Skip to content
Open
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -49,5 +49,9 @@ properties:
suppress:
type: boolean
default: false
annotations:
type: array
items:
$ref: "./vuln-policy-annotation.yaml"
required:
- state
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# This file is part of Dependency-Track.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) OWASP Foundation. All Rights Reserved.
type: object
properties:
key:
type: string
value:
type: string
required:
- key
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;

/**
* @since 5.0.0
Expand All @@ -39,7 +40,8 @@ public static ObjectMapper jsonMapper() {
private static ObjectMapper createJsonMapper() {
return new ObjectMapper()
.setDefaultPropertyInclusion(JsonInclude.Include.NON_NULL)
.registerModule(new Jdk8Module());
.registerModule(new Jdk8Module())
.registerModule(new JavaTimeModule());
}

}
21 changes: 21 additions & 0 deletions apiserver/src/main/java/org/dependencytrack/model/Analysis.java
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,10 @@
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import jakarta.validation.constraints.NotNull;
import org.dependencytrack.persistence.converter.PolicyAnnotationsJsonConverter;

import javax.jdo.annotations.Column;
import javax.jdo.annotations.Convert;
import javax.jdo.annotations.Extension;
import javax.jdo.annotations.Extensions;
import javax.jdo.annotations.ForeignKey;
Expand Down Expand Up @@ -157,6 +159,17 @@ public class Analysis implements Serializable {
@JsonIgnore
private Long vulnerabilityPolicyId;

@Persistent(defaultFetchGroup = "true")
@Column(name = "POLICY_ANNOTATIONS", jdbcType = "CLOB")
@Extensions(value = {
@Extension(vendorName = "datanucleus", key = "insert-function", value = "CAST(? AS JSONB)"),
@Extension(vendorName = "datanucleus", key = "update-function", value = "CAST(? AS JSONB)")
})
@Convert(PolicyAnnotationsJsonConverter.class)
@JsonProperty(value = "policyAnnotations")
private List<AppliedPolicyAnnotation> policyAnnotations;


public long getId() {
return id;
}
Expand Down Expand Up @@ -313,4 +326,12 @@ public Long getVulnerabilityPolicyId() {
public void setVulnerabilityPolicyId(Long vulnerabilityPolicyId) {
this.vulnerabilityPolicyId = vulnerabilityPolicyId;
}

public List<AppliedPolicyAnnotation> getPolicyAnnotations() {
return policyAnnotations;
}

public void setPolicyAnnotations(final List<AppliedPolicyAnnotation> policyAnnotations) {
this.policyAnnotations = policyAnnotations;
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) OWASP Foundation. All Rights Reserved.
*/
package org.dependencytrack.model;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import org.dependencytrack.resources.v1.serializers.Iso8601InstantSerializer;
import org.jspecify.annotations.Nullable;

import java.io.Serializable;
import java.time.Instant;

/**
* Policy-driven annotation materialized on an {@link Analysis} record.
*
* @since 5.0.0
*/
@JsonInclude(JsonInclude.Include.NON_NULL)
public record AppliedPolicyAnnotation(
String policyName,
@JsonSerialize(using = Iso8601InstantSerializer.class)
Instant appliedAt,
@Nullable String annotator) implements Serializable {
}
29 changes: 29 additions & 0 deletions apiserver/src/main/java/org/dependencytrack/model/Finding.java
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
import org.dependencytrack.persistence.jdbi.FindingDao;

import java.io.Serializable;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
Expand Down Expand Up @@ -99,6 +100,7 @@ public Finding(final FindingDao.FindingRow findingRow) {

optValue(analysis, "state", findingRow.analysisState());
optValue(analysis, "isSuppressed", findingRow.suppressed(), false);
optValue(analysis, "policyAnnotations", toPolicyAnnotationsApi(findingRow.policyAnnotationsJson()));
if (findingRow.vulnPublished() != null) {
optValue(vulnerability, "published", Date.from(findingRow.vulnPublished()));
}
Expand Down Expand Up @@ -136,6 +138,33 @@ private void optValue(Map<String, Object> map, String key, Object value) {
}
}

private static List<Map<String, Object>> toPolicyAnnotationsApi(
final List<AppliedPolicyAnnotation> annotations) {
if (annotations == null || annotations.isEmpty()) {
return null;
}

final var apiAnnotations = new ArrayList<Map<String, Object>>(annotations.size());
for (final AppliedPolicyAnnotation annotation : annotations) {
if (annotation == null) {
continue;
}

