XWIKI-23646: Security vulnerability application improvments (#4722)

  * Allow computation of CVSS v4
  * Only limit displays of vulnerabilities based on CVE ID and no longer
    on max severity
  * Support multiple severities and prioritize them

---------

Co-authored-by: Manuel Leduc <[email protected]>
(cherry picked from commit c3b71ba)

Author: surli

pom.xml

@@ -67,7 +67,8 @@
     <netty.version>4.2.7.Final</netty.version>
     <hibernate.version>5.6.15.Final</hibernate.version>
     <dockerJava.version>3.5.0</dockerJava.version>
-    <cvssCalculator.version>1.4.3</cvssCalculator.version>
+    <!-- Used for CVSS score calculation -->
+    <metaeffekt.version>0.147.0</metaeffekt.version>
     <solr.major.version>9</solr.major.version>
     <solr.version>9.4.1</solr.version>
     <lucene.version>9.8.0</lucene.version>

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-index/pom.xml

@@ -59,9 +59,9 @@
       <version>${project.version}</version>
     </dependency>
     <dependency>
-      <groupId>us.springett</groupId>
-      <artifactId>cvss-calculator</artifactId>
-      <version>${cvssCalculator.version}</version>
+      <groupId>org.metaeffekt.core</groupId>
+      <artifactId>ae-security</artifactId>
+      <version>${metaeffekt.version}</version>
     </dependency>
 
     <!-- Test dependencies -->

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-index/src/main/java/org/xwiki/extension/index/security/SecurityVulnerabilityDescriptor.java

@@ -25,11 +25,10 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
+import org.metaeffekt.core.security.cvss.CvssVector;
 import org.xwiki.extension.version.Version;
 import org.xwiki.text.XWikiToStringBuilder;
 
-import us.springett.cvss.Cvss;
-
 /**
  * An individual security vulnerability descriptor.
  *
@@ -98,7 +97,7 @@ public String getURL()
     public SecurityVulnerabilityDescriptor setSeverityScore(String vector)
     {
         if (StringUtils.isNotEmpty(vector)) {
-            this.score = Cvss.fromVector(vector).calculateScore().getBaseScore();
+            this.score = CvssVector.parseVector(vector).getBaseScore();
         }
         return this;
     }

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-security/xwiki-platform-extension-security-api/src/main/java/org/xwiki/extension/security/internal/ExtensionSecuritySolrClient.java

@@ -170,7 +170,7 @@ private static void initFilter(SolrQuery solrQuery)
         }
         // Only include extensions with a computed CVSS score, meaning that they have at least one known security
         // vulnerability.
-        solrQuery.addFilterQuery(String.format("%s:{0 TO 10]", SECURITY_MAX_CVSS));
+        solrQuery.addFilterQuery(String.format("%s:[* TO *]", SECURITY_CVE_ID));
         solrQuery.addFilterQuery(String.format("(%s:[* TO *] OR %s:true)",
             FIELD_INSTALLED_NAMESPACES, IS_CORE_EXTENSION));
     }

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-security/xwiki-platform-extension-security-api/src/main/java/org/xwiki/extension/security/internal/SolrToLiveDataEntryMapper.java

@@ -227,7 +227,11 @@ private String buildFixVersion(SolrDocument doc)
 
     private Double buildMaxCVSS(SolrDocument doc)
     {
-        return this.solrUtils.get(SECURITY_MAX_CVSS, doc);
+        Double result = this.solrUtils.get(SECURITY_MAX_CVSS, doc);
+        if (result == null) {
+            result = 0.0;
+        }
+        return result;
     }
 
     private String buildExtensionId(SolrDocument doc)

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-security/xwiki-platform-extension-security-api/src/test/java/org/xwiki/extension/security/internal/ExtensionSecuritySolrClientTest.java

@@ -89,7 +89,7 @@ void getExtensionsCount() throws Exception
         assertEquals(42, this.solrClient.getVulnerableExtensionsCount());
 
         SolrQuery params = new SolrQuery();
-        params.addFilterQuery(String.format("%s:{0 TO 10]", SECURITY_MAX_CVSS));
+        params.addFilterQuery(SECURITY_CVE_ID + ":[* TO *]");
         params.addFilterQuery(getNamespaceFilterQuery());
         params.addFilterQuery(String.format("%s:false", IS_REVIEWED_SAFE));
         verify(this.extensionIndexStore)
@@ -111,7 +111,7 @@ void solrQuery() throws Exception
         this.solrClient.solrQuery(liveDataQuery);
 
