Merge pull request #170 from sahibamittal/osv-support-enable-flag

Issue #931 : Enable flag for Google OSV mirroring

Author: nscuro

src/assets/img/osv-logo.png

@@ -104,6 +104,10 @@
   background-color: #D4BBF7;
   border: 1px solid #A66AF7;
 }
+.label-source-google {
+  background-color: #f7bbdc;
+  border: 1px solid #cc668a;
+}
 .label-source-internal {
   background-color: #EBE5A8;
   border: 1px solid #DCD167;

src/assets/scss/_custom.scss

@@ -388,6 +388,7 @@
     "nvd": "NVD",
     "national_vulnerability_database": "National Vulnerability Database",
     "github_advisories": "GitHub Advisories",
+    "osv_advisories": "Google OSV Advisories",
     "repositories": "Repositories",
     "cargo": "Cargo",
     "composer": "Composer",
@@ -452,6 +453,8 @@
     "vulnsource_nvd_feeds_url": "NVD Feeds URL",
     "vulnsource_github_advisories_enable": "Enable GitHub Advisory mirroring",
     "vulnsource_github_advisories_desc": "GitHub Advisories (GHSA) is a database of CVEs and GitHub-originated security advisories affecting the open source world. Dependency-Track integrates with GHSA by mirroring advisories via GitHub's public GraphQL API. The mirror is refreshed daily, or upon restart of the Dependency-Track instance. A personal access token (PAT) is required in order to authenticate with GitHub, but no scopes need to be assigned to it.",
+    "vulnsource_osv_advisories_enable": "Enable Google OSV Advisory mirroring",
+    "vulnsource_osv_advisories_desc": "Google OSV is a distributed vulnerability and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source. It serves as an aggregator of vulnerability databases that have adopted the OpenSSF Vulnerability format.",
     "registered_email_address": "Registered email address",
     "api_token": "API token",
     "consumer_key": "Consumer key",

src/i18n/locales/en.json

@@ -95,15 +95,20 @@ $common.formatCweShortLabel = function formatCweShortLabel(cweId, cweName) {
 /**
  * Formats and returns a specialized label for a vulnerability analyzer (OSSINDEX_ANALYZER, INTERNAL_ANALYZER, etc).
  */
-$common.formatAnalyzerLabel = function formatAnalyzerLabel(analyzer, vulnId, alternateIdentifier, referenceUrl) {
+$common.formatAnalyzerLabel = function formatAnalyzerLabel(analyzer, vulnSource, vulnId, alternateIdentifier, referenceUrl) {
   if (! analyzer) {
     return null;
   }
   let analyzerLabel = "";
   let analyzerUrl = null;
   switch (analyzer) {
     case 'INTERNAL_ANALYZER':
-      analyzerLabel = "Internal";
+      analyzerLabel = vulnSource;
+      if(vulnSource === "GITHUB") {
+        analyzerUrl = "https://github.com/advisories/" + vulnId;
+      } else if(vulnSource === "OSV") {
+        analyzerUrl = "https://osv.dev/vulnerability/" + vulnId;
+      }
       break;
     case 'OSSINDEX_ANALYZER':
       analyzerLabel = "OSS Index";

src/shared/common.js

@@ -97,6 +97,11 @@
                 component: "VulnSourceGitHubAdvisories",
                 name: this.$t('admin.github_advisories'),
                 href: "#vulnsourceGitHubAdvisoriesTab"
+              },
+              {
+                component: "VulnSourceOSVAdvisories",
+                name: this.$t('admin.osv_advisories'),
+                href: "#vulnsourceOSVAdvisoriesTab"
               }
             ]
           },

src/views/administration/AdminMenu.vue

@@ -30,6 +30,7 @@
   // Vulnerability sources
   import VulnSourceNvd from "./vuln-sources/VulnSourceNvd";
   import VulnSourceGitHubAdvisories from "./vuln-sources/VulnSourceGitHubAdvisories";
+  import VulnSourceOSVAdvisories from "./vuln-sources/VulnSourceOSVAdvisories";
   // Repositories
   import Cargo from "./repositories/Cargo";
   import Composer from "./repositories/Composer";
@@ -62,7 +63,7 @@
       AdminMenu,
       General, BomFormats, Email, InternalComponents,
       InternalAnalyzer, OssIndexAnalyzer, VulnDbAnalyzer,
-      VulnSourceNvd, VulnSourceGitHubAdvisories,
+      VulnSourceNvd, VulnSourceGitHubAdvisories, VulnSourceOSVAdvisories,
       Cargo, Composer, Gem, GoModules, Hex, Maven, Npm, Nuget, Python,
       Alerts, Templates,
       FortifySsc, DefectDojo, KennaSecurity,

src/views/administration/Administration.vue

@@ -0,0 +1,70 @@
+<template>
+  <b-card no-body :header="header">
+    <b-card-body>
+      <img alt="OSV logo" src="@/assets/img/osv-logo.png" width="65"/>
+      <hr/>
+      <c-switch
+        color="primary"
+        id="vulnsourceEnabled"
+        label
+        v-bind="labelIcon"
+        v-model="vulnsourceEnabled"
+      />
+      {{$t('admin.vulnsource_osv_advisories_enable')}}
+      <hr/>
+      {{ $t('admin.vulnsource_osv_advisories_desc') }}
+    </b-card-body>
+    <b-card-footer>
+      <b-button
+        @click="saveChanges"
+        class="px-4"
+        variant="outline-primary">
+          {{ $t('message.update') }}
+      </b-button>
+    </b-card-footer>
+  </b-card>
+</template>
+
+<script>
+import { Switch as cSwitch } from '@coreui/vue';
+import common from "../../../shared/common";
+import configPropertyMixin from "../mixins/configPropertyMixin";
+
+export default {
+  mixins: [configPropertyMixin],
+  props: {
+    header: String
+  },
+  components: {
+    cSwitch
+  },
+  data() {
+    return {
+      vulnsourceEnabled: false,
+      labelIcon: {
+        dataOn: '\u2713',
+        dataOff: '\u2715'
+      },
+    }
+  },
+  methods: {
+    saveChanges: function() {
+      this.updateConfigProperties([
+        {groupName: 'vuln-source', propertyName: 'google.osv.enabled', propertyValue: this.vulnsourceEnabled}
+      ]);
+    }
+  },
+  created () {
+    this.axios.get(this.configUrl).then((response) => {
+      let configItems = response.data.filter(function (item) { return item.groupName === "vuln-source" });
+      for (let i=0; i<configItems.length; i++) {
+        let item = configItems[i];
+        switch (item.propertyName) {
+          case "google.osv.enabled":
+            this.vulnsourceEnabled = common.toBoolean(item.propertyValue); break;
+        }
+      }
+    });
+  }
+}
+</script>

src/views/administration/vuln-sources/VulnSourceOSVAdvisories.vue

@@ -139,7 +139,7 @@
             field: "attribution.analyzerIdentity",
             sortable: true,
             formatter(value, row, index) {
-              return common.formatAnalyzerLabel(row.attribution.analyzerIdentity, row.vulnerability.vulnId,
+              return common.formatAnalyzerLabel(row.attribution.analyzerIdentity, row.vulnerability.source, row.vulnerability.vulnId,
                 row.attribution.alternateIdentifier, row.attribution.referenceUrl);
             }
           },