feat: ingest scores

Author: ctron

Cargo.lock

@@ -37,6 +37,9 @@ pub enum Relation {
 
     #[sea_orm(has_many = "super::purl_status::Entity")]
     PurlStatus,
+
+    #[sea_orm(has_many = "super::advisory_vulnerability_score::Entity")]
+    Score,
 }
 
 impl Related<advisory::Entity> for Entity {

entity/src/advisory_vulnerability.rs

@@ -0,0 +1,127 @@
+use crate::{advisory, advisory_vulnerability, cvss3, vulnerability};
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel)]
+#[sea_orm(table_name = "advisory_vulnerability_score")]
+pub struct Model {
+    #[sea_orm(primary_key)]
+    pub id: Uuid,
+
+    pub advisory_id: Uuid,
+    pub vulnerability_id: String,
+
+    pub r#type: ScoreType,
+    pub vector: String,
+    pub score: f64,
+    pub severity: Severity,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::advisory_vulnerability::Entity",
+        from = "(super::advisory_vulnerability_score::Column::AdvisoryId, super::advisory_vulnerability_score::Column::VulnerabilityId)"
+        to = "(super::advisory_vulnerability::Column::AdvisoryId, super::advisory_vulnerability::Column::VulnerabilityId)"
+    )]
+    AdvisoryVulnerability,
+    #[sea_orm(
+        belongs_to = "super::advisory::Entity",
+        from = "super::advisory_vulnerability_score::Column::AdvisoryId"
+        to = "super::advisory::Column::Id"
+    )]
+    Advisory,
+    #[sea_orm(
+        belongs_to = "super::vulnerability::Entity",
+        from = "super::advisory_vulnerability_score::Column::VulnerabilityId"
+        to = "super::vulnerability::Column::Id"
+    )]
+    Vulnerability,
+}
+
+impl Related<advisory::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Advisory.def()
+    }
+}
+
+impl Related<vulnerability::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Vulnerability.def()
+    }
+}
+
+impl Related<advisory_vulnerability::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::AdvisoryVulnerability.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
+
+// score type
+
+#[derive(Debug, Copy, Clone, PartialEq, Eq, EnumIter, DeriveActiveEnum)]
+#[sea_orm(rs_type = "String", db_type = "Enum", enum_name = "score_type")]
+pub enum ScoreType {
+    #[sea_orm(string_value = "2.0")]
+    V2_0,
+    #[sea_orm(string_value = "3.0")]
+    V3_0,
+    #[sea_orm(string_value = "3.1")]
+    V3_1,
+    #[sea_orm(string_value = "4.0")]
+    V4_0,
+}
+
+// severity
+
+#[derive(
+    Debug,
+    Copy,
+    Clone,
+    PartialEq,
+    Eq,
+    EnumIter,
+    DeriveActiveEnum,
+    strum::EnumString,
+    strum::Display,
+    strum::VariantNames,
+)]
+#[sea_orm(rs_type = "String", db_type = "Enum", enum_name = "severity")]
+#[strum(serialize_all = "lowercase")]
+pub enum Severity {
+    #[sea_orm(string_value = "none")]
+    None,
+    #[sea_orm(string_value = "low")]
+    Low,
+    #[sea_orm(string_value = "medium")]
+    Medium,
+    #[sea_orm(string_value = "high")]
+    High,
+    #[sea_orm(string_value = "critical")]
+    Critical,
+}
+
+impl From<cvss3::Severity> for Severity {
+    fn from(value: cvss3::Severity) -> Self {
+        match value {
+            cvss3::Severity::None => Self::None,
+            cvss3::Severity::Low => Self::Low,
+            cvss3::Severity::Medium => Self::Medium,
+            cvss3::Severity::High => Self::High,
+            cvss3::Severity::Critical => Self::Critical,
+        }
+    }
+}
+
+impl From<Severity> for cvss3::Severity {
+    fn from(value: Severity) -> Self {
+        match value {
+            Severity::None => Self::None,
+            Severity::Low => Self::Low,
+            Severity::Medium => Self::Medium,
+            Severity::High => Self::High,
+            Severity::Critical => Self::Critical,
+        }
+    }
+}

