Vulnerability refactorings

advisor/src/main/kotlin/advisors/NexusIq.kt

@@ -39,12 +39,12 @@ import org.ossreviewtoolkit.model.AdvisorResult
 import org.ossreviewtoolkit.model.AdvisorSummary
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.Package
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.PluginConfiguration
 import org.ossreviewtoolkit.model.utils.PurlType
 import org.ossreviewtoolkit.model.utils.getPurlType
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf

advisor/src/main/kotlin/advisors/OssIndex.kt

@@ -35,10 +35,10 @@ import org.ossreviewtoolkit.model.AdvisorResult
 import org.ossreviewtoolkit.model.AdvisorSummary
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.Package
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.PluginConfiguration
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf

advisor/src/main/kotlin/advisors/Osv.kt

@@ -39,8 +39,8 @@ import org.ossreviewtoolkit.model.AdvisorResult
 import org.ossreviewtoolkit.model.AdvisorSummary
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Package
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.PluginConfiguration
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf
@@ -176,7 +176,7 @@ private fun createRequest(pkg: Package): VulnerabilitiesForPackageRequest? {
     return null
 }
 
-private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulnerability {
+private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.vulnerabilities.Vulnerability {
     // OSV uses a list in order to support multiple representations of the severity using different scoring systems.
     // However, only one representation is actually possible currently, because the enum 'Severity.Type' contains just a
     // single element / scoring system. So, picking first severity is fine, in particular because ORT only supports a
@@ -218,7 +218,7 @@ private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulne
         }.getOrNull()
     }
 
-    return org.ossreviewtoolkit.model.Vulnerability(
+    return org.ossreviewtoolkit.model.vulnerabilities.Vulnerability(
         id = id,
         summary = summary,
         description = details,

advisor/src/main/kotlin/advisors/VulnerableCode.kt

@@ -33,11 +33,11 @@ import org.ossreviewtoolkit.model.AdvisorSummary
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.PluginConfiguration
 import org.ossreviewtoolkit.model.createAndLogIssue
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf

advisor/src/test/kotlin/advisors/OssIndexTest.kt

@@ -43,9 +43,9 @@ import org.ossreviewtoolkit.model.AdvisorDetails
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.enumSetOf
 import org.ossreviewtoolkit.utils.test.shouldNotBeNull
 

advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt

@@ -46,10 +46,10 @@ import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.readValue
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.enumSetOf
 import org.ossreviewtoolkit.utils.test.shouldNotBeNull
 

evaluator/src/main/kotlin/PackageRule.kt

@@ -25,12 +25,12 @@ import org.ossreviewtoolkit.model.LicenseSource
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Project
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.Excludes
 import org.ossreviewtoolkit.model.licenses.LicenseView
 import org.ossreviewtoolkit.model.licenses.ResolvedLicense
 import org.ossreviewtoolkit.model.licenses.ResolvedLicenseInfo
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
 import org.ossreviewtoolkit.utils.spdx.SpdxLicenseReferenceExpression
 

evaluator/src/test/kotlin/TestData.kt

@@ -44,8 +44,6 @@ import org.ossreviewtoolkit.model.Scope
 import org.ossreviewtoolkit.model.TextLocation
 import org.ossreviewtoolkit.model.UnknownProvenance
 import org.ossreviewtoolkit.model.VcsInfo
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.AdvisorConfiguration
 import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.config.Excludes
@@ -54,6 +52,8 @@ import org.ossreviewtoolkit.model.config.PackageLicenseChoice
 import org.ossreviewtoolkit.model.config.PathExclude
 import org.ossreviewtoolkit.model.config.PathExcludeReason
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.enumSetOf
 import org.ossreviewtoolkit.utils.ort.DeclaredLicenseProcessor
 import org.ossreviewtoolkit.utils.ort.Environment

model/src/main/kotlin/AdvisorRecord.kt

@@ -22,6 +22,8 @@ package org.ossreviewtoolkit.model
 import com.fasterxml.jackson.annotation.JsonIgnore
 import com.fasterxml.jackson.annotation.JsonPropertyOrder
 
