package protecode

import "strconv"

const (
	// vulnerabilitySeverityThreshold is the CVSS score (v3, or v2 as a
	// fallback) at or above which a vulnerability counts as severe.
	vulnerabilitySeverityThreshold = 7.0
)

// HasFailed reports whether the scan result carries the failed status.
func HasFailed(result ResultData) bool {
	//TODO: check this in PollForResult and return error once
	status := result.Result.Status
	if status == "" {
		return false
	}
	return status == statusFailed
}

// HasSevereVulnerabilities reports whether at least one vulnerability in any
// component of result is severe (see isSevere), is not triaged, is not listed
// in excludeCVEs and is an exact match. The first such finding short-circuits
// the scan; isTriaged, isExcluded and isExact are defined elsewhere in the
// package.
func HasSevereVulnerabilities(result Result, excludeCVEs string) bool {
	for _, comp := range result.Components {
		for _, vuln := range comp.Vulns {
			if isReportable(vuln, excludeCVEs) {
				return true
			}
		}
	}
	return false
}

// isReportable applies the four filters of HasSevereVulnerabilities to a
// single vulnerability, cheapest rejection first.
func isReportable(vuln Vulnerability, excludeCVEs string) bool {
	if !isSevere(vuln) {
		return false
	}
	if isTriaged(vuln) {
		return false
	}
	if isExcluded(vuln, excludeCVEs) {
		return false
	}
	return isExact(vuln)
}

// isSevere reports whether the vulnerability's CVSS v3 score reaches
// vulnerabilitySeverityThreshold. The CVSS v2 score is consulted only when
// the v3 score is absent (parses to zero); a v3 score that is present but
// below the threshold is final.
//
// Both scores are strings parsed with strconv.ParseFloat and the parse error
// is discarded, so an empty or malformed score is indistinguishable from 0.
// NOTE(review): a vulnerability whose v3 and v2 scores are both
// unparseable is therefore reported as not severe (fail-open) — confirm
// upstream that Cvss3Score/Cvss are always numeric or empty.
func isSevere(vulnerability Vulnerability) bool {
	v3Score, _ := strconv.ParseFloat(vulnerability.Vuln.Cvss3Score, 64)
	switch {
	case v3Score >= vulnerabilitySeverityThreshold:
		return true
	case v3Score != 0:
		// v3 score present but below the threshold; v2 is not consulted.
		return false
	}
	// CVSS v3 not set, fallback to CVSS v2
	v2Score, _ := strconv.ParseFloat(vulnerability.Vuln.Cvss, 64)
	return v2Score >= vulnerabilitySeverityThreshold
}