Support for CSAF-based Vulnerability Analyser

commons-persistence/src/main/java/org/dependencytrack/persistence/model/Advisory.java

@@ -0,0 +1,184 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.persistence.model;
+
+import jakarta.persistence.Basic;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.Table;
+
+import java.io.Serializable;
+import java.time.Instant;
+
+/**
+ * Model for security advisories (CSAF documents).
+ */
+@Entity
+@Table(name = "ADVISORY")
+public class Advisory implements Serializable {
+
+    @Id
+    @Column(name = "ID")
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private long id;
+
+    /**
+     * A machine-readable name of the CSAF document. This is typically the "document.tracking.id" field.
+     */
+    @Column(name = "NAME")
+    private String name;
+
+    /**
+     * The version of the CSAF document. This is typically the "document.tracking.version" field.
+     */
+    @Column(name = "VERSION")
+    private String version;
+
+    /**
+     * The publisher (namespace) of the CSAF document. This is typically the "document.publisher.namespace" field.
+     */
+    @Column(name = "PUBLISHER")
+    private String publisher;
+
+    /**
+     * A human-readable title for the CSAF document.
+     */
+    @Column(name = "TITLE")
+    private String title;
+
+    /**
+     * The URL where the CSAF document can be found externally.
+     */
+    @Column(name = "URL")
+    private String url;
+
+    /**
+     * The format of the document, e.g., "CSAF".
+     */
+    @Column(name = "FORMAT")
+    private String format;
+
+    /**
+     * The raw content of the CSAF document, typically in JSON format.
+     */
+    @Column(name = "CONTENT", columnDefinition = "CLOB")
+    @Basic(fetch = FetchType.LAZY)
+    private String content;
+
+    /**
+     * Whether the document has been marked as "seen" in the UI.
+     */
+    @Column(name = "SEEN")
+    private boolean seen;
+
+    /**
+     * The time when the document was last fetched from the external source.
+     */
+    @Column(name = "LASTFETCHED")
+    private Instant lastFetched;
+
+    public Advisory() {
+        // no args for JPA
+    }
+
+    public long getId() {
+        return id;
+    }
+
+    public void setId(long id) {
+        this.id = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getVersion() {
+        return version;
+    }
+
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    public String getPublisher() {
+        return publisher;
+    }
+
+    public void setPublisher(String publisher) {
+        this.publisher = publisher;
+    }
+
+    public String getTitle() {
+        return title;
+    }
+
+    public void setTitle(String title) {
+        this.title = title;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    public void setUrl(String url) {
+        this.url = url;
+    }
+
+    public String getFormat() {
+        return format;
+    }
+
+    public void setFormat(String format) {
+        this.format = format;
+    }
+
+    public String getContent() {
+        return content;
+    }
+
+    public void setContent(String content) {
+        this.content = content;
+    }
+
+    public boolean isSeen() {
+        return seen;
+    }
+
+    public void setSeen(boolean seen) {
+        this.seen = seen;
+    }
+
+    public Instant getLastFetched() {
+        return lastFetched;
+    }
+
+    public void setLastFetched(Instant lastFetched) {
+        this.lastFetched = lastFetched;
+    }
+
+}

commons-persistence/src/main/java/org/dependencytrack/persistence/model/Vulnerability.java

@@ -69,7 +69,8 @@ public enum Source {
         RETIREJS, // Retire.js
         INTERNAL,  // Internally-managed (and manually entered) vulnerability
         SNYK,    // Snyk Purl Vulnerability
-        OSV // Google OSV Advisories
+        OSV, // Google OSV Advisories
+        CSAF // CSAF Advisories
     }
 
     @Id

commons-persistence/src/main/java/org/dependencytrack/persistence/repository/AdvisoryRepository.java

@@ -0,0 +1,29 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.persistence.repository;
+
+import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
+import jakarta.enterprise.context.ApplicationScoped;
+import org.dependencytrack.persistence.model.Advisory;
+
+@ApplicationScoped
+public class AdvisoryRepository implements PanacheRepositoryBase<Advisory, Long> {
+
+
+}

commons-persistence/src/main/java/org/dependencytrack/persistence/repository/ComponentRepository.java

@@ -0,0 +1,28 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.persistence.repository;
+
+import io.quarkus.hibernate.orm.panache.PanacheRepository;
+import jakarta.enterprise.context.ApplicationScoped;
+import org.dependencytrack.persistence.model.Component;
+
+@ApplicationScoped
+public class ComponentRepository implements PanacheRepository<Component> {
+
+}

commons-persistence/src/main/resources/schema.sql

@@ -1075,6 +1075,28 @@ ALTER TABLE public."CONFIGPROPERTY" ALTER COLUMN "ID" ADD GENERATED BY DEFAULT A
     CACHE 1
 );
 
