refactor(model)!: Generalize the scoring system mapping

sschuberth · sschuberth · commit ea95f4b3e52a · 2024-09-17T18:43:32.000+02:00
Only look for prefixes when matching scoring system names to properly
recognize e.g. "cvssv3.1_qr" as a `Cvss3Rating`.

Signed-off-by: Sebastian Schuberth &lt;sebastian@doubleopen.org&gt;
diff --git a/evaluator/src/main/kotlin/PackageRule.kt b/evaluator/src/main/kotlin/PackageRule.kt
@@ -110,11 +110,12 @@ open class PackageRule(
 
                 val severities = matchingSystems
                     .mapNotNull { it.severity }
-                    .mapNotNull {
-                        when (scoringSystem.uppercase()) {
-                            in Cvss2Rating.NAMES -> enumValueOf<Cvss2Rating>(it)
-                            in Cvss3Rating.NAMES -> enumValueOf<Cvss3Rating>(it)
-                            in Cvss4Rating.NAMES -> enumValueOf<Cvss4Rating>(it)
+                    .mapNotNull { severity ->
+                        val system = scoringSystem.uppercase()
+                        when {
+                            Cvss2Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf<Cvss2Rating>(severity)
+                            Cvss3Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf<Cvss3Rating>(severity)
+                            Cvss4Rating.PREFIXES.any { system.startsWith(it) } -> enumValueOf<Cvss4Rating>(severity)
                             else -> null
                         }
                     }
diff --git a/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt b/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
@@ -30,9 +30,9 @@ enum class Cvss2Rating(private val upperBound: Float) {
 
     companion object {
         /**
-         * A set of names that refer to the CVSS version 2 scoring system.
+         * A set of prefixes that refer to the CVSS version 2 scoring system.
          */
-        val NAMES = setOf("CVSS2", "CVSSV2", "CVSS_V2", "CVSS:2.0")
+        val PREFIXES = setOf("CVSS2", "CVSSV2", "CVSS_V2", "CVSS:2")
 
         /**
          * Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].
diff --git a/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt b/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
@@ -32,9 +32,9 @@ enum class Cvss3Rating(private val upperBound: Float) {
 
     companion object {
         /**
-         * A set of names that refer to the CVSS version 3 scoring system.
+         * A set of prefixes that refer to the CVSS version 3 scoring system.
          */
-        val NAMES = setOf("CVSS3", "CVSSV3", "CVSS_V3", "CVSS:3.0", "CVSS:3.1")
+        val PREFIXES = setOf("CVSS3", "CVSSV3", "CVSS_V3", "CVSS:3")
 
         /**
          * Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].
diff --git a/model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt b/model/src/main/kotlin/vulnerabilities/Cvss4Rating.kt
@@ -32,9 +32,9 @@ enum class Cvss4Rating(private val upperBound: Float) {
 
     companion object {
         /**
-         * A set of names that refer to the CVSS version 4 scoring system.
+         * A set of prefixes that refer to the CVSS version 4 scoring system.
          */
-        val NAMES = setOf("CVSS4", "CVSSV4", "CVSS_V4", "CVSS:4.0")
+        val PREFIXES = setOf("CVSS4", "CVSSV4", "CVSS_V4", "CVSS:4")
 
         /**
          * Get the [Cvss4Rating] from a [score], or null if the [score] does not map to any [Cvss4Rating].
diff --git a/model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt b/model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt
@@ -66,12 +66,14 @@ data class VulnerabilityReference(
         /**
          * Return a qualitative rating that is determined based on the given [scoringSystem] and [score].
          */
-        fun getQualitativeRating(scoringSystem: String?, score: Float?): Enum<*>? =
-            when (scoringSystem?.uppercase()) {
-                in Cvss2Rating.NAMES -> score?.let { Cvss2Rating.fromScore(it) }
-                in Cvss3Rating.NAMES -> score?.let { Cvss3Rating.fromScore(it) }
-                in Cvss4Rating.NAMES -> score?.let { Cvss4Rating.fromScore(it) }
+        fun getQualitativeRating(scoringSystem: String?, score: Float?): Enum<*>? {
+            val system = scoringSystem?.uppercase() ?: return null
+            return when {
+                Cvss2Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss2Rating.fromScore(it) }
+                Cvss3Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss3Rating.fromScore(it) }
+                Cvss4Rating.PREFIXES.any { system.startsWith(it) } -> score?.let { Cvss4Rating.fromScore(it) }
                 else -> null
             }
+        }
     }
 }
diff --git a/plugins/advisors/oss-index/src/main/kotlin/OssIndex.kt b/plugins/advisors/oss-index/src/main/kotlin/OssIndex.kt
@@ -138,7 +138,7 @@ class OssIndex(override val descriptor: PluginDescriptor, config: OssIndexConfig
      */
     private fun OssIndexService.Vulnerability.toVulnerability(): Vulnerability {
         // Only CVSS version 2 vectors do not contain the "CVSS:" label and version prefix.
-        val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.NAMES.first())
+        val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.PREFIXES.first())
 
         val severity = VulnerabilityReference.getQualitativeRating(scoringSystem, cvssScore)?.name
         val reference = VulnerabilityReference(URI(reference), scoringSystem, severity, cvssScore, cvssVector)
