diff --git a/src/clj_watson/controller/github/vulnerability.clj b/src/clj_watson/controller/github/vulnerability.clj
index 8fbfe35..21bd6d9 100644
--- a/src/clj_watson/controller/github/vulnerability.clj
+++ b/src/clj_watson/controller/github/vulnerability.clj
@@ -22,7 +22,7 @@
 all-dependency-vulnerabilities (diplomat.gh.advisory/vulnerabilities-by-package dependency-name-for-github)
 reported-vulnerabilities (filterv (partial logic.gh.vulnerability/is-version-vulnerable? dependency-info) all-dependency-vulnerabilities)
 ; not sure how to use it here and avoid always recommend the latest version (logic.gh.vulnerability/version-not-vulnerable all-dependency-vulnerabilities)
- filtered-vulnerabilities (remove (partial logic.rules.allowlist/by-pass? allow-list (time/today)) reported-vulnerabilities)
+ filtered-vulnerabilities (remove (partial logic.rules.allowlist/by-pass? allow-list (time/now)) reported-vulnerabilities)
 latest-secure-version (latest-dependency-version dependency all-dependency-vulnerabilities repositories)]
 (if (seq filtered-vulnerabilities)
 (assoc dependency-info :vulnerabilities filtered-vulnerabilities :secure-version latest-secure-version)
@@ -38,6 +38,6 @@
 (def repositories {:mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"} "clojars" {:url "https://repo.clojars.org/"}}})
- (scan-dependencies [{:dependency 'org.jdom/jdom2 :mvn/version "2.0.6"}] repositories {})
+ (scan-dependencies [{:dependency 'org.apache.commons/commons-compress :mvn/version "1.21"}] repositories {})
 (scan-dependencies [{:dependency 'org.postgresql/postgresql :mvn/version "42.2.10"}] repositories {}))
diff --git a/src/clj_watson/diplomat/github/advisory.clj b/src/clj_watson/diplomat/github/advisory.clj
index e482a18..b25a31f 100644
--- a/src/clj_watson/diplomat/github/advisory.clj
+++ b/src/clj_watson/diplomat/github/advisory.clj
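Review bot: The switch from `(time/today)` to `(time/now)` on the `filtered-vulnerabilities` binding changes `as-of` from a local date to a UTC `DateTime`, and `logic.rules.allowlist/by-pass?` compares it with `time/after?`, which is strict, so an allow-list entry whose expiry equals the scan date stops bypassing at 00:00 UTC of that day rather than at the end of it. That is the conservative direction for an allow-list, but nothing at the call site says so; suggest `; as-of is the UTC instant of the scan: an allow-list entry bypasses only while its expiry is strictly after it` above the binding. The code that parses allow-list expiry values is not in this diff; the deleted tests built them with `time/local-date`, and if the parser still does, `time/after?` would likely be comparing a `LocalDate` against a `DateTime` and fail, so confirm it now produces `date-time` values as the new tests do. The enclosing `let` and its defn begin before this hunk.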
@@ -25,6 +25,3 @@
 (throw (Exception. "environment GITHUB_TOKEN variable not set."))))
 
 (def vulnerabilities-by-package (memoize vulnerabilities-by-package*))
-
-(comment
- (vulnerabilities-by-package 'org.postgresql/postgresql))
\ No newline at end of file
diff --git a/src/clj_watson/logic/rules/allowlist.clj b/src/clj_watson/logic/rules/allowlist.clj
index 5bddc6d..15aacaf 100644
--- a/src/clj_watson/logic/rules/allowlist.clj
+++ b/src/clj_watson/logic/rules/allowlist.clj
@@ -2,21 +2,17 @@
 (:require [clj-time.core :as time]))
-(defn match-cve?
+(defn not-expired-bypass?
 ([allowed-cves as-of]
- (partial match-cve? allowed-cves as-of))
- ([allowed-cves
- as-of
- {identifier :value}]
- (when-let [expire-date (allowed-cves identifier)]
+ (partial not-expired-bypass? allowed-cves as-of))
+ ([allowed-cves as-of {identifier :value}]
+ (when-let [expire-date (get allowed-cves identifier)]
 (time/after? expire-date as-of))))
 (defn by-pass? [allowed-cves as-of vulnerability]
- (let [allowed? (comp seq (partial filter (match-cve? allowed-cves as-of)) :identifiers :advisory)]
- (->> vulnerability
- :vulnerabilities
- (remove allowed?)
- empty?)))
+ (let [identifiers (-> vulnerability :advisory :identifiers)
+ by-passable-cves (filter (not-expired-bypass? allowed-cves as-of) identifiers)]
+ (boolean (seq by-passable-cves))))
diff --git a/test/clj_watson/unit/logic/allowlist_test.clj b/test/clj_watson/unit/logic/allowlist_test.clj
deleted file mode 100644
index 3a52d58..0000000
--- a/test/clj_watson/unit/logic/allowlist_test.clj
+++ /dev/null
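Review bot: `by-pass?` now takes a single vulnerability map and returns true as soon as any identifier under `:advisory :identifiers` has an unexpired allow-list entry, whereas the removed version took the whole dependency report and required every vulnerability to be covered; neither the new `by-pass?` nor `not-expired-bypass?` carries a docstring, so the changed argument shape and the any-identifier rule are invisible to any caller other than the one updated in vulnerability.clj. Suggest a docstring on `by-pass?` such as `"True when any advisory identifier (GHSA or CVE) of this single vulnerability has an allow-list expiry strictly after as-of."`, and one on `not-expired-bypass?` stating that it returns nil for an identifier absent from the allow-list, false for an expired entry and true otherwise, and that the two-argument arity returns a predicate. The strictness matters for the allow-list semantics: because `time/after?` is strict, an entry whose expiry equals `as-of` no longer bypasses, which is the boundary a maintainer setting an expiry "until" a date will hit. The hunk's trailing context is collapsed in this rendering, so the end of `by-pass?` may not be fully visible here.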
@@ -1,63 +0,0 @@
-(ns clj-watson.unit.logic.allowlist-test
- (:require
- [clj-time.core :as time]
- [clj-watson.logic.rules.allowlist :as logic.rules.allowlist]
- [clojure.test :refer :all]))
-
-(deftest by-pass?
- (let [expired-date (time/local-date 2020 2 1)
- as-of (time/local-date 2022 7 12)
- valid-date (time/local-date 2022 7 14)]
- (testing "matching CVEs"
- (is (= true (logic.rules.allowlist/by-pass? {"CVE-2022-2047" valid-date}
- as-of
- {:vulnerabilities
- [{:advisory
- {:identifiers
- [{:value "GHSA-cj7v-27pg-wf7q"}
- {:value "CVE-2022-2047"}]}}]})))
- (is (= false (logic.rules.allowlist/by-pass? {"CVE-2022-2042" valid-date}
- as-of
- {:vulnerabilities
- [{:advisory
- {:identifiers
- [{:value "GHSA-cj7v-27pg-wf7q"}
- {:value "CVE-DO-NOT-BYPASS"}]}}]}))))
- (testing "Multiple vulnerabilities on a single report"
- (testing "all CVEs must be allowed"
- (is (= true (logic.rules.allowlist/by-pass? {"CVE-2022-2047" valid-date
- "CVE-1234-56789" valid-date}
- as-of
- {:vulnerabilities
- [{:advisory
- {:identifiers
- [{:value "CVE-1234-56789"}]}}
- {:advisory
- {:identifiers
- [{:value "GHSA-cj7v-27pg-wf7q"}
- {:value "CVE-2022-2047"}]}}]})))
- (is (= false (logic.rules.allowlist/by-pass? {"CVE-2022-2047" valid-date}
- as-of
- {:vulnerabilities
- [{:advisory
- {:identifiers
- [{:value "CVE-1234-56789"}]}}
- {:advisory
- {:identifiers
- [{:value "GHSA-cj7v-27pg-wf7q"}
- {:value "CVE-2022-2047"}]}}]})))))
- (testing "expired allowlist"
- (is (= false (logic.rules.allowlist/by-pass? {"CVE-2022-2047" expired-date}
- as-of
- {:vulnerabilities
- [{:advisory
- {:identifiers
- [{:value "GHSA-cj7v-27pg-wf7q"}
- {:value "CVE-2022-2047"}]}}]})))
- (is (= false (logic.rules.allowlist/by-pass? {"CVE-2022-2042" expired-date}
- as-of
- {:vulnerabilities
- [{:advisory
- {:identifiers
- [{:value "GHSA-cj7v-27pg-wf7q"}
- {:value "CVE-DO-NOT-BYPASS"}]}}]}))))))
diff --git a/test/clj_watson/unit/logic/rules/allowlist_test.clj b/test/clj_watson/unit/logic/rules/allowlist_test.clj
new file mode 100644
index 0000000..0f4de27
--- /dev/null
+++ b/test/clj_watson/unit/logic/rules/allowlist_test.clj
@@ -0,0 +1,74 @@
+(ns clj-watson.unit.logic.rules.allowlist-test
+ (:require
+ [clj-time.core :as time]
+ [clj-watson.logic.rules.allowlist :as logic.rules.allowlist]
+ [clojure.test :refer :all]))
+
+(def expired-as-of (time/date-time 2023 3 3))
+(def as-of (time/date-time 2024 4 4))
+(def valid-as-of (time/date-time 2025 5 5))
+
+(deftest empty-bypass?
+ (is (nil?
+ (logic.rules.allowlist/not-expired-bypass?
+ {}
+ as-of
+ {:value "GHSA-4265-ccf5-phj5"}))))
+
+(deftest not-expired-bypass?
+ (is (true?
+ (logic.rules.allowlist/not-expired-bypass?
+ {"GHSA-4265-ccf5-phj5" valid-as-of}
+ as-of
+ {:value "GHSA-4265-ccf5-phj5"})))
+ (is (false?
+ (logic.rules.allowlist/not-expired-bypass?
+ {"GHSA-4265-ccf5-phj5" expired-as-of}
+ as-of
+ {:value "GHSA-4265-ccf5-phj5"}))))
+
+(deftest by-pass?
+ (is (false? (logic.rules.allowlist/by-pass? {} as-of {:vulnerableVersionRange ">= 1.21, < 1.26.0",
+ :advisory {:description "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
+
+ Users are recommended to upgrade to version 1.26, which fixes the issue.
+
+ ",
+ :summary "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file",
+ :severity "HIGH",
+ :cvss {:score 7.5},
+ :identifiers [{:value "GHSA-4265-ccf5-phj5"} {:value "CVE-2024-26308"}]},
+ :firstPatchedVersion {:identifier "1.26.0"}})))
+ (is (false? (logic.rules.allowlist/by-pass? {"GHSA-4265-ccf5-phj5" expired-as-of} as-of {:vulnerableVersionRange ">= 1.21, < 1.26.0",
+ :advisory {:description "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
+
+ Users are recommended to upgrade to version 1.26, which fixes the issue.
+
+ ", :summary "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file",
+ :severity "HIGH",
+ :cvss {:score 7.5},
+ :identifiers [{:value "GHSA-4265-ccf5-phj5"} {:value "CVE-2024-26308"}]},
+ :firstPatchedVersion {:identifier "1.26.0"}})))
+ (is (true? (logic.rules.allowlist/by-pass? {"GHSA-4265-ccf5-phj5" valid-as-of} as-of {:vulnerableVersionRange ">= 1.21, < 1.26.0",
+ :advisory {:description "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
+
+ Users are recommended to upgrade to version 1.26, which fixes the issue.
+
+ ",
+ :summary "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file",
+ :severity "HIGH",
+ :cvss {:score 7.5},
+ :identifiers [{:value "GHSA-4265-ccf5-phj5"}]},
+ :firstPatchedVersion {:identifier "1.26.0"}})))
+ (is (true? (logic.rules.allowlist/by-pass? {"GHSA-4265-ccf5-phj5" valid-as-of} as-of {:vulnerableVersionRange ">= 1.21, < 1.26.0",
+ :advisory {:description "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
+
+ Users are recommended to upgrade to version 1.26, which fixes the issue.
+
+ ",
+ :summary "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file",
+ :severity "HIGH",
+ :cvss {:score 7.5},
+ :identifiers [{:value "GHSA-4265-ccf5-phj5"} {:value "CVE-2024-26308"}]},
+ :firstPatchedVersion {:identifier "1.26.0"}}))))
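Review bot: None of the cases in `not-expired-bypass?` or `by-pass?` pins the boundary where the allow-list expiry equals `as-of`; `time/after?` is strict, so such an entry is already expired, and that is the case most likely to surprise someone who sets an expiry "until today". Add `(is (false? (logic.rules.allowlist/not-expired-bypass? {"GHSA-4265-ccf5-phj5" as-of} as-of {:value "GHSA-4265-ccf5-phj5"})))` to the `not-expired-bypass?` deftest. The four `by-pass?` cases each inline the same eleven-line advisory map; hoisting it into a `def` (say `commons-compress-advisory`) and deriving variants with `assoc-in` would make the third case, which differs from the fourth only by its `:identifiers` list, readable at a glance. There is also no case where only the CVE id rather than the GHSA id is allow-listed, which would show that either identifier suffices for a bypass.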