From 300222fa6100cf5342a84980279ce35c90016c11 Mon Sep 17 00:00:00 2001
From: Tamas Mak
Date: Fri, 12 Jul 2024 17:37:20 +0200
Subject: [PATCH] Add check for supported CVSS versions (#182)

---
 .../appsec/backend/AppSecDTOProvider.java     | 19 ++++++++++++------
 .../appsec/backend/AppSecDTOProviderTest.java | 20 +++++++++++++------
 2 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/appsec-kit-backend/src/main/java/com/vaadin/appsec/backend/AppSecDTOProvider.java b/appsec-kit-backend/src/main/java/com/vaadin/appsec/backend/AppSecDTOProvider.java
index b2fe451..159f989 100644
--- a/appsec-kit-backend/src/main/java/com/vaadin/appsec/backend/AppSecDTOProvider.java
+++ b/appsec-kit-backend/src/main/java/com/vaadin/appsec/backend/AppSecDTOProvider.java
@@ -351,6 +351,7 @@ private Double findScoreIfHigher(OpenSourceVulnerability vulnerability,
     private Double getHighestCvssScoreNumber(
             OpenSourceVulnerability vulnerability) {
         return vulnerability.getSeverity().stream()
+                .filter(severity -> isSupportedCvssType(severity.getType()))
                 .map(severity -> Cvss.fromVector(severity.getScore()))
                 .filter(Objects::nonNull)
                 .map(cvss -> cvss.calculateScore().getBaseScore())
@@ -367,12 +368,14 @@ private String getHighestCvssScoreString(
         String cvssString = "";
         double tempBaseScore = 0.0;
         for (Severity severity : vulnerability.getSeverity()) {
-            Cvss cvss = Cvss.fromVector(severity.getScore());
-            if (cvss != null) {
-                double baseScore = cvss.calculateScore().getBaseScore();
-                if (baseScore > tempBaseScore) {
-                    tempBaseScore = baseScore;
-                    cvssString = severity.getScore();
+            if (isSupportedCvssType(severity.getType())) {
+                Cvss cvss = Cvss.fromVector(severity.getScore());
+                if (cvss != null) {
+                    double baseScore = cvss.calculateScore().getBaseScore();
+                    if (baseScore > tempBaseScore) {
+                        tempBaseScore = baseScore;
+                        cvssString = severity.getScore();
+                    }
                 }
             }
         }
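Review bot: The added `.filter(severity -> isSupportedCvssType(severity.getType()))` in getHighestCvssScoreNumber drops every non-v2/v3 severity silently, so an advisory that carries only a CVSS v4 score — which OSV/GHSA data increasingly does — ends up with no score at all and can be ranked or displayed as if it were unrated, a fail-open for exactly the newest advisories. The filter is presumably there because `Cvss.fromVector` cannot parse `CVSS:4.0/` vectors, but that limitation should be visible rather than implicit: log at debug level when a severity is skipped and say why on the filter, e.g. `// CVSS v4 (and non-CVSS) severities are skipped: the Cvss parser only understands v2/v3 vectors, so v4-only advisories yield no score`. How a missing score is treated downstream (unknown vs. 0.0) is outside this hunk and worth confirming. The stream's terminal operation is also outside the hunk.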
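Review bot: In getHighestCvssScoreString, wrapping the whole loop body in `if (isSupportedCvssType(severity.getType())) { ... }` pushes the score comparison four levels deep; a guard clause keeps the body flat and mirrors the stream filter used in getHighestCvssScoreNumber: `if (!isSupportedCvssType(severity.getType())) { continue; }` followed by the original, un-indented body. The two methods now duplicate the type check, vector parse, null check and base-score extraction, so a private helper that returns the parsed base score for one Severity (e.g. as an `OptionalDouble`) would let both consume it and keep the supported-version rule in a single place. The initial `tempBaseScore = 0.0` means a vector whose base score is exactly 0.0 never becomes `cvssString`, which predates this change. The method's tail, where `cvssString` is compared with `highestScoreString`, is outside the hunk.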
@@ -381,6 +384,10 @@ private String getHighestCvssScoreString(
                 : highestScoreString;
     }
 
+    private boolean isSupportedCvssType(Severity.Type type) {
+        return type == Severity.Type.CVSS_V2 || type == Severity.Type.CVSS_V3;
+    }
+
     private Optional getPatchedVersion(Affected affected) {
         Optional semVer = getFixed(affected, Range.Type.SEMVER);
         if (semVer.isPresent()) {
diff --git a/appsec-kit-backend/src/test/java/com/vaadin/appsec/backend/AppSecDTOProviderTest.java b/appsec-kit-backend/src/test/java/com/vaadin/appsec/backend/AppSecDTOProviderTest.java
index c1d978d..2afdb5d 100644
--- a/appsec-kit-backend/src/test/java/com/vaadin/appsec/backend/AppSecDTOProviderTest.java
+++ b/appsec-kit-backend/src/test/java/com/vaadin/appsec/backend/AppSecDTOProviderTest.java
@@ -30,6 +30,7 @@
 import com.vaadin.appsec.backend.model.osv.response.Package;
 import com.vaadin.appsec.backend.model.osv.response.Range;
 import com.vaadin.appsec.backend.model.osv.response.Reference;
+import com.vaadin.appsec.backend.model.osv.response.Severity;
 
 import static org.mockito.ArgumentMatchers.anyList;
 import static org.mockito.Mockito.mock;
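Review bot: `isSupportedCvssType` gives no reason why CVSS_V4 — a type the test fixtures in this same commit construct — is excluded, so the next reader cannot tell whether that is a deliberate limitation of the vector parser or a gap to fill; a short Javadoc would settle it, e.g. `/** Returns whether this severity type carries a vector the Cvss parser can score. CVSS v4 and non-CVSS types are excluded (assumed unsupported by Cvss.fromVector) and contribute no score. */`, with the assumption confirmed against the parser before it is written as fact. The `==` comparison is null-safe, so a severity with a missing type is simply skipped — worth one more sentence in the same Javadoc. If the supported set is expected to grow, an `EnumSet` constant such as `private static final Set<Severity.Type> SUPPORTED_CVSS_TYPES = EnumSet.of(Severity.Type.CVSS_V2, Severity.Type.CVSS_V3);` reads better than a lengthening chain of `==`.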
@@ -158,15 +159,20 @@ private List createVulnerabilities()
             }
         });
 
+        Severity severity1 = new Severity(Severity.Type.CVSS_V3,
+                "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
+        Severity severity2 = new Severity(Severity.Type.CVSS_V4,
+                "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N");
+
         OpenSourceVulnerability vulnerability1 = createVulnerability(
                 "GHSA-mjmj-j48q-9wg2", "CVE-2022-1471", reference,
-                List.of(affected1));
+                List.of(affected1), List.of(severity1, severity2));
         OpenSourceVulnerability vulnerability2 = createVulnerability(
                 "GHSA-9j49-mfvp-vmhm", "CVE-2021-23406", reference,
-                List.of(affected2, affected3));
+                List.of(affected2, affected3), List.of());
         OpenSourceVulnerability vulnerability3 = createVulnerability(
                 "GHSA-9j49-mfvp-vmhm", "CVE-2021-23406", reference,
-                List.of(affected2, affected3));
+                List.of(affected2, affected3), List.of());
 
         return Arrays.asList(vulnerability1, vulnerability2, vulnerability3);
     }
@@ -194,21 +200,23 @@ private List createVulnerabilitiesWithUnsupportedEcosys
         OpenSourceVulnerability vulnerability1 = createVulnerability(
                 "GHSA-mjmj-j48q-9wg2", "CVE-2022-1471", reference,
-                List.of(affected1));
+                List.of(affected1), List.of());
         OpenSourceVulnerability vulnerability2 = createVulnerability(
                 "GHSA-9j49-mfvp-vmhm", "CVE-2021-23406", reference,
-                List.of(affected2));
+                List.of(affected2), List.of());
 
         return Arrays.asList(vulnerability1, vulnerability2);
     }
 
     private OpenSourceVulnerability createVulnerability(String id, String alias,
-            Reference reference, List affected) {
+            Reference reference, List affected,
+            List severity) {
         OpenSourceVulnerability vulnerability = new OpenSourceVulnerability();
 
         vulnerability.setId(id);
         vulnerability.setAliases(Collections.singletonList(alias));
         vulnerability.setReferences(Collections.singletonList(reference));
         vulnerability.setAffected(affected);
+        vulnerability.setSeverity(severity);
 
         return vulnerability;
     }
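Review bot: The new fixture gives vulnerability1 both a CVSS v3 and a CVSS v4 vector, but nothing in this hunk asserts what the provider derives from them — the assertions that consume createVulnerabilities() are outside the hunk — so the commit's actual claim, that the v4 entry is ignored, is only pinned if a test checks that vulnerability1's score string is the `CVSS:3.1/...` vector and its numeric score is the v3 base score (5.5 by the CVSS 3.1 formula for that vector), not anything derived from the v4 string. A second fixture carrying only a CVSS_V4 severity would document the other side of the change: such an advisory currently yields no score, and making that explicit in a test keeps a future parser upgrade from changing the behavior silently. vulnerability2 and vulnerability3 still share the same GHSA and CVE identifiers, which predates this change.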