Osv: Add a fallback for the severity

The server does return vulnerabilities which do not have a severity value in the dedicated property. The unspecified `databaseSpecific` property often times holds a primitive `severity` property with values such as `[HIGH, MEDIUM, LOW]`. Make use of these values as a fallback as these to provide more indication than a `null` value. Note: The data model of 'osv/client' currently uses subtypes of JsonElement to expose a couple of unspecified JSON objects as properties. Accessing these requires the client code to add 'kotlinx.serialization' as dependency which is not nice. A solution to that would be to use "raw" string values containing the JSON, which is unfortunately not yet possible but may become so in the future, see [1][2][3]. So, for now add 'kotlinx.serialization' as dependency to the advisor in order to access the property and leave a FIXME comment as reminder. [1] Kotlin/kotlinx.serialization#1298 [2] Kotlin/kotlinx.serialization#1405 [3] Kotlin/kotlinx.serialization#1058 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
oss-review-toolkit · Jul 13, 2022 · de24761 · de24761
1 parent cb9ae10
commit de24761
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/advisor/build.gradle.kts b/advisor/build.gradle.kts
@@ -33,6 +33,7 @@ dependencies {
 
     implementation(libs.cvssCalculator)
     implementation(libs.kotlinxCoroutines)
+    implementation(libs.kotlinxSerialization)
     implementation(libs.ktorClientOkHttp)
 
     testImplementation(libs.mockk)

diff --git a/advisor/src/funTest/assets/retrieve-package-findings-expected-result.json b/advisor/src/funTest/assets/retrieve-package-findings-expected-result.json
@@ -65,15 +65,15 @@
       "references" : [ {
         "url" : "https://github.com/amark/gun/security/advisories/GHSA-886v-mm6p-4m66",
         "scoring_system" : null,
-        "severity" : null
+        "severity" : "HIGH"
       }, {
         "url" : "https://github.com/advisories/GHSA-886v-mm6p-4m66",
         "scoring_system" : null,
-        "severity" : null
+        "severity" : "HIGH"
       }, {
         "url" : "https://github.com/amark/gun",
         "scoring_system" : null,
-        "severity" : null
+        "severity" : "HIGH"
       } ]
     } ]
   } ]

diff --git a/advisor/src/main/kotlin/advisors/Osv.kt b/advisor/src/main/kotlin/advisors/Osv.kt
@@ -22,6 +22,9 @@ package org.ossreviewtoolkit.advisor.advisors
 import java.net.URI
 import java.time.Instant
 
+import kotlinx.serialization.json.JsonPrimitive
+import kotlinx.serialization.json.contentOrNull
+
 import org.ossreviewtoolkit.advisor.AbstractAdviceProviderFactory
 import org.ossreviewtoolkit.advisor.AdviceProvider
 import org.ossreviewtoolkit.clients.osv.Ecosystem
@@ -171,7 +174,7 @@ private fun createRequest(pkg: Package): VulnerabilitiesForPackageRequest? {
 }
 
 private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulnerability {
-    val (scoringSystem, severity) = this.severity.firstOrNull()?.let {
+    var (scoringSystem, severity) = this.severity.firstOrNull()?.let {
         Cvss.fromVector(it.score)?.let { cvss ->
             val scoringSystem = when {
                 // Work around for https://github.com/stevespringett/cvss-calculator/issues/56.
@@ -187,7 +190,15 @@ private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulne
         }
     } ?: (null to null)
 
-    // TODO: Consider using the severity in the database specific property as a fallback.
+    if (severity == null && databaseSpecific != null) {
+        // Fallback to the 'severity' property of the unspecified 'databaseSpecific' object.
+        databaseSpecific!!["severity"]?.let {
+            if (it is JsonPrimitive) {
+                severity = it.contentOrNull
+            }
+        }
+    }
+
     return org.ossreviewtoolkit.model.Vulnerability(
         id = id,
         references = references.map {