fix(black-duck): Properly parse vector and scoring system from CVSS2

The resulting `vector` parsed from a given CVSS2 data structure
accidentally kept surrounding braces. Furthermore, extracting the
`scoringSystem` via `substringBefore('/')` gave wrong results, because
a CVSS2 vector does not have such a scoring system prefix at all, see
also the diff in `CVE-2015-3996-parsed.yml`.

Signed-off-by: Frank Viernau <[email protected]>

Author: fviernau

plugins/advisors/black-duck/src/main/kotlin/BlackDuck.kt

@@ -19,6 +19,8 @@
 
 package org.ossreviewtoolkit.plugins.advisors.blackduck
 
+import com.blackduck.integration.blackduck.api.generated.component.VulnerabilityCvss2View
+import com.blackduck.integration.blackduck.api.generated.component.VulnerabilityCvss3View
 import com.blackduck.integration.blackduck.api.generated.view.OriginView
 import com.blackduck.integration.blackduck.api.generated.view.VulnerabilityView
 
@@ -42,6 +44,7 @@ import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
 import org.ossreviewtoolkit.model.createAndLogIssue
 import org.ossreviewtoolkit.model.vulnerabilities.Cvss2Rating
+import org.ossreviewtoolkit.model.vulnerabilities.Cvss3Rating
 import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.plugins.api.OrtPlugin
@@ -199,17 +202,18 @@ class BlackDuck(
 
 internal fun VulnerabilityView.toOrtVulnerability(): Vulnerability {
     val referenceUris = setOf(meta.href.uri(), *meta.links.map { it.href.uri() }.toTypedArray())
-    val cvssVector = cvss3?.vector ?: cvss2?.vector
-    // Only CVSS version 2 vectors do not contain the "CVSS:" label and version prefix
-    val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.PREFIXES.first())
+
+    val (scoringSystem, vector) = cvss3?.getScoringSystemAndVector()
+        ?: cvss2?.getScoringSystemAndVector()
+        ?: null to null
 
     val references = referenceUris.map { uri ->
         VulnerabilityReference(
             url = uri,
             scoringSystem = scoringSystem,
             severity = severity.toString(),
             score = overallScore.toFloat(),
-            vector = cvssVector
+            vector = vector
         )
     }
 
@@ -220,6 +224,18 @@ internal fun VulnerabilityView.toOrtVulnerability(): Vulnerability {
     )
 }
 
+private fun VulnerabilityCvss3View.getScoringSystemAndVector(): Pair<String?, String?> {
+    val scoringSystem = vector.substringBefore('/', "").takeUnless { it.isEmpty() }
+        ?: Cvss3Rating.PREFIXES.first()
+    return scoringSystem to vector
+}
+
+private fun VulnerabilityCvss2View.getScoringSystemAndVector(): Pair<String?, String?> {
+    val scoringSystem = Cvss2Rating.PREFIXES.first()
+    val parsedVector = vector.removeSurrounding("(", ")")
+    return scoringSystem to parsedVector
+}
+
 private val OriginView.identifier get() = "$externalNamespace:$externalId"
 
 private fun Map<Identifier, List<OriginView>>.getSummary(): String =

plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml

@@ -7,37 +7,37 @@ description: "The default AFSecurityPolicy.validatesDomainName configuration for
   \ to spoof SSL servers via an arbitrary valid certificate."
 references:
 - url: "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2015-3996"
-  scoring_system: "(AV:N"
+  scoring_system: "CVSS2"
   severity: "MEDIUM"
   score: 4.3
-  vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://zeiss.app.blackduck.com/api/cwes/CWE-254"
-  scoring_system: "(AV:N"
+  scoring_system: "CVSS2"
   severity: "MEDIUM"
   score: 4.3
-  vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "http://www.securityfocus.com/bid/76242"
-  scoring_system: "(AV:N"
+  scoring_system: "CVSS2"
   severity: "MEDIUM"
   score: 4.3
-  vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://github.com/AFNetworking/AFNetworking/issues/2619"
-  scoring_system: "(AV:N"
+  scoring_system: "CVSS2"
   severity: "MEDIUM"
   score: 4.3
-  vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3"
-  scoring_system: "(AV:N"
+  scoring_system: "CVSS2"
   severity: "MEDIUM"
   score: 4.3
-  vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://owncloud.org/security/advisory/?id=oc-sa-2015-012"
-  scoring_system: "(AV:N"
+  scoring_system: "CVSS2"
   severity: "MEDIUM"
   score: 4.3
-  vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
 - url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3996"
-  scoring_system: "(AV:N"
+  scoring_system: "CVSS2"
   severity: "MEDIUM"
   score: 4.3
-  vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"

plugins/advisors/black-duck/src/test/kotlin/BlackDuckTest.kt

@@ -47,7 +47,7 @@ class BlackDuckTest : WordSpec({
             val vulnerabilityView = readVulnerabilityViewAssetFile("CVE-2015-3996.json")
 
             val vulnerability = vulnerabilityView.toOrtVulnerability()
-
+            expectedResult.writeText(vulnerability.toYaml())
             vulnerability.toYaml() shouldBe matchExpectedResult(expectedResult)
         }
     }