         SolrQuery params = new SolrQuery();
-        params.addFilterQuery(SECURITY_MAX_CVSS + ":{0 TO 10]");
+        params.addFilterQuery(SECURITY_CVE_ID + ":[* TO *]");
         params.addFilterQuery(IS_CORE_EXTENSION + ":false");
         params.addFilterQuery(getNamespaceFilterQuery());
 
@@ -138,7 +138,7 @@ void solrQueryIsFromEnvironment() throws Exception
         this.solrClient.solrQuery(liveDataQuery);
 
         SolrQuery params = new SolrQuery();
-        params.addFilterQuery(SECURITY_MAX_CVSS + ":{0 TO 10]");
+        params.addFilterQuery(SECURITY_CVE_ID + ":[* TO *]");
         params.addFilterQuery(IS_CORE_EXTENSION + ":true");
         params.addFilterQuery(getNamespaceFilterQuery());
 
@@ -168,7 +168,7 @@ void filterByCVEId() throws Exception
 
         SolrQuery expectedSolrQuery = new SolrQuery();
         expectedSolrQuery.addFilterQuery(String.format("%s:*test*", SECURITY_CVE_ID));
-        expectedSolrQuery.addFilterQuery(SECURITY_MAX_CVSS + ":{0 TO 10]");
+        expectedSolrQuery.addFilterQuery(SECURITY_CVE_ID + ":[* TO *]");
         expectedSolrQuery.addFilterQuery(getNamespaceFilterQuery());
         expectedSolrQuery.addFilterQuery(IS_CORE_EXTENSION + ":false");
 
@@ -200,7 +200,7 @@ void filterByMaxCVSS(String value, String convertedValue) throws Exception
 
         SolrQuery expectedSolrQuery = new SolrQuery();
         expectedSolrQuery.addFilterQuery(String.format("%s:[%s TO 10]", SECURITY_MAX_CVSS, convertedValue));
-        expectedSolrQuery.addFilterQuery(SECURITY_MAX_CVSS + ":{0 TO 10]");
+        expectedSolrQuery.addFilterQuery(SECURITY_CVE_ID + ":[* TO *]");
         expectedSolrQuery.addFilterQuery(getNamespaceFilterQuery());
         expectedSolrQuery.addFilterQuery(IS_CORE_EXTENSION + ":false");
 

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-security/xwiki-platform-extension-security-index/src/main/java/org/xwiki/extension/security/internal/analyzer/VulnerabilityIndexer.java

@@ -89,8 +89,7 @@ public boolean update(Extension extension, ExtensionSecurityAnalysisResult analy
                 .anyMatch(vulnerability -> {
                     String vulnerabilityId = vulnerability.getId();
                     Set<String> aliases = vulnerability.getAliases();
-                    return vulnerability.getScore() > 0
-                        && !cveiDs.contains(vulnerabilityId)
+                    return !cveiDs.contains(vulnerabilityId)
                         // To avoid raising a notification for a vulnerability that was already notified with another id
                         && cveiDs.stream().noneMatch(aliases::contains)
                         && isNotSafe(reviewsMap, vulnerabilityId);

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-security/xwiki-platform-extension-security-index/src/main/java/org/xwiki/extension/security/internal/analyzer/osv/OsvResponseAnalyzer.java

@@ -92,7 +92,7 @@ private Optional<SecurityVulnerabilityDescriptor> convert(VulnObject vulnObject,
                 .setId(id)
                 .setAliases(resolveAliases(vulnObject, id))
                 .setURL(vulnObject.getMainURL())
-                .setSeverityScore(vulnObject.getSeverityCCSV3())
+                .setSeverityScore(vulnObject.getSeverityCVSS())
                 .setFixVersion(vulnObject.getMaxFixVersion(currentVersion).orElse(null)));
     }
 

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-security/xwiki-platform-extension-security-index/src/main/java/org/xwiki/extension/security/internal/analyzer/osv/model/response/VulnObject.java

@@ -37,6 +37,10 @@
  */
 public class VulnObject
 {
+    private static final String CVSS_V4 = "CVSS_V4";
+    private static final String CVSS_V3 = "CVSS_V3";
+    private static final String CVSS_V2 = "CVSS_V2";
+
     private List<AffectObject> affected;
 
