Merge pull request #145 from org-metaeffekt/AE-779-epss-kev-data-json…

…-conversion

 AE-779: Added EPSS and KEV to vulnerability JSON conversion

libraries/ae-inventory-processor/src/main/java/org/metaeffekt/core/inventory/processor/report/model/aeaa/AeaaEpssData.java

@@ -15,11 +15,13 @@
  */
 package org.metaeffekt.core.inventory.processor.report.model.aeaa;
 
+import lombok.EqualsAndHashCode;
 import lombok.NoArgsConstructor;
 import org.json.JSONObject;
 
 
 @NoArgsConstructor
+@EqualsAndHashCode
 public class AeaaEpssData {
 
     private String vulnerability;

libraries/ae-inventory-processor/src/main/java/org/metaeffekt/core/inventory/processor/report/model/aeaa/AeaaKevData.java

@@ -16,16 +16,17 @@
 
 package org.metaeffekt.core.inventory.processor.report.model.aeaa;
 
-import lombok.Getter;
-import lombok.Setter;
+import lombok.*;
 import org.apache.commons.lang3.StringUtils;
 import org.json.JSONObject;
 
 import java.util.Date;
 import java.util.Map;
 
-@Setter
 @Getter
+@Setter
+@AllArgsConstructor(access = AccessLevel.PRIVATE)
+@EqualsAndHashCode
 public class AeaaKevData {
     private String vulnerability;
     private String vendor;
@@ -83,7 +84,16 @@ public static AeaaKevData fromInputMap(Map<String, Object> map) {
         aeaaKevData.setExploitDate(AeaaTimeUtils.tryParse(map.get("exploitDate")));
         aeaaKevData.setDueDate(AeaaTimeUtils.tryParse(map.get("dueDate")));
         if (map.containsKey("knownRansomwareCampaignUse")) {
-            aeaaKevData.setRansomwareState(RansomwareState.valueOf((String) map.get("knownRansomwareCampaignUse")));
+            final Object knownRansomwareCampaignUse = map.get("knownRansomwareCampaignUse");
+            if (knownRansomwareCampaignUse instanceof Boolean) {
+                aeaaKevData.setRansomwareState((Boolean) knownRansomwareCampaignUse ? RansomwareState.KNOWN : RansomwareState.UNKNOWN);
+            } else if (knownRansomwareCampaignUse instanceof String) {
+                aeaaKevData.setRansomwareState(RansomwareState.valueOf((String) knownRansomwareCampaignUse));
+            } else if (knownRansomwareCampaignUse instanceof RansomwareState) {
+                aeaaKevData.setRansomwareState((RansomwareState) knownRansomwareCampaignUse);
+            } else {
+                throw new IllegalArgumentException("Unknown type for knownRansomwareCampaignUse: " + knownRansomwareCampaignUse.getClass() + " on " + map);
+            }
         }
         return aeaaKevData;
     }

libraries/ae-inventory-processor/src/main/java/org/metaeffekt/core/inventory/processor/report/model/aeaa/AeaaVulnerability.java

@@ -796,6 +796,14 @@ public void appendFromMap(Map<String, Object> input) {
         if (input.get("vulnerabilityStatus") != null) {
             this.setVulnerabilityStatus(AeaaVulnerabilityStatusConverter.fromJson(new JSONObject((Map<String, Object>) input.get("vulnerabilityStatus"))));
         }
+
+        if (input.get("kevData") != null) {
+            this.setKevData(AeaaKevData.fromJson(new JSONObject((Map<String, Object>) input.get("kevData"))));
+        }
+
+        if (input.get("epssData") != null) {
+            this.setEpssData(AeaaEpssData.fromJson(new JSONObject((Map<String, Object>) input.get("epssData"))));
+        }
     }
 
     @Override
@@ -817,6 +825,13 @@ public void appendToJson(JSONObject json) {
 
         json.put("tags", getTags());
         json.put("vulnerabilityStatus", getVulnerabilityStatus() != null ? getVulnerabilityStatus().toJson() : null);
+
+        if (this.kevData != null) {
+            json.put("kevData", this.kevData.toJson());
+        }
+        if (this.epssData != null) {
+            json.put("epssData", this.epssData.toJson());
+        }
     }
 
     private static boolean isNoInfoOtherCwe(String value) {

libraries/ae-inventory-processor/src/test/java/org/metaeffekt/core/inventory/processor/model/VulnerabilityMetaDataTest.java

@@ -15,5 +15,30 @@
  */
 package org.metaeffekt.core.inventory.processor.model;
 
+import org.json.JSONObject;
+import org.junit.Assert;
+import org.junit.Test;
+import org.metaeffekt.core.inventory.processor.report.model.aeaa.AeaaEpssData;
+import org.metaeffekt.core.inventory.processor.report.model.aeaa.AeaaKevData;
+import org.metaeffekt.core.inventory.processor.report.model.aeaa.AeaaVulnerability;
+import org.metaeffekt.core.inventory.processor.report.model.aeaa.store.AeaaVulnerabilityTypeStore;
+
 public class VulnerabilityMetaDataTest {
+
+    @Test
+    public void epssKevConversionTest() {
+        final AeaaVulnerability vulnerability = new AeaaVulnerability("CVE-2020-1234");
+        vulnerability.setSourceIdentifier(AeaaVulnerabilityTypeStore.CVE);
+
+        vulnerability.setEpssData(new AeaaEpssData("CVE-2020-1234", 0.5, 0.6));
+        vulnerability.setKevData(new AeaaKevData("CVE-2020-1234", AeaaKevData.RansomwareState.KNOWN));
+
+        final AeaaVulnerability fromJson = AeaaVulnerability.fromJson(new JSONObject(vulnerability.toJson().toString()));
+        Assert.assertEquals(vulnerability.getEpssData(), fromJson.getEpssData());
+        Assert.assertEquals(vulnerability.getKevData(), fromJson.getKevData());
+
+        final AeaaVulnerability fromAmb = AeaaVulnerability.fromVulnerabilityMetaData(vulnerability.toBaseModel());
+        Assert.assertEquals(vulnerability.getEpssData(), fromAmb.getEpssData());
+        Assert.assertEquals(vulnerability.getKevData(), fromAmb.getKevData());
+    }
 }