feat(vulnerable-code): Support getting summary / description information

sschuberth · sschuberth · commit dc27c01256e1 · 2025-11-05T09:56:38.000+01:00
Signed-off-by: Sebastian Schuberth &lt;sebastian@doubleopen.org&gt;
diff --git a/clients/vulnerable-code/src/main/kotlin/VulnerableCodeService.kt b/clients/vulnerable-code/src/main/kotlin/VulnerableCodeService.kt
@@ -19,6 +19,7 @@
 
 package org.ossreviewtoolkit.clients.vulnerablecode
 
+import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
 import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.JsonNames
@@ -129,6 +130,10 @@ interface VulnerableCodeService {
         /** The VulnerableCode-specific identifier for this vulnerability. */
         val vulnerabilityId: String,
 
+        /** A description of the vulnerability. Older versions of VulnerableCode do not have this field. */
+        @SerialName("summary")
+        val description: String? = null,
+
         /** A list with [VulnerabilityReference]s pointing to sources of information about this vulnerability. */
         val references: List<VulnerabilityReference>,
 
diff --git a/plugins/advisors/vulnerable-code/src/funTest/kotlin/VulnerableCodeFunTest.kt b/plugins/advisors/vulnerable-code/src/funTest/kotlin/VulnerableCodeFunTest.kt
@@ -46,7 +46,10 @@ class VulnerableCodeFunTest : WordSpec({
                     "CVE-2023-49295"
                 )
 
-                getValue("CVE-2023-49295").references.find {
+                val vulnerability = getValue("CVE-2023-49295")
+                vulnerability.summary shouldBe "quic-go is an implementation of the QUIC protocol (RFC 9000, RFC..."
+
+                vulnerability.references.find {
                     it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2023-49295"
                 } shouldNotBeNull {
                     scoringSystem shouldBe "cvssv3"
@@ -74,7 +77,10 @@ class VulnerableCodeFunTest : WordSpec({
                     "CVE-2023-2976"
                 )
 
-                getValue("CVE-2023-2976").references.find {
+                val vulnerability = getValue("CVE-2023-2976")
+                vulnerability.summary shouldBe "Use of Java's default temporary directory for file creation in `..."
+
+                vulnerability.references.find {
                     it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
                 } shouldNotBeNull {
                     scoringSystem shouldBe "cvssv3"
@@ -98,7 +104,10 @@ class VulnerableCodeFunTest : WordSpec({
                     "CVE-2023-42503"
                 )
 
-                getValue("CVE-2023-42503").references.find {
+                val vulnerability = getValue("CVE-2023-42503")
+                vulnerability.summary shouldBe "Improper Input Validation, Uncontrolled Resource Consumption vul..."
+
+                vulnerability.references.find {
                     it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2023-42503"
                 } shouldNotBeNull {
                     scoringSystem shouldBe "cvssv3"
@@ -124,7 +133,10 @@ class VulnerableCodeFunTest : WordSpec({
                     "CVE-2024-48948"
                 )
 
-                getValue("CVE-2024-48948").references.find {
+                val vulnerability = getValue("CVE-2024-48948")
+                vulnerability.summary shouldBe "The Elliptic package 6.5.7 for Node.js, in its for ECDSA impleme..."
+
+                vulnerability.references.find {
                     it.url.toString() == "https://github.com/indutny/elliptic"
                 } shouldNotBeNull {
                     scoringSystem shouldBe "cvssv3.1"
diff --git a/plugins/advisors/vulnerable-code/src/main/kotlin/VulnerableCode.kt b/plugins/advisors/vulnerable-code/src/main/kotlin/VulnerableCode.kt
@@ -57,6 +57,11 @@ import org.ossreviewtoolkit.utils.ort.OkHttpClientHelper
  */
 private const val BULK_REQUEST_SIZE = 100
 
+/**
+ * The maximum length for the summary as derived from the description of a vulnerability.
+ */
+private const val MAX_SUMMARY_LENGTH = 64
+
 /**
  * An [AdviceProvider] implementation that obtains security vulnerability information from a
  * [VulnerableCode][https://github.com/aboutcode-org/vulnerablecode] instance.
@@ -133,8 +138,19 @@ class VulnerableCode(
      * Convert this vulnerability from the VulnerableCode data model to a [Vulnerability]. Populate [issues] if this
      * fails.
      */
-    private fun VulnerableCodeService.Vulnerability.toModel(issues: MutableList<Issue>): Vulnerability =
-        Vulnerability(id = preferredCommonId(), references = references.flatMap { it.toModel(issues) })
+    private fun VulnerableCodeService.Vulnerability.toModel(issues: MutableList<Issue>): Vulnerability {
+        val description = description?.ifBlank { null }
+        return Vulnerability(
+            id = preferredCommonId(),
+            // VulnerableCode API v1 has no dedicated summary field (its summary actually is the description), so try to
+            // summarize the description.
+            summary = description?.take(MAX_SUMMARY_LENGTH)?.let {
+                if (it.length < description.length) "$it..." else it
+            },
+            description = description,
+            references = references.flatMap { it.toModel(issues) }
+        )
+    }
 
     /**
      * Convert this reference from the VulnerableCode data model to a list of [VulnerabilityReference] objects.
diff --git a/plugins/advisors/vulnerable-code/src/test/kotlin/VulnerableCodeTest.kt b/plugins/advisors/vulnerable-code/src/test/kotlin/VulnerableCodeTest.kt
@@ -193,6 +193,8 @@ class VulnerableCodeTest : WordSpec({
             val expLog4jVulnerabilities = listOf(
                 Vulnerability(
                     id = "GHSA-jfh8-c2jp-5v3q",
+                    summary = "Remote code injection in Log4j",
+                    description = "Remote code injection in Log4j",
                     references = listOf(
                         VulnerabilityReference(
                             URI("http://ref.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"),
@@ -205,6 +207,8 @@ class VulnerableCodeTest : WordSpec({
                 ),
                 Vulnerability(
                     id = "CVE-2021-44832",
+                    summary = "Improper Input Validation and Injection in Apache Log4j2",
+                    description = "Improper Input Validation and Injection in Apache Log4j2",
                     references = listOf(
                         VulnerabilityReference(
                             URI("https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44832.json"),