entity/src/advisory_vulnerability_score.rs

@@ -1,5 +1,6 @@
 pub mod advisory;
 pub mod advisory_vulnerability;
+pub mod advisory_vulnerability_score;
 pub mod base_purl;
 pub mod conversation;
 pub mod cpe;

entity/src/lib.rs

@@ -12,6 +12,7 @@ path = "src/lib.rs"
 [dependencies]
 trustify-common = { workspace = true }
 trustify-entity = { workspace = true }
+trustify-module-ingestor = { workspace = true }
 trustify-module-storage = { workspace = true }
 
 anyhow = { workspace = true }
@@ -29,6 +30,7 @@ sea-orm-migration = { workspace = true, features = ["runtime-tokio-rustls", "sql
 serde-cyclonedx = { workspace = true }
 serde_json = { workspace = true }
 spdx-rs = { workspace = true }
+strum = { workspace = true, features = ["derive"] }
 tokio = { workspace = true, features = ["full"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }

migration/Cargo.toml

@@ -194,7 +194,7 @@ macro_rules! sbom {
 ///
 /// See: [`handler!`].
 #[macro_export]
-macro_rules! advisories {
+macro_rules! advisory {
     (async | $doc:ident, $model:ident, $tx:ident | $body:block) => {
         $crate::handler!(async |$doc: $crate::data::Advisory, $model, $tx| $body)
     };

migration/src/data/mod.rs

@@ -72,7 +72,7 @@ impl Migrator {
             .normal(m0001160_improve_expand_spdx_licenses_function::Migration)
             .normal(m0001170_non_null_source_document_id::Migration)
             .data(m0002000_example_sbom_data_migration::Migration)
-            .data(m0002010_)
+            .data(m0002010_example_advisory_data_migration::Migration)
     }
 }
 

migration/src/lib.rs

@@ -1,10 +1,12 @@
 use crate::{
-    data::{MigrationTraitWithData, Sbom as SbomDoc, SchemaDataManager},
-    sbom,
+    advisory,
+    data::{Advisory as AdvisoryDoc, MigrationTraitWithData, SchemaDataManager},
 };
-use sea_orm::{ActiveModelTrait, IntoActiveModel, Set};
+use sea_orm::{EntityTrait, IntoActiveModel, sea_query::extension::postgres::Type};
 use sea_orm_migration::prelude::*;
-use trustify_common::advisory::cyclonedx::extract_properties_json;
+use strum::VariantNames;
+use trustify_entity::{advisory, advisory_vulnerability_score};
+use trustify_module_ingestor::{graph::cvss::ScoreCreator, service::advisory::osv::extract_scores};
 
 #[derive(DeriveMigrationName)]
 pub struct Migration;
@@ -13,47 +15,92 @@ pub struct Migration;
 impl MigrationTraitWithData for Migration {
     async fn up(&self, manager: &SchemaDataManager) -> Result<(), DbErr> {
         manager
-            .alter_table(
-                Table::alter()
-                    .table(Sbom::Table)
-                    .add_column_if_not_exists(
-                        ColumnDef::new(Sbom::Properties)
-                            .json()
-                            .default(serde_json::Value::Null)
-                            .to_owned(),
-                    )
+            .create_type(
+                Type::create()
+                    .as_enum(Severity::Table)
+                    .values(Severity::VARIANTS.iter().skip(1).copied())
                     .to_owned(),
             )
             .await?;
 
