Fix VDR export containing non-vulnerable components #2878

Merged
merged 1 commit into from
Aug 14, 2023
Merged
Expand Up @@ -72,7 +72,12 @@ public Bom create(final Component component) {
return create(components, null, null, null);
}

private Bom create(final List<Component>components, final List<ServiceComponent> services, final List<Finding> findings, final Project project) {
private Bom create(List<Component> components, final List<ServiceComponent> services, final List<Finding> findings, final Project project) {
if (Variant.VDR == variant) {
components = components.stream()
.filter(component -> !component.getVulnerabilities().isEmpty())
.toList();
}
final List<org.cyclonedx.model.Component> cycloneComponents = (Variant.VEX != variant && components != null) ? components.stream().map(component -> ModelConverter.convert(qm, component)).collect(Collectors.toList()) : null;
final List<org.cyclonedx.model.Service> cycloneServices = (Variant.VEX != variant && services != null) ? services.stream().map(service -> ModelConverter.convert(qm, service)).collect(Collectors.toList()) : null;
final List<org.cyclonedx.model.vulnerability.Vulnerability> cycloneVulnerabilities = (findings != null) ? findings.stream().map(finding -> ModelConverter.convert(qm, variant, finding)).collect(Collectors.toList()) : null;
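Review bot: The new VDR filter dereferences `components` unconditionally at `components = components.stream()`, while the unchanged line just below the added block still guards with `components != null`, so a VDR export with a null component list now throws a NullPointerException instead of producing a BOM without components. Tighten the guard to `if (Variant.VDR == variant && components != null) {`. The filter also keeps every component whose `getVulnerabilities()` is non-empty; if that collection includes findings whose analysis marks them as not affected or suppressed (not visible from the hunk), those components are still exported, which should be confirmed against the intended VDR semantics. The rest of `create` continues below the hunk.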
Expand Up @@ -66,6 +66,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;

public class ModelConverter {

Expand Down Expand Up @@ -748,19 +749,19 @@ public static List<Dependency> generateDependencies(final Project project, final

final var dependencies = new ArrayList<Dependency>();
final var rootDependency = new Dependency(project.getUuid().toString());
rootDependency.setDependencies(convertDirectDependencies(project.getDirectDependencies()));
rootDependency.setDependencies(convertDirectDependencies(project.getDirectDependencies(), components));
dependencies.add(rootDependency);

for (final Component component : components) {
final var dependency = new Dependency(component.getUuid().toString());
dependency.setDependencies(convertDirectDependencies(component.getDirectDependencies()));
dependency.setDependencies(convertDirectDependencies(component.getDirectDependencies(), components));
dependencies.add(dependency);
}

return dependencies;
}

private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw) {
private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw, final List<Component> components) {
15% of developers fix this issue

MixedMutabilityReturnType: This method returns both mutable and immutable collections or maps from different paths. This may be confusing for users of the method.


Suggested change
private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw, final List<Component> components) {
private static ImmutableList<Dependency> convertDirectDependencies(final String directDependenciesRaw, final List<Component> components) {

ℹ️ Expand to see all @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command Usage
@sonatype-lift ignore Leave out the above finding from this PR
@sonatype-lift ignoreall Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool> Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.

if (directDependenciesRaw == null || directDependenciesRaw.isBlank()) {
return Collections.emptyList();
}
Expand All @@ -772,7 +773,10 @@ private static List<Dependency> convertDirectDependencies(final String directDep
if (directDependenciesJson instanceof final JsonArray directDependenciesJsonArray) {
for (final JsonValue directDependency : directDependenciesJsonArray) {
if (directDependency instanceof final JsonObject directDependencyObject) {
dependencies.add(new Dependency(directDependencyObject.getString("uuid")));
final String componentUuid = directDependencyObject.getString("uuid", null);
if (componentUuid != null && components.stream().map(Component::getUuid).map(UUID::toString).anyMatch(componentUuid::equals)) {
dependencies.add(new Dependency(directDependencyObject.getString("uuid")));
}
}
}
}
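Review bot: The membership test added in `convertDirectDependencies` (`components.stream().map(Component::getUuid).map(UUID::toString).anyMatch(componentUuid::equals)`) re-walks the entire component list for every dependency entry, and the method is called once per component from `generateDependencies`, so building the dependency graph now costs O(components × dependencies) UUID-to-string conversions per export, which is noticeable on large BOMs. Build a `Set<String>` of known component UUIDs once in `generateDependencies` and pass it down so each check is a constant-time `contains`; `java.util.Set` and `java.util.stream.Collectors` need importing if they are not already (the import hunk only shows `UUID` being added). The inner branch can also reuse `componentUuid` rather than calling `getString("uuid")` a second time. `generateDependencies` starts above the first hunk, and the second hunk sits inside `convertDirectDependencies`, whose JSON parsing lies between the two hunks.
```java
        final var dependencies = new ArrayList<Dependency>();
        // Resolve the set of exported component UUIDs once so each dependsOn check below is O(1)
        final Set<String> knownComponentUuids = components.stream()
                .map(Component::getUuid)
                .map(UUID::toString)
                .collect(Collectors.toSet());
        final var rootDependency = new Dependency(project.getUuid().toString());
        rootDependency.setDependencies(convertDirectDependencies(project.getDirectDependencies(), knownComponentUuids));
        // … unchanged: per-component loop, now passing knownComponentUuids …

    private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw, final Set<String> knownComponentUuids) {
        // … unchanged: blank check and JSON parsing …
                    final String componentUuid = directDependencyObject.getString("uuid", null);
                    // Skip references to components that are not part of this BOM (e.g. filtered out for VDR)
                    if (componentUuid != null && knownComponentUuids.contains(componentUuid)) {
                        dependencies.add(new Dependency(componentUuid));
                    }
```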
Expand Up @@ -531,12 +531,6 @@ public void exportProjectAsCycloneDxVdrTest() {
]
},
"components": [
{
"type": "library",
"bom-ref": "${json-unit.matches:componentWithoutVulnUuid}",
"name": "acme-lib-a",
"version": "1.0.0"
},
{
"type": "library",
"bom-ref": "${json-unit.matches:componentWithVulnUuid}",
Expand All @@ -554,16 +548,9 @@ public void exportProjectAsCycloneDxVdrTest() {
{
"ref": "${json-unit.matches:projectUuid}",
"dependsOn": [
"${json-unit.matches:componentWithoutVulnUuid}",
"${json-unit.matches:componentWithVulnAndAnalysisUuid}"
]
},
{
"ref": "${json-unit.matches:componentWithoutVulnUuid}",
"dependsOn": [
"${json-unit.matches:componentWithVulnUuid}"
]
},
{
"ref": "${json-unit.matches:componentWithVulnUuid}",
"dependsOn": []