Access scw links (#60)

This adds support for getting the new [Secure Code Warrior](https://www.securecodewarrior.com/) vulnerability remediation links that were added to the VRT.  The mapping portion is maintained within the securecodewarrior API, so the VRT just maintains a flat list of which ids are supported and their respective link.

#### Example:

```ruby
VRT.find_node(
  vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'
).third_party_links[:scw]

=> "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:unsafe_cross_origin_resource_sharing&redirect=true"
```

Author: adamrdavid

CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 
 ## [Unreleased]
 ### Added
+- Find the [Secure Code Warrior](https://www.securecodewarrior.com/) remediation training associated with a VRT node
 
 ### Changed
 

README.md

@@ -77,14 +77,15 @@ node.id
 
 node.name
 
-node.mappings
+node.mappings # The node's mappings to other classifications
 ```
 
-### If you need to deal with mappings between versions
+### If you need to deal with translating between versions
 VRT module also has a `find_node` method that is version agnostic.  This is used to find the best
 match for a node under any version and has options to specify a preferred version.
 
 #### Examples:
+
 ```ruby
 # Find a node in a given preferred version that best maps to the given id
 VRT.find_node(
@@ -103,3 +104,37 @@ VRT.find_node(
 # deprecated ids to the search with `all_matching_categories`
 categories_to_search_for += VRT.all_matching_categories(categories_to_search_for)
 ```
+
+### Mappings and external links
+
+#### Mappings
+
+A mapping is a relationship defined from a node to another classification like cvss or cwe or to
+more information like remediation advice. The relationships that are defined in mappings are
+maintained by the Bugcrowd team as well as external contributors to the
+[VRT repo](https://github.com/bugcrowd/vulnerability-rating-taxonomy/tree/master/mappings).
+
+##### Example getting the CWE for a particular VRT ID
+
+```ruby
+VRT.find_node(
+  vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'
+).mappings[:cwe]
+
+=> ["CWE-942", "CWE-16"]
+```
+
+#### Third party links
+
+These are simillar to mappings, but the relationships are maintained by an external party instead of
+Bugcrowd.
+
+##### Example getting Secure Code Warrior training link for a particular VRT ID
+
+```ruby
+VRT.find_node(
+  vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'
+).third_party_links[:scw]
+
+=> "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:unsafe_cross_origin_resource_sharing&redirect=true"
+```

lib/vrt.rb

@@ -7,6 +7,7 @@
 require 'vrt/mapping'
 require 'vrt/cross_version_mapping'
 require 'vrt/errors'
+require 'vrt/third_party_links'
 
 require 'date'
 require 'json'
@@ -123,6 +124,12 @@ def mappings
     @mappings ||= Hash[MAPPINGS.map { |name| [name, VRT::Mapping.new(name)] }]
   end
 
+  def third_party_links
+    @third_party_links ||= {
+      scw: VRT::ThirdPartyLinks.new('secure-code-warrior-links', 'remediation_training')
+    }
+  end
+
   # Cache the VRT contents in-memory, so we're not hitting File I/O multiple times per
   # request that needs it.
   def reload!
@@ -131,6 +138,7 @@ def reload!
     get_json
     get_map
     last_updated
+    third_party_links
     mappings
   end
 

lib/vrt/mapping.rb

@@ -1,7 +1,12 @@
+# frozen_string_literal: true
+
 module VRT
   class Mapping
-    def initialize(scheme)
+    PARENT_DIR = 'mappings'
+
+    def initialize(scheme, subdirectory = nil)
       @scheme = scheme.to_s
+      @parent_directory = File.join(self.class::PARENT_DIR, (subdirectory || @scheme))
       load_mappings
     end
 
@@ -14,9 +19,9 @@ def get(id_list, version)
         id_list = VRT.find_node(vrt_id: id_list.join('.'), preferred_version: @min_version).id_list
         version = @min_version
       end
-      mapping = @mappings[version]['content']
-      default = @mappings[version]['metadata']['default']
-      keys = @mappings[version]['metadata']['keys']
+      mapping = @mappings.dig(version, 'content') || @mappings[version]
+      default = @mappings.dig(version, 'metadata', 'default')
+      keys = @mappings.dig(version, 'metadata', 'keys')
       if keys
         # Convert mappings with multiple keys to be nested under a single
         # top-level key. Remediation advice has keys 'remediation_advice'
@@ -53,11 +58,12 @@ def load_mappings
     end
 
     def mapping_file_path(version)
-      filename = VRT::DIR.join(version, 'mappings', "#{@scheme}.json")
+      # Supports legacy flat file structure `mappings/cvss.json`
+      filename = VRT::DIR.join(version, self.class::PARENT_DIR, "#{@scheme}.json")
       return filename if File.file?(filename)
 
       # Supports mappings that are nested under their scheme name e.g. `mappings/cvss/cvss.json`
-      VRT::DIR.join(version, 'mappings', @scheme, "#{@scheme}.json")
+      VRT::DIR.join(version, @parent_directory, "#{@scheme}.json")
     end
 
     # Converts arrays to hashes keyed by the id attribute (as a symbol) for easier lookup. So

lib/vrt/node.rb

@@ -27,6 +27,10 @@ def mappings
       Hash[VRT.mappings.map { |name, map| [name, map.get(id_list, @version)] }]
     end
 
+    def third_party_links
+      Hash[VRT.third_party_links.map { |name, map| [name, map.get(id_list, @version)] }]
+    end
+
     def id_list
       parent ? parent.id_list << id : [id]
     end

lib/vrt/third_party_links.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module VRT
+  class ThirdPartyLinks < Mapping
+    PARENT_DIR = 'third-party-mappings'
+
+    # Example:
+    # scw = VRT::ThirdPartyLinks.new('secure-code-warrior-links', 'remediation_training')
+    # scw.get(['automotive_security_misconfiguration', 'can', 'injection_dos'], '1.10.1')
+
+    private
+
