Added UI support for working with CycloneDX VEX data.

stevespringett · stevespringett · commit 63243f9ff37b · 2022-02-03T13:58:10.000-06:00
DependencyTrack/dependency-track#1365
diff --git a/src/i18n/locales/en.json b/src/i18n/locales/en.json
@@ -114,6 +114,7 @@
     "project_cloning_in_progress": "The project is being created with the cloning options specified",
     "vulnerability": "Vulnerability",
     "analysis": "Analysis",
+    "justification": "Justification",
     "title": "Title",
     "subtitle": "Subtitle",
     "recommendation": "Recommendation",
@@ -129,10 +130,26 @@
     "approved": "Approved",
     "rejected": "Rejected",
     "not_set": "Not Set",
+    "resolved": "Resolved",
     "exploitable": "Exploitable",
     "in_triage": "In Triage",
     "false_positive": "False Positive",
     "not_affected": "Not Affected",
+    "code_not_present": "Code not present",
+    "code_not_reachable": "Code not reachable",
+    "requires_configuration": "Requires configuration",
+    "requires_dependency": "Requires dependency",
+    "requires_environment": "Requires environment",
+    "protected_by_compiler": "Protected by compiler",
+    "protected_at_runtime": "Protected at runtime",
+    "protected_at_perimeter": "Protected at perimeter",
+    "protected_by_mitigating_control": "Protected by mitigating control",
+    "can_not_fix": "Can not fix",
+    "will_not_fix": "Will not fix",
+    "rollback": "Rollback",
+    "workaround_available": "Workaround available",
+    "response": "Vendor Response (project)",
+    "analysis_details": "Details (explanation, workaround details, and other impact information)",
     "updated": "Updated",
     "add_component": "Add Component",
     "remove_component": "Remove Component",
diff --git a/src/shared/common.js b/src/shared/common.js
@@ -118,22 +118,71 @@ $common.formatAnalyzerLabel = function formatAnalyzerLabel(analyzer, vulnId, alt
 };
 
 /**
- * 
+ *
  * @param {*} i18n - VueI18n instance with $t translate function available
- * @returns a specialized label for an analysis state (NOT_SET, APPROVED, REJECTED, etc). 
- * It must have a corresponding entry in the locales files (e.g. src/locales/en.json) 
+ * @returns a specialized label for an analysis state (NOT_SET, APPROVED, REJECTED, etc).
+ * It must have a corresponding entry in the locales files (e.g. src/locales/en.json)
  * (not_set, approved, rejected, etc.)
  */
 $common.makeAnalysisStateLabelFormatter = (i18n) => {
   return function (value) {
     switch (value) {
       case 'NOT_SET':
-      case 'APPROVED':
-      case 'REJECTED':
       case 'EXPLOITABLE':
       case 'IN_TRIAGE':
       case 'FALSE_POSITIVE':
       case 'NOT_AFFECTED':
+      case 'RESOLVED':
+        return i18n.$t(`message.${value.toLowerCase()}`)
+      default:
+        return null;
+    }
+  }
+};
+
+/**
+ *
+ * @param {*} i18n - VueI18n instance with $t translate function available
+ * @returns a specialized label for an analysis justification (CODE_NOT_REACHABLE, etc).
+ * It must have a corresponding entry in the locales files (e.g. src/locales/en.json)
+ * (code_not_reachable, etc.)
+ */
+$common.makeAnalysisJustificationLabelFormatter = (i18n) => {
+  return function (value) {
+    switch (value) {
+      case 'NOT_SET':
+      case 'CODE_NOT_PRESENT':
+      case 'CODE_NOT_REACHABLE':
+      case 'REQUIRES_CONFIGURATION':
+      case 'REQUIRES_DEPENDENCY':
+      case 'REQUIRES_ENVIRONMENT':
+      case 'PROTECTED_BY_COMPILER':
+      case 'PROTECTED_AT_RUNTIME':
+      case 'PROTECTED_AT_PERIMETER':
+      case 'PROTECTED_BY_MITIGATING_CONTROL':
+        return i18n.$t(`message.${value.toLowerCase()}`)
+      default:
+        return null;
+    }
+  }
+};
+
+/**
+ *
+ * @param {*} i18n - VueI18n instance with $t translate function available
+ * @returns a specialized label for an analysis response (WILL_NOT_FIX, etc).