     private String id;
@@ -127,18 +131,35 @@ public String getMainURL()
     }
 
     /**
-     * @return the CVSS V3 {@link #getSeverity()}
+     * @return the CVSS {@link #getSeverity()}
      */
-    public String getSeverityCCSV3()
+    public String getSeverityCVSS()
     {
         if (this.severity == null) {
             return "";
         }
         return this.severity.stream()
-            .filter(s -> Objects.equals("CVSS_V3", s.getType()))
-            .map(SeverityObject::getScore)
-            .findFirst()
-            .orElse(null);
+            .filter(s -> s.getType().matches("^(CVSS_V)[2-4]$"))
+            .max((t1, t2) -> {
+                int result;
+                if (t1.getType().equals(t2.getType())) {
+                    result = 0;
+                } else if (CVSS_V4.equals(t1.getType())) {
+                    result = 1;
+                } else if (CVSS_V4.equals(t2.getType())) {
+                    result = -1;
+                } else if (CVSS_V3.equals(t1.getType())) {
+                    result = 1;
+                } else if (CVSS_V3.equals(t2.getType())) {
+                    result = -1;
+                } else if (CVSS_V2.equals(t1.getType())) {
+                    result = 1;
+                } else {
+                    result = -1;
+                }
+                return result;
+            })
+            .map(SeverityObject::getScore).orElse(null);
     }
 
     /**

xwiki-platform-core/xwiki-platform-extension/xwiki-platform-extension-security/xwiki-platform-extension-security-index/src/test/java/org/xwiki/extension/security/internal/analyzer/osv/OsvResponseAnalyzerTest.java

@@ -124,6 +124,62 @@ void fixVersion()
             extensionSecurityAnalysisResult.getSecurityVulnerabilities().get(0).getFixVersion());
     }
 
+    @Test
+    void analyzeCommonsFileuploadOsvResponse()
+    {
+        OsvResponse osvResponse = readJson("commons-fileupload-commons-fileupload-1.5.json");
+        ExtensionSecurityAnalysisResult extensionSecurityAnalysisResult =
+            this.analyzer.analyzeOsvResponse("commons-fileupload:commons-fileupload", "1.5", osvResponse);
+        assertEquals(1, extensionSecurityAnalysisResult.getSecurityVulnerabilities().size());
+        assertEquals(8.7, extensionSecurityAnalysisResult.getMaxCVSS());
+    }
+
+    @Test
+    void analyzeOsvResponseCVSSV2()
+    {
+        OsvResponse osvResponse = readJson("osvResponseCVSSV2.json");
+
+        ExtensionSecurityAnalysisResult expected = new ExtensionSecurityAnalysisResult();
+        SecurityVulnerabilityDescriptor securityVulnerabilityDescriptor = new SecurityVulnerabilityDescriptor();
+        securityVulnerabilityDescriptor.setId("CVE-1");
+        securityVulnerabilityDescriptor.setAliases(Set.of("A1", "VULN_ID"));
+        securityVulnerabilityDescriptor.setURL("https://main.ref/");
+        securityVulnerabilityDescriptor.setScore(7.5);
+        securityVulnerabilityDescriptor.setFixVersion(new DefaultVersion("15.7"));
+        expected.setResults(List.of(securityVulnerabilityDescriptor));
+
+        assertEquals(expected,
+            this.analyzer.analyzeOsvResponse("org.test:my-ext", "7.5", osvResponse));
+    }
+
+    @Test
+    void analyzeOsvResponseMultipleSeverities()
+    {
+        OsvResponse osvResponse = readJson("osvResponseMultipleSeverities.json");
+
+        ExtensionSecurityAnalysisResult expected = new ExtensionSecurityAnalysisResult();
+        SecurityVulnerabilityDescriptor securityVulnerabilityDescriptor = new SecurityVulnerabilityDescriptor();
+        securityVulnerabilityDescriptor.setId("CVE-1");
+        securityVulnerabilityDescriptor.setAliases(Set.of("A1", "VULN_ID"));
+        securityVulnerabilityDescriptor.setURL("https://main.ref/");
+        securityVulnerabilityDescriptor.setScore(8.7);
+        securityVulnerabilityDescriptor.setFixVersion(new DefaultVersion("15.7"));
+        expected.setResults(List.of(securityVulnerabilityDescriptor));
+
+        assertEquals(expected,
+            this.analyzer.analyzeOsvResponse("org.test:my-ext", "7.5", osvResponse));
+    }
+
+    @Test
+    void analyzeCommonsHttpclientOsvResponse()
+    {
+        OsvResponse osvResponse = readJson("commons-httpclient-commons-httpclient-3.1.json");
+        ExtensionSecurityAnalysisResult extensionSecurityAnalysisResult =
+            this.analyzer.analyzeOsvResponse("commons-httpclient:commons-httpclient", "3.1", osvResponse);
+        assertEquals(1, extensionSecurityAnalysisResult.getSecurityVulnerabilities().size());
+        assertEquals(0, extensionSecurityAnalysisResult.getMaxCVSS());
+    }
+
     private OsvResponse readJson(String name)
     {
         InputStream resourceAsStream = getClass().getClassLoader().getResourceAsStream(name);