+CREATE TABLE public."ADVISORY" (
+    "ID" bigint NOT NULL,
+    "NAME" character varying(255) NOT NULL,
+    "VERSION" character varying(255),
+    "PUBLISHER" character varying(1024),
+    "TITLE" character varying(1024),
+    "URL" character varying(255),
+    "FORMAT" character varying(50),
+    "CONTENT" text,
+    "SEEN" boolean,
+    "LASTFETCHED" timestamp with time zone
+);
+
+ALTER TABLE public."ADVISORY" ALTER COLUMN "ID" ADD GENERATED BY DEFAULT AS IDENTITY (
+    SEQUENCE NAME public."ADVISORY_ID_seq"
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1
+);
+
 CREATE TABLE public."DEPENDENCYMETRICS" (
     "COMPONENT_ID" bigint NOT NULL,
     "CRITICAL" integer NOT NULL,

docker-compose.yml

@@ -183,6 +183,14 @@ services:
     volumes:
       - "postgres-data:/var/lib/postgresql/data"
     restart: unless-stopped
+  pgadmin:
+    image: dpage/pgadmin4
+    container_name: dt-pgadmin
+    environment:
+      PGADMIN_DEFAULT_EMAIL: [email protected]
+      PGADMIN_DEFAULT_PASSWORD: admin
+    ports:
+      - "5431:80"
 
   redpanda:
     image: docker.redpanda.com/redpandadata/redpanda:v24.2.17

pom.xml

@@ -94,6 +94,7 @@
     <quarkus.wiremock.version>1.3.3</quarkus.wiremock.version>
     <lib.brotli.version>0.1.2</lib.brotli.version>
     <lib.versatile.version>0.7.0</lib.versatile.version>
+    <lib.csaf-matching-jvm.version>0.4.1</lib.csaf-matching-jvm.version>
 
     <!-- Plugin Versions -->
     <plugin.jacoco.version>0.8.13</plugin.jacoco.version>
@@ -222,7 +223,7 @@
         <artifactId>json</artifactId>
         <version>${lib.org-json.version}</version>
       </dependency>
-             
+
       <dependency>
         <groupId>org.apache.kafka</groupId>
         <artifactId>kafka-clients</artifactId>
@@ -381,6 +382,12 @@
         <artifactId>versatile</artifactId>
         <version>${lib.versatile.version}</version>
       </dependency>
+
+      <dependency>
+        <groupId>io.csaf</groupId>
+        <artifactId>csaf-matching-jvm</artifactId>
+        <version>${lib.csaf-matching-jvm.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 

proto/src/main/proto/org/dependencytrack/mirror/v1/csaf_data.proto

@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+
+// Public API for DependencyTrack mirroring data.
+package org.dependencytrack.mirror.v1;
+
+option java_multiple_files = true;
+option java_package = "org.dependencytrack.proto.mirror.v1";
+
+message CsafDocumentItem {
+  string publisher_namespace = 1;
+  string tracking_id = 2;
+  string tracking_version = 3;
+  string name = 4;
+  optional string url = 5;
+  optional google.protobuf.Timestamp last_fetched = 6;
+  bytes json_content = 7;
+  bool seen = 8;
+}

proto/src/main/proto/org/dependencytrack/vulnanalysis/v1/vuln_analysis.proto

@@ -33,6 +33,7 @@ enum Scanner {
   SCANNER_INTERNAL = 2;
   SCANNER_OSSINDEX = 3;
   SCANNER_SNYK = 4;
+  SCANNER_CSAF = 5;
 }
 
 message ScanCommand {
@@ -66,6 +67,9 @@ message ScannerResult {
 
   // Bov identified in the scan.
   org.cyclonedx.v1_6.Bom bom = 5;
+
+  // Confidence of the match per vulnerability ID.
+  map<string, int32> matching_confidence = 6;
 }
 
 message ScanResult {

vulnerability-analyzer/pom.xml

@@ -84,6 +84,15 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-logging-json</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.csaf</groupId>
+            <artifactId>csaf-matching-jvm</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>pro.streem.pbandk</groupId>
+            <artifactId>pbandk-runtime-jvm</artifactId>
+            <version>0.16.0</version>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-junit5</artifactId>