Merge branch 'zacharysabourin/main/null-date-fix' into 'main'

fix: Fix issue with null date See merge request !36

Merge branch 'zacharysabourin/main/null-date-fix' into 'main'
fix: Fix issue with null date See merge request !36
9819e427 · Zachary Sabourin · 9f062ddf · 37227c7f · 9819e427 · 9819e427
Commit 9819e427 authored 1 year ago by Zachary Sabourin
--- a/src/main/java/org/eclipsefoundation/cve/model/CveData.java
+++ b/src/main/java/org/eclipsefoundation/cve/model/CveData.java
@@ -34,6 +34,7 @@ public abstract class CveData {

    public abstract String getId();

+    @Nullable
    public abstract LocalDate getDatePublished();

    public abstract String getProject();
@@ -66,7 +67,7 @@ public abstract class CveData {
    public abstract static class Builder {
        public abstract Builder setId(String id);

-        public abstract Builder setDatePublished(LocalDate date);
+        public abstract Builder setDatePublished(@Nullable LocalDate date);

        public abstract Builder setProject(String project);


--- a/src/main/java/org/eclipsefoundation/cve/model/CveProjectData.java
+++ b/src/main/java/org/eclipsefoundation/cve/model/CveProjectData.java
@@ -76,7 +76,7 @@ public abstract class CveProjectData {

        public abstract Optional<List<Description>> getDescriptions();

-        public abstract Optional<List<Map<String, Metric>>> getMetrics();
+        public abstract Optional<List<Metric>> getMetrics();

        public static Builder builder() {
            return new AutoValue_CveProjectData_Cna.Builder();
@@ -88,7 +88,7 @@ public abstract class CveProjectData {

            public abstract Builder setDescriptions(Optional<List<Description>> desc);

-            public abstract Builder setMetrics(Optional<List<Map<String, Metric>>> metrics);
+            public abstract Builder setMetrics(Optional<List<Metric>> metrics);

            public abstract Cna build();
        }
@@ -122,6 +122,38 @@ public abstract class CveProjectData {
    @AutoValue
    @JsonDeserialize(builder = AutoValue_CveProjectData_Metric.Builder.class)
    public abstract static class Metric {
+      
+        public abstract Optional<CvssData> getCvssV31();
+        
+        public abstract Optional<CvssData> getCvssV30();
+      
+        public abstract Optional<CvssData> getCvssV2();
+
+        public static Builder builder() {
+            return new AutoValue_CveProjectData_Metric.Builder();
+        }
+
+        @AutoValue.Builder
+        @JsonPOJOBuilder(withPrefix = "set")
+        public abstract static class Builder {
+
+            @JsonProperty("cvssV3_1")
+            public abstract Builder setCvssV31(Optional<CvssData> cvss);
+
+            @JsonProperty("cvssV3_0")
+            public abstract Builder setCvssV30(Optional<CvssData> cvss);
+
+            @JsonProperty("cvssV2_0")
+            public abstract Builder setCvssV2(Optional<CvssData> cvss);
+
+            public abstract Metric build();
+        }
+    }
+
+
+    @AutoValue
+    @JsonDeserialize(builder = AutoValue_CveProjectData_CvssData.Builder.class)
+    public abstract static class CvssData {
        @Nullable
        public abstract String getVersion();

@@ -134,7 +166,7 @@ public abstract class CveProjectData {
        public abstract String getVectorString();

        public static Builder builder() {
-            return new AutoValue_CveProjectData_Metric.Builder();
+            return new AutoValue_CveProjectData_CvssData.Builder();
        }

        @AutoValue.Builder
@@ -149,7 +181,7 @@ public abstract class CveProjectData {
            @JsonProperty("vectorString")
            public abstract Builder setVectorString(@Nullable String vectorString);

-            public abstract Metric build();
+            public abstract CvssData build();
        }
    }


