fix: reviewing code and fixing EPSS Data attribute naming issue

org-metaeffekt · Oct 1, 2024 · b5f29d9 · b5f29d9
1 parent 5293dc8
commit b5f29d9
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 47 deletions.
diff --git a/...va/org/metaeffekt/core/inventory/processor/report/adapter/VulnerabilityReportAdapter.java b/...va/org/metaeffekt/core/inventory/processor/report/adapter/VulnerabilityReportAdapter.java
@@ -123,12 +123,23 @@ public List<AeaaVulnerability> getEffectiveVulnerabilitiesForDetails() {
                 .collect(Collectors.toList());
     }
 
+    // FIXME-KKL: check whether the current condition is sufficient
     public boolean shouldVulnerabilityBeDisplayedInDetails(AeaaVulnerability vulnerability) {
-        if (!vulnerability.getOrCreateNewVulnerabilityStatus().getStatusHistory().isEmpty()) {
+
+        // check whether there are security advisories
+        // DISCUSS: this should also affect the priority
+        if (!vulnerability.getSecurityAdvisories().isEmpty()) {
             return true;
-        } else if (!vulnerability.getSecurityAdvisories().isEmpty()) {
+        }
+
+        // check whether we have a status change
+        final Optional<AeaaVulnerabilityStatus> vulnerabilityStatus = vulnerability.optVulnerabilityStatus();
+        if (vulnerabilityStatus.isPresent() && !vulnerabilityStatus.get().getStatusHistory().isEmpty()) {
             return true;
         }
+
+        // TODO: check whether priority is equal or beyond either elevated, due or escalate; what is expected?
+
         return false;
     }
 
@@ -379,32 +390,6 @@ public List<String> getVulnerabilityStatusLabels(AeaaVulnerability vulnerability
 
         final List<String> labels = new ArrayList<>();
 
-        /* the mapped status shoud not be used here; discuss
-        if (mappedStatus.equalsIgnoreCase(VulnerabilityMetaData.STATUS_VALUE_IN_REVIEW)) {
-            labels.add("In Review");
-        } else if (mappedStatus.equalsIgnoreCase(VulnerabilityMetaData.STATUS_VALUE_APPLICABLE)) {
-            labels.add("Applicable");
-        } else if (mappedStatus.equalsIgnoreCase(VulnerabilityMetaData.STATUS_VALUE_NOTAPPLICABLE)) {
-            labels.add("Not Applicable");
-        } else if (mappedStatus.equalsIgnoreCase(VulnerabilityMetaData.STATUS_VALUE_INSIGNIFICANT)) {
-            labels.add("Insignificant");
-        } else if (mappedStatus.equalsIgnoreCase(VulnerabilityMetaData.STATUS_VALUE_VOID) || mappedStatus.equalsIgnoreCase("unset")) { // when would the value be "unset"?
-            labels.add("Void Vulnerability");
-        } else if (mappedStatus.equalsIgnoreCase("potentially affected")) {
-            labels.add("Potentially Affected");
-        } else if (mappedStatus.equalsIgnoreCase("affected")) {
-            // labels.add("Affected");
-            labels.add("Applicable");
-        } else if (mappedStatus.equalsIgnoreCase("not affected")) {
-            // labels.add("Not Affected");
-            labels.add("Not Applicable");
-        } else {
-            // fallback in case
-            labels.add("In Review");
-        }
-
-        if (!mappedStatus.equalsIgnoreCase(baseStatus)) {
-        */
         if (baseStatus.equalsIgnoreCase(VulnerabilityMetaData.STATUS_VALUE_IN_REVIEW)) {
             labels.add("In Review");
         } else if (baseStatus.equalsIgnoreCase(VulnerabilityMetaData.STATUS_VALUE_APPLICABLE)) {
@@ -418,9 +403,6 @@ public List<String> getVulnerabilityStatusLabels(AeaaVulnerability vulnerability
         } else {
             labels.add("In Review");
         }
-        /*
-        }
-        */
 
         // priority score
         final AeaaVulnerabilityPriorityCalculator.AeaaPriorityScoreResult priorityScore = vulnerability.calculatePriorityScore(this.securityPolicy);

diff --git a/...ekt/core/inventory/processor/report/configuration/CentralSecurityPolicyConfiguration.java b/...ekt/core/inventory/processor/report/configuration/CentralSecurityPolicyConfiguration.java
@@ -121,6 +121,7 @@ public class CentralSecurityPolicyConfiguration extends ProcessConfiguration {
      * Default: <code>7.0</code>
      */
     private double insignificantThreshold = 7.0;
+
     /**
      * includeScoreThreshold<br>
      * <code>double</code><p>
@@ -878,8 +879,11 @@ public VulnerabilityStatusMapper withName(String name) {
 
