VulnerableCode): Handle invalid URLs in references #6807

Conversation

oheger-bosch
Member

There are some packages for which VulnerableCode returns vulnerabilities with URL references that cannot be converted to URIs, since they contain invalid characters. In such cases, no meaningful advisor result was generated. Prevent this by handling exceptions when converting to URIs.

@oheger-bosch oheger-bosch requested review from a team and MarcelBochtler as code owners April 5, 2023 06:28
@codecov

codecov bot commented Apr 5, 2023

Codecov Report

Patch coverage: 75.00% and project coverage change: +0.05 🎉

Comparison is base (834f86b) 64.63% compared to head (b971234) 64.68%.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #6807      +/-   ##
============================================
+ Coverage     64.63%   64.68%   +0.05%     
- Complexity     1955     1956       +1     
============================================
  Files           322      322              
  Lines         16164    16192      +28     
  Branches       2295     2308      +13     
============================================
+ Hits          10447    10474      +27     
+ Misses         4725     4722       -3     
- Partials        992      996       +4     
Flag Coverage Δ
funTest-docker 64.54% <ø> (+0.59%) ⬆️
funTest-non-docker 49.46% <0.00%> (-0.04%) ⬇️
test 32.39% <75.00%> (+0.01%) ⬆️


Impacted Files Coverage Δ
advisor/src/main/kotlin/advisors/VulnerableCode.kt 86.11% <75.00%> (-4.22%) ⬇️

... and 4 files with indirect coverage changes


@sschuberth
Member

There are some packages for which VulnerableCode returns vulnerabilities with URL references that cannot be converted to URIs, since they contain invalid characters

Please also report this to https://github.com/nexB/vulnerablecode/issues if not already done so.

```kotlin
 * advisor fails, handle those URLs by returning them with a special scheme and URL-encoded.
 */
private fun VulnerableCodeService.VulnerabilityReference.safeUri(): URI =
    url.toUri().getOrDefault(URI("unparsed:${URLEncoder.encode(url, StandardCharsets.UTF_8)}"))
```
Member


I wonder whether having such an "unparsed" URI is of any value, or whether we rather should create a warning issue / log for such things. I currently have a tendency for the latter. What do you think @oheger-bosch?

Member Author


The problem I see here is that the vulnerability reference could also be associated with scores and severities. Consider the case that there is a reference indicating a high severity, but with an invalid URL. Wouldn't it be better then if the reference is still visible in the reports where it is expected? But since the URL is not nullable, it must contain something. The hope is that a human reader can at least get an impression of where this reference comes from.

Member


Wouldn't it be better then if the reference is still visible in the reports where it is expected?

To be honest, I don't necessarily think so. First of all, personally I do not care much about the references at all; all I want to know is if there is a vulnerability, and I do regard all sources that ORT's advisors use as trustworthy anyway.

The hope is that a human reader can at least get an impression of where this reference comes from.

With the escaping happening, a human reader is going to have a hard time making sense of the URI anyway. So I'd still prefer the issue approach.

Member


Another idea could be to fix up the URI before parsing so it becomes valid. Is there a pattern behind what makes these URIs invalid?

Member Author


The solution with an issue is also fine with me, I can try this out.
I am not sure whether we can identify a general pattern. In theory, the URI conversion could always fail.

Member Author


Changed the implementation to create an issue.
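To make the two options discussed in this thread concrete, here is an added, self-contained Kotlin sketch. It is not ORT's code: `VulnerabilityReference`, `Issue` and `ConvertedReferences` are stand-ins for the real ORT types, and `safeUri` re-implements the fallback from the first revision with `runCatching` instead of ORT's `toUri()` helper. Option 1 keeps every reference by encoding the broken URL under an `unparsed:` scheme; option 2 drops the unparsable reference, records an issue carrying the raw URL and severity, and lets the remaining references and the vulnerability itself still reach the advisor result.

```kotlin
import java.net.URI
import java.net.URLEncoder
import java.nio.charset.StandardCharsets

// Stand-ins for VulnerableCodeService.VulnerabilityReference and ORT's Issue type
// (assumptions for this example, not ORT's own classes).
data class VulnerabilityReference(val url: String, val severity: String? = null)
data class Issue(val source: String, val message: String)

// Outcome of converting one vulnerability's references: usable URIs plus issues to attach to the result.
data class ConvertedReferences(val uris: List<URI>, val issues: List<Issue>)

// Option 1 (first revision of this PR): never lose a reference, fall back to an "unparsed:" URI.
fun VulnerabilityReference.safeUri(): URI =
    runCatching { URI(url) }.getOrElse {
        URI("unparsed:${URLEncoder.encode(url, StandardCharsets.UTF_8)}")
    }

// Option 2 (the direction the thread settled on): skip the invalid reference and record an issue,
// keeping the severity visible in the issue text so the reader does not lose that signal.
fun convertReferences(references: List<VulnerabilityReference>): ConvertedReferences {
    val uris = mutableListOf<URI>()
    val issues = mutableListOf<Issue>()

    references.forEach { ref ->
        runCatching { URI(ref.url) }
            .onSuccess { uris += it }
            .onFailure { e ->
                issues += Issue(
                    source = "VulnerableCode",
                    message = "Reference URL '${ref.url}' (severity: ${ref.severity ?: "unknown"}) " +
                        "could not be parsed: ${e.message}"
                )
            }
    }

    return ConvertedReferences(uris, issues)
}

fun main() {
    // Constructed sample references: one valid, two containing characters java.net.URI rejects.
    val refs = listOf(
        VulnerabilityReference("https://example.com/advisory/1", severity = "high"),
        VulnerabilityReference("https://example.com/advisory/with space", severity = "high"),
        VulnerabilityReference("https://example.com/{id}")
    )

    println("Option 1 (unparsed fallback):")
    refs.forEach { println("  ${it.safeUri()}") }

    println("Option 2 (skip reference, create issue):")
    val converted = convertReferences(refs)
    converted.uris.forEach { println("  kept:  $it") }
    converted.issues.forEach { println("  issue: ${it.message}") }
}
```

Running `main` prints the valid reference under both options; under option 1 the two broken URLs appear as `unparsed:https%3A%2F%2Fexample.com%2F...`, under option 2 they are absent from the kept list and show up as two issues instead. The severity is carried into the issue message deliberately, since that was the information the `unparsed:` fallback was trying not to lose.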

@oheger-bosch
Member Author

Please also report this to https://github.com/nexB/vulnerablecode/issues if not already done so.

Created this issue: aboutcode-org/vulnerablecode#1173

@oheger-bosch oheger-bosch force-pushed the oheger-bosch/advisor/vc_references branch from 2d04b52 to 66641d2 on April 5, 2023 11:06
@oheger-bosch oheger-bosch requested a review from sschuberth April 5, 2023 11:08
There are some packages for which VulnerableCode returns
vulnerabilities with URL references that cannot be converted to URIs,
since they contain invalid characters. In such cases, no meaningful
advisor result was generated. Prevent this by handling exceptions when
converting to URIs.

Signed-off-by: Oliver Heger <oliver.heger@bosch.io>
@oheger-bosch oheger-bosch force-pushed the oheger-bosch/advisor/vc_references branch from 66641d2 to b971234 on April 5, 2023 11:29
@oheger-bosch oheger-bosch requested a review from sschuberth April 5, 2023 11:30
@oheger-bosch oheger-bosch merged commit 629a6ba into oss-review-toolkit:main Apr 5, 2023
@oheger-bosch oheger-bosch deleted the oheger-bosch/advisor/vc_references branch April 5, 2023 12:44