@Override
public Vulnerability retrieveById(int id) {
Vulnerability vuln =
(Vulnerability) sessionFactory.getCurrentSession().get(Vulnerability.class, id);
if (vuln != null && !vuln.isExpired()) {
return vuln;
} else {
assert false : "Attempted to retrieve invalid vulnerability id.";
return null;
}
}
@SuppressWarnings("unchecked")
@Override
public void markAllOpen(List<Vulnerability> vulns) {
for (Vulnerability vuln : vulns) {
if (vuln != null && !vuln.isActive()) {
vuln.setActive(true);
vuln.setFoundByScanner(true);
determineVulnerabilityDefectConsistencyState(vuln);
saveOrUpdate(vuln);
}
}
}
@Override
@SuppressWarnings("unchecked")
public List<Vulnerability> retrieveAllByGenericVulnerabilityAndApp(Vulnerability vulnerability) {
return sessionFactory
.getCurrentSession()
.createQuery(
"from Vulnerability vuln where vuln.application = :appId "
+ "and vuln.genericVulnerability = :gvId and vuln.expired = :false")
.setInteger("gvId", vulnerability.getGenericVulnerability().getId())
.setInteger("appId", vulnerability.getApplication().getId())
.setBoolean("false", false)
.list();
}
@SuppressWarnings("unchecked")
@Override
public void markAllClosed(List<Vulnerability> vulns) {
for (Vulnerability vuln : vulns) {
if (vuln != null && vuln.isActive()) {
vuln.setActive(false);
vuln.setCloseTime(Calendar.getInstance());
vuln.setFoundByScanner(false);
determineVulnerabilityDefectConsistencyState(vuln);
saveOrUpdate(vuln);
}
}
}
@Override
public VulnerabilityDefectConsistencyState determineVulnerabilityDefectConsistencyState(
Vulnerability vulnerability) {
VulnerabilityDefectConsistencyState vulnerabilityDefectConsistencyState = null;
Defect defect = vulnerability.getDefect();
if (defect != null) {
if (vulnerability.isActive() == defect.isOpen()) {
vulnerabilityDefectConsistencyState = VulnerabilityDefectConsistencyState.CONSISTENT;
} else if (defect.isOpen()) {
vulnerabilityDefectConsistencyState =
VulnerabilityDefectConsistencyState.VULN_CLOSED_DEFECT_OPEN_NEEDS_SCAN;
} else {
Calendar latestScanDate = null;
for (Finding finding : vulnerability.getFindings()) {
Calendar scanDate = finding.getScan().getImportTime();
if ((latestScanDate == null) || scanDate.after(latestScanDate)) {
latestScanDate = scanDate;
}
if (finding.getScanRepeatFindingMaps() != null) {
for (ScanRepeatFindingMap scanRepeatFindingMap : finding.getScanRepeatFindingMaps()) {
Scan scan = scanRepeatFindingMap.getScan();
if (scan != null) {
scanDate = scan.getImportTime();
if ((latestScanDate == null) || scanDate.after(latestScanDate)) {
latestScanDate = scanDate;
}
}
}
}
}
Calendar defectStatusUpdatedDate = defect.getStatusUpdatedDate();
if (defectStatusUpdatedDate == null) {
defectStatusUpdatedDate = Calendar.getInstance();
defectStatusUpdatedDate.setTime(defect.getModifiedDate());
}
if ((latestScanDate != null) && latestScanDate.after(defectStatusUpdatedDate)) {
vulnerabilityDefectConsistencyState =
VulnerabilityDefectConsistencyState.VULN_OPEN_DEFECT_CLOSED_STILL_IN_SCAN;
} else {
vulnerabilityDefectConsistencyState =
VulnerabilityDefectConsistencyState.VULN_OPEN_DEFECT_CLOSED_NEEDS_SCAN;
}
}
}
vulnerability.setVulnerabilityDefectConsistencyState(vulnerabilityDefectConsistencyState);
return vulnerabilityDefectConsistencyState;
}
@Override
@SuppressWarnings("unchecked")
public List<Vulnerability> retrieveSimilarHashes(Vulnerability vulnerability) {
return sessionFactory
.getCurrentSession()
.createQuery(
"from Vulnerability vuln where vuln.application = :appId "
+ "and vuln.expired = :false "
+ "and (vuln.locationVariableHash = :lvHash or "
+ "vuln.locationHash = :lHash or vuln.variableHash = :vHash)")
.setString("lvHash", vulnerability.getLocationVariableHash())
.setString("lHash", vulnerability.getLocationHash())
.setString("vHash", vulnerability.getVariableHash())
.setInteger("appId", vulnerability.getApplication().getId())
.setBoolean("false", false)
.list();
}
@Override
public void delete(Vulnerability vulnerability) {
if (vulnerability.getDocuments() != null) {
for (Document document : vulnerability.getDocuments()) {
sessionFactory.getCurrentSession().delete(document);
}
}
if (vulnerability.getEvents() != null) {
for (Event event : vulnerability.getEvents()) {
event.setVulnerability(null);
sessionFactory.getCurrentSession().save(event);
}
}
sessionFactory.getCurrentSession().save(new DeletedVulnerability(vulnerability));
sessionFactory.getCurrentSession().delete(vulnerability);
}
public static Vulnerabilities.Vulnerability convertTFVulnToSSVLVuln(Vulnerability tfVuln) {
Vulnerabilities.Vulnerability ssvlVuln = factory.createVulnerabilitiesVulnerability();
ssvlVuln.setDescription(tfVuln.getGenericVulnName());
if (tfVuln.getDefect() != null) ssvlVuln.setIssueID(tfVuln.getDefect().getNativeId());
ssvlVuln.setCWE(tfVuln.getGenericVulnerability().getDisplayId());
ssvlVuln.setSeverity(Severities.fromValue(tfVuln.getSeverityName()));
ssvlVuln.setApplication(tfVuln.getAppName());
if (tfVuln.getFindings() != null) {
for (Finding tfFinding : tfVuln.getFindings()) {
ssvlVuln.getFinding().add(convertTFFindingToSSVLFinding(tfFinding));
}
}
return ssvlVuln;
}