--- a/src/main/java/org/eclipsefoundation/cve/precaches/InternalAdvisoriesPrecacheProvider.java
+++ b/src/main/java/org/eclipsefoundation/cve/precaches/InternalAdvisoriesPrecacheProvider.java
@@ -12,9 +12,7 @@
 package org.eclipsefoundation.cve.precaches;

 import java.net.URI;
-import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 import java.util.Optional;
 import java.util.regex.Matcher;
 import java.util.stream.Collectors;
@@ -40,6 +38,7 @@ import org.eclipsefoundation.cve.helpers.SummarySourceURIBuilder;
 import org.eclipsefoundation.cve.model.CveData;
 import org.eclipsefoundation.cve.model.CveData.Summary;
 import org.eclipsefoundation.cve.model.CveProjectData;
+import org.eclipsefoundation.cve.model.CveProjectData.CvssData;
 import org.eclipsefoundation.cve.model.CveProjectData.Description;
 import org.eclipsefoundation.cve.model.CveProjectData.Metric;
 import org.eclipsefoundation.cve.model.GithubAdvisoriesData;
@@ -249,16 +248,15 @@ public class InternalAdvisoriesPrecacheProvider implements LoadingCacheProvider<

        if (!projectData.isEmpty()) {
            // Pull metrics from CveProject data.
-            Optional<List<Map<String, Metric>>> metrics = projectData.get().getContainers().getCna().getMetrics();
-            impactScore = metrics.isPresent()
-                    ? metrics.get().stream()
-                            .findFirst()
-                            .orElse(Collections.emptyMap())
-                            .values().stream()
-                            .findFirst()
-                            .orElse(Metric.builder().build())
-                            .getBaseScore()
-                    : null;
+            Optional<List<Metric>> metrics = projectData.get().getContainers().getCna().getMetrics();
+            if (metrics.isPresent()) {
+                // Get latest metric and pull the score
+                Metric mostRecent = metrics.get().get(0);
+                CvssData cvss = mostRecent.getCvssV31().orElse(mostRecent.getCvssV30().orElse(mostRecent.getCvssV2().orElse(null)));
+                if (cvss != null) {
+                    impactScore = cvss.getBaseScore();
+                }
+            }
        }

        // Use GH advisories as fallback if the impact score is still null

--- a/src/test/java/org/eclipsefoundation/cve/test/api/MockGithubCveAPI.java
+++ b/src/test/java/org/eclipsefoundation/cve/test/api/MockGithubCveAPI.java
@@ -31,6 +31,7 @@ import org.eclipsefoundation.cve.model.CveProjectData.Containers;
 import org.eclipsefoundation.cve.model.CveProjectData.Description;
 import org.eclipsefoundation.cve.model.CveProjectData.Metadata;
 import org.eclipsefoundation.cve.model.CveProjectData.Metric;
+import org.eclipsefoundation.cve.model.CveProjectData.CvssData;
 import org.eclipsefoundation.cve.model.GithubAdvisoriesData;
 import org.eclipsefoundation.cve.model.GithubAdvisoriesData.Cvss;

@@ -44,72 +45,74 @@ import io.quarkus.test.Mock;
 @ApplicationScoped
 public class MockGithubCveAPI implements GithubCveAPI {

-    private List<GithubAdvisoriesData> ghAdvisories;
-    private List<CveProjectData> cveProjectDatas;
+	private List<GithubAdvisoriesData> ghAdvisories;
+	private List<CveProjectData> cveProjectDatas;

-    @Inject
-    ObjectMapper om;
+	@Inject
+	ObjectMapper om;

-    public MockGithubCveAPI() {
-        this.ghAdvisories = new ArrayList<>(Arrays.asList(
-                GithubAdvisoriesData.builder()
-                        .setCveId("CVE-2020-27225")
-                        .setSummary("Here is a description of this CVE")
-                        .setCvss(Cvss.builder()
-                                .setVectorString("Vector")
-                                .setScore(4.2).build())
-                        .build(),
-                GithubAdvisoriesData.builder()
-                        .setCveId("CVE-2022-0103")
-                        .setSummary("Here is description of this CVE")
-                        .setCvss(Cvss.builder()
-                                .setVectorString("Vector")
-                                .setScore(9.0).build())
-                        .build()));
+	public MockGithubCveAPI() {
+		this.ghAdvisories = new ArrayList<>(Arrays.asList(
+				GithubAdvisoriesData.builder()
+						.setCveId("CVE-2020-27225")
+						.setSummary("Here is a description of this CVE")
+						.setCvss(Cvss.builder()
+								.setVectorString("Vector")
+								.setScore(4.2).build())
+						.build(),
+				GithubAdvisoriesData.builder()
+						.setCveId("CVE-2022-0103")
+						.setSummary("Here is description of this CVE")
+						.setCvss(Cvss.builder()
+								.setVectorString("Vector")
+								.setScore(9.0).build())
+						.build()));