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+
 /**
  * Type alias for a function that allows filtering of [AdvisorResult]s.
  */

model/src/main/kotlin/AdvisorResult.kt

@@ -19,6 +19,8 @@
 
 package org.ossreviewtoolkit.model
 
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+
 /**
  * The result of a specific advisor execution for a single package.
  *

model/src/main/kotlin/OrtResult.kt

@@ -32,6 +32,7 @@ import org.ossreviewtoolkit.model.config.LicenseFindingCuration
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
 import org.ossreviewtoolkit.model.config.Resolutions
 import org.ossreviewtoolkit.model.config.orEmpty
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 import org.ossreviewtoolkit.utils.common.zipWithCollections
 import org.ossreviewtoolkit.utils.spdx.model.SpdxLicenseChoice
 

model/src/main/kotlin/config/VulnerabilityResolution.kt

@@ -19,7 +19,7 @@
 
 package org.ossreviewtoolkit.model.config
 
-import org.ossreviewtoolkit.model.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 /**
  * Defines the resolution of an [Vulnerability]. This can be used to silence false positives, or vulnerabilities that

model/src/main/kotlin/config/VulnerabilityResolutionReason.kt

@@ -19,7 +19,7 @@
 
 package org.ossreviewtoolkit.model.config
 
-import org.ossreviewtoolkit.model.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 /**
  * Possible reasons for resolving an [Vulnerability] using a [VulnerabilityResolution].

model/src/main/kotlin/utils/ConfigurationResolver.kt

@@ -30,9 +30,9 @@ import org.ossreviewtoolkit.model.PackageCuration
 import org.ossreviewtoolkit.model.ResolvedPackageCurations
 import org.ossreviewtoolkit.model.RuleViolation
 import org.ossreviewtoolkit.model.ScanResult
-import org.ossreviewtoolkit.model.Vulnerability
 import org.ossreviewtoolkit.model.config.PackageConfiguration
 import org.ossreviewtoolkit.model.config.Resolutions
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 object ConfigurationResolver {
     /**

model/src/main/kotlin/utils/DefaultResolutionProvider.kt

@@ -24,9 +24,9 @@ import java.io.File
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.model.RuleViolation
-import org.ossreviewtoolkit.model.Vulnerability
 import org.ossreviewtoolkit.model.config.Resolutions
 import org.ossreviewtoolkit.model.readValue
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 /**
  * A [ResolutionProvider] that provides the given [resolutions].

model/src/main/kotlin/utils/ResolutionProvider.kt

@@ -21,10 +21,10 @@ package org.ossreviewtoolkit.model.utils
 
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.RuleViolation
-import org.ossreviewtoolkit.model.Vulnerability
 import org.ossreviewtoolkit.model.config.IssueResolution
 import org.ossreviewtoolkit.model.config.RuleViolationResolution
 import org.ossreviewtoolkit.model.config.VulnerabilityResolution
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 /**
  * An interface to provide resolutions for [Issue]s, [RuleViolation]s and [Vulnerability]s .

model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt

@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2021 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.model.vulnerabilities
+
+/**
+ * The rating attaches human-readable semantics to the score number according to CVSS version 2, see
+ * https://www.balbix.com/insights/cvss-v2-vs-cvss-v3/#CVSSv3-Scoring-Scale-vs-CVSSv2-6.
+ */
+enum class Cvss2Rating(private val upperBound: Float) {
+    LOW(4.0f),
+    MEDIUM(7.0f),
+    HIGH(10.0f);
+
+    companion object {
+        /**
+         * A set of names that refer to the CVSS version 2 scoring system.
+         */
+        val NAMES = setOf("CVSS2", "CVSSV2", "CVSS:2.0")
+
+        /**
+         * Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].
+         */
+        fun fromScore(score: Float): Cvss2Rating? =
+            when {
+                score < 0.0f || score > HIGH.upperBound -> null
+                score < LOW.upperBound -> LOW
+                score < MEDIUM.upperBound -> MEDIUM
+                score <= HIGH.upperBound -> HIGH
+                else -> null
+            }
+    }
+}

