Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -49,5 +49,9 @@ properties:
suppress:
type: boolean
default: false
annotations:
type: array
items:
$ref: "./vuln-policy-annotation.yaml"
required:
- state
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# This file is part of Dependency-Track.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) OWASP Foundation. All Rights Reserved.
type: object
properties:
key:
type: string
value:
type: string
required:
- key
21 changes: 21 additions & 0 deletions apiserver/src/main/java/org/dependencytrack/model/Analysis.java
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,10 @@
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import jakarta.validation.constraints.NotNull;
import org.dependencytrack.persistence.converter.PolicyAnnotationsJsonConverter;

import javax.jdo.annotations.Column;
import javax.jdo.annotations.Convert;
import javax.jdo.annotations.Extension;
import javax.jdo.annotations.Extensions;
import javax.jdo.annotations.ForeignKey;
Expand Down Expand Up @@ -157,6 +159,17 @@ public class Analysis implements Serializable {
@JsonIgnore
private Long vulnerabilityPolicyId;

@Persistent(defaultFetchGroup = "true")
@Column(name = "POLICY_ANNOTATIONS", jdbcType = "CLOB")
@Extensions(value = {
@Extension(vendorName = "datanucleus", key = "insert-function", value = "CAST(? AS JSONB)"),
@Extension(vendorName = "datanucleus", key = "update-function", value = "CAST(? AS JSONB)")
})
@Convert(PolicyAnnotationsJsonConverter.class)
@JsonProperty(value = "policyAnnotations")
private List<AppliedPolicyAnnotation> policyAnnotations;


public long getId() {
return id;
}
Expand Down Expand Up @@ -313,4 +326,12 @@ public Long getVulnerabilityPolicyId() {
public void setVulnerabilityPolicyId(Long vulnerabilityPolicyId) {
this.vulnerabilityPolicyId = vulnerabilityPolicyId;
}

public List<AppliedPolicyAnnotation> getPolicyAnnotations() {
return policyAnnotations != null ? policyAnnotations : List.of();
}

public void setPolicyAnnotations(final List<AppliedPolicyAnnotation> policyAnnotations) {
this.policyAnnotations = policyAnnotations;
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) OWASP Foundation. All Rights Reserved.
*/
package org.dependencytrack.model;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import org.dependencytrack.resources.v1.serializers.Iso8601DateSerializer;
import org.jspecify.annotations.Nullable;

import java.io.Serializable;
import java.util.Date;

/**
* Policy-driven annotation materialized on an {@link Analysis} record.
*
* @since 5.0.0
*/
@JsonInclude(JsonInclude.Include.NON_NULL)
public record AppliedPolicyAnnotation(
String policyName,
@JsonSerialize(using = Iso8601DateSerializer.class)
Date appliedAt,
@Nullable String annotator) implements Serializable {
}
27 changes: 27 additions & 0 deletions apiserver/src/main/java/org/dependencytrack/model/Finding.java
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,7 @@ public Finding(final FindingDao.FindingRow findingRow) {

optValue(analysis, "state", findingRow.analysisState());
optValue(analysis, "isSuppressed", findingRow.suppressed(), false);
analysis.put("policyAnnotations", toPolicyAnnotationsApi(findingRow.policyAnnotationsJson()));
optValue(analysis, "detail", findingRow.analysisDetail());
if (findingRow.vulnPublished() != null) {
optValue(vulnerability, "published", Date.from(findingRow.vulnPublished()));
Expand Down Expand Up @@ -140,6 +141,32 @@ private void optValue(Map<String, Object> map, String key, Object value) {
}
}

private static List<Map<String, Object>> toPolicyAnnotationsApi(
final List<AppliedPolicyAnnotation> annotations) {
if (annotations == null || annotations.isEmpty()) {
return List.of();
}

final var apiAnnotations = new ArrayList<Map<String, Object>>(annotations.size());
for (final AppliedPolicyAnnotation annotation : annotations) {
if (annotation == null) {
continue;
}

final var apiAnnotation = new LinkedHashMap<String, Object>();
apiAnnotation.put("policyName", annotation.policyName());
if (annotation.annotator() != null) {
apiAnnotation.put("annotator", annotation.annotator());
}
if (annotation.appliedAt() != null) {
apiAnnotation.put("appliedAt", annotation.appliedAt());
}
apiAnnotations.add(apiAnnotation);
}

return List.copyOf(apiAnnotations);
}

static List<Cwe> getCwes(final List<Integer> cweIds) {
if (cweIds == null || cweIds.isEmpty()) {
return null;
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) OWASP Foundation. All Rights Reserved.
*/
package org.dependencytrack.model;

import com.fasterxml.jackson.annotation.JsonInclude;

import java.io.Serializable;

