add mapping for attributed on
Co-Authored-By: Sébastien Delcoigne <[email protected]>
sahibamittal and sebD committed Jun 6, 2024
1 parent 0dbf1d3 commit 7e59fb7
Showing 4 changed files with 53 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -583,7 +583,8 @@ public Project clone(UUID from, String newVersion, boolean includeTags, boolean
// Add vulnerabilties and finding attribution from the source component to the cloned component
for (Vulnerability vuln : sourceComponent.getVulnerabilities()) {
final FindingAttribution sourceAttribution = this.getFindingAttribution(vuln, sourceComponent);
this.addVulnerability(vuln, clonedComponent, sourceAttribution.getAnalyzerIdentity(), sourceAttribution.getAlternateIdentifier(), sourceAttribution.getReferenceUrl());
this.addVulnerability(vuln, clonedComponent, sourceAttribution.getAnalyzerIdentity(), sourceAttribution.getAlternateIdentifier(),
sourceAttribution.getReferenceUrl(), sourceAttribution.getAttributedOn());
}
clonedComponents.put(sourceComponent.getId(), clonedComponent);
}
Original file line number Diff line number Diff line change
Expand Up @@ -881,6 +881,11 @@ public void addVulnerability(Vulnerability vulnerability, Component component, A
getVulnerabilityQueryManager().addVulnerability(vulnerability, component, analyzerIdentity, alternateIdentifier, referenceUrl);
}

public void addVulnerability(Vulnerability vulnerability, Component component, AnalyzerIdentity analyzerIdentity,
String alternateIdentifier, String referenceUrl, Date attributedOn) {
getVulnerabilityQueryManager().addVulnerability(vulnerability, component, analyzerIdentity, alternateIdentifier, referenceUrl, attributedOn);
}

public void removeVulnerability(Vulnerability vulnerability, Component component) {
getVulnerabilityQueryManager().removeVulnerability(vulnerability, component);
}
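Review bot: The new six-argument `addVulnerability` overload is public but carries no Javadoc, while the overload it delegates to in VulnerabilityQueryManager documents `attributedOn` as optional and intended for cloning. Callers of the facade only see this signature, so the nullability and intent of the extra parameter should be stated here too, e.g. `/** Adds a vulnerability to a component, keeping an existing attribution date; {@code attributedOn} may be null for new findings. */` above the method. The enclosing class continues outside the hunk.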
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@

import javax.jdo.PersistenceManager;
import javax.jdo.Query;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
Expand All @@ -47,9 +46,9 @@
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.UUID;
import java.util.function.Function;
import java.util.stream.Collectors;

final class VulnerabilityQueryManager extends QueryManager implements IQueryManager {

Expand Down Expand Up @@ -200,7 +199,7 @@ public List<Vulnerability> getVulnerabilitiesForNpmModule(String module) {
* @param analyzerIdentity the identify of the analyzer
*/
public void addVulnerability(Vulnerability vulnerability, Component component, AnalyzerIdentity analyzerIdentity) {
this.addVulnerability(vulnerability, component, analyzerIdentity, null, null);
this.addVulnerability(vulnerability, component, analyzerIdentity, null, null, null);
}

/**
Expand All @@ -213,10 +212,28 @@ public void addVulnerability(Vulnerability vulnerability, Component component, A
*/
public void addVulnerability(Vulnerability vulnerability, Component component, AnalyzerIdentity analyzerIdentity,
String alternateIdentifier, String referenceUrl) {
this.addVulnerability(vulnerability, component, analyzerIdentity, alternateIdentifier, referenceUrl, null);
}

/**
* Adds a vulnerability to a component.
* @param vulnerability the vulnerability to add
* @param component the component affected by the vulnerability
* @param analyzerIdentity the identify of the analyzer
* @param alternateIdentifier the optional identifier if the analyzer refers to the vulnerability by an alternative identifier
* @param referenceUrl the optional URL that references the occurrence of the vulnerability if uniquely identified
* @param attributedOn the optional attribution date of the vulnerability. Used primarily when cloning projects, leave null when adding a new one.
*/
public void addVulnerability(Vulnerability vulnerability, Component component, AnalyzerIdentity analyzerIdentity,
String alternateIdentifier, String referenceUrl, Date attributedOn) {
if (!contains(vulnerability, component)) {
component.addVulnerability(vulnerability);
component = persist(component);
persist(new FindingAttribution(component, vulnerability, analyzerIdentity, alternateIdentifier, referenceUrl));
FindingAttribution findingAttribution = new FindingAttribution(component, vulnerability, analyzerIdentity, alternateIdentifier, referenceUrl);
if (attributedOn != null) {
findingAttribution.setAttributedOn(attributedOn);
}
persist(findingAttribution);
}
}

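Review bot: `findingAttribution.setAttributedOn(attributedOn)` in the new six-argument overload stores the caller's `Date` reference as-is; `Date` is mutable, and in the clone path the value is the source attribution's own instance, so source and cloned attribution may alias one object until the persistence layer copies it — unless `setAttributedOn` already copies (not visible here), `findingAttribution.setAttributedOn(new Date(attributedOn.getTime()));` removes that ambiguity. Since this parameter lets a caller set a finding's attribution timestamp, the Javadoc's "leave null when adding a new one" is worth strengthening to say the date must come from an existing attribution, never from request input, so audit timelines cannot be backdated. The new Javadoc also repeats the existing typo `the identify of the analyzer`; `identity`. The four-argument and five-argument overloads at the top of the hunk are correctly routed through the new method.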
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import org.dependencytrack.model.Bom;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.DependencyMetrics;
import org.dependencytrack.model.Finding;
import org.dependencytrack.model.IntegrityAnalysis;
import org.dependencytrack.model.IntegrityMatchStatus;
import org.dependencytrack.model.NotificationPublisher;
Expand All @@ -39,6 +40,7 @@
import org.dependencytrack.model.Project;
import org.dependencytrack.model.ProjectMetadata;
import org.dependencytrack.model.ProjectMetrics;
import org.dependencytrack.model.Severity;
import org.dependencytrack.model.Vex;
import org.dependencytrack.model.ViolationAnalysis;
import org.dependencytrack.model.ViolationAnalysisState;
Expand Down Expand Up @@ -201,4 +203,27 @@ public void recursivelyDeleteTest() {
assertThat(policy.getProjects()).isEmpty();
}

@Test
public void testCloneProjectPreservesVulnerabilityAttributionDate() throws Exception {
Project project = qm.createProject("Example Project 1", "Description 1", "1.0", null, null, null, true, false);
Component comp = new Component();
comp.setId(111L);
comp.setName("name");
comp.setProject(project);
comp.setVersion("1.0");
comp.setCopyright("Copyright Acme");
qm.createComponent(comp, true);
Vulnerability vuln = new Vulnerability();
vuln.setVulnId("INT-123");
vuln.setSource(Vulnerability.Source.INTERNAL);
vuln.setSeverity(Severity.HIGH);
qm.persist(vuln);
qm.addVulnerability(vuln, comp, AnalyzerIdentity.INTERNAL_ANALYZER, "Vuln1", "http://vuln.com/vuln1", new Date());
Project clonedProject = qm.clone(project.getUuid(), "1.1.0", false, false, true, false, false, false, false);
List<Finding> findings = qm.getFindings(clonedProject);
assertThat(findings.size()).isEqualTo(1);
Finding finding = findings.get(0);
assertThat(finding).isNotNull();
assertThat(finding.getAttribution().isEmpty()).isFalse();
}
}
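Review bot: `testCloneProjectPreservesVulnerabilityAttributionDate` never checks the date it is named for: `assertThat(finding.getAttribution().isEmpty()).isFalse()` would also pass before this commit, because the five-argument path already persisted a FindingAttribution for the cloned component. Keep the date in a local (`Date attributedOn = ...`), pass it to `qm.addVulnerability(...)`, and assert that the cloned finding's attribution carries that same instant; the accessor depends on how Finding exposes its attribution map, which is not shown here. Using `new Date()` makes such an equality check weak, since a freshly defaulted "now" on the clone would differ only by milliseconds — a clearly past, fixed timestamp distinguishes "preserved" from "re-stamped".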