         manager
-            .alter_table(
-                Table::alter()
-                    .table(Sbom::Table)
-                    .modify_column(ColumnDef::new(Sbom::Properties).not_null().to_owned())
+            .create_type(
+                Type::create()
+                    .as_enum(ScoreType::Table)
+                    .values(ScoreType::VARIANTS.iter().skip(1).copied())
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_table(
+                Table::create()
+                    .table(AdvisoryVulnerabilityScore::Table)
+                    .if_not_exists()
+                    .col(
+                        ColumnDef::new(AdvisoryVulnerabilityScore::Id)
+                            .uuid()
+                            .not_null()
+                            .primary_key()
+                            .to_owned(),
+                    )
+                    .col(
+                        ColumnDef::new(AdvisoryVulnerabilityScore::AdvisoryId)
+                            .uuid()
+                            .not_null()
+                            .to_owned(),
+                    )
+                    .col(
+                        ColumnDef::new(AdvisoryVulnerabilityScore::VulnerabilityId)
+                            .uuid()
+                            .not_null()
+                            .to_owned(),
+                    )
+                    .col(
+                        ColumnDef::new(AdvisoryVulnerabilityScore::Type)
+                            .custom(ScoreType::Table)
+                            .not_null()
+                            .to_owned(),
+                    )
+                    .col(
+                        ColumnDef::new(AdvisoryVulnerabilityScore::Vector)
+                            .string()
+                            .not_null()
+                            .to_owned(),
+                    )
+                    .col(
+                        ColumnDef::new(AdvisoryVulnerabilityScore::Score)
+                            .float()
+                            .not_null()
+                            .to_owned(),
+                    )
+                    .col(
+                        ColumnDef::new(AdvisoryVulnerabilityScore::Severity)
+                            .custom(Severity::Table)
+                            .not_null()
+                            .to_owned(),
+                    )
                     .to_owned(),
             )
             .await?;
 
         manager
             .process(
                 self,
-                sbom!(async |sbom, model, tx| {
-                    let mut model = model.into_active_model();
-                    match sbom {
-                        SbomDoc::CycloneDx(sbom) => {
-                            model.properties = Set(extract_properties_json(&sbom));
+                advisory!(async |advisory, model, tx| {
+                    match advisory {
+                        AdvisoryDoc::Cve(advisory) => {}
+                        AdvisoryDoc::Csaf(advisory) => {}
+                        AdvisoryDoc::Osv(advisory) => {
+                            let mut creator = ScoreCreator::new(model.id);
+                            extract_scores(&advisory, &mut creator);
+                            creator.create(tx).await?;
                         }
-                        SbomDoc::Spdx(_sbom) => {
-                            model.properties = Set(serde_json::Value::Object(Default::default()));
-                        }
-                        SbomDoc::Other(_) => {
+                        _ => {
                             // we ignore others
                         }
                     }
 
-                    model.save(tx).await?;
-
                     Ok(())
                 }),
             )
@@ -64,20 +111,60 @@ impl MigrationTraitWithData for Migration {
 
     async fn down(&self, manager: &SchemaDataManager) -> Result<(), DbErr> {
         manager
-            .alter_table(
-                Table::alter()
-                    .table(Sbom::Table)
-                    .drop_column(Sbom::Properties)
+            .drop_table(
+                Table::drop()
+                    .table(AdvisoryVulnerabilityScore::Table)
+                    .if_exists()
                     .to_owned(),
             )
             .await?;
 
+        manager
+            .drop_type(Type::drop().if_exists().name("severity").to_owned())
+            .await?;
+
+        manager
+            .drop_type(Type::drop().if_exists().name("score_type").to_owned())
+            .await?;
+
         Ok(())
     }
 }
 
 #[derive(DeriveIden)]
-enum Sbom {
+enum AdvisoryVulnerabilityScore {
+    Table,
+    Id,
+    AdvisoryId,
+    VulnerabilityId,
+    Type,
+    Vector,
+    Score,
+    Severity,
+}
+
+#[derive(DeriveIden, strum::VariantNames, strum::Display)]
+#[allow(unused)]
+enum ScoreType {
+    Table,
+    #[strum(to_string = "2.0")]
+    V2_0,
+    #[strum(to_string = "3.0")]
+    V3_0,
+    #[strum(to_string = "3.1")]
+    V3_1,
+    #[strum(to_string = "4.0")]
+    V4_0,
+}
+
+#[derive(DeriveIden, strum::VariantNames, strum::Display)]
+#[strum(serialize_all = "lowercase")]
+#[allow(unused)]
+enum Severity {
     Table,
-    Properties,
+    None,
+    Low,
+    Medium,
+    High,
+    Critical,
 }