 /**
  * Registers a parsed finding: assigns it the native ID computed by {@code getNativeId},
  * marks it as non-static and appends it to {@code saxFindingList}.
  *
  * @param finding the finding to register; a null argument is ignored without error
  */
 public void add(Finding finding) {
   if (finding == null) {
     return;
   }
   finding.setNativeId(getNativeId(finding));
   finding.setIsStatic(false);
   saxFindingList.add(finding);
 }
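  /**
   * Classifies how the vulnerability's active/inactive state relates to the open/closed state of
   * its linked defect, stores the result on the vulnerability and returns it.
   *
   * <p>When the defect is closed but the vulnerability is still active, the most recent scan
   * import time (over the vulnerability's findings and their repeat-finding scans) is compared
   * with the defect's status-update time (falling back to its modified date) to decide whether
   * the vulnerability is provably still present or a fresh scan is needed.
   *
   * @param vulnerability the vulnerability to classify; must not be null
   * @return the computed state, or null when the vulnerability has no defect
   */
  @Override
  public VulnerabilityDefectConsistencyState determineVulnerabilityDefectConsistencyState(
      Vulnerability vulnerability) {
    VulnerabilityDefectConsistencyState state = null;

    Defect defect = vulnerability.getDefect();
    if (defect != null) {
      if (vulnerability.isActive() == defect.isOpen()) {
        state = VulnerabilityDefectConsistencyState.CONSISTENT;
      } else if (defect.isOpen()) {
        state = VulnerabilityDefectConsistencyState.VULN_CLOSED_DEFECT_OPEN_NEEDS_SCAN;
      } else {
        Calendar latestScanDate = findLatestScanDate(vulnerability);
        Calendar defectStatusUpdatedDate = resolveDefectStatusDate(defect);
        // Only a scan imported after the defect was closed proves the vulnerability is still
        // present; if either date is unavailable we cannot prove it and ask for a new scan.
        if (latestScanDate != null
            && defectStatusUpdatedDate != null
            && latestScanDate.after(defectStatusUpdatedDate)) {
          state = VulnerabilityDefectConsistencyState.VULN_OPEN_DEFECT_CLOSED_STILL_IN_SCAN;
        } else {
          state = VulnerabilityDefectConsistencyState.VULN_OPEN_DEFECT_CLOSED_NEEDS_SCAN;
        }
      }
    }

    vulnerability.setVulnerabilityDefectConsistencyState(state);
    return state;
  }

  /**
   * Returns the latest scan import time across the vulnerability's findings and their
   * repeat-finding scans, or null when no finding carries a usable import time.
   */
  private static Calendar findLatestScanDate(Vulnerability vulnerability) {
    Calendar latest = null;
    if (vulnerability.getFindings() == null) {
      return latest;
    }
    for (Finding finding : vulnerability.getFindings()) {
      // A finding without a scan (or a scan without an import time) simply does not contribute.
      if (finding.getScan() != null) {
        latest = later(latest, finding.getScan().getImportTime());
      }
      if (finding.getScanRepeatFindingMaps() != null) {
        for (ScanRepeatFindingMap repeatFindingMap : finding.getScanRepeatFindingMaps()) {
          Scan repeatScan = repeatFindingMap.getScan();
          if (repeatScan != null) {
            latest = later(latest, repeatScan.getImportTime());
          }
        }
      }
    }
    return latest;
  }

  /** Returns whichever of the two is later, treating a null candidate as "no information". */
  private static Calendar later(Calendar current, Calendar candidate) {
    if (candidate == null) {
      return current;
    }
    if (current == null || candidate.after(current)) {
      return candidate;
    }
    return current;
  }

  /**
   * Returns the defect's status-updated date, falling back to its modified date; null when
   * neither is set.
   */
  private static Calendar resolveDefectStatusDate(Defect defect) {
    Calendar statusDate = defect.getStatusUpdatedDate();
    if (statusDate != null) {
      return statusDate;
    }
    if (defect.getModifiedDate() == null) {
      return null;
    }
    Calendar fallback = Calendar.getInstance();
    fallback.setTime(defect.getModifiedDate());
    return fallback;
  }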
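    /**
     * Builds the {@link Finding} for this test case from the parsed XML properties.
     *
     * <p>The attributes recorded for {@code testcaseID} are merged into {@code findingProperties}
     * before the finding is constructed; the result is flagged static and given the collected
     * data flow, native ID and channel severity.
     *
     * @param testcaseInfos per-test-case attribute maps, keyed by test case ID
     * @return the constructed finding, never null
     * @throws IllegalStateException if no attributes were parsed for this test case, or if
     *     {@code constructFinding} cannot build a finding from the available information
     */
    public Finding getFinding(final Map<Integer, Map<FindingKey, String>> testcaseInfos) {
      final Map<FindingKey, String> testcaseInfo =
          testcaseInfos == null ? null : testcaseInfos.get(testcaseID);
      // Fail with a clear message rather than an NPE from putAll when the test case is unknown.
      if (testcaseInfo == null) {
        throw new IllegalStateException(
            "No test case information was parsed for test case ID " + testcaseID);
      }
      findingProperties.putAll(testcaseInfo);

      final Finding finding = constructFinding(findingProperties);
      // be careful, constructFinding can return null if not given enough information
      if (finding == null) {
        throw new IllegalStateException(
            "XML was invalid or we didn't parse out enough information");
      }

      finding.setIsStatic(true);

      // Add data flow
      finding.setDataFlowElements(dataflow);
      finding.setNativeId(findingProperties.get(FindingKey.NATIVE_ID));
      finding.setChannelSeverity(severity);

      // Potentially add other parameters

      return finding;
    }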
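  /**
   * Converts a ThreadFix {@link Finding} into its SSVL export representation.
   *
   * <p>Copies description, native ID, attack string, scanner name, severity and scan import
   * timestamp; adds the surface location only for non-static findings, and every data flow
   * element and the dependency when present. Optional associations (channel vulnerability,
   * channel severity, scan, data flow elements) that are missing leave the corresponding SSVL
   * field unset instead of aborting the export. The attack string is copied through unchanged.
   *
   * @param tfFinding the finding to convert; must not be null
   * @return the populated SSVL finding
   * @throws NullPointerException if {@code tfFinding} is null
   */
  public static Vulnerabilities.Vulnerability.Finding convertTFFindingToSSVLFinding(
      Finding tfFinding) {
    if (tfFinding == null) {
      throw new NullPointerException("tfFinding");
    }

    Vulnerabilities.Vulnerability.Finding ssvlFinding =
        factory.createVulnerabilitiesVulnerabilityFinding();

    if (tfFinding.getChannelVulnerability() != null) {
      ssvlFinding.setFindingDescription(tfFinding.getChannelVulnerability().getName());
    }
    ssvlFinding.setLongDescription(tfFinding.getLongDescription());
    ssvlFinding.setNativeID(tfFinding.getNativeId());
    ssvlFinding.setAttackString(tfFinding.getAttackString());
    ssvlFinding.setScanner(tfFinding.getChannelNameOrNull());
    if (tfFinding.getChannelSeverity() != null) {
      ssvlFinding.setSeverity(tfFinding.getChannelSeverity().getName());
    }
    if (tfFinding.getScan() != null) {
      ssvlFinding.setIdentifiedTimestamp(getTimestamp(tfFinding.getScan().getImportTime()));
    }

    // Surface locations only apply to dynamic findings; a null static flag is treated as dynamic.
    if (!Boolean.TRUE.equals(tfFinding.getIsStatic())) {
      ssvlFinding.setSurfaceLocation(
          convertTFSurfaceLocationToSSVL(tfFinding.getSurfaceLocation()));
    }

    if (tfFinding.getDataFlowElements() != null) {
      for (DataFlowElement tfDataFlow : tfFinding.getDataFlowElements()) {
        ssvlFinding.getDataFlowElement().add(convertTFDataFlowElementToSSVL(tfDataFlow));
      }
    }

    ssvlFinding.setDependency(convertTFDependencyToSSVL(tfFinding.getDependency()));

    return ssvlFinding;
  }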