Adding support for vulnerability aliases

Signed-off-by: Steve Springett <[email protected]>

Author: stevespringett

src/i18n/locales/en.json

@@ -225,6 +225,8 @@
     "comments": "Comments",
     "affected_projects": "Affected Projects",
     "weakness": "Weakness",
+    "alias": "Alias",
+    "aliases": "Aliases",
     "references": "References",
     "credits": "Credits",
     "component_vulnerabilities": "Component Vulnerabilities",

src/shared/common.js

@@ -127,6 +127,82 @@ $common.formatAnalyzerLabel = function formatAnalyzerLabel(analyzer, vulnSource,
   return `<span class="label label-source label-analyzer" style="white-space:nowrap;">${analyzerLabel}</span>`;
 };
 
+/**
+ * Given the source of a vulnerability (vulnSource) and the vulnerabilities identifier, create
+ * a value object which also contains the proper name of the source and the URL to the vulnerability
+ * hosted by the source.
+ * @param vulnSource the source of a vulnerability
+ * @param vulnId the unique identifier
+ * @returns a SourceInfo object
+ */
+$common.resolveSourceVulnInfo = function resolveSourceVulnInfo(vulnSource, vulnId) {
+  let sourceInfo = {};
+  sourceInfo.source = vulnSource;
+  sourceInfo.vulnId = vulnId;
+  switch (vulnSource) {
+    case "INTERNAL":
+      // TODO
+      break;
+    case "NVD":
+      sourceInfo.name = "National Vulnerability Database";
+      sourceInfo.url = "https://nvd.nist.gov/vuln/detail/" + vulnId;
+      break;
+    case "GITHUB":
+      sourceInfo.name = "GitHub Advisories";
+      sourceInfo.url = "https://github.com/advisories/" + vulnId;
+      break;
+    case "OSSINDEX":
+      sourceInfo.name = "OSS Index";
+      sourceInfo.url = "https://ossindex.sonatype.org/vuln/" + vulnId;
+      break;
+    case "SNYK":
+      sourceInfo.name = "Snyk";
+      sourceInfo.url = "https://security.snyk.io/vuln/" + vulnId;
+      break;
+    case "OSV":
+      sourceInfo.name = "Open Source Vulnerability Database";
+      sourceInfo.url = "https://osv.dev/vulnerability/" + vulnId;
+      break;
+    case "GSD":
+      sourceInfo.name = "Global Security Database";
+      sourceInfo.url = "https://github.com/cloudsecurityalliance/gsd-database";
+      break;
+    case "VULNDB":
+      sourceInfo.name = "VulnDB";
+      sourceInfo.url = "https://vulndb.cyberriskanalytics.com/vulnerabilities/" + vulnId;
+      break;
+  }
+  return sourceInfo;
+}
+
+/**
+ * Given the source of a vulnerability (vulnSource) and an alias of the vulnerability, normalizes
+ * the return object.
+ * @param vulnSource the source of a Vulnerability object
+ * @param alias a VulnerabilityAlias response object for the given Vulnerability
+ * @returns A resolved and normalized object with metadata
+ */
+$common.resolveVulnAliasInfo = function resolveVulnAliasInfo(vulnSource, alias) {
+  if (!vulnSource || !alias) return;
+  if (vulnSource !== "INTERNAL" && alias.internalId) {
+    return $common.resolveSourceVulnInfo("INTERNAL", alias.internalId);
+  } else if (vulnSource !== "NVD" && alias.cveId) {
+    return $common.resolveSourceVulnInfo("NVD", alias.cveId);
+  } else if (vulnSource !== "GITHUB" && alias.ghsaId) {
+    return $common.resolveSourceVulnInfo("GITHUB", alias.ghsaId);
+  } else if (vulnSource !== "OSSINDEX" && alias.sonatypeId) {
+    return $common.resolveSourceVulnInfo("OSSINDEX", alias.sonatypeId);
+  } else if (vulnSource !== "SNYK" && alias.snykId) {
+    return $common.resolveSourceVulnInfo("SNYK", alias.snykId);
+  } else if (vulnSource !== "OSV" && alias.osvId) {
+    return $common.resolveSourceVulnInfo("OSV", alias.osvId);
+  } else if (vulnSource !== "GSD" && alias.gsdId) {
+    return $common.resolveSourceVulnInfo("GSD", alias.gsdId);
+  } else if (vulnSource !== "VULNDB" && alias.vulnDbId) {
+    return $common.resolveSourceVulnInfo("VULNDB", alias.vulnDbId);
+  }
+}
+
 /**
  *
  * @param {*} i18n - VueI18n instance with $t translate function available
@@ -328,6 +404,9 @@ $common.toBoolean = function(string) {
   if (!string) {
     return false;
   }
+  if (typeof string == "boolean") {
+    return string;
+  }
   switch(string.toLowerCase().trim()) {
     case "true": case "yes": case "1": return true;
     case "false": case "no": case "0": case null: return false;
@@ -353,6 +432,8 @@ module.exports = {
   formatCweLabel: $common.formatCweLabel,
   formatCweShortLabel: $common.formatCweShortLabel,
   formatAnalyzerLabel: $common.formatAnalyzerLabel,
+  resolveSourceVulnInfo: $common.resolveSourceVulnInfo,
+  resolveVulnAliasInfo: $common.resolveVulnAliasInfo,
   makeAnalysisStateLabelFormatter: $common.makeAnalysisStateLabelFormatter,
   makeAnalysisJustificationLabelFormatter: $common.makeAnalysisJustificationLabelFormatter,
   componentClassifierLabelFormatter: $common.componentClassifierLabelFormatter,