/**
* Key-value annotation defined on a vulnerability policy's analysis block.
*
* @since 5.0.0
*/
@JsonInclude(JsonInclude.Include.NON_NULL)
public record PolicyAnnotation(String key, String value) implements Serializable {
}
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
import org.dependencytrack.model.Project;
import org.dependencytrack.model.Tag;
import org.dependencytrack.model.Vulnerability;
import org.dependencytrack.resources.v1.vo.ComponentVulnerabilityView;
import org.dependencytrack.model.VulnerabilityAlias;
import org.dependencytrack.model.VulnerabilityKey;
import org.dependencytrack.model.VulnerableSoftware;
Expand Down Expand Up @@ -381,27 +382,40 @@ WHERE EXISTS (
}

/**
* Returns a List of Vulnerability for the specified Component.
* Returns vulnerabilities for the specified component, including per-finding analysis.
*
* @param component the Component to retrieve vulnerabilities of
* @return a List of Vulnerability objects
* @return a paginated list of {@link ComponentVulnerabilityView} objects
*/
public PaginatedResult getVulnerabilities(Component component, boolean includeSuppressed) {
List<Vulnerability> componentVulnerabilities;
List<ComponentVulnerabilityView> componentVulnerabilities;
List<AffectedProjectCountRow> affectedProjectCounts;

try (final Handle jdbiHandle = openJdbiHandle(this.request)) {
final var dao = jdbiHandle.attach(VulnerabilityDao.class);
componentVulnerabilities = dao.getVulnerabilitiesByComponent(component.getId(), includeSuppressed);
affectedProjectCounts = dao.getAffectedProjectCount(
componentVulnerabilities.stream().map(Vulnerability::getId).toList(),
includeSuppressed);
if (componentVulnerabilities.isEmpty()) {
affectedProjectCounts = List.of();
} else {
affectedProjectCounts = dao.getAffectedProjectCount(
componentVulnerabilities.stream()
.map(view -> view.getVulnerability().getId())
.toList(),
includeSuppressed);
}
}
Map<Long, Vulnerability> vulnById = componentVulnerabilities.stream().collect(Collectors.toMap(Vulnerability::getId, vulnerability -> vulnerability));
final Map<Long, ComponentVulnerabilityView> vulnById = componentVulnerabilities.stream()
.collect(Collectors.toMap(view -> view.getVulnerability().getId(), view -> view));
for (var vulnerabilityProjectCount : affectedProjectCounts) {
var vulnerability = vulnById.get(vulnerabilityProjectCount.id());
final var view = vulnById.get(vulnerabilityProjectCount.id());
if (view == null) {
continue;
}
final Vulnerability vulnerability = view.getVulnerability();
vulnerability.setAffectedProjectCount(vulnerabilityProjectCount.totalProjectCount());
vulnerability.setAffectedActiveProjectCount(vulnerabilityProjectCount.activeProjectCount());
vulnerability.setAffectedInactiveProjectCount(vulnerabilityProjectCount.totalProjectCount() - vulnerabilityProjectCount.activeProjectCount());
vulnerability.setAffectedInactiveProjectCount(
vulnerabilityProjectCount.totalProjectCount() - vulnerabilityProjectCount.activeProjectCount());
}
return (new PaginatedResult()).objects(componentVulnerabilities).total(componentVulnerabilities.size());
}
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) OWASP Foundation. All Rights Reserved.
*/
package org.dependencytrack.persistence.converter;

import com.fasterxml.jackson.core.type.TypeReference;
import org.dependencytrack.model.AppliedPolicyAnnotation;

import java.util.List;

public class PolicyAnnotationsJsonConverter extends AbstractJsonConverter<List<AppliedPolicyAnnotation>> {

private static final TypeReference<List<AppliedPolicyAnnotation>> TYPE_REF = new TypeReference<>() {};

public PolicyAnnotationsJsonConverter() {
super(TYPE_REF);
}

@Override
public String convertToDatastore(final List<AppliedPolicyAnnotation> attributeValue) {
if (attributeValue == null || attributeValue.isEmpty()) {
return null;
}

return super.convertToDatastore(attributeValue);
}

@Override
public List<AppliedPolicyAnnotation> convertToAttribute(final String datastoreValue) {
if (datastoreValue == null || datastoreValue.isBlank()) {
return List.of();
}

final List<AppliedPolicyAnnotation> annotations = super.convertToAttribute(datastoreValue);
return annotations != null ? annotations : List.of();
}

}
Loading
Loading