Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix multi equals in version spec (again) #134

Merged
merged 2 commits into from
Jan 26, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@

package eu.fasten.vulnerabilityproducer.utils.mappers;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;

import eu.fasten.vulnerabilityproducer.utils.Vulnerability;
Expand Down Expand Up @@ -342,11 +341,11 @@ public List<String> getVulnerableVersionsYAML(List<String> encodedRangeVersions,
}

public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<String> allVersions) {
var allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
List<ComparableVersion> allParsedVersions = allVersions.stream().map(ComparableVersion::new).collect(Collectors.toList());
Set<String> vulnerableVersions = Sets.newLinkedHashSet(allVersions);

List<Integer> versionIndicesToRemove = Lists.newArrayList();
List<Integer> versionIndicesToKeep = Lists.newArrayList();
Set<Integer> versionIndicesToRemove = Sets.newLinkedHashSet();
Set<Integer> versionIndicesToKeep = Sets.newLinkedHashSet();

for (String range : encodedRangeVersions.split(",")) {
String operator = range.strip().split("[0-9]")[0].strip();
Expand All @@ -360,31 +359,30 @@ public List<String> getVulnerableVersionsJSON(String encodedRangeVersions, List<
break;
}
case "<=": {
versionIndicesToRemove = findGreaterVersions(parsedVersionFromRange, allParsedVersions);
versionIndicesToRemove.addAll(findGreaterVersions(parsedVersionFromRange, allParsedVersions));
break;
}
case "<": {
versionIndicesToRemove = findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions);
versionIndicesToRemove.addAll(findEqualAndGreaterVersions(parsedVersionFromRange, allParsedVersions));
break;
}
case ">=": {
versionIndicesToRemove = findSmallerVersions(parsedVersionFromRange, allParsedVersions);
versionIndicesToRemove.addAll(findSmallerVersions(parsedVersionFromRange, allParsedVersions));
break;
}
case ">": {
versionIndicesToRemove = findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions);
versionIndicesToRemove.addAll(findEqualAndSmallerVersions(parsedVersionFromRange, allParsedVersions));
break;
}
default:
logger.warn("getVulnerableVersionsJSON: unknown operator " + operator);
}
// If we only have some specific versions in the spec, only those should be kept.
if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() > 0) {
vulnerableVersions.clear();
}
versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);
versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
}
if(versionIndicesToRemove.size() == 0 && versionIndicesToKeep.size() != 0) {
vulnerableVersions.clear();
}
versionIndicesToRemove.stream().map(allVersions::get).forEach(vulnerableVersions::remove);
versionIndicesToKeep.stream().map(allVersions::get).forEach(vulnerableVersions::add);
return vulnerableVersions.stream().collect(Collectors.toList());
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
import java.util.stream.Stream;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.Mockito.when;

public class GHParserTest {
Expand Down Expand Up @@ -153,6 +154,16 @@ public class GHParserTest {
}
}

String CVE_2024_22233;

{
try {
CVE_2024_22233 = FileUtils.readFileToString(new File("./src/test/resources/parsers/CVE-2024-22233.json"), StandardCharsets.UTF_8);
} catch (IOException e) {
e.printStackTrace();
}
}

@Test
public void testQueryBuilder() {
String queryWithoutCursor = ghParser.buildQuery(null);
Expand Down Expand Up @@ -204,6 +215,24 @@ public void testParseGHResponseWithdrawn() throws Exception {
assertEquals(0, result.size());
}

@Test
public void testParseCVE_2024_22233() throws Exception {
HashMap<String, String> values = new HashMap<>();
values.put("query", queryNoCursor);
when(clientMock.sendPost("https://api.github.com/graphql", token, values)).thenReturn(CVE_2024_22233);
var versions = Stream.of("", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "6.0.0", "6.0.15", "6.1.2", "6.0.16", "6.1.3").map(x -> new ImmutablePair<>(x, new DateTime())).collect(Collectors.toList());
ghParser.getVersionRanger().versionsMappings.put("pkg:maven/org.springframework/spring-core", versions);
ghParser.setCursor(null);

HashMap<String, Vulnerability> result = ghParser.getVulnerabilities(false);

assertEquals(1, result.size());
var purls = result.get("CVE-2024-22233").getPurls();
assertEquals(2, purls.size());
assertTrue(purls.contains("pkg:maven/org.springframework/spring-core@6.0.15"));
assertTrue(purls.contains("pkg:maven/org.springframework/spring-core@6.1.2"));
}

@AfterAll
public static void deleteCursor() {
File ghCursor = new File("./src/test/resources/parsers/cursor.txt.txt");
Expand Down
69 changes: 69 additions & 0 deletions src/test/resources/parsers/CVE-2024-22233.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
{
"data" : {
"securityAdvisories": {
"nodes": [
{
"description": "In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * the application uses Spring MVC\n * Spring Security 6.1.6+ or 6.2.1+ is on the classpath\n\n\nTypically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.\n\n\n",
"withdrawnAt": null,
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-r4q3-7g4q-x89m"
},
{
"type": "CVE",
"value": "CVE-2024-22233"
}
],
"severity": "HIGH",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"cwes": {
"nodes": []
},
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22233"
},
{
"url": "https://spring.io/security/cve-2024-22233/"
},
{
"url": "https://github.com/advisories/GHSA-r4q3-7g4q-x89m"
}
],
"vulnerabilities": {
"nodes": [
{
"vulnerableVersionRange": "= 6.0.15",
"firstPatchedVersion": {
"identifier": "6.0.16"
},
"package": {
"ecosystem": "MAVEN",
"name": "org.springframework:spring-core"
}
},
{
"vulnerableVersionRange": "= 6.1.2",
"firstPatchedVersion": {
"identifier": "6.1.3"
},
"package": {
"ecosystem": "MAVEN",
"name": "org.springframework:spring-core"
}
}
]
}
}
],
"pageInfo": {
"endCursor": "Y3Vyc29yOnYyOpK5MjAyMC0wNi0wNFQwMDowMjoxOSswMjowMM0ITw==",
"hasNextPage": false
}
}
}
}
Loading