src/views/portfolio/projects/ProjectFindings.vue

@@ -107,6 +107,24 @@
               return common.formatSourceLabel(row.vulnerability.source) + ` <a href="${url}">${xssFilters.inHTMLData(value)}</a>`;
             }
           },
+          {
+            title: this.$t('message.aliases'),
+            field: "vulnerability.aliases",
+            sortable: true,
+            visible: false,
+            formatter(value, row, index) {
+              if (typeof value !== 'undefined') {
+                let label = "";
+                for (let i=0; i<value.length; i++) {
+                  let alias = common.resolveVulnAliasInfo(row.vulnerability.source, value[i]);
+                  let url = xssFilters.uriInUnQuotedAttr("../vulnerabilities/" + alias.source + "/" + alias.vulnId);
+                  label += common.formatSourceLabel(alias.source) + ` <a href="${url}">${xssFilters.inHTMLData(alias.vulnId)}</a>`
+                  if (i < value.length-1) label += ", "
+                }
+                return label;
+              }
+            }
+          },
           {
             title: this.$t('message.cwe'),
             field: "vulnerability.cwes",
@@ -195,6 +213,16 @@
               template: `
                 <b-row class="expanded-row">
                   <b-col sm="6">
+                    <div v-if="finding.vulnerability.aliases && finding.vulnerability.aliases.length > 0">
+                    <label>Aliases</label>
+                      <b-card class="font-weight-bold">
+                        <b-card-text>
+                          <span v-for="alias in finding.vulnerability.aliases">
+                          <b-link style="margin-right:1.0rem" :href="'/vulnerabilities/' + aliasLabel(finding.vulnerability.source, alias).source + '/' + aliasLabel(finding.vulnerability.source, alias).vulnId">{{aliasLabel(finding.vulnerability.source, alias).vulnId}}</b-link>
+                         </span>
+                        </b-card-text>
+                     </b-card>
+                    </div>
                     <b-form-group v-if="finding.vulnerability.title" id="fieldset-1" :label="this.$t('message.title')" label-for="input-1">
                       <b-form-input id="input-1" v-model="finding.vulnerability.title" class="form-control disabled" readonly trim />
                     </b-form-group>
@@ -305,6 +333,9 @@
               },
               mixins: [permissionsMixin],
               methods: {
+                aliasLabel: function(vulnSource, alias) {
+                  return common.resolveVulnAliasInfo(vulnSource, alias);
+                },
                 getAnalysis: function() {
                   let queryString = "?project=" + projectUuid + "&component=" + this.finding.component.uuid + "&vulnerability=" + this.finding.vulnerability.uuid;
                   let url = `${this.$api.BASE_URL}/${this.$api.URL_ANALYSIS}` + queryString;