+ * It must have a corresponding entry in the locales files (e.g. src/locales/en.json)
+ * (will_not_fix, etc.)
+ */
+$common.makeAnalysisResponseLabelFormatter = (i18n) => {
+  return function (value) {
+    switch (value) {
+      case 'NOT_SET':
+      case 'CAN_NOT_FIX':
+      case 'WILL_NOT_FIX':
+      case 'UPDATE':
+      case 'ROLLBACK':
+      case 'WORKAROUND_AVAILABLE':
         return i18n.$t(`message.${value.toLowerCase()}`)
       default:
         return null;
@@ -241,6 +290,7 @@ module.exports = {
   formatCweLabel: $common.formatCweLabel,
   formatAnalyzerLabel: $common.formatAnalyzerLabel,
   makeAnalysisStateLabelFormatter: $common.makeAnalysisStateLabelFormatter,
+  makeAnalysisJustificationLabelFormatter: $common.makeAnalysisJustificationLabelFormatter,
   formatTimestamp: $common.formatTimestamp,
   concatenateComponentName: $common.concatenateComponentName,
   valueWithDefault: $common.valueWithDefault,
diff --git a/src/views/portfolio/projects/ProjectFindings.vue b/src/views/portfolio/projects/ProjectFindings.vue
@@ -195,6 +195,26 @@
                       <bootstrap-toggle v-model="isSuppressed" :options="{ on: 'Suppressed', off: 'Suppress', onstyle: 'warning', offstyle: 'outline-disabled'}" :disabled="false" />
                     </b-input-group>
                     </b-form-group>
+                    <b-row>
+                      <b-col sm="6">
+                        <b-form-group id="fieldset-10" :label="this.$t('message.justification')" label-for="input-10">
+                          <b-input-group id="input-10">
+                            <b-form-select v-model="analysisJustification" :options="justificationChoices" @change="makeAnalysis" :disabled="analysisState !== 'NOT_AFFECTED'"/>
+                          </b-input-group>
+                        </b-form-group>
+                      </b-col>
+                      <b-col sm="6">
+                        <b-form-group id="fieldset-11" :label="this.$t('message.response')" label-for="input-11">
+                          <b-input-group id="input-11">
+                            <b-form-select v-model="analysisResponse" :options="responseChoices" @change="makeAnalysis"/>
+                          </b-input-group>
+                        </b-form-group>
+                      </b-col>
+                    </b-row>
+                    <b-form-group id="fieldset-12" :label="this.$t('message.details')" label-for="analysisDetailsField">
+                      <b-form-textarea id="analysisDetailsField" v-model="analysisDetails" rows="7" class="form-control"
+                          v-debounce:750ms="makeAnalysis" :debounce-events="'keyup'"/>
+                    </b-form-group>
                   </b-col>
                 </b-row>
               `,
@@ -208,17 +228,41 @@
                     { value: 'NOT_SET', text: this.$t('message.not_set') },
                     { value: 'EXPLOITABLE', text: this.$t('message.exploitable') },
                     { value: 'IN_TRIAGE', text: this.$t('message.in_triage') },
+                    { value: 'RESOLVED', text: this.$t('message.resolved') },
                     { value: 'FALSE_POSITIVE', text: this.$t('message.false_positive') },
-                    { value: 'NOT_AFFECTED', text: this.$t('message.not_affected') }
+                    { value: 'NOT_AFFECTED', text: this.$t('message.not_affected') },
+                  ],
+                  justificationChoices: [
+                    { value: 'NOT_SET', text: this.$t('message.not_set') },
+                    { value: 'CODE_NOT_PRESENT', text: this.$t('message.code_not_present') },
+                    { value: 'CODE_NOT_REACHABLE', text: this.$t('message.code_not_reachable') },
+                    { value: 'REQUIRES_CONFIGURATION', text: this.$t('message.requires_configuration') },
+                    { value: 'REQUIRES_DEPENDENCY', text: this.$t('message.requires_dependency') },
+                    { value: 'REQUIRES_ENVIRONMENT', text: this.$t('message.requires_environment') },
+                    { value: 'PROTECTED_BY_COMPILER', text: this.$t('message.protected_by_compiler') },
