oss-review-toolkit · fviernau · Jan 29, 2025 · Jan 29, 2025 · Jan 29, 2025 · Jan 29, 2025
@@ -19,6 +19,8 @@
 
 package org.ossreviewtoolkit.plugins.advisors.blackduck
 
+import com.blackduck.integration.blackduck.api.generated.component.VulnerabilityCvss2View
+import com.blackduck.integration.blackduck.api.generated.component.VulnerabilityCvss3View
 import com.blackduck.integration.blackduck.api.generated.view.OriginView
 import com.blackduck.integration.blackduck.api.generated.view.VulnerabilityView
 
@@ -42,6 +44,7 @@ import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
 import org.ossreviewtoolkit.model.createAndLogIssue
 import org.ossreviewtoolkit.model.vulnerabilities.Cvss2Rating
+import org.ossreviewtoolkit.model.vulnerabilities.Cvss3Rating
 import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.plugins.api.OrtPlugin
@@ -200,17 +203,17 @@ class BlackDuck(
 internal fun VulnerabilityView.toOrtVulnerability(): Vulnerability {
     val referenceUris = setOf(meta.href.uri(), *meta.links.map { it.href.uri() }.toTypedArray())
 
-    val references = referenceUris.map { uri ->
-        val cvssVector = cvss3?.vector ?: cvss2?.vector
-        // Only CVSS version 2 vectors do not contain the "CVSS:" label and version prefix
-        val scoringSystem = cvssVector?.substringBefore('/', Cvss2Rating.PREFIXES.first())
+    val (scoringSystem, vector) = cvss3?.getScoringSystemAndVector()
+        ?: cvss2?.getScoringSystemAndVector()
+        ?: (null to null)
 
+    val references = referenceUris.map { uri ->
         VulnerabilityReference(
             url = uri,
             scoringSystem = scoringSystem,
             severity = severity.toString(),
             score = overallScore.toFloat(),
-            vector = cvssVector
+            vector = vector
         )
     }
 
@@ -221,6 +224,17 @@ internal fun VulnerabilityView.toOrtVulnerability(): Vulnerability {
     )
 }
 
+private fun VulnerabilityCvss3View.getScoringSystemAndVector(): Pair<String, String> {
+    val scoringSystem = vector.substringBefore('/', "").ifEmpty { Cvss3Rating.PREFIXES.first() }
+    return scoringSystem to vector
+}
+
+private fun VulnerabilityCvss2View.getScoringSystemAndVector(): Pair<String, String> {
+    val scoringSystem = Cvss2Rating.PREFIXES.first()
+    val parsedVector = vector.removeSurrounding("(", ")")
+    return scoringSystem to parsedVector
+}
+
 private val OriginView.identifier get() = "$externalNamespace:$externalId"
 
 private fun Map<Identifier, List<OriginView>>.getSummary(): String =

@@ -0,0 +1,43 @@
+---
+id: "CVE-2015-3996"
+description: "The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone\
+  \ in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library,\
+  \ disables verification of a server hostname against the domain name in the subject's\
+  \ Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers\
+  \ to spoof SSL servers via an arbitrary valid certificate."
+references:
+- url: "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2015-3996"
+  scoring_system: "CVSS2"
+  severity: "MEDIUM"
+  score: 4.3
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
+- url: "https://zeiss.app.blackduck.com/api/cwes/CWE-254"
+  scoring_system: "CVSS2"
+  severity: "MEDIUM"
+  score: 4.3
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
+- url: "http://www.securityfocus.com/bid/76242"
+  scoring_system: "CVSS2"
+  severity: "MEDIUM"
+  score: 4.3
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
+- url: "https://github.com/AFNetworking/AFNetworking/issues/2619"
+  scoring_system: "CVSS2"
+  severity: "MEDIUM"
+  score: 4.3
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
+- url: "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3"
+  scoring_system: "CVSS2"
+  severity: "MEDIUM"
+  score: 4.3
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
+- url: "https://owncloud.org/security/advisory/?id=oc-sa-2015-012"
+  scoring_system: "CVSS2"
+  severity: "MEDIUM"
+  score: 4.3
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
+- url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3996"
+  scoring_system: "CVSS2"
+  severity: "MEDIUM"
+  score: 4.3
+  vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
@@ -0,0 +1,59 @@
+{
+  "source": "NVD",
+  "name": "CVE-2015-3996",
+  "description": "The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a server hostname against the domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+  "publishedDate": "2015-10-27T16:59:00.100Z",
+  "updatedDate": "2015-10-28T18:41:26.763Z",
+  "severity": "MEDIUM",
+  "cvss2": {
+    "baseScore": 4.3,
+    "impactSubscore": 2.9,
+    "exploitabilitySubscore": 8.6,
+    "severity": "MEDIUM",
+    "accessVector": "NETWORK",
+    "accessComplexity": "MEDIUM",
+    "authentication": "NONE",
+    "confidentialityImpact": "NONE",
+    "integrityImpact": "PARTIAL",
+    "availabilityImpact": "NONE",
+    "vector": "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+  },
+  "useCvss3": false,
+  "classifications": [],
+  "bdsaTags": [],
+  "overallScore": 4.3,
+  "_meta": {
+    "allow": [],
+    "href": "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2015-3996",
+    "links": [
+      {
+        "rel": "cwes",
+        "href": "https://zeiss.app.blackduck.com/api/cwes/CWE-254"
+      },
+      {
+        "rel": "reference",
+        "href": "http://www.securityfocus.com/bid/76242",
+        "label": "Reference"
+      },
+      {
+        "rel": "reference",
+        "href": "https://github.com/AFNetworking/AFNetworking/issues/2619",
+        "label": "Reference"
+      },
+      {
+        "rel": "reference",
+        "href": "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3",
+        "label": "Reference"
+      },
+      {
+        "rel": "reference",
+        "href": "https://owncloud.org/security/advisory/?id=oc-sa-2015-012",
+        "label": "Vendor Advisory"
+      },
+      {
+        "rel": "nist",
+        "href": "https://nvd.nist.gov/vuln/detail/CVE-2015-3996"
+      }
+    ]
+  }
+}
@@ -34,12 +34,21 @@ import org.ossreviewtoolkit.utils.test.matchExpectedResult
 class BlackDuckTest : WordSpec({
     "toOrtVulnerability()" should {
         "parse a vulnerability with CVSS 3.1 and with duplicate links as expected" {
-            val expectedResult = getAssetFile("BDSA-2024-5272-parsed.yml")
+            val expectedResultFile = getAssetFile("BDSA-2024-5272-parsed.yml")
             val vulnerabilityView = readVulnerabilityViewAssetFile("BDSA-2024-5272.json")
 
             val vulnerability = vulnerabilityView.toOrtVulnerability()
 
-            vulnerability.toYaml() shouldBe matchExpectedResult(expectedResult)
+            vulnerability.toYaml() shouldBe matchExpectedResult(expectedResultFile)
+        }
+
+        "parse a vulnerability with CVSS 2 (only) as expected" {
+            val expectedResultFile = getAssetFile("CVE-2015-3996-parsed.yml")
+            val vulnerabilityView = readVulnerabilityViewAssetFile("CVE-2015-3996.json")
+
+            val vulnerability = vulnerabilityView.toOrtVulnerability()
+
+            vulnerability.toYaml() shouldBe matchExpectedResult(expectedResultFile)
         }
     }
 })