

feat(osv): Support parsing CVSS v4 vectors
Switch to MetaEffect's Java library (see [1]) that also supports CVSS
v4 already.

Resolves #9354.

[1]: stevespringett/cvss-calculator#78 (comment)

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth committed Nov 1, 2024
1 parent 52d1ce0 commit 0b2b2af
Showing 4 changed files with 12 additions and 14 deletions.
4 changes: 2 additions & 2 deletions gradle/libs.versions.toml
Expand Up @@ -12,11 +12,11 @@ mavenPublishPlugin = "0.30.0"
reproducibleBuildsPlugin = "1.0"
versionsPlugin = "0.51.0"

aeSecurity = "0.125.0"
asciidoctorj = "3.0.0"
asciidoctorjPdf = "2.3.19"
clikt = "5.0.1"
commonsCompress = "1.27.1"
cvssCalculator = "1.4.3"
cyclonedx = "9.1.0"
diffUtils = "4.12"
discoClient = "21.0.1"
Expand Down Expand Up @@ -85,12 +85,12 @@ plugin-ksp = { module = "com.google.devtools.ksp:com.google.devtools.ksp.gradle.
plugin-mavenPublish = { module = "com.vanniktech:gradle-maven-publish-plugin", version.ref = "mavenPublishPlugin" }
plugin-reproducibleBuilds = { module = "org.gradlex:reproducible-builds", version.ref = "reproducibleBuildsPlugin" }

aeSecurity = { module = "org.metaeffekt.core:ae-security", version.ref = "aeSecurity" }
asciidoctorj = { module = "org.asciidoctor:asciidoctorj", version.ref = "asciidoctorj" }
asciidoctorj-pdf = { module = "org.asciidoctor:asciidoctorj-pdf", version.ref = "asciidoctorjPdf" }
awsS3 = { module = "software.amazon.awssdk:s3", version.ref = "s3" }
clikt = { module = "com.github.ajalt.clikt:clikt", version.ref = "clikt" }
commonsCompress = { module = "org.apache.commons:commons-compress", version.ref = "commonsCompress" }
cvssCalculator = { module = "us.springett:cvss-calculator", version.ref = "cvssCalculator" }
cyclonedx = { module = "org.cyclonedx:cyclonedx-core-java", version.ref = "cyclonedx" }
detekt-api = { module = "io.gitlab.arturbosch.detekt:detekt-api", version.ref = "detektPlugin" }
detekt-test = { module = "io.gitlab.arturbosch.detekt:detekt-test", version.ref = "detektPlugin" }
2 changes: 1 addition & 1 deletion plugins/advisors/osv/build.gradle.kts
Expand Up @@ -30,7 +30,7 @@ dependencies {
implementation(projects.utils.commonUtils)
implementation(projects.utils.ortUtils)

implementation(libs.cvssCalculator)
implementation(libs.aeSecurity)
implementation(libs.kotlinx.serialization.core)
implementation(libs.kotlinx.serialization.json)

Expand Up @@ -126,37 +126,37 @@
"url" : "https://nvd.nist.gov/vuln/detail/CVE-2019-7537",
"scoring_system" : "CVSS_V4",
"severity" : "CRITICAL",
"score" : null,
"score" : 9.3,
"vector" : "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}, {
"url" : "https://github.com/pytroll/donfig/issues/5",
"scoring_system" : "CVSS_V4",
"severity" : "CRITICAL",
"score" : null,
"score" : 9.3,
"vector" : "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}, {
"url" : "https://github.com/pytroll/donfig/commit/1f9dbf83b17419a06d63c14ef3fbd29dbc1b8ce5",
"scoring_system" : "CVSS_V4",
"severity" : "CRITICAL",
"score" : null,
"score" : 9.3,
"vector" : "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}, {
"url" : "https://github.com/pypa/advisory-database/tree/main/vulns/donfig/PYSEC-2019-21.yaml",
"scoring_system" : "CVSS_V4",
"severity" : "CRITICAL",
"score" : null,
"score" : 9.3,
"vector" : "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}, {
"url" : "https://github.com/pytroll/donfig",
"scoring_system" : "CVSS_V4",
"severity" : "CRITICAL",
"score" : null,
"score" : 9.3,
"vector" : "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}, {
"url" : "https://github.com/pytroll/donfig/commits/master",
"scoring_system" : "CVSS_V4",
"severity" : "CRITICAL",
"score" : null,
"score" : 9.3,
"vector" : "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
} ]
}, {
8 changes: 3 additions & 5 deletions plugins/advisors/osv/src/main/kotlin/Osv.kt
Expand Up @@ -26,6 +26,8 @@ import kotlinx.serialization.json.contentOrNull

import org.apache.logging.log4j.kotlin.logger

import org.metaeffekt.core.security.cvss.CvssVector

import org.ossreviewtoolkit.advisor.AdviceProvider
import org.ossreviewtoolkit.advisor.AdviceProviderFactory
import org.ossreviewtoolkit.clients.osv.OsvServiceWrapper
Expand All @@ -46,8 +48,6 @@ import org.ossreviewtoolkit.utils.common.enumSetOf
import org.ossreviewtoolkit.utils.common.toUri
import org.ossreviewtoolkit.utils.ort.OkHttpClientHelper

import us.springett.cvss.Cvss

/**
* An advice provider that obtains vulnerability information from Open Source Vulnerabilities (https://osv.dev/).
*
Expand Down Expand Up @@ -168,10 +168,8 @@ private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.vulne
// See also https://github.com/google/osv.dev/issues/484.
val specificSeverity = databaseSpecific?.get("severity")

// Note that the CVSS Calculator does not support CVSS 4.0 yet:
// https://github.com/stevespringett/cvss-calculator/issues/78
val baseScore = runCatching {
Cvss.fromVector(severity)?.calculateScore()?.baseScore?.toFloat()
CvssVector.parseVector(severity)?.baseScore?.toFloat()
}.onFailure {
logger.debug { "Unable to parse CVSS vector '$severity': ${it.collectMessages()}." }
}.getOrNull()
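Review bot: The new `CvssVector.parseVector(severity)?.baseScore?.toFloat()` line can yield no score without any trace: the safe call means a `null` from `parseVector` (a vector string the library does not recognize, presumably) falls through to `getOrNull()` silently, since `onFailure` only fires for thrown exceptions. As `severity` is taken from the OSV response, i.e. data the advisor does not control, a missing score for an unrecognized vector is worth at least the same debug log as a parse exception gets, e.g. by appending `.also { if (it == null) logger.debug { "No CVSS score derived from vector '$severity'." } }` after `getOrNull()`, or by checking the `parseVector` result before dereferencing it. The removed comment explained the CVSS 4.0 limitation but nothing replaces it; a short note such as `// parseVector() is expected to handle CVSS 2.0/3.x/4.0 vectors; any other prefix or a malformed vector yields no score rather than failing the lookup.` would document the contract the fixture change now relies on. Note also that `runCatching` swallows every `Throwable` into a `null` score, so narrowing the handler to the exception type `parseVector` documents would keep unrelated failures from being masked. `toOrtVulnerability` starts outside the hunk.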

