Osv: Add a fallback for the severity

The server does return vulnerabilities which do not have a severity value in the dedicated property. The unspecified `databaseSpecific` property often times holds a primitive `severity` property with values such as `[HIGH, MEDIUM, LOW]`. Make use of these values as a fallback as these to provide more indication than a `null` value. Note: The data model of 'osv/client' currently uses subtypes of JsonElement to expose a couple of unspecified JSON objects as properties. Accessing these requires the client code to add 'kotlinx.serialization' as dependency which is not nice. A solution to that would be to use "raw" string values containing the JSON, which is unfortunately not yet possible but may become so in the future, see [1][2][3]. So, for now add 'kotlinx.serialization' as dependency to the advisor in order to access the property and leave a FIXME comment as reminder. [1] Kotlin/kotlinx.serialization#1298 [2] Kotlin/kotlinx.serialization#1405 [3] Kotlin/kotlinx.serialization#1058 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
oss-review-toolkit · Jul 12, 2022 · 9a3f197 · 9a3f197
1 parent 6b62ed6
commit 9a3f197
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 8 deletions.
diff --git a/advisor/build.gradle.kts b/advisor/build.gradle.kts
@@ -32,6 +32,7 @@ dependencies {
     api(project(":model"))
 
     implementation(libs.kotlinxCoroutines)
+    implementation(libs.kotlinxSerialization)
     implementation(libs.ktorClientOkHttp)
 
     testImplementation(libs.mockk)

diff --git a/advisor/src/funTest/assets/retrieve-package-findings-expected-result.json b/advisor/src/funTest/assets/retrieve-package-findings-expected-result.json
@@ -65,15 +65,15 @@
       "references" : [ {
         "url" : "https://github.com/amark/gun/security/advisories/GHSA-886v-mm6p-4m66",
         "scoring_system" : null,
-        "severity" : null
+        "severity" : "HIGH"
       }, {
         "url" : "https://github.com/advisories/GHSA-886v-mm6p-4m66",
         "scoring_system" : null,
-        "severity" : null
+        "severity" : "HIGH"
       }, {
         "url" : "https://github.com/amark/gun",
         "scoring_system" : null,
-        "severity" : null
+        "severity" : "HIGH"
       } ]
     } ]
   } ]

diff --git a/advisor/src/main/kotlin/advisors/Osv.kt b/advisor/src/main/kotlin/advisors/Osv.kt
@@ -22,6 +22,9 @@ package org.ossreviewtoolkit.advisor.advisors
 import java.net.URI
 import java.time.Instant
 
+import kotlinx.serialization.json.JsonPrimitive
+import kotlinx.serialization.json.contentOrNull
+
 import org.ossreviewtoolkit.advisor.AbstractAdviceProviderFactory
 import org.ossreviewtoolkit.advisor.AdviceProvider
 import org.ossreviewtoolkit.clients.osv.Ecosystem
@@ -168,19 +171,26 @@ private fun createRequest(pkg: Package): VulnerabilitiesForPackageRequest? {
 }
 
 private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulnerability {
-    val (scoringSystem, severity) = severity.firstOrNull()?.let {
+    var (scoringSystem, score) = severity.firstOrNull()?.let {
         it.type.name to it.score
     } ?: null to null
 
-    // TODO: Improve parsing the severity properties. Parse vectors, e.g. CVSS:3.1 and consider using the severity
-    // in the database specific property as a fallback.
+    if (score == null && databaseSpecific != null) {
+        // Fallback to the 'severity' property of the unspecified 'databaseSpecific' object.
+        databaseSpecific!!["severity"]?.let {
+            if (it is JsonPrimitive) {
+                score = it.contentOrNull
+            }
+        }
+    }
+
     return org.ossreviewtoolkit.model.Vulnerability(
         id = id,
         references = references.map {
             VulnerabilityReference(
                 url = URI.create(it.url),
                 scoringSystem = scoringSystem,
-                severity = severity,
+                severity = score,
             )
         }
     )

diff --git a/clients/osv/src/main/kotlin/Model.kt b/clients/osv/src/main/kotlin/Model.kt
@@ -25,6 +25,15 @@ import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
 import kotlinx.serialization.json.JsonObject
 
+// FIXME: Remove all JsonElement subtypes as property types from the model in favor of raw strings holding JSON.
+// Accessing JsonElement subtypes requires the client code to add 'kotlinx.serialization' as dependency, which is not
+// desired - raw strings would fix that.
+// At the time of writing, that's not (easily) possible to implement due to limitations in the serialization library,
+// see:
+// 1. https://github.com/Kotlin/kotlinx.serialization/issues/1298
+// 2. https://github.com/Kotlin/kotlinx.serialization/issues/1405
+// 3. https://github.com/Kotlin/kotlinx.serialization/issues/1058
+
 /**
  * Implementation of the "Open Source Vulnerability format" according to schema version 1.3.0 (March 24, 2022), see
  * https://ossf.github.io/osv-schema/ which links to
@@ -33,7 +42,6 @@ import kotlinx.serialization.json.JsonObject
  *
  * For the documentation of all entities and properties please refer to above links.
  */
-
 @Serializable
 data class Vulnerability(
     @SerialName("schema_version")