final var apiAnnotation = new LinkedHashMap<String, Object>();
apiAnnotation.put("policyName", annotation.policyName());
if (annotation.annotator() != null) {
apiAnnotation.put("annotator", annotation.annotator());
}
final Instant appliedAt = annotation.appliedAt();
if (appliedAt != null) {
apiAnnotation.put("appliedAt", java.util.Date.from(appliedAt));
}
apiAnnotations.add(apiAnnotation);
}

return apiAnnotations.isEmpty() ? null : apiAnnotations;
}

static List<Cwe> getCwes(final List<Integer> cweIds) {
if (cweIds == null || cweIds.isEmpty()) {
return null;
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) OWASP Foundation. All Rights Reserved.
*/
package org.dependencytrack.model;

import com.fasterxml.jackson.annotation.JsonInclude;

import java.io.Serializable;

/**
* Key-value annotation defined on a vulnerability policy's analysis block.
*
* @since 5.0.0
*/
@JsonInclude(JsonInclude.Include.NON_NULL)
public record PolicyAnnotation(String key, String value) implements Serializable {
}
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import alpine.server.json.TrimmedStringDeserializer;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import io.swagger.v3.oas.annotations.media.ArraySchema;
Expand Down Expand Up @@ -406,6 +407,48 @@ public static boolean isKnownSource(String source) {

private transient List<VulnerabilityAlias> aliases;

private transient AnalysisInfo analysis;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need analysis inside vulnerability model? Any analysis should be at project/component level IMO.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

separated this out from the Vulnerability class


/**
* Per-component analysis summary included in component-scoped vulnerability API responses.
*
* @since 5.0.0
*/
@JsonInclude(JsonInclude.Include.NON_NULL)
public static class AnalysisInfo implements Serializable {

private AnalysisState state;

@JsonProperty(value = "isSuppressed")
private Boolean suppressed;

private List<AppliedPolicyAnnotation> policyAnnotations;

public AnalysisState getState() {
return state;
}

public void setState(final AnalysisState state) {
this.state = state;
}

public Boolean getSuppressed() {
return suppressed;
}

public void setSuppressed(final Boolean suppressed) {
this.suppressed = suppressed;
}

public List<AppliedPolicyAnnotation> getPolicyAnnotations() {
return policyAnnotations;
}

public void setPolicyAnnotations(final List<AppliedPolicyAnnotation> policyAnnotations) {
this.policyAnnotations = policyAnnotations;
}
}

public long getId() {
return id;
}
Expand Down Expand Up @@ -796,4 +839,12 @@ public Set<Tag> getTags() {
public void setTags(Set<Tag> tags) {
this.tags = tags;
}

public AnalysisInfo getAnalysis() {
return analysis;
}

public void setAnalysis(final AnalysisInfo analysis) {
this.analysis = analysis;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -347,13 +347,20 @@ public PaginatedResult getVulnerabilities(Component component, boolean includeSu
try (final Handle jdbiHandle = openJdbiHandle(this.request)) {
final var dao = jdbiHandle.attach(VulnerabilityDao.class);
componentVulnerabilities = dao.getVulnerabilitiesByComponent(component.getId(), includeSuppressed);
affectedProjectCounts = dao.getAffectedProjectCount(
componentVulnerabilities.stream().map(Vulnerability::getId).toList(),
includeSuppressed);
if (componentVulnerabilities.isEmpty()) {
affectedProjectCounts = List.of();
} else {
affectedProjectCounts = dao.getAffectedProjectCount(
componentVulnerabilities.stream().map(Vulnerability::getId).toList(),
includeSuppressed);
}
}
Map<Long, Vulnerability> vulnById = componentVulnerabilities.stream().collect(Collectors.toMap(Vulnerability::getId, vulnerability -> vulnerability));
for (var vulnerabilityProjectCount : affectedProjectCounts) {
var vulnerability = vulnById.get(vulnerabilityProjectCount.id());
if (vulnerability == null) {
continue;
}
vulnerability.setAffectedProjectCount(vulnerabilityProjectCount.totalProjectCount());
vulnerability.setAffectedActiveProjectCount(vulnerabilityProjectCount.activeProjectCount());
vulnerability.setAffectedInactiveProjectCount(vulnerabilityProjectCount.totalProjectCount() - vulnerabilityProjectCount.activeProjectCount());
Expand Down
Loading
Loading