-        // one entry with no desc, one with no score. Used to test advisories fallback
-        this.cveProjectDatas = new ArrayList<>(Arrays.asList(
-                CveProjectData.builder()
-                        .setCveMetadata(Metadata.builder().setCveId("CVE-2020-27225").build())
-                        .setContainers(Containers.builder()
-                                .setCna(Cna.builder()
-                                        .setDescriptions(Optional.of(Arrays.asList(Description.builder()
-                                                .setValue("Here is a description of this CVE")
-                                                .build())))
-                                        .setMetrics(Optional.empty())
-                                        .build())
-                                .build())
-                        .build(),
-                CveProjectData.builder()
-                        .setCveMetadata(Metadata.builder().setCveId("CVE-2022-0103").build())
-                        .setContainers(Containers.builder()
-                                .setCna(Cna.builder()
-                                        .setDescriptions(Optional.empty())
-                                        .setMetrics(Optional.of(Arrays.asList(Map.of("cvssV3_1", Metric.builder()
-                                                .setBaseScore(9.0)
-                                                .setVectorString("Vector")
-                                                .build()))))
-                                        .build())
-                                .build())
-                        .build()));
-    }
+		// one entry with no desc, one with no score. Used to test advisories fallback
+		this.cveProjectDatas = new ArrayList<>(Arrays.asList(
+				CveProjectData.builder()
+						.setCveMetadata(Metadata.builder().setCveId("CVE-2020-27225").build())
+						.setContainers(Containers.builder()
+								.setCna(Cna.builder()
+										.setDescriptions(Optional.of(Arrays.asList(Description.builder()
+												.setValue("Here is a description of this CVE")
+												.build())))
+										.setMetrics(Optional.empty())
+										.build())
+								.build())
+						.build(),
+				CveProjectData.builder()
+						.setCveMetadata(Metadata.builder().setCveId("CVE-2022-0103").build())
+						.setContainers(Containers.builder()
+								.setCna(Cna.builder()
+										.setDescriptions(Optional.empty())
+										.setMetrics(Optional.of(Arrays.asList(Metric.builder()
+												.setCvssV31(Optional.of(CvssData.builder()
+														.setBaseScore(9.0)
+														.setVectorString("Vector")
+														.build()))
+												.build())))
+										.build())
+								.build())
+						.build()));
+	}

-    @Override
-    public List<GithubAdvisoriesData> getGhAdvisoriesDetails(GithubAdvisoriesRequestParams params) {
-        return ghAdvisories.stream().filter(cve -> cve.getCveId().equalsIgnoreCase(params.getCveId()))
-                .collect(Collectors.toList());
-    }
+	@Override
+	public List<GithubAdvisoriesData> getGhAdvisoriesDetails(GithubAdvisoriesRequestParams params) {
+		return ghAdvisories.stream().filter(cve -> cve.getCveId().equalsIgnoreCase(params.getCveId()))
+				.collect(Collectors.toList());
+	}

-    @Override
-    public String getCveProjectDetails(CveProjectRequestParams params) {
-        try {
-            String details = om.writeValueAsString(
-                    cveProjectDatas.stream()
-                            .filter(cve -> cve.getCveMetadata().getCveId().equalsIgnoreCase(params.getCveId()))
-                            .findFirst());
-            return details;
-        } catch (JsonProcessingException e) {
-            throw new RuntimeException("Could not fetch test GH CVE data", e);
-        }
-    }
+	@Override
+	public String getCveProjectDetails(CveProjectRequestParams params) {
+		try {
+			String details = om.writeValueAsString(
+					cveProjectDatas.stream()
+							.filter(cve -> cve.getCveMetadata().getCveId().equalsIgnoreCase(params.getCveId()))
+							.findFirst());
+			return details;
+		} catch (JsonProcessingException e) {
+			throw new RuntimeException("Could not fetch test GH CVE data", e);
+		}
+	}
 }