Added severity score vector (#2569)

* Added severity score vector
saveourtool · Sep 11, 2023 · 9db8b12 · 9db8b12
1 parent e34bab5
commit 9db8b12
Show file tree

Hide file tree

Showing 10 changed files with 34 additions and 12 deletions.
diff --git a/db/v-2/tables/cosv-metadata.xml b/db/v-2/tables/cosv-metadata.xml
@@ -59,4 +59,11 @@
     <changeSet id="cosv-metadata-4" author="nulls">
         <renameColumn tableName="cosv_metadata" oldColumnName="published" newColumnName="submitted" columnDataType="DATETIME(3)"/>
     </changeSet>
+
+    <changeSet id="cosv-metadata-5" author="frolov">
+        <dropColumn tableName="cosv_metadata">
+            <column name="severity"/>
+        </dropColumn>
+    </changeSet>
+
 </databaseChangeLog>
diff --git a/...rc/main/kotlin/com/saveourtool/save/backend/service/vulnerability/VulnerabilityService.kt b/...rc/main/kotlin/com/saveourtool/save/backend/service/vulnerability/VulnerabilityService.kt
@@ -218,7 +218,6 @@ class VulnerabilityService(
                     cosvId = "default-${Random.nextInt()}",
                     summary = "STUB",
                     details = "STUB",
-                    severity = null,
                     severityNum = 0,
                     submitted = getCurrentLocalDateTime().toJavaLocalDateTime(),
                     modified = getCurrentLocalDateTime().toJavaLocalDateTime(),
@@ -229,7 +228,7 @@ class VulnerabilityService(
                 )
             )
             val newName = "SOTV-${getCurrentLocalDateTime().year}-${metadata.requiredId()}"
-            cosvMetadataRepository.saveAndFlush(metadata.apply {
+            cosvMetadataRepository.save(metadata.apply {
                 cosvId = newName
             })
             newName

diff --git a/...-cloud-common/src/commonMain/kotlin/com/saveourtool/save/entities/cosv/CosvMetadataDto.kt b/...-cloud-common/src/commonMain/kotlin/com/saveourtool/save/entities/cosv/CosvMetadataDto.kt
@@ -11,7 +11,6 @@ import kotlinx.datetime.LocalDateTime
  * @property cosvId [com.saveourtool.osv4k.OsvSchema.id]
  * @property summary [com.saveourtool.osv4k.OsvSchema.summary]
  * @property details [com.saveourtool.osv4k.OsvSchema.details]
- * @property severity [com.saveourtool.osv4k.Severity.score]
  * @property severityNum [com.saveourtool.osv4k.Severity.scoreNum]
  * @property modified [com.saveourtool.osv4k.OsvSchema.modified]
  * @property submitted
@@ -24,7 +23,6 @@ data class CosvMetadataDto(
     val cosvId: String,
     val summary: String,
     val details: String,
-    val severity: String?,
     val severityNum: Int,
     val modified: LocalDateTime,
     val submitted: LocalDateTime,

diff --git a/...mon/src/commonMain/kotlin/com/saveourtool/save/entities/vulnerability/VulnerabilityDto.kt b/...mon/src/commonMain/kotlin/com/saveourtool/save/entities/vulnerability/VulnerabilityDto.kt
@@ -23,6 +23,7 @@ import kotlinx.serialization.Serializable
  * @property creationDateTime [LocalDateTime] of creation
  * @property lastUpdatedDateTime [LocalDateTime] of last updating
  * @property tags
+ * @property severity
  */
 @Serializable
 data class VulnerabilityDto(
@@ -41,6 +42,7 @@ data class VulnerabilityDto(
     val creationDateTime: LocalDateTime? = null,
     val lastUpdatedDateTime: LocalDateTime? = null,
     val tags: Set<String> = emptySet(),
+    val severity: String = "",
 ) {
     /**
      * @return map where key is LocalDateTime and value is a label of LocalDateTime
@@ -77,7 +79,6 @@ data class VulnerabilityDto(
         )
         val vulnerabilityPrefixes = listOf(
             "CVE-",
-
         )
     }
 }
diff --git a/...d-common/src/commonMain/kotlin/com/saveourtool/save/validation/ValidationErrorMessages.kt b/...d-common/src/commonMain/kotlin/com/saveourtool/save/validation/ValidationErrorMessages.kt
@@ -44,3 +44,8 @@ const val CVE_NAME_ERROR_MESSAGE = "CVE identifier is invalid"
  * Error message that is shown when tag is invalid.
  */
 const val TAG_ERROR_MESSAGE = "Tag length should be in [3, 15] range, no commas are allowed."
+
+/**
+ * Error message that is shown when severity score vector is invalid.
+ */
+const val SEVERITY_VECTOR_ERROR_MESSAGE = "Severity score vector is invalid"
diff --git a/save-cloud-common/src/jvmMain/kotlin/com/saveourtool/save/entities/cosv/CosvMetadata.kt b/save-cloud-common/src/jvmMain/kotlin/com/saveourtool/save/entities/cosv/CosvMetadata.kt
@@ -16,7 +16,6 @@ import kotlinx.datetime.toKotlinLocalDateTime
  * @property cosvId [com.saveourtool.osv4k.OsvSchema.id]
  * @property summary [com.saveourtool.osv4k.OsvSchema.summary]
  * @property details [com.saveourtool.osv4k.OsvSchema.details]
- * @property severity [com.saveourtool.osv4k.Severity.score]
  * @property severityNum [com.saveourtool.osv4k.Severity.scoreNum]
  * @property modified [com.saveourtool.osv4k.OsvSchema.modified]
  * @property submitted when vulnerability submitted to saveourtool platform
@@ -31,7 +30,6 @@ class CosvMetadata(
     var cosvId: String,
     var summary: String,
     var details: String,
-    var severity: String?,
     var severityNum: Int,
     var modified: LocalDateTime,
     var submitted: LocalDateTime,
@@ -50,7 +48,6 @@ class CosvMetadata(
         cosvId = cosvId,
         summary = summary,
         details = details,
-        severity = severity,
         severityNum = severityNum,
         modified = modified.toKotlinLocalDateTime(),
         submitted = submitted.toKotlinLocalDateTime(),
@@ -74,7 +71,6 @@ class CosvMetadata(
             cosvId = cosvId,
             summary = summary,
             details = details,
-            severity = severity,
             severityNum = severityNum,
             modified = modified.toJavaLocalDateTime(),
             submitted = submitted.toJavaLocalDateTime(),

