chore(advisor)!: Remove the NexusIQ advisor

The NexusIQ advisor was originally created to assist with a migration
away from that commercial product. As that migration completed
successfully and no maintainer has access to a NexusIQ instance anymore,
it becomes infeasible to maintain.

So remove the NexusIQ advisor and replace various mentions, e.g. in
tests, with the similar but public OSSIndex advisor.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>

.ort.yml

@@ -56,11 +56,6 @@ resolutions:
  This vulnerability is triggered by the org.springframework:spring-beans package which comes as a transitive
  dependency of the Jira REST client used by the notifier. The vulnerability applies only to Spring MVC or Spring
  WebFlux applications; so it is ineffective for the current usage scenario.
- - id: "sonatype-2022-1764"
- reason: "INEFFECTIVE_VULNERABILITY"
- comment: >-
- This is a duplicate for CVE-2022-22965 reported by Sonatype NexusIQ, as Sonatype reported this issue before a
- CVE ID was officially released.
  - id: "CVE-2016-7954"
  reason: "INEFFECTIVE_VULNERABILITY"
  comment: >-

cli/src/funTest/assets/semver4j-ort-result.yml

@@ -374,26 +374,54 @@ advisor:
  tool_versions: {}
  config:
  config:
- NexusIQ:
+ OssIndex:
  options:
- server_url: "https://oss-review-toolkit.org"
- browse_url: "https://oss-review-toolkit.org"
+ serverUrl: "https://ossindex.sonatype.org"
  secrets:
- username: "user"
+ username: "username"
+ password: "password"
  results:
  Maven:junit:junit:4.12:
  - advisor:
- name: "NexusIQ"
+ name: "OSSIndex"
  capabilities:
  - "VULNERABILITIES"
  summary:
- start_time: "2021-04-29T14:54:17.322191Z"
- end_time: "2021-04-29T14:54:18.966672Z"
+ start_time: "2024-09-09T09:06:07.446242337Z"
+ end_time: "2024-09-09T09:06:08.652601586Z"
  vulnerabilities:
  - id: "CVE-2020-15250"
+ summary: "[CVE-2020-15250] CWE-200: Information Exposure"
+ description: "In JUnit4 from version 4.7 and before 4.13.1, the test rule\
+ \ TemporaryFolder contains a local information disclosure vulnerability.\
+ \ On Unix like systems, the system's temporary directory is shared between\
+ \ all users on that system. Because of this, when files and directories\
+ \ are written into this directory they are, by default, readable by other\
+ \ users on that same system. This vulnerability does not allow other users\
+ \ to overwrite the contents of these directories or files. This is purely\
+ \ an information disclosure vulnerability. This vulnerability impacts you\
+ \ if the JUnit tests write sensitive information, like API keys or passwords,\
+ \ into the temporary folder, and the JUnit tests execute in an environment\
+ \ where the OS has other untrusted users. Because certain JDK file system\
+ \ APIs were only added in JDK 1.7, this this fix is dependent upon the version\
+ \ of the JDK you are using. For Java 1.7 and higher users: this vulnerability\
+ \ is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available,\
+ \ you must use the workaround below. If you are unable to patch, or are\
+ \ stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment\
+ \ variable to a directory that is exclusively owned by the executing user\
+ \ will fix this vulnerability. For more information, including an example\
+ \ of vulnerable code, see the referenced GitHub Security Advisory."
  references:
- - url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250"
- scoring_system: "CVSS2"
+ - url: "https://ossindex.sonatype.org/vulnerability/CVE-2020-15250?component-type=maven&component-name=junit%2Fjunit&utm_source=okhttp&utm_medium=integration&utm_content=4.12.0"
+ scoring_system: "CVSS:3.1"
+ severity: "MEDIUM"
+ score: 5.5
+ - url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15250"
+ scoring_system: "CVSS:3.1"
+ severity: "MEDIUM"
+ score: 5.5
+ - url: "https://github.com/advisories/GHSA-269g-pwp5-87pp"
+ scoring_system: "CVSS:3.1"
  severity: "MEDIUM"
  score: 5.5
 evaluator: null

examples/example.rules.kts

@@ -215,7 +215,7 @@ fun RuleSet.vulnerabilityInPackageRule() = packageRule("VULNERABILITY_IN_PACKAGE
 
 fun RuleSet.highSeverityVulnerabilityInPackageRule() = packageRule("HIGH_SEVERITY_VULNERABILITY_IN_PACKAGE") {
  val scoreThreshold = 5.0f
- val scoringSystem = "CVSS2"
+ val scoringSystem = "CVSS:3.1"
 
  require {
  -isExcluded()

integrations/completions/ort-completion.fish

@@ -25,7 +25,7 @@ complete -c ort -n "__fish_seen_subcommand_from advise" -l output-dir -s o -r -F
 complete -c ort -n "__fish_seen_subcommand_from advise" -l output-formats -s f -r -fa "JSON YAML" -d 'The list of output formats to be used for the ORT result file(s).'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l label -s l -r -d 'Set a label in the ORT result, overwriting any existing label of the same name. Can be used multiple times. For example: --label distribution=external'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l resolutions-file -r -F -d 'A file containing issue and rule violation resolutions.'
-complete -c ort -n "__fish_seen_subcommand_from advise" -l advisors -s a -r -d 'The comma-separated advisors to use, any of [NexusIQ, OSSIndex, OSV, VulnerableCode].'
+complete -c ort -n "__fish_seen_subcommand_from advise" -l advisors -s a -r -d 'The comma-separated advisors to use, any of [OSSIndex, OSV, VulnerableCode].'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l skip-excluded -d 'Do not check excluded projects or packages.'
 complete -c ort -n "__fish_seen_subcommand_from advise" -s h -l help -d 'Show this message and exit'