  /**
   * Maps a single ThreadFix {@code Finding} onto its SSVL counterpart.
   *
   * <p>Copies the description fields, native id, attack string, scanner name, channel
   * severity and import timestamp; the surface location is only carried over for dynamic
   * (non-static) findings, data-flow elements are converted one by one, and the dependency
   * is converted through {@link #convertTFDependencyToSSVL}.
   *
   * <p>NOTE(review): {@code getChannelVulnerability()}, {@code getChannelSeverity()} and
   * {@code getScan()} are dereferenced without a null check, so a finding lacking any of
   * them aborts the whole export with a NullPointerException — confirm against the entity
   * model whether these can legitimately be absent.
   *
   * @param tfFinding the ThreadFix finding to convert (must not be {@code null})
   * @return the populated SSVL finding
   */
  public static Vulnerabilities.Vulnerability.Finding convertTFFindingToSSVLFinding(
      Finding tfFinding) {

    Vulnerabilities.Vulnerability.Finding out =
        factory.createVulnerabilitiesVulnerabilityFinding();

    out.setFindingDescription(tfFinding.getChannelVulnerability().getName());
    out.setLongDescription(tfFinding.getLongDescription());
    out.setNativeID(tfFinding.getNativeId());
    out.setAttackString(tfFinding.getAttackString());
    out.setScanner(tfFinding.getChannelNameOrNull());
    out.setSeverity(tfFinding.getChannelSeverity().getName());
    out.setIdentifiedTimestamp(getTimestamp(tfFinding.getScan().getImportTime()));

    // Static-analysis findings have no request-level location to report.
    boolean isDynamic = !tfFinding.getIsStatic();
    if (isDynamic) {
      out.setSurfaceLocation(convertTFSurfaceLocationToSSVL(tfFinding.getSurfaceLocation()));
    }

    List<DataFlowElement> flows = tfFinding.getDataFlowElements();
    if (flows != null) {
      for (DataFlowElement flow : flows) {
        out.getDataFlowElement().add(convertTFDataFlowElementToSSVL(flow));
      }
    }

    // The dependency converter already handles a null dependency.
    out.setDependency(convertTFDependencyToSSVL(tfFinding.getDependency()));

    return out;
  }
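  /**
   * Converts a ThreadFix {@code SurfaceLocation} into its SSVL representation.
   *
   * <p>Only the parameter name and the URL are carried over. The URL is rendered with
   * {@code toString()} so whatever URL type ThreadFix stores ends up as plain text.
   *
   * @param tfSurfaceLocation the ThreadFix surface location, may be {@code null}
   * @return the SSVL surface location, or {@code null} when the input is {@code null}
   */
  private static Vulnerabilities.Vulnerability.Finding.SurfaceLocation
      convertTFSurfaceLocationToSSVL(SurfaceLocation tfSurfaceLocation) {
    if (tfSurfaceLocation == null) {
      return null;
    }

    Vulnerabilities.Vulnerability.Finding.SurfaceLocation ssvlSurfaceLocation =
        factory.createVulnerabilitiesVulnerabilityFindingSurfaceLocation();
    ssvlSurfaceLocation.setParameter(tfSurfaceLocation.getParameter());

    // A location without a URL previously blew up the entire export with a
    // NullPointerException on toString(); emit an absent URL instead.
    Object url = tfSurfaceLocation.getUrl();
    ssvlSurfaceLocation.setUrl(url == null ? null : url.toString());

    return ssvlSurfaceLocation;
  }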
  /**
   * Converts one ThreadFix {@code DataFlowElement} (a single step of a taint trace) into
   * its SSVL form: source file, line text, and the line/column/sequence numbers widened
   * to {@link BigInteger} as the generated SSVL model requires.
   *
   * <p>NOTE(review): no null check is performed on the argument; callers are expected
   * to pass a non-null element.
   *
   * @param tfDataFlowElement the ThreadFix data-flow step to convert
   * @return the populated SSVL data-flow element
   */
  private static Vulnerabilities.Vulnerability.Finding.DataFlowElement
      convertTFDataFlowElementToSSVL(DataFlowElement tfDataFlowElement) {
    Vulnerabilities.Vulnerability.Finding.DataFlowElement step =
        factory.createVulnerabilitiesVulnerabilityFindingDataFlowElement();

    // Textual fields are copied as-is.
    step.setLineText(tfDataFlowElement.getLineText());
    step.setSourceFileName(tfDataFlowElement.getSourceFileName());

    // Numeric positions are widened to BigInteger for the generated schema types.
    BigInteger line = BigInteger.valueOf(tfDataFlowElement.getLineNumber());
    BigInteger column = BigInteger.valueOf(tfDataFlowElement.getColumnNumber());
    BigInteger sequence = BigInteger.valueOf(tfDataFlowElement.getSequence());
    step.setLineNumber(line);
    step.setColumnNumber(column);
    step.setSequence(sequence);

    return step;
  }
  /**
   * Maps a ThreadFix {@code Vulnerability} onto an SSVL vulnerability, including all of its
   * findings.
   *
   * <p>The defect tracker id is only copied when a defect is attached. The severity name is
   * resolved through {@code Severities.fromValue}, so a severity string the SSVL enumeration
   * does not know will raise an exception and abort the export — NOTE(review): confirm the
   * ThreadFix severity names are a subset of the SSVL ones.
   *
   * @param tfVuln the ThreadFix vulnerability to convert (must not be {@code null})
   * @return the populated SSVL vulnerability
   */
  public static Vulnerabilities.Vulnerability convertTFVulnToSSVLVuln(Vulnerability tfVuln) {
    Vulnerabilities.Vulnerability result = factory.createVulnerabilitiesVulnerability();

    result.setDescription(tfVuln.getGenericVulnName());
    Defect defect = tfVuln.getDefect();
    if (defect != null) {
      result.setIssueID(defect.getNativeId());
    }
    result.setCWE(tfVuln.getGenericVulnerability().getDisplayId());
    result.setSeverity(Severities.fromValue(tfVuln.getSeverityName()));
    result.setApplication(tfVuln.getAppName());

    List<Finding> findings = tfVuln.getFindings();
    if (findings != null) {
      for (Finding finding : findings) {
        result.getFinding().add(convertTFFindingToSSVLFinding(finding));
      }
    }

    return result;
  }
  /**
   * Converts a ThreadFix {@code Dependency} (a vulnerable third-party component) into the
   * SSVL dependency element, copying CVE, component name and path, reference link, source
   * and description verbatim.
   *
   * @param tfDependency the ThreadFix dependency, may be {@code null}
   * @return the SSVL dependency, or {@code null} when there is no dependency to convert
   */
  private static Vulnerabilities.Vulnerability.Finding.Dependency convertTFDependencyToSSVL(
      Dependency tfDependency) {

    if (tfDependency == null) {
      return null;
    }

    Vulnerabilities.Vulnerability.Finding.Dependency dep =
        factory.createVulnerabilitiesVulnerabilityFindingDependency();

    // Straight field-for-field copy; no values are transformed.
    dep.setCVE(tfDependency.getCve());
    dep.setComponentName(tfDependency.getComponentName());
    dep.setComponentFilePath(tfDependency.getComponentFilePath());
    dep.setRefLink(tfDependency.getRefLink());
    dep.setSource(tfDependency.getSource());
    dep.setDescription(tfDependency.getDescription());

    return dep;
  }
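  /**
   * Converts a list of ThreadFix data-flow steps into SSVL data-flow elements, preserving
   * order.
   *
   * <p>Each element is converted by {@link #convertTFDataFlowElementToSSVL}; the per-element
   * field mapping previously duplicated here now lives in one place so the two cannot drift
   * apart.
   *
   * @param tfDataFlowElements the ThreadFix data-flow steps, may be {@code null}
   * @return the converted elements in the same order, or {@code null} when the input is
   *     {@code null}
   */
  private static List<Vulnerabilities.Vulnerability.Finding.DataFlowElement>
      convertTFDataFlowElementsToSSVL(List<DataFlowElement> tfDataFlowElements) {
    if (tfDataFlowElements == null) {
      return null;
    }

    List<Vulnerabilities.Vulnerability.Finding.DataFlowElement> ssvlDataFlowElements =
        CollectionUtils.list();
    for (DataFlowElement tfDataFlowElement : tfDataFlowElements) {
      ssvlDataFlowElements.add(convertTFDataFlowElementToSSVL(tfDataFlowElement));
    }
    return ssvlDataFlowElements;
  }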
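  /**
   * Serialises the given ThreadFix vulnerabilities as an SSVL 0.3 XML document.
   *
   * <p>Every vulnerability is converted with {@link #convertTFVulnToSSVLVuln}, the export
   * timestamp and spec version are stamped on the root element, and the result is marshalled
   * with formatted output.
   *
   * <p>Marshalling failures are no longer swallowed: the original only printed the stack
   * trace and returned whatever had been written so far, so a consumer received an empty or
   * truncated document that looked like a valid (possibly empty) export.
   *
   * @param tfVulnerabilities the vulnerabilities to export; {@code null} is treated as empty
   * @return the SSVL XML document
   * @throws IllegalStateException if the document cannot be marshalled
   */
  public static String parse(List<Vulnerability> tfVulnerabilities) {
    Vulnerabilities ssvlVulnerabilities = factory.createVulnerabilities();
    if (tfVulnerabilities != null) {
      for (Vulnerability tfVuln : tfVulnerabilities) {
        ssvlVulnerabilities.getVulnerability().add(convertTFVulnToSSVLVuln(tfVuln));
      }
    }

    ssvlVulnerabilities.setExportTimestamp(getCurrentTimestamp());
    ssvlVulnerabilities.setSpecVersion(SSVL_SPEC_VERSION_0_3);

    StringWriter stringWriter = new StringWriter();
    try {
      // NOTE(review): a JAXBContext is expensive to build and is safe to share across
      // threads; if this export runs often, cache it in a static field instead.
      JAXBContext context =
          JAXBContext.newInstance("com.denimgroup.threadfix.data.entities.ssvl.generated");
      Marshaller marshaller = context.createMarshaller();
      marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
      // Scanner-supplied text (attack strings, URLs, line text) is expected to be
      // XML-escaped by the marshaller rather than spliced into the document raw.
      marshaller.marshal(ssvlVulnerabilities, stringWriter);
    } catch (JAXBException e) {
      // Preserve the cause; do not hand back a partial document as if it were complete.
      throw new IllegalStateException("Failed to marshal SSVL export", e);
    }
    return stringWriter.toString();
  }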