model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt

@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2021 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.model.vulnerabilities
+
+/**
+ * The rating attaches human-readable semantics to the score number according to CVSS version 3, see
+ * https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale.
+ */
+enum class Cvss3Rating(private val upperBound: Float) {
+    NONE(0.0f),
+    LOW(4.0f),
+    MEDIUM(7.0f),
+    HIGH(9.0f),
+    CRITICAL(10.0f);
+
+    companion object {
+        /**
+         * A set of names that refer to the CVSS version 3 scoring system.
+         */
+        val NAMES = setOf("CVSS3", "CVSSV3", "CVSS:3.0", "CVSS:3.1")
+
+        /**
+         * Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].
+         */
+        fun fromScore(score: Float): Cvss3Rating? =
+            when {
+                score < 0.0f || score > CRITICAL.upperBound -> null
+                score == NONE.upperBound -> NONE
+                score < LOW.upperBound -> LOW
+                score < MEDIUM.upperBound -> MEDIUM
+                score < HIGH.upperBound -> HIGH
+                score <= CRITICAL.upperBound -> CRITICAL
+                else -> null
+            }
+    }
+}

model/src/main/kotlin/Vulnerability.kt → model/src/main/kotlin/vulnerabilities/Vulnerability.kt

@@ -17,7 +17,7 @@
  * License-Filename: LICENSE
  */
 
-package org.ossreviewtoolkit.model
+package org.ossreviewtoolkit.model.vulnerabilities
 
 import com.fasterxml.jackson.annotation.JsonInclude
 import com.fasterxml.jackson.annotation.JsonInclude.Include

model/src/main/kotlin/VulnerabilityReference.kt → model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt

@@ -17,7 +17,7 @@
  * License-Filename: LICENSE
  */
 
-package org.ossreviewtoolkit.model
+package org.ossreviewtoolkit.model.vulnerabilities
 
 import java.net.URI
 
@@ -65,64 +65,7 @@ data class VulnerabilityReference(
     }
 
     /**
-     * The rating attaches human-readable semantics to the score number according to CVSS version 2, see
-     * https://www.balbix.com/insights/cvss-v2-vs-cvss-v3/#CVSSv3-Scoring-Scale-vs-CVSSv2-6.
+     * Return a human-readable severity rating string.
      */
-    enum class Cvss2Rating(private val upperBound: Float) {
-        LOW(4.0f),
-        MEDIUM(7.0f),
-        HIGH(10.0f);
-
-        companion object {
-            /**
-             * A set of names that refer to the CVSS version 2 scoring system.
-             */
-            val NAMES = setOf("CVSS2", "CVSSV2", "CVSS:2.0")
-
-            /**
-             * Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].
-             */
-            fun fromScore(score: Float): Cvss2Rating? =
-                when {
-                    score < 0.0f || score > HIGH.upperBound -> null
-                    score < LOW.upperBound -> LOW
-                    score < MEDIUM.upperBound -> MEDIUM
-                    score <= HIGH.upperBound -> HIGH
-                    else -> null
-                }
-        }
-    }
-
-    /**
-     * The rating attaches human-readable semantics to the score number according to CVSS version 3, see
-     * https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale.
-     */
-    enum class Cvss3Rating(private val upperBound: Float) {
-        NONE(0.0f),
-        LOW(4.0f),
-        MEDIUM(7.0f),
-        HIGH(9.0f),
-        CRITICAL(10.0f);
-
-        companion object {
-            /**
-             * A set of names that refer to the CVSS version 3 scoring system.
-             */
-            val NAMES = setOf("CVSS3", "CVSSV3", "CVSS:3.0", "CVSS:3.1")
-
-            /**
-             * Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].
-             */
-            fun fromScore(score: Float): Cvss3Rating? =
-                when {
-                    score < 0.0f || score > CRITICAL.upperBound -> null
-                    score == NONE.upperBound -> NONE
-                    score < LOW.upperBound -> LOW
-                    score < MEDIUM.upperBound -> MEDIUM
-                    score < HIGH.upperBound -> HIGH
-                    score <= CRITICAL.upperBound -> CRITICAL
-                    else -> null
-                }
-        }
-    }
+    val severityRating: String by lazy { getSeverityString(scoringSystem, severity) }
 }