Merge pull request #1753 from blackducksoftware/OTWO-7127

OTWO-7127 Added BDSA landing page
blackducksoftware · Nov 16, 2023 · 6b9e554 · 6b9e554
2 parents f4ee545 + 0c8e338
commit 6b9e554
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 3 deletions.
diff --git a/app/assets/javascripts/api/vulnerability.js.coffee b/app/assets/javascripts/api/vulnerability.js.coffee
@@ -56,6 +56,7 @@ cve_cvss3 = (cvss_data, severity) ->
 
 search_bdsa = (id) ->
   if id != ''
+    id = id.toUpperCase()
     bdsa_format = /^BDSA-(19|[2-9][0-9])\d{2}-\d{4}$/
     if bdsa_format.test(id)
       window.location.href = '/vulnerabilities/bdsa/' + id

diff --git a/app/assets/stylesheets/api/custom.sass b/app/assets/stylesheets/api/custom.sass
@@ -116,6 +116,16 @@
     padding: 6em 2em
     box-shadow: 0 0 2px 0
 
+  .landing
+    height: 100%
+    border: 1px solid #f7f7f7
+    width: 75rem
+    text-align: center
+    padding: 5em 3em
+    box-shadow: 0 0 2px 0
+
+    p
+      font-size: medium
   .search-container
     display: flex
     justify-content: center

diff --git a/app/controllers/api/vulnerabilities_controller.rb b/app/controllers/api/vulnerabilities_controller.rb
@@ -7,7 +7,7 @@ class Api::VulnerabilitiesController < ApplicationController
   layout 'vulnerability'
 
   def show
-    url = ENV['BDSA_VULNERABILITY_API'].gsub('BDSA_ID', params[:id])
+    url = ENV['BDSA_VULNERABILITY_API'].gsub('BDSA_ID', params[:id].upcase)
     code, @response = Api.get_response(url)
     return render 'no_data' if code != '200' || @response['publishedDate'].to_datetime > 30.days.ago.to_datetime
 
@@ -44,6 +44,6 @@ def fetch_cve
   end
 
   def valid_bdsa_id
-    return render 'no_data' unless params[:id].match(/^BDSA-(19|[2-9][0-9])\d{2}-\d{4}$/)
+    return render 'no_data' unless params[:id].upcase.match(/^BDSA-(19|[2-9][0-9])\d{2}-\d{4}$/)
   end
 end
diff --git a/app/views/api/vulnerabilities/index.html.haml b/app/views/api/vulnerabilities/index.html.haml
@@ -0,0 +1,8 @@
+.search-container
+  .landing
+    %span.fa
+      %p Black Duck Security Advisories (BDSAs) are a Black Duck-exclusive vulnerability data feed sourced and curated by our Cybersecurity Research Center (CyRC). BDSAs offer deeper coverage for a wide set of vulnerabilities than is available through the National Vulnerability Database (NVD). While providing more timely and detailed vulnerability insights, including severity, impact and exploitability metrics. BDSAs also provide actionable remediation guidance to save time by providing details on fixed versions, patch information, exploits, and workarounds where available.
+      %p The CyRC team provide detailed vulnerability guidance over beyond what the NVD typically provide in CVE records. BDSA are also cross-checked and validated against possibly affected component versions this often results in additional and more accurate mappings for components and versions affected by a given vulnerability.
+      %p Where a BDSA has not been mapped to a component version which is mapped to a CVE record this indicates that the COSRI's team additional research has determined that this component version is not affected by the vulnerability. BDSAs are frequently reviewed and updated often on an hourly basis in the event of a new zero day vulnerability.
+      %p The NVD CVE records are typically not cross-checked nor does the NVD verify vulnerability data published or provided from 3rd parties. The NVD are typically slower to update their records when new vulnerabilities or data becomes available.
+      %p BDSA records should not be considered separate vulnerabilities from CVE records or other publicly available vulnerability data sources but instead viewed as additional research and insights which users can use to make better decisions, faster with regard to open source security vulnerabilities.
diff --git a/app/views/layouts/partials/_menubar.html.haml b/app/views/layouts/partials/_menubar.html.haml
@@ -16,4 +16,6 @@
         = link_to t(:tools_menu), tools_path, class: tools_select
       %li.menu_item.blog
         %a{ href: 'https://community.synopsys.com/s/black-duck-open-hub?tabset-c30ff=d9d77', target: '_blank' }= t :blog
+      %li.menu_item.bdsa
+        %a{ href: bdsa_vulnerabilities_path, target: '_blank' }= t :bdsa
       = render 'shared/search.html.haml'
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -50,6 +50,7 @@ en:
   organizations_menu: 'Organizations'
   tools_menu: 'Tools'
   blog: 'Blog'
+  bdsa: 'BDSA'
   forum: 'Forums'
   terms: 'Terms'
   privacy_blog: 'Privacy'

diff --git a/config/routes.rb b/config/routes.rb
@@ -511,6 +511,7 @@
   get 'sitemaps/:ctrl/:page.xml', controller: 'sitemap', action: 'show', format: 'xml'
 
   get 'vulnerabilities/bdsa/:id', to: 'api/vulnerabilities#show'
+  get 'vulnerabilities/bdsa' => 'api/vulnerabilities#index', as: :bdsa_vulnerabilities
   match 'vulnerabilities/*all', to: 'api/vulnerabilities#raise_not_found!', via: :all
 
   # the unmatched_route must be last as it matches everything

diff --git a/test/controllers/api/vulnerabilities_controller_test.rb b/test/controllers/api/vulnerabilities_controller_test.rb
@@ -26,7 +26,7 @@ class Api::VulnerabilitiesControllerTest < ActionDispatch::IntegrationTest
   end
 
   it 'must render error page for unmatched vulnerabilities routes' do
-    get '/vulnerabilities/bdsa'
+    get '/vulnerabilities/bdsa_data'
     assert_response :not_found
     assert_template 'error'
   end
@@ -56,4 +56,9 @@ class Api::VulnerabilitiesControllerTest < ActionDispatch::IntegrationTest
       _(response.body).must_match 'Agree'
     end
   end
+
+  it 'must render BDSA landing page' do
+    get '/vulnerabilities/bdsa'
+    assert_response :success
+  end
 end