Update vuln model to match what is actually returned by REST API

synopsys-sig · Mar 2, 2022 · c6058f2 · c6058f2
1 parent 98143d8
commit c6058f2
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 5 deletions.
diff --git a/dist/index.js b/dist/index.js
@@ -107,6 +107,7 @@ class BlackduckApiService {
     }
     getComponentVulnerabilties(bearerToken, componentVersion) {
         return __awaiter(this, void 0, void 0, function* () {
+            // Accept: application/vnd.blackducksoftware.vulnerability-4+json
             return this.get(bearerToken, `${componentVersion._meta.href}/vulnerabilities`);
         });
     }
@@ -357,7 +358,10 @@ function createComponentVulnerabilityReports(policyViolatingVulnerabilities, com
     }
     else {
         const violatingPolicyVulnerabilityNames = policyViolatingVulnerabilities.map(vulnerability => vulnerability.name);
-        vulnerabilityReport = componentVulnerabilities.map(vulnerability => createVulnerabilityReport(vulnerability.vulnerabilityName, violatingPolicyVulnerabilityNames.includes(vulnerability.vulnerabilityName), vulnerability._meta.href, vulnerability.baseScore, vulnerability.severity));
+        vulnerabilityReport = componentVulnerabilities.map(vulnerability => {
+            const compVulnBaseScore = vulnerability.useCvss3 ? vulnerability.cvss3.baseScore : vulnerability.cvss2.baseScore;
+            return createVulnerabilityReport(vulnerability.name, violatingPolicyVulnerabilityNames.includes(vulnerability.name), vulnerability._meta.href, compVulnBaseScore, vulnerability.severity);
+        });
     }
     return vulnerabilityReport;
 }

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/blackduck-api.ts b/src/blackduck-api.ts
@@ -44,14 +44,21 @@ export interface IComponentVersion {
 }
 
 export interface IComponentVulnerability {
-  vulnerabilityName: string
-  baseScore: number
+  name: string
   severity: string
+  useCvss3: boolean
+  cvss2: ICvssView
+  cvss3: ICvssView
   _meta: {
     href: string
   }
 }
 
+export interface ICvssView {
+  baseScore: number
+  severity: string
+}
+
 export interface IRapidScanResults {
   componentName: string
   versionName: string
@@ -144,6 +151,7 @@ export class BlackduckApiService {
   }
 
   async getComponentVulnerabilties(bearerToken: string, componentVersion: IComponentVersion): Promise<IRestResponse<IBlackduckItemArray<IComponentVulnerability>>> {
+    // Accept: application/vnd.blackducksoftware.vulnerability-4+json
     return this.get(bearerToken, `${componentVersion._meta.href}/vulnerabilities`)
   }
 

diff --git a/src/detect/report.ts b/src/detect/report.ts
@@ -84,7 +84,10 @@ export function createComponentVulnerabilityReports(policyViolatingVulnerabiliti
     vulnerabilityReport = policyViolatingVulnerabilities.map(vulnerability => createVulnerabilityReport(vulnerability.name, true))
   } else {
     const violatingPolicyVulnerabilityNames = policyViolatingVulnerabilities.map(vulnerability => vulnerability.name)
-    vulnerabilityReport = componentVulnerabilities.map(vulnerability => createVulnerabilityReport(vulnerability.vulnerabilityName, violatingPolicyVulnerabilityNames.includes(vulnerability.vulnerabilityName), vulnerability._meta.href, vulnerability.baseScore, vulnerability.severity))
+    vulnerabilityReport = componentVulnerabilities.map(vulnerability => {
+      const compVulnBaseScore = vulnerability.useCvss3 ? vulnerability.cvss3.baseScore : vulnerability.cvss2.baseScore;
+      return createVulnerabilityReport(vulnerability.name, violatingPolicyVulnerabilityNames.includes(vulnerability.name), vulnerability._meta.href, compVulnBaseScore, vulnerability.severity)
+    })
   }
 
   return vulnerabilityReport