+    def load_mappings
+      @mappings = {}
+      VRT.versions.each do |version|
+        filename = mapping_file_path(version)
+        next unless File.file?(filename)
+
+        mapping = JSON.parse(File.read(filename))
+        @mappings[version] = mapping
+        # VRT.versions is sorted in reverse semver order
+        # so this will end up as the earliest version with a mapping file
+        @min_version = version
+      end
+      raise VRT::Errors::MappingNotFound if @mappings.empty?
+    end
+
+    # For flat third party links ther is no hierarchical step up
+    def get_key(id_list:, mapping:, key: nil) # rubocop:disable Lint/UnusedMethodArgument
+      mapping.dig(id_list.join('.'))
+    end
+  end
+end

spec/sample_vrt/2.0/third-party-mappings/remediation_training/secure-code-warrior-links.json

@@ -0,0 +1,34 @@
+{
+  "server_security_misconfiguration": null,
+  "server_security_misconfiguration.unsafe_cross_origin_resource_sharing": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:unsafe_cross_origin_resource_sharing&redirect=true",
+  "server_security_misconfiguration.path_traversal": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:path_traversal&redirect=true",
+  "server_security_misconfiguration.directory_listing_enabled": null,
+  "server_security_misconfiguration.directory_listing_enabled.sensitive_data_exposure": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:directory_listing_enabled:sensitive_data_exposure&redirect=true",
+  "server_security_misconfiguration.directory_listing_enabled.non_sensitive_data_exposure": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:directory_listing_enabled:non_sensitive_data_exposure&redirect=true",
+  "server_security_misconfiguration.same_site_scripting": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:same_site_scripting&redirect=true",
+  "server_security_misconfiguration.ssl_attack_breach_poodle_etc": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:ssl_attack_breach_poodle_etc&redirect=true",
+  "server_security_misconfiguration.using_default_credentials": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:using_default_credentials&redirect=true",
+  "server_security_misconfiguration.misconfigured_dns": null,
+  "server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:misconfigured_dns:basic_subdomain_takeover&redirect=true",
+  "server_security_misconfiguration.misconfigured_dns.high_impact_subdomain_takeover": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:misconfigured_dns:high_impact_subdomain_takeover&redirect=true",
+  "server_security_misconfiguration.misconfigured_dns.zone_transfer": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:misconfigured_dns:zone_transfer&redirect=true",
+  "server_security_misconfiguration.misconfigured_dns.missing_caa_record": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:misconfigured_dns:missing_caa_record&redirect=true",
+  "server_security_misconfiguration.mail_server_misconfiguration": null,
+  "server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:mail_server_misconfiguration:no_spoofing_protection_on_email_domain&redirect=true",
+  "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:mail_server_misconfiguration:email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain&redirect=true",
+  "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_spam_folder": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:mail_server_misconfiguration:email_spoofing_to_spam_folder&redirect=true",
+  "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:mail_server_misconfiguration:missing_or_misconfigured_spf_and_or_dkim&redirect=true",
+  "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_non_email_domain": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:mail_server_misconfiguration:email_spoofing_on_non_email_domain&redirect=true",
+  "server_security_misconfiguration.dbms_misconfiguration": null,
+  "server_security_misconfiguration.dbms_misconfiguration.excessively_privileged_user_dba": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:dbms_misconfiguration:excessively_privileged_user_dba&redirect=true",
+  "server_security_misconfiguration.lack_of_password_confirmation": null,
+  "server_security_misconfiguration.lack_of_password_confirmation.change_email_address": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:lack_of_password_confirmation:change_email_address&redirect=true",
+  "server_security_misconfiguration.lack_of_password_confirmation.change_password": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:lack_of_password_confirmation:change_password&redirect=true",
+  "server_security_misconfiguration.lack_of_password_confirmation.delete_account": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:lack_of_password_confirmation:delete_account&redirect=true",
+  "server_security_misconfiguration.lack_of_password_confirmation.manage_two_fa": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:lack_of_password_confirmation:manage_two_fa&redirect=true",
+  "server_security_misconfiguration.no_rate_limiting_on_form": null,
+  "server_security_misconfiguration.no_rate_limiting_on_form.registration": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:no_rate_limiting_on_form:registration&redirect=true",
+  "server_security_misconfiguration.no_rate_limiting_on_form.login": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:no_rate_limiting_on_form:login&redirect=true",
+  "server_security_misconfiguration.no_rate_limiting_on_form.email_triggering": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:no_rate_limiting_on_form:email_triggering&redirect=true",
+  "server_security_misconfiguration.no_rate_limiting_on_form.sms_triggering": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:no_rate_limiting_on_form:sms_triggering&redirect=true"
+}