     public final static VulnerabilityStatusMapper VULNERABILITY_STATUS_DISPLAY_MAPPER_UNMODIFIED = new VulnerabilityStatusMapper(
             "unmodified",
-            Arrays.asList(VulnerabilityMetaData.STATUS_VALUE_APPLICABLE, VulnerabilityMetaData.STATUS_VALUE_IN_REVIEW, VulnerabilityMetaData.STATUS_VALUE_NOTAPPLICABLE, VulnerabilityMetaData.STATUS_VALUE_INSIGNIFICANT, VulnerabilityMetaData.STATUS_VALUE_VOID),
-            Arrays.asList(VulnerabilityMetaData.STATUS_VALUE_APPLICABLE, VulnerabilityMetaData.STATUS_VALUE_NOTAPPLICABLE, VulnerabilityMetaData.STATUS_VALUE_VOID),
+            Arrays.asList(VulnerabilityMetaData.STATUS_VALUE_APPLICABLE, VulnerabilityMetaData.STATUS_VALUE_IN_REVIEW,
+                    VulnerabilityMetaData.STATUS_VALUE_NOTAPPLICABLE, VulnerabilityMetaData.STATUS_VALUE_INSIGNIFICANT,
+                    VulnerabilityMetaData.STATUS_VALUE_VOID),
+            Arrays.asList(VulnerabilityMetaData.STATUS_VALUE_APPLICABLE, VulnerabilityMetaData.STATUS_VALUE_NOTAPPLICABLE,
+                    VulnerabilityMetaData.STATUS_VALUE_VOID),
             name -> {
                 if (StringUtils.isEmpty(name)) {
                     return VulnerabilityMetaData.STATUS_VALUE_IN_REVIEW;

diff --git a/...ava/org/metaeffekt/core/inventory/processor/report/model/aeaa/AeaaInventoryAttribute.java b/...ava/org/metaeffekt/core/inventory/processor/report/model/aeaa/AeaaInventoryAttribute.java
@@ -65,7 +65,7 @@ public enum AeaaInventoryAttribute implements AbstractModelBase.Attribute {
     INAPPLICABLE_CVE("Inapplicable CVE"),
     ADDON_CVES("Addon CVEs"),
     KEV_DATA("KEV Data"),
-    EPSS_DATA("Epss Data"),
+    EPSS_DATA("EPSS Data"),
     KEYWORDS("Matched Keyword Sets"),
     KEYWORDS_SCORE("Matched Keyword Total Score"),
     /**

diff --git a/...core/inventory/processor/report/model/aeaa/score/AeaaVulnerabilityPriorityCalculator.java b/...core/inventory/processor/report/model/aeaa/score/AeaaVulnerabilityPriorityCalculator.java
@@ -188,8 +188,7 @@ public JSONObject toJson() {
                     .put("epssReasoning", this.epssReasoning)
                     .put("kevReasoning", this.kevReasoning)
                     .put("keywordReasoning", this.keywordReasoning)
-                    .put("vulnerabilityStatusReasoning", this.vulnerabilityStatusReasoning)
-                    ;
+                    .put("vulnerabilityStatusReasoning", this.vulnerabilityStatusReasoning);
         }
 
         public List<String> toPrintTable() {

diff --git a/.../processor/report/model/aeaa/vulnerabilitystatus/AeaaVulnerabilityStatusHistoryEntry.java b/.../processor/report/model/aeaa/vulnerabilitystatus/AeaaVulnerabilityStatusHistoryEntry.java
@@ -476,7 +476,8 @@ public static List<AeaaVulnerabilityStatusHistoryEntry> parseEntries(JSONArray j
         }
     }
 
-    public static List<AeaaVulnerabilityStatusHistoryEntry> reorderChronologically(AeaaVulnerabilityStatus status, AeaaVulnerability vulnerability, boolean isInsignificant, double insignificantThreshold) {
+    public static List<AeaaVulnerabilityStatusHistoryEntry> reorderChronologically(
+            AeaaVulnerabilityStatus status, AeaaVulnerability vulnerability, boolean isInsignificant, double insignificantThreshold) {
         if (vulnerability == null || status == null) return Collections.emptyList();
 
         final List<AeaaVulnerabilityStatusHistoryEntry> statusHistory = new ArrayList<>(status.getStatusHistory());
@@ -487,6 +488,7 @@ public static List<AeaaVulnerabilityStatusHistoryEntry> reorderChronologically(A
         if (hasNoStatus && isInsignificant) {
             final AeaaVulnerabilityStatusHistoryEntry insignificantEntry = AeaaVulnerabilityStatusHistoryEntry.INSIGNIFICANT.clone();
             if (insignificantEntry.getRationale() != null) {
+                // FIXME-YWI: Locale.GERMANY? Why it this used here?
                 insignificantEntry.setRationale(String.format(Locale.GERMANY, insignificantEntry.getRationale(), insignificantThreshold));
             }
             statusHistory.add(0, insignificantEntry);

diff --git a/...F/templates/en/inventory-report-vulnerability/tpc_inventory-vulnerability-details.dita.vt b/...F/templates/en/inventory-report-vulnerability/tpc_inventory-vulnerability-details.dita.vt
@@ -166,16 +166,6 @@
 
 #vulnerabilityStatusDetails($vulnerability)
 
-## FIXME: DISABLED; causes undetermined issues
-###if ($utils.notEmpty($vulnerability.get("Matched Keyword Sets")))
-##                <section>
-##                    <title>Matched Keywords</title>
-##                    <body>
-##                        #keywordSetList("${vulnerabilityName}_matched_keyword_sets", "$vulnerabilityName Keywords", $vulnerability)
-##                    </body>
-##                </section>
-###end
-
             </body>
         </topic>