Merge branch 'gk-fix-vuln-model'

synopsys-sig · Mar 3, 2022 · 522bb56 · 522bb56
2 parents 98143d8 + 0cba6cc
commit 522bb56
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 11 deletions.
diff --git a/dist/index.js b/dist/index.js
@@ -107,7 +107,7 @@ class BlackduckApiService {
     }
     getComponentVulnerabilties(bearerToken, componentVersion) {
         return __awaiter(this, void 0, void 0, function* () {
-            return this.get(bearerToken, `${componentVersion._meta.href}/vulnerabilities`);
+            return this.get(bearerToken, `${componentVersion._meta.href}/vulnerabilities`, 'application/vnd.blackducksoftware.vulnerability-4+json');
         });
     }
     getPolicies(bearerToken, limit = 10, enabled) {
@@ -122,11 +122,11 @@ class BlackduckApiService {
             return this.get(bearerToken, `${this.blackduckUrl}${requestPath}&offset=${offset}&limit=${limit}`);
         });
     }
-    get(bearerToken, requestUrl) {
+    get(bearerToken, requestUrl, acceptHeader) {
         return __awaiter(this, void 0, void 0, function* () {
             const bearerTokenHandler = new Handlers_1.BearerCredentialHandler(bearerToken, true);
             const blackduckRestClient = new RestClient_1.RestClient(application_constants_1.APPLICATION_NAME, this.blackduckUrl, [bearerTokenHandler]);
-            return blackduckRestClient.get(requestUrl);
+            return blackduckRestClient.get(requestUrl, { acceptHeader });
         });
     }
 }
@@ -357,7 +357,10 @@ function createComponentVulnerabilityReports(policyViolatingVulnerabilities, com
     }
     else {
         const violatingPolicyVulnerabilityNames = policyViolatingVulnerabilities.map(vulnerability => vulnerability.name);
-        vulnerabilityReport = componentVulnerabilities.map(vulnerability => createVulnerabilityReport(vulnerability.vulnerabilityName, violatingPolicyVulnerabilityNames.includes(vulnerability.vulnerabilityName), vulnerability._meta.href, vulnerability.baseScore, vulnerability.severity));
+        vulnerabilityReport = componentVulnerabilities.map(vulnerability => {
+            const compVulnBaseScore = vulnerability.useCvss3 ? vulnerability.cvss3.baseScore : vulnerability.cvss2.baseScore;
+            return createVulnerabilityReport(vulnerability.name, violatingPolicyVulnerabilityNames.includes(vulnerability.name), vulnerability._meta.href, compVulnBaseScore, vulnerability.severity);
+        });
     }
     return vulnerabilityReport;
 }

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/blackduck-api.ts b/src/blackduck-api.ts
@@ -44,14 +44,21 @@ export interface IComponentVersion {
 }
 
 export interface IComponentVulnerability {
-  vulnerabilityName: string
-  baseScore: number
+  name: string
   severity: string
+  useCvss3: boolean
+  cvss2: ICvssView
+  cvss3: ICvssView
   _meta: {
     href: string
   }
 }
 
+export interface ICvssView {
+  baseScore: number
+  severity: string
+}
+
 export interface IRapidScanResults {
   componentName: string
   versionName: string
@@ -144,7 +151,7 @@ export class BlackduckApiService {
   }
 
   async getComponentVulnerabilties(bearerToken: string, componentVersion: IComponentVersion): Promise<IRestResponse<IBlackduckItemArray<IComponentVulnerability>>> {
-    return this.get(bearerToken, `${componentVersion._meta.href}/vulnerabilities`)
+    return this.get(bearerToken, `${componentVersion._meta.href}/vulnerabilities`, 'application/vnd.blackducksoftware.vulnerability-4+json')
   }
 
   async getPolicies(bearerToken: string, limit: number = 10, enabled?: boolean) {
@@ -158,11 +165,11 @@ export class BlackduckApiService {
     return this.get(bearerToken, `${this.blackduckUrl}${requestPath}&offset=${offset}&limit=${limit}`)
   }
 
-  async get<Type>(bearerToken: string, requestUrl: string): Promise<IRestResponse<Type>> {
+  async get<Type>(bearerToken: string, requestUrl: string, acceptHeader?: string): Promise<IRestResponse<Type>> {
     const bearerTokenHandler = new BearerCredentialHandler(bearerToken, true)
     const blackduckRestClient = new RestClient(APPLICATION_NAME, this.blackduckUrl, [bearerTokenHandler])
 
-    return blackduckRestClient.get(requestUrl)
+    return blackduckRestClient.get(requestUrl, { acceptHeader })
   }
 }
 

diff --git a/src/detect/report.ts b/src/detect/report.ts
@@ -84,7 +84,10 @@ export function createComponentVulnerabilityReports(policyViolatingVulnerabiliti
     vulnerabilityReport = policyViolatingVulnerabilities.map(vulnerability => createVulnerabilityReport(vulnerability.name, true))
   } else {
     const violatingPolicyVulnerabilityNames = policyViolatingVulnerabilities.map(vulnerability => vulnerability.name)
-    vulnerabilityReport = componentVulnerabilities.map(vulnerability => createVulnerabilityReport(vulnerability.vulnerabilityName, violatingPolicyVulnerabilityNames.includes(vulnerability.vulnerabilityName), vulnerability._meta.href, vulnerability.baseScore, vulnerability.severity))
+    vulnerabilityReport = componentVulnerabilities.map(vulnerability => {
+      const compVulnBaseScore = vulnerability.useCvss3 ? vulnerability.cvss3.baseScore : vulnerability.cvss2.baseScore
+      return createVulnerabilityReport(vulnerability.name, violatingPolicyVulnerabilityNames.includes(vulnerability.name), vulnerability._meta.href, compVulnBaseScore, vulnerability.severity)
+    })
   }
 
   return vulnerabilityReport