VEX Improvements #203

Open
6 tasks
dlg1206 opened this issue Aug 7, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@dlg1206
Member

dlg1206 commented Aug 7, 2023

Overview

There could be a number of improvements to the VEXBuilder that I found while working with it for the new VEXController / Service for the API.

Acceptance Criteria

  • Factory to create new clients
    The current implementation is a switch statement, which worked for the short timeline. We can redevelop this to function similarly to the SerializerFactory.
    Example
String client = "osv";
VulnerabilityDBClient vc = VulnerabilityDBClientFactory.createClient(client);

This can help abstract the code and make it expandable for new clients.

  • VEX Builders constructors
    Currently the builders are static classes, but they could be made to be their own classes. Cases like this:
        vb.setVEXIdentifier(sbom.getName());
        vb.setDocVersion("1.0");
        vb.setTimeFirstIssued(creationTime);
        vb.setTimeLastUpdated(creationTime);

can be solved with constructors.

  • VEX Builders Factories
    This may be too much, but we need a more expandable way to add new VEX standards. The current implementation is limiting:
switch (format.toLowerCase()) {
    case "cyclonedx" -> {
        vb.setOriginType(VEXType.CYCLONE_DX);
        vb.setSpecVersion("1.4");
    }
    case "csaf" -> {
        vb.setOriginType(VEXType.CSAF);
        vb.setSpecVersion("2.0");
    }
}
  • Optional Key method
    NVD and future databases may have a key option. All VEX generation statements should be able to handle key or no-key cases to prevent if-else trees:
if (client.equalsIgnoreCase("nvd") && apiKey != null)
    statements = vc.getVEXStatements((SBOMPackage) c, apiKey);
else
    statements = vc.getVEXStatements((SBOMPackage) c);

A better solution would be:

statements = vc.getVEXStatements((SBOMPackage) c, apiKey);

And let the client handle the key. As a note: the API key should NOT be a field in the client. We want to limit storing the key as much as possible, so the scope should be restricted to the method.

  • AddAll VEXStatements method
    Utility in builders to prevent looping through statements to add them one at a time:
if (!statements.isEmpty())
    for (VEXStatement vs : statements)
        vb.addVEXStatement(vs);
  • ~80% Code Coverage
@dlg1206 dlg1206 added the enhancement New feature or request label Oct 4, 2023
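The following is an added example sketching the shape the issue proposes (a registry-backed client factory, a builder with a constructor and an addAll method, and an API key that is only ever a method parameter). It is not code from the SBOM-in-a-Box repository; every type name, the VEXBuilder fields and the SBOMPackage/VEXStatement records are assumed stand-ins, and the "results" are constructed placeholders rather than real database lookups. It assumes Java 17 or later.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.function.Supplier;

// Hypothetical stand-ins for the project's own types (assumed names).
record SBOMPackage(String name, String version) {}
record VEXStatement(String vulnId, String status) {}

interface VulnerabilityDBClient {
    // One entry point for every client. Clients that need no key ignore it;
    // the key is only a parameter, never stored in a field.
    List<VEXStatement> getVEXStatements(SBOMPackage pkg, String apiKey);
}

final class OSVClient implements VulnerabilityDBClient {
    @Override
    public List<VEXStatement> getVEXStatements(SBOMPackage pkg, String apiKey) {
        // OSV has no key option, so apiKey is ignored. Constructed placeholder result.
        return List.of(new VEXStatement("OSV-EXAMPLE-" + pkg.name(), "not_affected"));
    }
}

final class NVDClient implements VulnerabilityDBClient {
    // Builds the request headers for one call. The key lives only in this frame.
    static Map<String, String> requestHeaders(String apiKey) {
        Map<String, String> headers = new HashMap<>();
        if (apiKey != null && !apiKey.isBlank()) {
            headers.put("apiKey", apiKey); // NVD 2.0 API expects the key in this header
        }
        return headers;
    }

    @Override
    public List<VEXStatement> getVEXStatements(SBOMPackage pkg, String apiKey) {
        Map<String, String> headers = requestHeaders(apiKey);
        // A real client would send headers with the request; placeholder result here.
        return List.of(new VEXStatement("CVE-EXAMPLE-" + pkg.name(),
                headers.isEmpty() ? "under_investigation" : "affected"));
    }
}

// Registry-backed factory: adding a client is one register() call, not a new switch case.
final class VulnerabilityDBClientFactory {
    private static final Map<String, Supplier<VulnerabilityDBClient>> REGISTRY = new HashMap<>();

    static {
        register("osv", OSVClient::new);
        register("nvd", NVDClient::new);
    }

    static void register(String name, Supplier<VulnerabilityDBClient> ctor) {
        REGISTRY.put(name.toLowerCase(Locale.ROOT), ctor);
    }

    static VulnerabilityDBClient createClient(String name) {
        Supplier<VulnerabilityDBClient> ctor = REGISTRY.get(name.toLowerCase(Locale.ROOT));
        if (ctor == null) {
            throw new IllegalArgumentException("Unknown vulnerability DB client: " + name);
        }
        return ctor.get();
    }
}

// Builder with the identifier/version/timestamps taken by constructor and an addAll helper.
final class VEXBuilder {
    private final String identifier;
    private final String docVersion;
    private final String timeFirstIssued;
    private final String timeLastUpdated;
    private final List<VEXStatement> statements = new ArrayList<>();

    VEXBuilder(String identifier, String docVersion, String creationTime) {
        this.identifier = identifier;
        this.docVersion = docVersion;
        this.timeFirstIssued = creationTime;
        this.timeLastUpdated = creationTime;
    }

    VEXBuilder addAllVEXStatements(Collection<VEXStatement> toAdd) {
        statements.addAll(toAdd); // empty collections are a no-op, no isEmpty() check needed
        return this;
    }

    List<VEXStatement> getStatements() {
        return Collections.unmodifiableList(statements);
    }
}

public class VexRefactorExample {
    public static void main(String[] args) {
        SBOMPackage pkg = new SBOMPackage("example-lib", "1.2.3"); // constructed input
        VEXBuilder vb = new VEXBuilder("example-sbom", "1.0", "2023-08-07T00:00:00Z");
        String nvdKey = System.getenv("NVD_API_KEY"); // may be null; every client accepts that
        vb.addAllVEXStatements(VulnerabilityDBClientFactory.createClient("osv").getVEXStatements(pkg, null));
        vb.addAllVEXStatements(VulnerabilityDBClientFactory.createClient("nvd").getVEXStatements(pkg, nvdKey));
        System.out.println(vb.getStatements());
    }
}
```

One caveat worth keeping when adopting the single-signature approach: pass a key only to the client it belongs to (null to the others), as the main method does, rather than forwarding one key to every client. That keeps the key's reach to the one request that needs it, which is the point of not storing it in the client.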