diff --git a/save-cosv/src/main/kotlin/com/saveourtool/save/cosv/repository/CosvRepositoryInStorage.kt b/save-cosv/src/main/kotlin/com/saveourtool/save/cosv/repository/CosvRepositoryInStorage.kt
@@ -136,7 +136,6 @@ class CosvRepositoryInStorage(
             cosvId = id,
             summary = summary ?: "Summary not provided",
             details = details ?: "Details not provided",
-            severity = severity?.firstOrNull()?.score,
             severityNum = severity?.firstOrNull()?.scoreNum?.toInt() ?: 0,
             modified = modified.toJavaLocalDateTime(),
             submitted = getCurrentLocalDateTime().toJavaLocalDateTime(),
@@ -149,7 +148,6 @@ class CosvRepositoryInStorage(
         private fun CosvMetadata.updateBy(entry: CosvSchema<*, *, *, *>): CosvMetadata = apply {
             summary = entry.summary ?: "Summary not provided"
             details = entry.details ?: "Details not provided"
-            severity = entry.severity?.firstOrNull()?.score
             severityNum = entry.severity?.firstOrNull()
                 ?.scoreNum
                 ?.toInt() ?: 0

diff --git a/save-cosv/src/main/kotlin/com/saveourtool/save/cosv/service/CosvService.kt b/save-cosv/src/main/kotlin/com/saveourtool/save/cosv/service/CosvService.kt
@@ -141,7 +141,7 @@ class CosvService(
             severity = listOf(
                 Severity(
                     type = SeverityType.CVSS_V3,
-                    score = "N/A",
+                    score = vulnerabilityDto.severity,
                     scoreNum = vulnerabilityDto.progress.toString(),
                 )
             ),

diff --git a/...frontend/src/main/kotlin/com/saveourtool/save/frontend/components/inputform/InputForms.kt b/...frontend/src/main/kotlin/com/saveourtool/save/frontend/components/inputform/InputForms.kt
@@ -10,6 +10,7 @@ import com.saveourtool.save.validation.*
 
 private const val URL_PLACEHOLDER = "https://example.com"
 private const val EMAIL_PLACEHOLDER = "[email protected]"
+private const val SEVERITY_VECTOR_PLACEHOLDER = "CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_"
 
 private const val NAME_TOOLTIP = "Allowed symbols: letters, digits, dots, hyphens and underscores." +
         "No dot, hyphen or underscore at the beginning and at the end of the line."
@@ -18,6 +19,9 @@ private const val NAME_ORG_PROJECT_TOOLTIP = "Name must not be longer than $NAMI
         "Allowed symbols: letters, digits, dots, hyphens and underscores." +
         "No dot, hyphen or underscore at the beginning and at the end of the line."
 
+private const val SEVERITY_VECTOR_TOOLTIP = "It's a string representation of the Common Vulnerability Scoring System (CVSS)." +
+        "If you know it, please indicate in this field."
+
 /**
  * @property str
  * @property placeholder
@@ -148,6 +152,12 @@ enum class InputTypes(
         tooltip = "If you know the vulnerability identifier, you can enter it here",
     ),
     CVE_DATE("CVE date"),
+    COSV_VECTORE(
+        "Severity score vector",
+        SEVERITY_VECTOR_ERROR_MESSAGE,
+        placeholder = SEVERITY_VECTOR_PLACEHOLDER,
+        tooltip = SEVERITY_VECTOR_TOOLTIP,
+    ),
     ;
 }
 

diff --git a/...ain/kotlin/com/saveourtool/save/frontend/components/views/vuln/CreateVulnerabilityView.kt b/...ain/kotlin/com/saveourtool/save/frontend/components/views/vuln/CreateVulnerabilityView.kt
@@ -275,6 +275,14 @@ val createVulnerabilityView: VFC = VFC {
                                     }
                                 }
 
+                                inputTextFormOptional {
+                                    form = InputTypes.COSV_VECTORE
+                                    textValue = vulnerability.relatedLink
+                                    classes = "col-12 my-2 px-2 text-left"
+                                    name = "Severity score vector"
+                                    onChangeFun = { event -> setVulnerability { it.copy(severity = event.target.value) } }
+                                }
+
                                 div {
                                     className = ClassName("col-12 my-2 px-2 text-left")
                                     label {