package dtrack
import (
"context"
"fmt"
"net/http"
"strconv"
"github.com/google/uuid"
)
// Vulnerability is the JSON shape of a vulnerability record as exchanged with
// the API; VulnerabilityService.Get decodes a response body directly into it.
//
// All numeric scores are plain float64 values without omitempty, so a score
// that is missing from the response decodes to 0 and cannot be told apart from
// a reported score of 0. Do not read a zero score as "no risk".
type Vulnerability struct {
	// Identification of the record and of the database it came from.
	UUID    uuid.UUID            `json:"uuid"`
	VulnID  string               `json:"vulnId"`
	Source  string               `json:"source"`
	Aliases []VulnerabilityAlias `json:"aliases"`

	// Free-text fields. NOTE(review): presumably advisory text supplied by
	// upstream sources; treat as untrusted and escape before rendering it.
	Title          string `json:"title"`
	SubTitle       string `json:"subTitle"`
	Description    string `json:"description"`
	Recommendation string `json:"recommendation"`
	References     string `json:"references"`
	Credits        string `json:"credits"`

	// Timestamps are kept as the raw strings sent by the server; nothing in
	// this type parses or validates them.
	Created   string `json:"created"`
	Published string `json:"published"`
	Updated   string `json:"updated"`

	// Weakness classification. NOTE(review): CWE looks like the single-value
	// form kept alongside the CWEs list; confirm which one the server fills.
	CWE  CWE   `json:"cwe"`
	CWEs []CWE `json:"cwes"`

	// CVSS v2 scores and vector string.
	CVSSV2BaseScore              float64 `json:"cvssV2BaseScore"`
	CVSSV2ImpactSubScore         float64 `json:"cvssV2ImpactSubScore"`
	CVSSV2ExploitabilitySubScore float64 `json:"cvssV2ExploitabilitySubScore"`
	CVSSV2Vector                 string  `json:"cvssV2Vector"`

	// CVSS v3 scores and vector string.
	CVSSV3BaseScore              float64 `json:"cvssV3BaseScore"`
	CVSSV3ImpactSubScore         float64 `json:"cvssV3ImpactSubScore"`
	CVSSV3ExploitabilitySubScore float64 `json:"cvssV3ExploitabilitySubScore"`
	CVSSV3Vector                 string  `json:"cvssV3Vector"`

	// OWASP Risk Rating scores and vector string.
	OWASPRRBusinessImpactScore  float64 `json:"owaspRRBusinessImpactScore"`
	OWASPRRLikelihoodScore      float64 `json:"owaspRRLikelihoodScore"`
	OWASPRRTechnicalImpactScore float64 `json:"owaspRRTechnicalImpactScore"`
	OWASPRRVector               string  `json:"owaspRRVector"`

	// Severity is the label as sent by the server; it is not validated here.
	Severity string `json:"severity"`

	// EPSS score and percentile.
	EPSSScore      float64 `json:"epssScore"`
	EPSSPercentile float64 `json:"epssPercentile"`

	// Affected and fixed version descriptions, as free-form strings.
	VulnerableVersions string `json:"vulnerableVersions"`
	PatchedVersions    string `json:"patchedVersions"`

