
     1  package format
     2  
     3  import (
     4  	"fmt"
     5  	"io"
     6  
     7  	cdx "github.com/CycloneDX/cyclonedx-go"
     8  	"github.com/ghodss/yaml"
     9  	"github.com/package-url/packageurl-go"
    10  	"github.com/pkg/errors"
    11  )
    12  
// Assessment is one entry of the assessment file: a human verdict on a single
// reported vulnerability for the listed package URLs. Status and Analysis are
// translated into CycloneDX impact-analysis fields by the To* methods of this type,
// so an entry here can downgrade a finding in the generated report.
type Assessment struct {
	// Vulnerability names the finding being assessed, as written in the file
	// (its format is not validated anywhere in this file).
	Vulnerability string             `json:"vulnerability"`
	// Status is the triage verdict; see the AssessmentStatus constants.
	Status        AssessmentStatus   `json:"status"`
	// Analysis gives the reason behind the verdict; see the AssessmentAnalysis constants.
	Analysis      AssessmentAnalysis `json:"analysis"`
	// Purls lists the package URLs the verdict applies to.
	Purls         []Purl             `json:"purls"`
}
    19  
// AssessmentStatus is the triage verdict of an Assessment. The string values are
// the ones accepted in the assessment file; anything else is mapped conservatively
// (see Assessment.ToImpactAnalysisState).
type AssessmentStatus string

// Known assessment statuses. The trailing comment is the human-readable label.
const (
	//NotAssessed AssessmentStatus = "notAssessed" //"Not Assessed"
	Relevant    AssessmentStatus = "relevant"    //"Relevant (True Positive)"
	NotRelevant AssessmentStatus = "notRelevant" //"Not Relevant (False Positive)"
	InProcess   AssessmentStatus = "inProcess"   //"In Process"
)
    28  
// AssessmentAnalysis is the reason recorded for an assessment verdict. The string
// values are the ones accepted in the assessment file; Assessment.ToImpactJustification
// and Assessment.ToImpactAnalysisResponse translate them into CycloneDX terms.
type AssessmentAnalysis string

// Known analysis reasons. The trailing comment is the human-readable label.
const (
	WaitingForFix         AssessmentAnalysis = "waitingForFix"         //"Waiting for OSS community fix"
	RiskAccepted          AssessmentAnalysis = "riskAccepted"          //"Risk Accepted"
	NotPresent            AssessmentAnalysis = "notPresent"            //"Affected parts of the OSS library are not present"
	NotUsed               AssessmentAnalysis = "notUsed"               //"Affected parts of the OSS library are not used"
	AssessmentPropagation AssessmentAnalysis = "assessmentPropagation" //"Assessment Propagation"
	FixedByDevTeam        AssessmentAnalysis = "fixedByDevTeam"        //"OSS Component fixed by development team"
	Mitigated             AssessmentAnalysis = "mitigated"             //"Mitigated by the Application"
	WronglyReported       AssessmentAnalysis = "wronglyReported"       //"Wrongly reported CVE"
)
    41  
// Purl wraps a single package URL string as it appears under the `purls` key of an
// assessment entry. The string is kept verbatim; parse it with ToPackageUrl.
type Purl struct {
	Purl string `json:"purl"`
}
    45  
// ToPackageUrl parses the wrapped string as a package URL.
//
// The result and error are exactly those of packageurl.FromString; a string that is
// not a valid purl yields a non-nil error.
func (p Purl) ToPackageUrl() (packageurl.PackageURL, error) {
	parsed, parseErr := packageurl.FromString(p.Purl)
	return parsed, parseErr
}
    49  
// ToImpactAnalysisState maps the assessment status onto the CycloneDX impact
// analysis state.
//
// Any status not listed below — including an empty one — is reported as
// "exploitable". That is the conservative choice: a status the code cannot
// interpret never downgrades a finding.
func (a Assessment) ToImpactAnalysisState() cdx.ImpactAnalysisState {
	stateByStatus := map[AssessmentStatus]cdx.ImpactAnalysisState{
		Relevant:    cdx.IASExploitable,
		NotRelevant: cdx.IASFalsePositive,
		InProcess:   cdx.IASInTriage,
	}
	if state, known := stateByStatus[a.Status]; known {
		return state
	}
	return cdx.IASExploitable
}
    61  
// ToImpactJustification maps the assessment's analysis reason onto the CycloneDX
// impact analysis justification.
//
// Any analysis value not listed below — including an empty one — falls through to
// "protected_at_runtime". NOTE(review): that catch-all asserts a protection the
// assessor never stated; code that validates assessment files may want to reject
// unknown analysis values before they reach this mapping.
func (a Assessment) ToImpactJustification() cdx.ImpactAnalysisJustification {
	switch a.Analysis {
	case WaitingForFix, AssessmentPropagation:
		return cdx.IAJRequiresDependency
	case RiskAccepted:
		return cdx.IAJRequiresEnvironment
	case NotPresent, WronglyReported:
		return cdx.IAJCodeNotPresent
	case NotUsed:
		return cdx.IAJCodeNotReachable
	case FixedByDevTeam, Mitigated:
		return cdx.IAJProtectedByMitigatingControl
	default:
		return cdx.IAJProtectedAtRuntime
	}
}
    83  
// ToImpactAnalysisResponse maps the assessment's analysis reason onto the CycloneDX
// impact analysis response list. The list always holds exactly one entry.
//
// Any analysis value not listed below — including an empty one — is reported as
// "will_not_fix", the same response used for riskAccepted and notUsed.
func (a Assessment) ToImpactAnalysisResponse() *[]cdx.ImpactAnalysisResponse {
	var response cdx.ImpactAnalysisResponse
	switch a.Analysis {
	case WaitingForFix, NotPresent, AssessmentPropagation, WronglyReported:
		response = cdx.IARCanNotFix
	case RiskAccepted, NotUsed:
		response = cdx.IARWillNotFix
	case FixedByDevTeam:
		response = cdx.IARUpdate
	case Mitigated:
		response = cdx.IARWorkaroundAvailable
	default:
		response = cdx.IARWillNotFix
	}
	responses := []cdx.ImpactAnalysisResponse{response}
	return &responses
}
   105  
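// ReadAssessments loads the assessment file and returns the entries listed under
// its top-level "ignore" key. The reader is always closed before returning; an
// absent "ignore" key yields an empty (non-nil) list.
//
// Security note: every entry returned here can downgrade a reported vulnerability
// in the generated report (see ToImpactAnalysisState / ToImpactJustification), so
// the file should come from a reviewed, version-controlled source rather than from
// an untrusted input channel.
//
// Returns an error when the reader is nil, cannot be read, or does not parse. The
// parse error deliberately does not echo the file content back to the caller.
func ReadAssessments(assessmentFile io.ReadCloser) (*[]Assessment, error) {
	// A nil reader used to panic on the deferred Close; report it instead.
	if assessmentFile == nil {
		return nil, errors.New("assessment file is nil")
	}
	defer assessmentFile.Close()

	ignore := struct {
		Assessments []Assessment `json:"ignore"`
	}{
		Assessments: []Assessment{},
	}

	content, err := io.ReadAll(assessmentFile)
	if err != nil {
		// The previous message printed the reader with %v, which for a file is just
		// an opaque pointer; the wrapped error already carries the path if there is one.
		return nil, errors.Wrap(err, "error reading assessment file")
	}

	// NOTE(review): whether a misspelled top-level key is rejected or silently
	// ignored is decoder behaviour that this file does not pin down — confirm
	// before relying on a typo in "ignore" being caught.
	if err = yaml.Unmarshal(content, &ignore); err != nil {
		// Report why parsing failed, not the file itself: the previous message
		// embedded the complete content into the error, which then lands in logs
		// and build output.
		return nil, NewParseError(fmt.Sprintf("format of assessment file is invalid: %v", err))
	}
	return &ignore.Assessments, nil
}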