+                    { value: 'PROTECTED_AT_RUNTIME', text: this.$t('message.protected_at_runtime') },
+                    { value: 'PROTECTED_AT_PERIMETER', text: this.$t('message.protected_at_perimeter') },
+                    { value: 'PROTECTED_BY_MITIGATING_CONTROL', text: this.$t('message.protected_by_mitigating_control') }
+                  ],
+                  responseChoices: [
+                    { value: 'NOT_SET', text: this.$t('message.not_set') },
+                    { value: 'CAN_NOT_FIX', text: this.$t('message.can_not_fix') },
+                    { value: 'WILL_NOT_FIX', text: this.$t('message.will_not_fix') },
+                    { value: 'UPDATE', text: this.$t('message.update') },
+                    { value: 'ROLLBACK', text: this.$t('message.rollback') },
+                    { value: 'WORKAROUND_AVAILABLE', text: this.$t('message.workaround_available') }
                   ],
                   analysisState: null,
+                  analysisJustification: null,
+                  analysisResponse: null,
+                  analysisDetails: null,
                   projectUuid: projectUuid
                 }
               },
               watch: {
                 isSuppressed: function (currentValue, oldValue) {
                   if (oldValue != null) {
-                    this.callRestEndpoint(this.analysisState, null, currentValue);
+                    this.callRestEndpoint(this.analysisState, null, null, null, null, currentValue);
                   }
                 }
               },
@@ -247,27 +291,39 @@
                   if (Object.prototype.hasOwnProperty.call(analysis, "analysisState")) {
                     this.analysisState = analysis.analysisState;
                   }
+                  if (Object.prototype.hasOwnProperty.call(analysis, "analysisJustification")) {
+                    this.analysisJustification = analysis.analysisJustification;
+                  }
+                  if (Object.prototype.hasOwnProperty.call(analysis, "analysisResponse")) {
+                    this.analysisResponse = analysis.analysisResponse;
+                  }
+                  if (Object.prototype.hasOwnProperty.call(analysis, "analysisDetails")) {
+                    this.analysisDetails = analysis.analysisDetails;
+                  }
                   if (Object.prototype.hasOwnProperty.call(analysis, "isSuppressed")) {
                     this.isSuppressed = analysis.isSuppressed;
                   } else {
                     this.isSuppressed = false;
                   }
                 },
                 makeAnalysis: function() {
-                  this.callRestEndpoint(this.analysisState, null, null);
+                  this.callRestEndpoint(this.analysisState,  this.analysisJustification, this.analysisResponse, this.analysisDetails, null, null);
                 },
                 addComment: function() {
                   if (this.comment != null) {
-                    this.callRestEndpoint(this.analysisState, this.comment, null);
+                    this.callRestEndpoint(this.analysisState, this.analysisJustification, this.analysisResponse, this.analysisDetails, this.comment, null);
                   }
                 },
-                callRestEndpoint: function(analysisState, comment, isSuppressed) {
+                callRestEndpoint: function(analysisState, analysisJustification, analysisResponse, analysisDetails, comment, isSuppressed) {
                   let url = `${this.$api.BASE_URL}/${this.$api.URL_ANALYSIS}`;
                   this.axios.put(url, {
                     project: projectUuid,
                     component: this.finding.component.uuid,
                     vulnerability: this.finding.vulnerability.uuid,
                     analysisState: analysisState,
+                    analysisJustification: analysisJustification,
+                    analysisResponse: analysisResponse,
+                    analysisDetails: analysisDetails,
                     comment: comment,
                     isSuppressed: isSuppressed
                   }).then((response) => {
