Update OsvAdvisoryParser in order to take into account alias with ano…

…ther keyword "related" for RLSA and DLA
ellipse2v · Mar 2, 2024 · fb7d6f4 · fb7d6f4
1 parent 0726382
commit fb7d6f4
Show file tree

Hide file tree

Showing 3 changed files with 1,075 additions and 0 deletions.
diff --git a/src/main/java/org/dependencytrack/parser/osv/OsvAdvisoryParser.java b/src/main/java/org/dependencytrack/parser/osv/OsvAdvisoryParser.java
@@ -80,6 +80,14 @@ public OsvAdvisory parse(final JSONObject object) {
                 }
             }
 
+            // update for RLSA and DLA
+            final JSONArray related = object.optJSONArray("related");
+            if(related != null) {
+                for (int i=0; i<related.length(); i++) {
+                    advisory.addAlias(related.optString(i));
+                }
+            }
+
             final JSONObject databaseSpecific = object.optJSONObject("database_specific");
             if (databaseSpecific != null) {
                 advisory.setSeverity(databaseSpecific.optString("severity", null));

diff --git a/src/test/java/org/dependencytrack/tasks/OsvDownloadTaskTest.java b/src/test/java/org/dependencytrack/tasks/OsvDownloadTaskTest.java
@@ -177,6 +177,42 @@ public void testUpdateDatasourceWithAliasSyncDisabled() throws Exception {
         assertThat(aliases).isEmpty();
     }
 
+    @Test
+    public void testAliasWithRLSA() throws Exception {
+        // Enable alias synchronization
+        qm.createConfigProperty(
+                ConfigPropertyConstants.VULNERABILITY_SOURCE_GOOGLE_OSV_ALIAS_SYNC_ENABLED.getGroupName(),
+                ConfigPropertyConstants.VULNERABILITY_SOURCE_GOOGLE_OSV_ALIAS_SYNC_ENABLED.getPropertyName(),
+                "true",
+                ConfigPropertyConstants.VULNERABILITY_SOURCE_GOOGLE_OSV_ALIAS_SYNC_ENABLED.getPropertyType(),
+                null
+        );
+
+        prepareJsonObject("src/test/resources/unit/osv.jsons/osv-RLSA-20190981.json");
+        OsvAdvisory advisory = parser.parse(jsonObject);
+        Assert.assertNotNull(advisory);
+        Assert.assertEquals(41, advisory.getAffectedPackages().size());
+
+        // pass the mapped advisory to OSV task to update the database
+        final var task = new OsvDownloadTask();
+        task.updateDatasource(advisory);
+
+        Vulnerability vulnerability = qm.getVulnerabilityByVulnId("OSV", "RLSA-2019:0981", true);
+
+        final List<VulnerabilityAlias> aliases = qm.getVulnerabilityAliases(vulnerability);
+        assertThat(aliases).satisfiesExactly(
+                alias -> {
+                    assertThat(alias.getCveId()).isEqualTo("CVE-2019-7164");
+                },
+                alias -> {
+                    assertThat(alias.getCveId()).isEqualTo("CVE-2019-7548");
+                },
+                alias -> {
+                    assertThat(alias.getCveId()).isEqualTo("CVE-2019-9636");
+                }
+        );
+    }
+
     @Test
     public void testUpdateDatasourceVulnerableVersionRanges() {
         var vs1 = new VulnerableSoftware();