address comments

smithy-security · Feb 27, 2024 · 8c792be · 8c792be
1 parent 050f561
commit 8c792be
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 72 deletions.
diff --git a/api/proto/v1/issue.pb.go b/api/proto/v1/issue.pb.go
diff --git a/api/proto/v1/issue.proto b/api/proto/v1/issue.proto
@@ -66,8 +66,8 @@ message Issue {
   // optional string that allows producers to communicate relevant code/request segments
   optional string context_segment = 12;
 
-  // optionally the related CWE
-  optional string cwe = 13;
+  // optionally the related CWEs
+  repeated int32 cwe = 13;
 }
 
 /* Represents an issue that has been enriched with metadata from the enrichment service */

diff --git a/components/producers/dependency-track/main.go b/components/producers/dependency-track/main.go
@@ -2,6 +2,7 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
 	"log"
 
@@ -43,16 +44,47 @@ func parseIssues(out *DependencyTrackOut) ([]*v1.Issue, error) {
 		iss := v1.Issue{}
 		target := element.Component.Purl
 		iss.Target = target
-		cwe := fmt.Sprintf("%d", element.Vulnerability.CweID)
+		cwe := []int32{}
+		for _, c := range element.Vulnerability.Cwes {
+			cwe = append(cwe, int32(c.CweID))
+		}
 		iss.Type = element.Vulnerability.VulnID
 		iss.Title = element.Vulnerability.Title
-		iss.Cvss = element.Vulnerability.CvssV3BaseScore
-		iss.Severity = v1.Severity(v1.Severity_value[fmt.Sprintf("SEVERITY_%s", element.Vulnerability.Severity)])
-		iss.Cwe = &cwe
+		if element.Vulnerability.CvssV3BaseScore != 0 {
+			iss.Cvss = element.Vulnerability.CvssV3BaseScore
+		}
+		switch element.Vulnerability.Severity {
+		case "CRITICAL":
+			iss.Severity = v1.Severity_SEVERITY_CRITICAL
+		case "HIGH":
+			iss.Severity = v1.Severity_SEVERITY_HIGH
+
+		case "MEDIUM":
+			iss.Severity = v1.Severity_SEVERITY_MEDIUM
+		case "LOW":
+			iss.Severity = v1.Severity_SEVERITY_LOW
+		case "INFO":
+			iss.Severity = v1.Severity_SEVERITY_INFO
+		case "UNASSIGNED":
+			iss.Severity = v1.Severity_SEVERITY_UNSPECIFIED
+
+		}
+		iss.Cwe = cwe
 		if len(element.Vulnerability.Aliases) > 0 {
 			iss.Cve = element.Vulnerability.Aliases[0].CveID
 		}
 		iss.Description = fmt.Sprintf("%s\n%s", element.Vulnerability.Description, element.Vulnerability.Recommendation)
+		if len(element.Vulnerability.Aliases) > 0 {
+			iss.Description = fmt.Sprintf("%s\nVulnerability Aliases:", iss.Description)
+			for _, alias := range element.Vulnerability.Aliases {
+				serialised, err := json.Marshal(alias)
+				if err != nil {
+					log.Println("Error serialising vulnerability alias", alias, "skipping")
+					continue
+				}
+				iss.Description = fmt.Sprintf("%s\n%s", iss.Description, string(serialised))
+			}
+		}
 		issues = append(issues, &iss)
 	}
 

diff --git a/components/producers/dependency-track/main_test.go b/components/producers/dependency-track/main_test.go
@@ -16,28 +16,28 @@ func TestParseIssues(t *testing.T) {
 
 	issues, err := parseIssues(&results)
 	assert.Nil(t, err)
-	cwe0 := "400"
-	cwe1 := "601"
+	cwe0 := []int32{400}
+	cwe1 := []int32{601, 918}
 	expectedIssue := []*v1.Issue{
 		{
 			Target:   "pkg:maven/org.springframework/[email protected]",
 			Type:     "SNYK-JAVA-ORGSPRINGFRAMEWORK-6183818",
 			Title:    "Uncontrolled Resource Consumption ('Resource Exhaustion')",
 			Severity: 4, Cvss: 7.5, Confidence: 0,
-			Description: "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via specially crafted HTTP requests. An attacker can cause a denial-of-service condition by sending malicious requests that exploit this issue. \r\n\r\n**Notes:**\r\n\r\nThis is only exploitable if the application uses Spring MVC and Spring Security 6.1.6+ or 6.2.1+ is on the classpath.\r\n\r\nTypically, Spring Boot applications need the 'org.springframework.boot:spring-boot-starter-web' and 'org.springframework.boot:spring-boot-starter-security' dependencies to meet all conditions.\n## Remediation\nUpgrade 'org.springframework:spring-core' to version 6.0.16, 6.1.3 or higher.\n## References\n- [Vulnerability Advisory](https://spring.io/security/cve-2024-22233/)\n\nUpgrade the package version to 6.0.16,6.1.3 to fix this vulnerability",
+			Description: "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via specially crafted HTTP requests. An attacker can cause a denial-of-service condition by sending malicious requests that exploit this issue. \r\n\r\n**Notes:**\r\n\r\nThis is only exploitable if the application uses Spring MVC and Spring Security 6.1.6+ or 6.2.1+ is on the classpath.\r\n\r\nTypically, Spring Boot applications need the 'org.springframework.boot:spring-boot-starter-web' and 'org.springframework.boot:spring-boot-starter-security' dependencies to meet all conditions.\n## Remediation\nUpgrade 'org.springframework:spring-core' to version 6.0.16, 6.1.3 or higher.\n## References\n- [Vulnerability Advisory](https://spring.io/security/cve-2024-22233/)\n\nUpgrade the package version to 6.0.16,6.1.3 to fix this vulnerability\nVulnerability Aliases:\n{\"cveId\":\"CVE-2024-22233\",\"snykId\":\"SNYK-JAVA-ORGSPRINGFRAMEWORK-6183818\"}",
 			Source:      "", Cve: "CVE-2024-22233", Uuid: "",
-			Cwe: &cwe0,
+			Cwe: cwe0,
 		},
 		{
 			Target:   "pkg:maven/org.springframework/[email protected]",
 			Type:     "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586",
 			Title:    "Open Redirect",
 			Severity: 4, Cvss: 7.1, Confidence: 0,
-			Description: "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when 'UriComponentsBuilder' parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.\n## Remediation\nUpgrade 'org.springframework:spring-web' to version 5.3.32, 6.0.17, 6.1.4 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042)\n- [Spring Advisory](https://spring.io/security/cve-2024-22243)\n\nUpgrade the package version to 5.3.32,6.0.17,6.1.4 to fix this vulnerability",
+			Description: "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when 'UriComponentsBuilder' parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.\n## Remediation\nUpgrade 'org.springframework:spring-web' to version 5.3.32, 6.0.17, 6.1.4 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042)\n- [Spring Advisory](https://spring.io/security/cve-2024-22243)\n\nUpgrade the package version to 5.3.32,6.0.17,6.1.4 to fix this vulnerability\nVulnerability Aliases:\n{\"cveId\":\"CVE-2024-22243\",\"snykId\":\"SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586\"}",
 			Source:      "",
 			Cve:         "CVE-2024-22243",
 			Uuid:        "",
-			Cwe:         &cwe1,
+			Cwe:         cwe1,
 		},
 	}
 	assert.Equal(t, expectedIssue, issues)