Update dependency list parser to parse vulnerability field in addition to dependency_list field
What does this MR do?
We use different analysers for DS (dependency scanning). The Gemnasium analyser generates a report with a `dependency_list` field, while the retire.js analyser generates a report without one.
Example vulnerability entity (from the output of an analyser):

```json
{
  "category": "dependency_scanning",
  "name": "io.netty/netty - CVE-2014-3488",
  "message": "DoS by CPU exhaustion when using malicious SSL packets",
  "cve": "app/pom.xml:io.netty/netty@3.9.1.Final:CVE-2014-3488",
  "severity": "Unknown",
  "solution": "Upgrade to the latest version",
  "scanner": {
    "id": "gemnasium",
    "name": "Gemnasium"
  },
  "location": {
    "file": "app/pom.xml",
    "dependency": {
      "package": {
        "name": "io.netty/netty"
      },
      "version": "3.9.1.Final"
    }
  }
}
```
Example dependency_list entity (from the output of an analyser):

```json
"dependency_files": [
  {
    "path": "rails/Gemfile.lock",
    "package_manager": "bundler",
    "dependencies": [
      {
        "package": {
          "name": "io.netty/netty"
        },
        "version": "3.9.1.Final"
      }
    ]
  }
]
```
We populate the dependency list from the artifacts generated by the analysers, using parsers. The old parser works as follows:

- Parse the `dependency_list` field to get the name and version of each dependency.
- For each dependency found in `dependency_list`, go through the `vulnerabilities` field and check whether each vulnerability belongs to that dependency; if it does, populate the PORO objects.

This approach causes a bug because not all analysers produce a `dependency_list` field. That's why we can't populate the dependency list with the vulnerabilities retire.js found. This MR changes the parser as follows:

- Parse `dependency_list` (if there is any) and add its entries to a map.
- Parse the `vulnerabilities` field; add the dependency to the map if there is no entry for it yet, otherwise update the existing dependency with the vulnerability information.
- Eliminate the same vulnerabilities reported by different analysers.
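The three-step merge described above, written out as an added example (not GitLab's own parser): dependencies are keyed by package name and version, a dependency missing from `dependency_list` is created from the vulnerability's `location`, and identical findings from two scanners collapse into one. The sample report, the `maven` package manager and the `jquery` entry are constructed for the example.

```ruby
require 'json'

# Added example, not GitLab's code: merges the optional dependency_files list
# with the vulnerabilities field and de-duplicates cross-analyser findings.
module DependencyListParser
  # Returns an array of dependency hashes, each carrying its vulnerabilities.
  def self.parse(report_json)
    report = JSON.parse(report_json)
    deps = {}

    # Step 1: dependency_list, if the analyser emitted one (retire.js does not).
    (report['dependency_files'] || []).each do |file|
      (file['dependencies'] || []).each do |dep|
        deps[key_for(dep)] ||= new_dependency(dep, file['package_manager'])
      end
    end

    # Step 2: vulnerabilities; a dependency absent from the map is created here.
    (report['vulnerabilities'] || []).each do |vuln|
      dep = vuln.dig('location', 'dependency') or next
      entry = deps[key_for(dep)] ||= new_dependency(dep, nil)
      # The scanner id is dropped on purpose so identical findings compare equal.
      entry[:vulnerabilities] << { name: vuln['name'], severity: vuln['severity'] }
    end

    # Step 3: the same vulnerability reported by two analysers counts once.
    deps.values.each { |d| d[:vulnerabilities].uniq! }
  end

  def self.key_for(dep)
    [dep.dig('package', 'name'), dep['version']]
  end

  def self.new_dependency(dep, package_manager)
    { name: dep.dig('package', 'name'), version: dep['version'],
      package_manager: package_manager, vulnerabilities: [] }
  end
end

# Constructed sample: netty is in dependency_list and flagged by two scanners;
# jquery appears only in the vulnerabilities field (no dependency_list entry).
NETTY = { 'package' => { 'name' => 'io.netty/netty' }, 'version' => '3.9.1.Final' }
JQUERY = { 'package' => { 'name' => 'jquery' }, 'version' => '1.8.1' }
SAMPLE_REPORT = JSON.generate(
  'dependency_files' => [{ 'path' => 'app/pom.xml', 'package_manager' => 'maven',
                           'dependencies' => [NETTY] }],
  'vulnerabilities' => [
    { 'name' => 'io.netty/netty - CVE-2014-3488', 'severity' => 'Unknown',
      'scanner' => { 'id' => 'gemnasium' }, 'location' => { 'dependency' => NETTY } },
    { 'name' => 'io.netty/netty - CVE-2014-3488', 'severity' => 'Unknown',
      'scanner' => { 'id' => 'retire.js' }, 'location' => { 'dependency' => NETTY } },
    { 'name' => 'jquery - PLACEHOLDER-ID', 'severity' => 'Low',
      'scanner' => { 'id' => 'retire.js' }, 'location' => { 'dependency' => JQUERY } }
  ]
)
```

Running `DependencyListParser.parse(SAMPLE_REPORT)` yields two dependencies, with the netty CVE listed once despite being reported by both scanners.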
Class diagram in case you are lost (green boxes are added classes)