Skip to content

feat: bom.vulnerabilities JSON normalization #548

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
May 9, 2023
Merged

feat: bom.vulnerabilities JSON normalization #548

merged 20 commits into from
May 9, 2023

Conversation

xmasoracle
Copy link
Contributor

@xmasoracle xmasoracle commented Mar 16, 2023
edited
Loading

Introduce normalization of vulnerabilities for JSON for CDX>=1.4 .
This is part of #164 .

⚠️ Note that:
* It only adds support for a subset of properties of Models.Vulnerability.
* I made some Models.Vulnerability.* comparable, to be able to copy the implementation of normalizeIterable, but I am not really confident in what I did, and was unsure how to test it.

@xmasoracle xmasoracle requested a review from a team as a code owner March 16, 2023 11:01
jkowalleck
jkowalleck requested changes Mar 16, 2023
View reviewed changes
Copy link
Member

@jkowalleck jkowalleck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

quick review.
marked with ❌ are wrong and need to be fixed.

@jkowalleck
Copy link
Member

jkowalleck commented Mar 16, 2023
edited
Loading

Thank you for your work, @xmasoracle .

Your implementation appears promising, please continue.
Your test method is sufficient, just some cases are missing.

Please be informed: I will not merge this into master, unless

  • all properties are normalized as expected
  • normalization for XML and JSON is in place

I'll set this PR to "draft" until it is finished.

jkowalleck
jkowalleck reviewed Mar 16, 2023
View reviewed changes
@jkowalleck jkowalleck changed the title feat: bom.vulnerabilities JSON normalization/serialization (#164) feat: bom.vulnerabilities JSON normalization Mar 16, 2023
@jkowalleck jkowalleck marked this pull request as draft March 16, 2023 17:44
@jkowalleck jkowalleck changed the title feat: bom.vulnerabilities JSON normalization [WIP] feat: bom.vulnerabilities JSON normalization Mar 16, 2023
@jkowalleck
Copy link
Member

@xmasoracle,
could you sign-off you commits? Read more here: https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md#sign-off-your-commits
You can sign-off previous commits as described here: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/548/checks?check_run_id=12055103222

@jkowalleck
Copy link
Member

implementation detail: as new rendering for BomRefs is added, they need to be discriminated.
add them to the existing collector:

cyclonedx-javascript-library/src/serialize/baseSerializer.ts

Lines 25 to 41 in b2abc1b

#getAllBomRefs (bom: Bom): Iterable<BomRef> {
const bomRefs = new Set<BomRef>()
function iterComponents (cs: Iterable<Component>): void {
for (const { bomRef, components } of cs) {
bomRefs.add(bomRef)
iterComponents(components)
}
}
if (bom.metadata.component !== undefined) {
bomRefs.add(bom.metadata.component.bomRef)
iterComponents(bom.metadata.component.components)
}
iterComponents(bom.components)
return bomRefs.values()
}

@xmasoracle xmasoracle force-pushed the feat/vulnerabilities_json branch from 04b963d to 3b491b7 Compare March 20, 2023 09:22
xmasoracle added 12 commits March 20, 2023 10:28
@xmasoracle
feat: bom.vulnerabilities JSON normalization/serialization (Cyclone…
7ffdd82 
…DX#164)

Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Address straightforward PR comments
a7a231c 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Address comments on time-based properties
d8ba1f1 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Add bom-ref to serialized vulnerability
999270a 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Correct references of serialized vulnerability
dbb4a7a 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Add ratings to serialized vulnerability
f93b2e4 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Add cwes to serialized vulnerability
4650c24 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Add advisories to serialized vulnerability
39eb58f 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Add credits to serialized vulnerability
893fdff 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Add tools to serialized vulnerability
acae6a9 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Add analysis to serialized vulnerability
bdd43fc 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle
Add properties to serialized vulnerability
6c0104a 
Signed-off-by: Xavier Maso <[email protected]>
@xmasoracle xmasoracle force-pushed the feat/vulnerabilities_json branch from 3b491b7 to ab6809f Compare March 20, 2023 09:31
@xmasoracle xmasoracle force-pushed the feat/vulnerabilities_json branch from 8a7f9cc to fad9573 Compare March 20, 2023 13:47
@xmasoracle xmasoracle force-pushed the feat/vulnerabilities_json branch from fad9573 to 3ca1aed Compare March 20, 2023 15:35
@xmasoracle
Copy link
Contributor Author

Hi @jkowalleck, I will not have time to work on the XML serialization part.
Could this be merged? I'm afraid it will linger here for months, and drift away from the main branch...

@jkowalleck
Copy link
Member

jkowalleck commented Apr 4, 2023
edited
Loading

nope, will not be merged any soon.

It contains breaking changes, and I do not want to release a set of breaking changes that is not complete.
Leave it open, and I might consider it for the next major release, if it was complete until then.
Time is not an issue.

PS: this is open source. Others might take it from here and complete the missing part.
Or even try it out and improve it in other ways.

@jkowalleck
Copy link
Member

FYI: i will be working on #620 soon.

@jkowalleck
Copy link
Member

jkowalleck commented Apr 23, 2023
edited
Loading

BOM validators are now in place.
and they are part of existing integration tests. see #652

@jkowalleck
Copy link
Member

jkowalleck commented Apr 26, 2023
edited
Loading

JSON validation is now part of this library and all its test suites.

@xmasoracle please rebase your feature on latest main normalize-vulnerability branch and run the tests, to see if your feature passes the JSON schema. Your efforts are appreciated.

@jkowalleck jkowalleck mentioned this pull request May 8, 2023
Closed
12 tasks
@jkowalleck jkowalleck changed the base branch from main to normalize-vulnerability May 8, 2023 10:11
@jkowalleck
Copy link
Member

adjusted PR target branch to be (normalize-vulnerability)[https://github.com/CycloneDX/cyclonedx-javascript-library/tree/normalize-vulnerability]

reason: multiple smaller PRs will come together to solve #164
see #722

@jkowalleck
Copy link
Member

jkowalleck commented May 9, 2023
edited
Loading

re: #issuecomment-1495568466
FYI: i will work on the XML serialization soon.

@jkowalleck jkowalleck marked this pull request as ready for review May 9, 2023 10:26
@jkowalleck jkowalleck self-requested a review May 9, 2023 10:26
@jkowalleck jkowalleck changed the title [WIP] feat: bom.vulnerabilities JSON normalization feat: bom.vulnerabilities JSON normalization May 9, 2023
@jkowalleck jkowalleck merged commit 37e88ad into CycloneDX:normalize-vulnerability May 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkowalleck jkowalleck jkowalleck requested changes

Assignees
No one assigned
Labels
breaking change
Projects
None yet
Milestone
Vulnerabilities - models, normalize, ...
Development

Successfully merging this pull request may close these issues.
2 participants
@xmasoracle @jkowalleck