Merge pull request #1305 from DependencyTrack/port-withdrawn-check-fo…

…r-github-advisory Port: withdrawn check for github advisory
DependencyTrack · Jun 6, 2024 · 8d9e628 · 8d9e628
2 parents 4b62b4a + 1eb1ce8
commit 8d9e628
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 2 deletions.
diff --git a/...-service/src/main/java/org/dependencytrack/vulnmirror/datasource/github/GitHubMirror.java b/...-service/src/main/java/org/dependencytrack/vulnmirror/datasource/github/GitHubMirror.java
@@ -106,8 +106,10 @@ void mirrorInternal() throws Exception {
         try (final GitHubSecurityAdvisoryClient apiClient = apiClientFactory.create(lastModified)) {
             while (apiClient.hasNext()) {
                 for (final SecurityAdvisory advisory : apiClient.next()) {
-                    Bom bov = GitHubAdvisoryToCdxParser.parse(advisory, this.config.aliasSyncEnabled().orElse(false));
-                    publishIfChanged(bov);
+                    if (advisory.getWithdrawnAt() == null) {
+                        Bom bov = GitHubAdvisoryToCdxParser.parse(advisory, this.config.aliasSyncEnabled().orElse(false));
+                        publishIfChanged(bov);
+                    }
                 }
             }
 

diff --git a/...vice/src/test/java/org/dependencytrack/vulnmirror/datasource/github/GitHubMirrorTest.java b/...vice/src/test/java/org/dependencytrack/vulnmirror/datasource/github/GitHubMirrorTest.java
@@ -277,4 +277,27 @@ void testMirrorInternal() throws Exception {
         verify(apiClientFactoryMock).create(eq(1679922240L));
     }
 
+    @Test
+    void testMirrorWithdrawnAdvisory() throws Exception {
+        final var advisory = objectMapper.readValue(resourceToByteArray("/datasource/github/advisory-withdrawn.json"), SecurityAdvisory.class);
+        final var apiClientMock = mock(GitHubSecurityAdvisoryClient.class);
+        when(apiClientMock.hasNext())
+                .thenReturn(true)
+                .thenReturn(false);
+        when(apiClientMock.next())
+                .thenReturn(List.of(advisory));
+        when(apiClientMock.getLastUpdated())
+                .thenReturn(ZonedDateTime.ofInstant(Instant.ofEpochSecond(1679922240L), ZoneOffset.UTC));
+        when(apiClientFactoryMock.create(anyLong()))
+                .thenReturn(apiClientMock);
+        githubMirror.mirrorInternal();
+        final List<ConsumerRecord<String, Bom>> vulnRecords = kafkaCompanion
+                .consume(Serdes.String(), new KafkaProtobufSerde<>(Bom.parser()))
+                .withGroupId(TestConstants.CONSUMER_GROUP_ID)
+                .withAutoCommit()
+                .fromTopics(KafkaTopic.NEW_VULNERABILITY.getName(), 1, Duration.ofSeconds(5))
+                .awaitCompletion()
+                .getRecords();
+        assertThat(vulnRecords.size()).isEqualTo(0);
+    }
 }
diff --git a/mirror-service/src/test/resources/datasource/github/advisory-withdrawn.json b/mirror-service/src/test/resources/datasource/github/advisory-withdrawn.json
@@ -0,0 +1,51 @@
+{
+  "databaseId": 1275,
+  "description": "In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/",
+  "ghsaId": "GHSA-fxwm-579q-49qq",
+  "id": "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ4d20tNTc5cS00OXFx",
+  "identifiers": [],
+  "notificationsPermalink": "https://github.com/advisories/GHSA-fxwm-579q-49qq/dependabot",
+  "origin": "UNSPECIFIED",
+  "permalink": "https://github.com/advisories/GHSA-fxwm-579q-49qq",
+  "publishedAt": "2019-02-22T20:54:40Z",
+  "references": [],
+  "severity": "MODERATE",
+  "summary": "Moderate severity vulnerability that affects Bootstrap.Less, bootstrap, and bootstrap.sass",
+  "updatedAt": "2021-12-03T14:54:43Z",
+  "vulnerabilities": {
+    "edges": [
+      {
+        "node": {
+          "severity": "MODERATE",
+          "updatedAt": "2019-02-22T20:53:04Z",
+          "firstPatchedVersion": {
+            "identifier": "4.3.1"
+          },
+          "vulnerableVersionRange": ">= 4.0.0, < 4.3.1",
+          "package": {
+            "ecosystem": "NUGET",
+            "name": "bootstrap"
+          }
+        }
+      }
+    ],
+    "totalCount": 4,
+    "pageInfo": {
+      "hasNextPage": false,
+      "endCursor": "Y3Vyc29yOnYyOpK5MjAxOS0wMi0yMlQyMTo1MzowNCswMTowMM0H6w=="
+    }
+  },
+  "cvss": {
+    "score": 0.0,
+    "vectorString": null
+  },
+  "cwes": {
+    "edges": [],
+    "totalCount": 0,
+    "pageInfo": {
+      "hasNextPage": false,
+      "endCursor": null
+    }
+  },
+  "withdrawnAt": "2021-05-04T20:26:20Z"
+}