Adds link to security advisory to security probe and scoring display (#446)

Co-authored-by: aayushRedHat <aaayush@redhat.com>
Co-authored-by: Adrien Lecharpentier <alecharpentier@cloudbees.com>
3 people authored Apr 23, 2024
1 parent 1ec8f97 commit 386bb70
Showing 6 changed files with 232 additions and 168 deletions.
@@ -1,7 +1,7 @@
/*
* MIT License
*
* Copyright (c) 2023 Jenkins Infra
* Copyright (c) 2023-2024 Jenkins Infra
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
Expand All @@ -21,14 +21,8 @@
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/

package io.jenkins.pluginhealth.scoring.model.updatecenter;

import java.util.List;

public record SecurityWarning(
String id,
String name,
List<SecurityWarningVersion> versions
) {
}
public record SecurityWarning(String id, String name, String url, List<SecurityWarningVersion> versions) {}
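Review bot: The new `url` component carries no statement of where it comes from or whether it can be absent, and the record has no compact constructor, so a missing value in the update-center entry would flow to consumers as a bare `null`. Since this record is populated from external update-center data, I would add Javadoc such as `/** A security warning published by the update center; {@code url} is the link to the advisory — confirm whether the feed can omit it. */` above the declaration. If `versions` is handed out to callers, a compact constructor with `versions = List.copyOf(versions);` would also make the record genuinely immutable. Whether every update-center warning actually carries a url is not visible in this diff.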
@@ -1,7 +1,7 @@
/*
* MIT License
*
* Copyright (c) 2023 Jenkins Infra
* Copyright (c) 2023-2024 Jenkins Infra
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
Expand All @@ -21,7 +21,6 @@
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/

package io.jenkins.pluginhealth.scoring.probes;

import java.util.List;
Expand All @@ -46,21 +45,19 @@ public class KnownSecurityVulnerabilityProbe extends Probe {
protected ProbeResult doApply(Plugin plugin, ProbeContext context) {
final List<SecurityWarning> warnings = context.getUpdateCenter().warnings();
final String issues = warnings.stream()
.filter(w -> w.name().equals(plugin.getName()))
.filter(w -> w.versions().stream().anyMatch(securityWarningVersion -> {
if (securityWarningVersion.lastVersion() != null) {
return plugin.getVersion().isOlderThanOrEqualTo(securityWarningVersion.lastVersion());
}
final Pattern pattern = Pattern.compile(securityWarningVersion.pattern());
final Matcher matcher = pattern.matcher(plugin.getVersion().toString());
return matcher.find();
}))
.map(SecurityWarning::id)
.collect(Collectors.joining(", "));
.filter(w -> w.name().equals(plugin.getName()))
.filter(w -> w.versions().stream().anyMatch(securityWarningVersion -> {
if (securityWarningVersion.lastVersion() != null) {
return plugin.getVersion().isOlderThanOrEqualTo(securityWarningVersion.lastVersion());
}
final Pattern pattern = Pattern.compile(securityWarningVersion.pattern());
final Matcher matcher = pattern.matcher(plugin.getVersion().toString());
return matcher.find();
}))
.map(warning -> warning.id() + "|" + warning.url())
.collect(Collectors.joining(", "));

return !issues.isBlank() ?
this.success(issues) :
this.success("No known security vulnerabilities.");
return !issues.isBlank() ? this.success(issues) : this.success("No known security vulnerabilities.");
}

@Override
Expand All @@ -75,6 +72,6 @@ public String getDescription() {

@Override
public long getVersion() {
return 1;
return 2;
}
}
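Review bot: The `warning.id() + "|" + warning.url()` encoding on the new `.map(...)` line yields `id|null` when `url()` is null, and any id or url containing `,` or `|` corrupts the message for the consumer, because SecurityWarningScoring in this same commit reconstructs the list by splitting on `,` and then `|`. At minimum guard the null, `.map(warning -> warning.id() + "|" + Objects.requireNonNullElse(warning.url(), ""))` (needs `java.util.Objects`), and hoist the two separators into shared constants so producer and consumer cannot drift apart. A structured probe result instead of a delimited string would remove the re-parsing entirely, but that is a wider change than this commit. Whether the update-center JSON guarantees a url on every warning is not visible here.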
@@ -1,7 +1,7 @@
/*
* MIT License
*
* Copyright (c) 2023 Jenkins Infra
* Copyright (c) 2023-2024 Jenkins Infra
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
Expand All @@ -21,14 +21,15 @@
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/

package io.jenkins.pluginhealth.scoring.scores;

import java.util.Arrays;
import java.util.List;
import java.util.Map;

import io.jenkins.pluginhealth.scoring.model.Plugin;
import io.jenkins.pluginhealth.scoring.model.ProbeResult;
import io.jenkins.pluginhealth.scoring.model.Resolution;
import io.jenkins.pluginhealth.scoring.model.ScoringComponentResult;
import io.jenkins.pluginhealth.scoring.probes.KnownSecurityVulnerabilityProbe;

Expand All @@ -41,31 +42,39 @@ public class SecurityWarningScoring extends Scoring {

@Override
public List<ScoringComponent> getComponents() {
return List.of(
new ScoringComponent() {
@Override
public String getDescription() {
return "The plugin must not have on-going security advisory.";
}
return List.of(new ScoringComponent() {
@Override
public String getDescription() {
return "The plugin must not have on-going security advisory.";
}

@Override
public ScoringComponentResult getScore(Plugin $, Map<String, ProbeResult> probeResults) {
final ProbeResult probeResult = probeResults.get(KnownSecurityVulnerabilityProbe.KEY);
if (probeResult == null || ProbeResult.Status.ERROR.equals(probeResult.status())) {
return new ScoringComponentResult(-100, 100, List.of("Cannot determine if plugin has on-going security advisory."));
}
if ("No known security vulnerabilities.".equals(probeResult.message())) {
return new ScoringComponentResult(100, getWeight(), List.of("Plugin does not seem to have on-going security advisory."));
}
return new ScoringComponentResult(0, getWeight(), List.of("Plugin seem to have on-going security advisory.", probeResult.message()));
@Override
public ScoringComponentResult getScore(Plugin $, Map<String, ProbeResult> probeResults) {
final ProbeResult probeResult = probeResults.get(KnownSecurityVulnerabilityProbe.KEY);
if (probeResult == null || ProbeResult.Status.ERROR.equals(probeResult.status())) {
return new ScoringComponentResult(
-100, 100, List.of("Cannot determine if plugin has on-going security advisory."));
}

@Override
public int getWeight() {
return 1;
if ("No known security vulnerabilities.".equals(probeResult.message())) {
return new ScoringComponentResult(
100, getWeight(), List.of("Plugin does not seem to have on-going security advisory."));
}
final List<Resolution> resolutions = Arrays.stream(
probeResult.message().split(","))
.map(m -> {
final String[] parts = m.trim().split("\\|");
return new Resolution(parts[0], parts[1]);
})
.toList();
return new ScoringComponentResult(
0, getWeight(), List.of("Plugin seem to have on-going security advisory."), resolutions);
}

@Override
public int getWeight() {
return 1;
}
);
});
}

@Override
Expand All @@ -85,6 +94,6 @@ public String description() {

@Override
public int version() {
return 1;
return 2;
}
}
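Review bot: `parts[1]` inside the new `map` lambda throws ArrayIndexOutOfBoundsException for any element without a `|`, which is exactly what a probe result recorded by the previous probe version looks like (a plain comma-separated id list) and what an advisory url containing a comma produces after the outer `split(",")`. Parsing should tolerate that: `final String[] parts = m.trim().split("\\|", 2);` followed by `return new Resolution(parts[0], parts.length > 1 ? parts[1] : "");` (use whatever Resolution treats as "no link"; its contract is outside this hunk). Because the url originates in update-center data and lands in a Resolution that is presumably rendered as a link, checking that it is an http(s) URL before display would be prudent — I cannot see the rendering side, so treat that as a question rather than a finding. Whether stale version-1 probe results can reach this scorer depends on how the version bumps trigger re-evaluation, which this diff does not show.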