@@ -182,43 +182,48 @@ private fun createRequest(pkg: Package): VulnerabilitiesForPackageRequest? {
182182}
183183
184184private fun Vulnerability.toOrtVulnerability (): org.ossreviewtoolkit.model.vulnerabilities.Vulnerability {
185- // OSV uses a list in order to support multiple representations of the severity using different scoring systems.
186- // However, only one representation is actually possible currently, because the enum 'Severity.Type' contains just a
187- // single element / scoring system. So, picking first severity is fine, in particular because ORT only supports a
188- // single severity representation.
189- val (scoringSystem, severity) = severity.firstOrNull()?.let {
185+ // The ORT and OSV vulnerability data models are different in that ORT uses a severity for each reference (assuming
186+ // that different references could use different severities), whereas OSV manages severities and references on the
187+ // same level, which means it is not possible to identify whether a reference belongs to a specific severity.
188+ // To map between these different model, simply use the "cartesian product" to create an ORT reference for each
189+ // combination of an OSV severity and reference.
190+ val ortReferences = mutableListOf<VulnerabilityReference >()
191+
192+ severity.map {
190193 it.type.name to it.score
191- } ? : (null to null )
192-
193- val references = references.mapNotNull { reference ->
194- val url = reference.url.trim().let { if (it.startsWith(" ://" " https$it " else it }
195-
196- url.toUri().onFailure {
197- logger.debug { " Could not parse reference URL for vulnerability '$id ': ${it.collectMessages()} ."
198- }.map {
199- // Use the 'severity' property of the unspecified 'databaseSpecific' object.
200- // See also https://github.com/google/osv.dev/issues/484.
201- val specificSeverity = databaseSpecific?.get(" severity"
202-
203- // Note that the CVSS Calculator does not support CVSS 4.0 yet:
204- // https://github.com/stevespringett/cvss-calculator/issues/78
205- val baseScore = runCatching {
206- Cvss .fromVector(severity)?.calculateScore()?.baseScore?.toFloat()
207- }.onFailure {
208- logger.debug { " Unable to parse CVSS vector '$severity ': ${it.collectMessages()} ."
194+ }.ifEmpty {
195+ listOf (null to null )
196+ }.forEach { (scoringSystem, severity) ->
197+ references.mapNotNullTo(ortReferences) { reference ->
198+ val url = reference.url.trim().let { if (it.startsWith(" ://" " https$it " else it }
199+
200+ url.toUri().onFailure {
201+ logger.debug { " Could not parse reference URL for vulnerability '$id ': ${it.collectMessages()} ."
202+ }.map {
203+ // Use the 'severity' property of the unspecified 'databaseSpecific' object.
204+ // See also https://github.com/google/osv.dev/issues/484.
205+ val specificSeverity = databaseSpecific?.get(" severity"
206+
207+ // Note that the CVSS Calculator does not support CVSS 4.0 yet:
208+ // https://github.com/stevespringett/cvss-calculator/issues/78
209+ val baseScore = runCatching {
210+ Cvss .fromVector(severity)?.calculateScore()?.baseScore?.toFloat()
211+ }.onFailure {
212+ logger.debug { " Unable to parse CVSS vector '$severity ': ${it.collectMessages()} ."
213+ }.getOrNull()
214+
215+ val severityRating = (specificSeverity as ? JsonPrimitive )?.contentOrNull
216+ ? : VulnerabilityReference .getSeverityRating(scoringSystem, baseScore)
217+
218+ VulnerabilityReference (it, scoringSystem, severityRating, baseScore, severity)
209219 }.getOrNull()
210-
211- val severityRating = (specificSeverity as ? JsonPrimitive )?.contentOrNull
212- ? : VulnerabilityReference .getSeverityRating(scoringSystem, baseScore)
213-
214- VulnerabilityReference (it, scoringSystem, severityRating, baseScore, severity)
215- }.getOrNull()
220+ }
216221 }
217222
218223 return org.ossreviewtoolkit.model.vulnerabilities.Vulnerability (
219224 id = id,
220225 summary = summary,
221226 description = details,
222- references = references
227+ references = ortReferences
223228 )
224229}
0 commit comments