sap-jenkins-library/pkg/protecode/analysis.go

package protecode

import "strconv"

const (
	vulnerabilitySeverityThreshold = 7.0
)

// HasFailed checks the return status of the provided result
func HasFailed(result ResultData) bool {
	//TODO: check this in PollForResult and return error once
	return len(result.Result.Status) > 0 && result.Result.Status == statusFailed
}

// HasSevereVulnerabilities checks if any non-historic, non-triaged, non-excluded vulnerability has a CVSS score above the defined threshold
func HasSevereVulnerabilities(result Result, excludeCVEs string) bool {
	for _, component := range result.Components {
		for _, vulnerability := range component.Vulns {
			if isSevere(vulnerability) &&
				!isTriaged(vulnerability) &&
				!isExcluded(vulnerability, excludeCVEs) &&
				isExact(vulnerability) {
				return true
			}
		}
	}
	return false
}

func isSevere(vulnerability Vulnerability) bool {
	cvss3, _ := strconv.ParseFloat(vulnerability.Vuln.Cvss3Score, 64)
	if cvss3 >= vulnerabilitySeverityThreshold {
		return true
	}
	// CVSS v3 not set, fallback to CVSS v2
	if cvss3 == 0 && vulnerability.Vuln.Cvss >= vulnerabilitySeverityThreshold {
		return true
	}
	return false
}
fix(protecode): respect failOnSevereVulnerabilities parameter (#1969) * fix redundant type issues * cleanup * extract report function for protecode package * use speaking status constant for API results * remove unconsidered return value * correct switch statement * handle severe vulnerabilities * Apply suggestions from code review Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * correct test name * return errors from WriteReport function * expose ReportData struct * set Error Category * refactor constant visibility * change type name * describe type * change type name * fail after report generation * do not fail on report write errors * add error as return value * fix typo * use require statements * assert major vulnerabilities Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> 2020-09-02 10:41:12 +02:00			`package protecode`

			`import "strconv"`

			`const (`
			`vulnerabilitySeverityThreshold = 7.0`
			`)`

chore: update formatting (#4111) 2022-11-08 08:47:38 +01:00			`// HasFailed checks the return status of the provided result`
fix(protecode): respect failOnSevereVulnerabilities parameter (#1969) * fix redundant type issues * cleanup * extract report function for protecode package * use speaking status constant for API results * remove unconsidered return value * correct switch statement * handle severe vulnerabilities * Apply suggestions from code review Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * correct test name * return errors from WriteReport function * expose ReportData struct * set Error Category * refactor constant visibility * change type name * describe type * change type name * fail after report generation * do not fail on report write errors * add error as return value * fix typo * use require statements * assert major vulnerabilities Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> 2020-09-02 10:41:12 +02:00			`func HasFailed(result ResultData) bool {`
			`//TODO: check this in PollForResult and return error once`
			`return len(result.Result.Status) > 0 && result.Result.Status == statusFailed`
			`}`

chore: update formatting (#4111) 2022-11-08 08:47:38 +01:00			`// HasSevereVulnerabilities checks if any non-historic, non-triaged, non-excluded vulnerability has a CVSS score above the defined threshold`
fix(protecode): respect failOnSevereVulnerabilities parameter (#1969) * fix redundant type issues * cleanup * extract report function for protecode package * use speaking status constant for API results * remove unconsidered return value * correct switch statement * handle severe vulnerabilities * Apply suggestions from code review Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> * correct test name * return errors from WriteReport function * expose ReportData struct * set Error Category * refactor constant visibility * change type name * describe type * change type name * fail after report generation * do not fail on report write errors * add error as return value * fix typo * use require statements * assert major vulnerabilities Co-authored-by: Stephan Aßmus <stephan.assmus@sap.com> 2020-09-02 10:41:12 +02:00			`func HasSevereVulnerabilities(result Result, excludeCVEs string) bool {`
			`for _, component := range result.Components {`
			`for _, vulnerability := range component.Vulns {`
			`if isSevere(vulnerability) &&`
			`!isTriaged(vulnerability) &&`
			`!isExcluded(vulnerability, excludeCVEs) &&`
			`isExact(vulnerability) {`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`

			`func isSevere(vulnerability Vulnerability) bool {`
			`cvss3, _ := strconv.ParseFloat(vulnerability.Vuln.Cvss3Score, 64)`
			`if cvss3 >= vulnerabilitySeverityThreshold {`
			`return true`
			`}`
			`// CVSS v3 not set, fallback to CVSS v2`
			`if cvss3 == 0 && vulnerability.Vuln.Cvss >= vulnerabilitySeverityThreshold {`
			`return true`
			`}`
			`return false`
			`}`