Added functionality for parsing CVSSv3

rsenden · rsenden · commit a0ab10fe3f5c · 2020-05-19T16:33:18.000+02:00
diff --git a/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/CustomVulnAttribute.java b/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/CustomVulnAttribute.java
@@ -19,10 +19,11 @@ public enum CustomVulnAttribute implements com.fortify.plugin.spi.VulnerabilityA
 	name(AttrType.STRING),
 	cveUrl(AttrType.STRING),
 	notes(AttrType.STRING),
-	cvssScore(AttrType.DECIMAL),
-	cvssAccessVector(AttrType.STRING),
-	cvssAccessComplexity(AttrType.STRING),
-	cvssConfidentialImpact(AttrType.STRING),
+	cvssVersion(AttrType.STRING),
+	cvssBaseScore(AttrType.DECIMAL),
+	cvssAttackVector(AttrType.STRING),
+	cvssAttackComplexity(AttrType.STRING),
+	cvssConfidentialityImpact(AttrType.STRING),
 	cvssIntegrityImpact(AttrType.STRING),
 	cvssAvailabilityImpact(AttrType.STRING),
 	cwes(AttrType.STRING),
diff --git a/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/domain/CVSSv2.java b/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/domain/CVSSv2.java
@@ -36,4 +36,7 @@ public final class CVSSv2 {
 	@JsonProperty private String confidentialImpact;
 	@JsonProperty private String integrityImpact;
 	@JsonProperty private String availabilityImpact;
+	
+	// Available in JSON, but currently not used/shown by plugin
+	//@JsonProperty private String severity;
 }
diff --git a/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/domain/CVSSv3.java b/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/domain/CVSSv3.java
@@ -0,0 +1,56 @@
+/*******************************************************************************
+ * (c) Copyright 2020 Micro Focus or one of its affiliates
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a 
+ * copy of this software and associated documentation files (the 
+ * "Software"), to deal in the Software without restriction, including without 
+ * limitation the rights to use, copy, modify, merge, publish, distribute, 
+ * sublicense, and/or sell copies of the Software, and to permit persons to 
+ * whom the Software is furnished to do so, subject to the following 
+ * conditions:
+ * 
+ * The above copyright notice and this permission notice shall be included 
+ * in all copies or substantial portions of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 
+ * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
+ * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 
+ * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 
+ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 
+ * IN THE SOFTWARE.
+ ******************************************************************************/
+package com.fortify.ssc.parser.owasp.dependencycheck.domain;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import lombok.Getter;
+
+@Getter
+public final class CVSSv3 {
+	@JsonProperty private Float baseScore;
+	@JsonProperty private String attackVector;
+	@JsonProperty private String attackComplexity;
+	@JsonProperty private String confidentialityImpact;
+	@JsonProperty private String integrityImpact;
+	@JsonProperty private String availabilityImpact;
+	
+	// Available in JSON, but currently not used/shown by plugin
+	//@JsonProperty private String privilegesRequired;
+	//@JsonProperty private String userInteraction;
+	//@JsonProperty private String scope;
+	//@JsonProperty private String baseSeverity;
+	
+	public static final CVSSv3 fromCvssv2(CVSSv2 cvssv2) {
+		CVSSv3 result = new CVSSv3();
+		result.baseScore = cvssv2.getScore();
+		result.attackVector = cvssv2.getAccessVector();
+		result.attackComplexity = cvssv2.getAccessComplexity();
+		result.confidentialityImpact = cvssv2.getConfidentialImpact();
+		result.integrityImpact = cvssv2.getIntegrityImpact();
+		result.availabilityImpact = cvssv2.getAvailabilityImpact();
+		return result;
+	}
+}
diff --git a/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/domain/Vulnerability.java b/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/domain/Vulnerability.java
@@ -37,4 +37,17 @@ public final class Vulnerability {
 	@JsonProperty private String notes;
 	@JsonProperty private String[] cwes;
 	@JsonProperty private CVSSv2 cvssv2;
+	@JsonProperty private CVSSv3 cvssv3;
+	
+	public String getCvssVersion() {
+		return cvssv3!=null ? "3"
+				: cvssv2!=null ? "2"
+				: "None";
+	}
+	
+	public CVSSv3 getCvssAsv3() {
+		return cvssv3!=null ? cvssv3
+				: cvssv2!=null ? CVSSv3.fromCvssv2(cvssv2)
+				: null;
+	}
 }
diff --git a/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/parser/VulnerabilitiesParser.java b/src/main/java/com/fortify/ssc/parser/owasp/dependencycheck/parser/VulnerabilitiesParser.java
@@ -14,7 +14,7 @@
 import com.fortify.plugin.api.StaticVulnerabilityBuilder;
 import com.fortify.plugin.api.VulnerabilityHandler;
 import com.fortify.ssc.parser.owasp.dependencycheck.CustomVulnAttribute;
-import com.fortify.ssc.parser.owasp.dependencycheck.domain.CVSSv2;
+import com.fortify.ssc.parser.owasp.dependencycheck.domain.CVSSv3;
 import com.fortify.ssc.parser.owasp.dependencycheck.domain.Dependency;
 import com.fortify.ssc.parser.owasp.dependencycheck.domain.Vulnerability;
 import com.fortify.util.ssc.parser.EngineTypeHelper;
@@ -77,26 +77,27 @@ private final void buildVulnerability(Dependency dependency, Vulnerability vulne
 			vb.setPriority(Priority.Medium);
 		}
 		