src/views/portfolio/vulnerabilities/Vulnerability.vue

@@ -31,6 +31,22 @@
         <b-link class="font-weight-bold font-xs btn-block text-muted" v-b-modal.vulnerabilityDetailsModal>{{ $t('message.view_details') }} <i class="fa fa-angle-right float-right font-lg"></i></b-link>
       </div>
     </b-card>
+
+    <div v-if="vulnerability.published || vulnerability.aliases">
+      <b-card>
+        <b-card-text>
+          <span v-if="vulnerability.published" class="font-weight-bold font-xs">Published: </span>
+          <span v-if="vulnerability.published" class="font-weight-bold font-xs" style="margin-right:1.2rem">{{prettyTimestamp}}</span>
+          <span v-if="vulnerability.aliases && vulnerability.aliases.length > 0" class="font-weight-bold font-xs">
+            Aliases:
+            <span v-for="alias in vulnerability.aliases">
+              <b-link style="margin-right:1.0rem" :href="`/vulnerabilities/${aliasLabel(alias).source}/${aliasLabel(alias).vulnId}`">{{ aliasLabel(alias).vulnId }}</b-link>
+            </span>
+          </span>
+        </b-card-text>
+      </b-card>
+    </div>
+
     <b-tabs class="body-bg-color" style="border-left: 0; border-right:0; border-top:0 ">
       <b-tab class="body-bg-color overview-chart" style="border-left: 0; border-right:0; border-top:0 " active>
         <template v-slot:title><i class="fa fa-line-chart"></i> {{ $t('message.overview') }}</template>
@@ -108,7 +124,7 @@
         <affected-projects :key="this.uuid" :source="source" :vulnId="vulnId" v-on:total="totalAffectedProjects = $event" />
       </b-tab>
     </b-tabs>
-  <vulnerability-details-modal :vulnProp="cloneDeep(vulnerability)" v-on:vulnerabilityUpdated="syncVulnerabilityFields"/>
+  <vulnerability-details-modal :vulnProp="clonedVulnerability" v-on:vulnerabilityUpdated="syncVulnerabilityFields"/>
   </div>
 </template>
 
@@ -145,6 +161,9 @@
       cvssExploitScore () {
         return common.valueWithDefault(((this.vulnerability.cvssV3ExploitabilitySubScore) ? this.vulnerability.cvssV3ExploitabilitySubScore : this.vulnerability.cvssV2ExploitabilitySubScore), 0);
       },
+      prettyTimestamp() {
+        return common.formatTimestamp(this.vulnerability.published);
+      },
       sourceLabel () {
         switch (this.vulnerability.source) {
           case 'NVD':
@@ -206,13 +225,11 @@
         source: null,
         vulnId: null,
         vulnerability: {},
+        clonedVulnerability: {},
         totalAffectedProjects: 0
       }
     },
     methods: {
-      cloneDeep: function(vulnerability) {
-        return cloneDeep(vulnerability);
-      },
       getStyle: function(style) {
         return getStyle(style);
       },
@@ -224,34 +241,56 @@
       },
       cweLink: function(cwe) {
         return `https://cwe.mitre.org/data/definitions/${cwe.cweId}`;
+      },
+      aliasLabel: function(alias) {
+        return common.resolveVulnAliasInfo(this.source, alias);
+      },
+      loadData: function () {
+        let url = "";
+        if (this.uuid) {
+          url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/${this.uuid}`;
+        } else {
+          url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/source/${this.source}/vuln/${this.vulnId}`;
+        }
+        this.axios.get(url).then((response) => {
+          this.vulnerability = response.data;
+          if (!this.source) {
+            this.source = response.data.source;
+          }
+          if (!this.vulnerability.affectedComponents) {
+            this.vulnerability.affectedComponents = []; // Initialize array so that components may be added to it.
+          }
+          if (!this.vulnId) {
+            this.vulnId = response.data.vulnId;
+          }
+          EventBus.$emit('addCrumb', this.vulnLabel);
+          this.$title = `${this.$t('message.vulnerability')} ${this.vulnLabel}`;
+          this.clonedVulnerability = cloneDeep(this.vulnerability);
+        });
+      },
+      initializeData: function() {
+        this.uuid = this.$route.params.uuid;
+        this.source = this.$route.params.source;
+        this.vulnId = this.$route.params.vulnId;
+      }
+    },
+    watch: {
+      '$route.params.uuid'(newValue) {
+        EventBus.$emit('crumble');
+        this.initializeData();
+        this.loadData();
+      },
+      '$route.params.vulnId'(newValue) {
+        EventBus.$emit('crumble');
+        this.initializeData();
+        this.loadData();
       }
     },
     beforeMount() {
-      this.uuid = this.$route.params.uuid;
-      this.source = this.$route.params.source;
-      this.vulnId = this.$route.params.vulnId;
+      this.initializeData();
     },
     mounted() {
-      let url = "";
-      if (this.uuid) {
-        url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/${this.uuid}`;
-      } else {
-        url = `${this.$api.BASE_URL}/${this.$api.URL_VULNERABILITY}/source/${this.source}/vuln/${this.vulnId}`;
-      }
-      this.axios.get(url).then((response) => {
-        this.vulnerability = response.data;
-        if (!this.source) {
-          this.source = response.data.source;
-        }
-        if (!this.vulnerability.affectedComponents) {
-          this.vulnerability.affectedComponents = []; // Initialize array so that components may be added to it.
-        }
-        if (!this.vulnId) {
-          this.vulnId = response.data.vulnId;
-        }
-        EventBus.$emit('addCrumb', this.vulnLabel);
-        this.$title = `${this.$t('message.vulnerability')} ${this.vulnLabel}`;
-      });
+      this.loadData();
     },
     destroyed() {
       EventBus.$emit('crumble');