feat: add rating source tracking for context-aware OWASP scores#6210
Open
fahedouch wants to merge 1 commit into
Open
feat: add rating source tracking for context-aware OWASP scores#6210fahedouch wants to merge 1 commit into
fahedouch wants to merge 1 commit into
Conversation
Signed-off-by: Fahed Dorgaa <fahed.dorgaa@gmail.com>
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a source column to analyses that tracks the origin of an analysis (POLICY, VEX, MANUAL, NVD) and enforces precedence rules so lower-precedence sources cannot overwrite higher-precedence ones. Also extends the analysis request/command surface with OWASP RR vector/score and updates the CycloneDX VEX importer to ingest OWASP ratings.
Changes:
- Introduces
RatingSourceenum +SOURCEcolumn onANALYSIS, with migration and DAO/mapper wiring to persist it. - Threads
source,owaspVector,owaspScorethroughMakeAnalysisCommand, REST request, and apply overwrite precedence inAnalysisQueryManager#makeAnalysis. - Updates
CycloneDXVexImporterto support OWASP ratings and proceed when a vulnerability has ratings but no analysis block.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| migration/.../V202605291854__add_source_column_to_analysis.sql | Adds SOURCE column, index, and backfills POLICY/MANUAL values. |
| apiserver/.../model/RatingSource.java | New enum encoding source precedence and canOverwrite logic. |
| apiserver/.../model/Analysis.java | Adds persistent source field with getters/setters. |
| apiserver/.../persistence/command/MakeAnalysisCommand.java | Adds source, owaspVector, owaspScore fields/builders. |
| apiserver/.../persistence/AnalysisQueryManager.java | Guards updates by precedence and audits OWASP/source changes. |
| apiserver/.../persistence/jdbi/AnalysisDao.java | Includes SOURCE in policy-driven analysis upserts. |
| apiserver/.../persistence/jdbi/VulnerabilityPolicyDao.java | Resets SOURCE when unassigning policy. |
| apiserver/.../persistence/jdbi/mapping/AnalysisRowMapper.java | Reads SOURCE column into Analysis. |
| apiserver/.../resources/v1/vo/AnalysisRequest.java | Adds OWASP vector/score request fields. |
| apiserver/.../resources/v1/AnalysisResource.java | Passes OWASP fields and MANUAL source to the command. |
| apiserver/.../parser/cyclonedx/CycloneDXVexImporter.java | Imports OWASP ratings as VEX-sourced analyses. |
| apiserver/.../test/.../RatingSourceTest.java | Tests for precedence/overwrite behavior. |
| apiserver/.../test/.../AnalysisResourceTest.java | Updates constructor calls for new request params. |
| apiserver/.../test/.../ProcessScheduledNotificationRuleActivityTest.java | Adopts builder-style MakeAnalysisCommand. |
Comment on lines
+106
to
+108
| final boolean canUpdate = canUpdateAnalysis(analysis.getSource(), command.source()); | ||
|
|
||
| if (canUpdate) { |
Comment on lines
+224
to
+229
| private boolean canUpdateAnalysis(final RatingSource existingSource, final RatingSource newSource) { | ||
| if (newSource == null || existingSource == null) { | ||
| return true; | ||
| } | ||
| return newSource.canOverwrite(existingSource); | ||
| } |
Comment on lines
+241
to
+243
| final java.math.BigDecimal score = rating.getScore() != null | ||
| ? java.math.BigDecimal.valueOf(rating.getScore()) | ||
| : null; |
| maybeSet(rs, "CVSSV4SCORE", ResultSet::getBigDecimal, analysis::setCvssV4Score); | ||
| maybeSet(rs, "OWASPVECTOR", ResultSet::getString, analysis::setOwaspVector); | ||
| maybeSet(rs, "OWASPSCORE", ResultSet::getBigDecimal, analysis::setOwaspScore); | ||
| maybeSet(rs, "SOURCE", ResultSet::getString, value -> analysis.setSource(RatingSource.valueOf(value))); |
Comment on lines
+11
to
+24
| -- Backfill: other analyses with meaningful data get MANUAL source | ||
| UPDATE "ANALYSIS" | ||
| SET "SOURCE" = 'MANUAL' | ||
| WHERE "SOURCE" IS NULL | ||
| AND ( | ||
| ("STATE" IS NOT NULL AND "STATE" != 'NOT_SET') | ||
| OR ("JUSTIFICATION" IS NOT NULL AND "JUSTIFICATION" != 'NOT_SET') | ||
| OR ("RESPONSE" IS NOT NULL AND "RESPONSE" != 'NOT_SET') | ||
| OR "SEVERITY" IS NOT NULL | ||
| OR "CVSSV2VECTOR" IS NOT NULL | ||
| OR "CVSSV3VECTOR" IS NOT NULL | ||
| OR "CVSSV4VECTOR" IS NOT NULL | ||
| OR "OWASPVECTOR" IS NOT NULL | ||
| ); |
Comment on lines
+143
to
+148
| if (command.source() != null && analysis.getSource() != command.source()) { | ||
| if (analysis.getSource() != null) { | ||
| auditTrailComments.add("Source: %s → %s".formatted(analysis.getSource(), command.source())); | ||
| } | ||
| analysis.setSource(command.source()); | ||
| } |
Open
4 tasks
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Complexity | 26 |
| Duplication | 0 |
🟢 Coverage 80.36% diff coverage · -0.03% coverage variation
Metric Results Coverage variation ✅ -0.03% coverage variation (-1.00%) Diff coverage ✅ 80.36% diff coverage (70.00%) Coverage variation details
Coverable lines Covered lines Coverage Common ancestor commit (659d391) 41636 35834 86.06% Head commit (2a2c8a8) 41693 (+57) 35869 (+35) 86.03% (-0.03%) Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch:
<coverage of head commit> - <coverage of common ancestor commit>Diff coverage details
Coverable lines Covered lines Diff coverage Pull request (#6210) 112 90 80.36% Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified:
<covered lines added or modified>/<coverable lines added or modified> * 100%
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Re-targeting DependencyTrack/hyades-apiserver#1928 here, since v5 dev moved to this repo (asked by @nscuro: DependencyTrack/hyades-apiserver#1928 (comment)).
Same change as the original PR, just rebased on main. Only thing that changed: renamed the migration so it runs after the latest one on main instead of in the middle.
Addressed Issue
No separate issue — this is the re-target of DependencyTrack/hyades-apiserver#1928 onto this repo, as requested by @nscuro for the v5 GA move.
Additional Details
Checklist
docs/adr/