-		CVSSv2 cvss = vulnerability.getCvssv2();
-		if ( cvss!=null ) {
-			vb.setImpact(cvss.getScore()==null 
+		CVSSv3 cvssv3 = vulnerability.getCvssAsv3();
+		if ( cvssv3!=null ) {
+			vb.setImpact(cvssv3.getBaseScore()==null 
 					? 2.5f // Default value if not defined in JSON
-					: (cvss.getScore()/10*5)); // CVVS2 score is 0-10, SSC impact is 0-5
+					: (cvssv3.getBaseScore()/10*5)); // CVVS3 score is 0-10, SSC impact is 0-5
 			
-			if ( StringUtils.equalsIgnoreCase("LOW", cvss.getAccessComplexity()) ) {
+			if ( StringUtils.equalsIgnoreCase("LOW", cvssv3.getAttackComplexity()) ) {
 				vb.setProbability(0f);
-			} else if ( StringUtils.equalsIgnoreCase("HIGH", cvss.getAccessComplexity()) ) {
+			} else if ( StringUtils.equalsIgnoreCase("HIGH", cvssv3.getAttackComplexity()) ) {
 				vb.setProbability(5.0f);
 			} else {
 				vb.setProbability(2.5f);
 			}
 			
-			vb.setDecimalCustomAttributeValue(CustomVulnAttribute.cvssScore, cvss.getScore()==null?null:new BigDecimal(cvss.getScore().toString()));
-			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssAccessVector, cvss.getAccessVector());
-			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssAccessComplexity, cvss.getAccessComplexity());
-			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssConfidentialImpact, cvss.getConfidentialImpact());
-			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssIntegrityImpact, cvss.getIntegrityImpact());
-			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssAvailabilityImpact, cvss.getAvailabilityImpact());
+			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssVersion, vulnerability.getCvssVersion());
+			vb.setDecimalCustomAttributeValue(CustomVulnAttribute.cvssBaseScore, cvssv3.getBaseScore()==null?null:new BigDecimal(cvssv3.getBaseScore().toString()));
+			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssAttackVector, cvssv3.getAttackVector());
+			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssAttackComplexity, cvssv3.getAttackComplexity());
+			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssConfidentialityImpact, cvssv3.getConfidentialityImpact());
+			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssIntegrityImpact, cvssv3.getIntegrityImpact());
+			vb.setStringCustomAttributeValue(CustomVulnAttribute.cvssAvailabilityImpact, cvssv3.getAvailabilityImpact());
 		}
 		
 		String[] cwes = vulnerability.getCwes();
diff --git a/src/main/resources/viewtemplate/OWASPDependencyCheckTemplate.json b/src/main/resources/viewtemplate/OWASPDependencyCheckTemplate.json
@@ -60,34 +60,41 @@
 	[
 		{
 			"type": "template",
-			"title": "CVSS 2.0",
+			"title": "CVSS",
 			"templateId": "TITLEBOX",
 			"items": [
+				{
+					"type": "template",
+					"title": "CVSS Version",
+					"key": "customAttributes.cvssVersion",
+					"templateId": "SIMPLE",
+					"dataType": "string"
+				},
 				{
 					"type": "template",
 					"title": "Score",
-					"key": "customAttributes.cvssScore",
+					"key": "customAttributes.cvssBaseScore",
 					"templateId": "SIMPLE",
 					"dataType": "string"
 				},
 				{
 					"type": "template",
-					"title": "Access Vector",
-					"key": "customAttributes.cvssAccessVector",
+					"title": "Attack Vector",
+					"key": "customAttributes.cvssAttackVector",
 					"templateId": "SIMPLE",
 					"dataType": "string"
 				},
 				{
 					"type": "template",
-					"title": "Access Complexity",
-					"key": "customAttributes.cvssAccessComplexity",
+					"title": "Attack Complexity",
+					"key": "customAttributes.cvssAttackComplexity",
 					"templateId": "SIMPLE",
 					"dataType": "string"
 				},
 				{
 					"type": "template",
 					"title": "Confidentiality Impact",
-					"key": "customAttributes.cvssConfidentialImpact",
+					"key": "customAttributes.cvssConfidentialityImpact",
 					"templateId": "SIMPLE",
 					"dataType": "string"
 				},

Original file line number	Diff line number	Diff line change
`@@ -36,4 +36,7 @@ public final class CVSSv2 {`
`36`	`36`	`@JsonProperty private String confidentialImpact;`
`37`	`37`	`@JsonProperty private String integrityImpact;`
`38`	`38`	`@JsonProperty private String availabilityImpact;`
	`39`	`+`
	`40`	`+ // Available in JSON, but currently not used/shown by plugin`
	`41`	`+ //@JsonProperty private String severity;`
`39`	`42`	`}`