	// Components is nil when the field is absent from the response, and is
	// left out of encoded output when nil.
	Components *[]Component `json:"components,omitempty"`
}
// VulnerabilityAlias lists the identifiers under which one vulnerability is
// known in different vulnerability databases. Every field is a plain string,
// so an identifier that is absent from the response decodes to "".
type VulnerabilityAlias struct {
	// CveID is the ID of the vulnerability in the NVD.
	CveID string `json:"cveId"`
	// GhsaID is the ID of the vulnerability in GitHub.
	GhsaID string `json:"ghsaId"`
	// GsdID is the ID of the vulnerability in the GSD.
	GsdID string `json:"gsdId"`
	// InternalID is the ID of the vulnerability in DT's internal database.
	InternalID string `json:"internalId"`
	// OsvID is the ID of the vulnerability in OSV.
	OsvID string `json:"osvId"`
	// SonatypeId is the ID of the vulnerability in Sonatype's database.
	// The name breaks the "ID" initialism used by its siblings; it is kept
	// because the exported field name is part of the package API.
	SonatypeId string `json:"sonatypeId"`
	// SnykID is the ID of the vulnerability in Snyk's database.
	SnykID string `json:"snykId"`
	// VulnDbID is the ID of the vulnerability in VulnDB.
	VulnDbID string `json:"vulnDbId"`
}
// CWE is a weakness classification entry attached to a Vulnerability.
type CWE struct {
	// ID is the numeric identifier, carried in the "cweId" JSON field.
	ID int `json:"cweId"`
	// Name is the entry's name as sent by the server.
	Name string `json:"name"`
}
// VulnerabilityService groups the vulnerability endpoints under
// /api/v1/vulnerability. Every method builds and sends its request through
// client, so transport and credential handling live there, not in this type.
type VulnerabilityService struct {
	// client builds and executes the HTTP requests issued by the methods.
	client *Client
}
// Get fetches the vulnerability identified by vulnUUID with a GET request to
// /api/v1/vulnerability/{uuid} and decodes the response into v.
//
// The path segment is the uuid.UUID's string form rather than a free-form
// string, so callers cannot inject extra path elements through it.
//
// When the request fails, err is non-nil and v holds whatever doRequest left
// in it; callers should ignore v in that case.
func (vs VulnerabilityService) Get(ctx context.Context, vulnUUID uuid.UUID) (v Vulnerability, err error) {
	path := fmt.Sprintf("/api/v1/vulnerability/%s", vulnUUID)

	request, err := vs.client.newRequest(ctx, http.MethodGet, path)
	if err != nil {
		return v, err
	}

	if _, err = vs.client.doRequest(request, &v); err != nil {
		return v, err
	}
	return v, nil
}
// GetAllForComponent fetches one page of the vulnerabilities recorded for the
// component identified by componentUUID.
//
// suppressed is forwarded verbatim as the "suppressed" query parameter.
// NOTE(review): presumably false makes the server omit suppressed findings, so
// the result may under-report what affects the component; confirm against the
// server's API documentation.
//
// Only the page selected by po is returned. p.TotalCount is copied from the
// response, and callers that need the complete list must keep requesting
// pages until they have collected that many items.
func (vs VulnerabilityService) GetAllForComponent(ctx context.Context, componentUUID uuid.UUID, suppressed bool, po PageOptions) (p Page[Vulnerability], err error) {
	query := map[string]string{"suppressed": strconv.FormatBool(suppressed)}
	path := fmt.Sprintf("/api/v1/vulnerability/component/%s", componentUUID)

	request, err := vs.client.newRequest(ctx, http.MethodGet, path, withParams(query), withPageOptions(po))
	if err != nil {
		return p, err
	}

	response, err := vs.client.doRequest(request, &p.Items)
	if err != nil {
		return p, err
	}

	p.TotalCount = response.TotalCount
	return p, nil
}
// GetAllForProject fetches one page of the vulnerabilities recorded for the
// project identified by projectUUID.
//
// suppressed is forwarded verbatim as the "suppressed" query parameter.
// NOTE(review): presumably false makes the server omit suppressed findings, so
// the result may under-report what affects the project; confirm against the
// server's API documentation.
//
// Only the page selected by po is returned. p.TotalCount is copied from the
// response, and callers that need the complete list must keep requesting
// pages until they have collected that many items.
func (vs VulnerabilityService) GetAllForProject(ctx context.Context, projectUUID uuid.UUID, suppressed bool, po PageOptions) (p Page[Vulnerability], err error) {
	query := map[string]string{"suppressed": strconv.FormatBool(suppressed)}
	path := fmt.Sprintf("/api/v1/vulnerability/project/%s", projectUUID)

	request, err := vs.client.newRequest(ctx, http.MethodGet, path, withParams(query), withPageOptions(po))
	if err != nil {
		return p, err
	}

	response, err := vs.client.doRequest(request, &p.Items)
	if err != nil {
		return p, err
	}

	p.TotalCount = response.TotalCount
	return p, nil
}
// Assign links the vulnerability vulnUUID to the component componentUUID with
// a POST to /api/v1/vulnerability/{vuln}/component/{component}.
//
// This call changes server state. No response body is decoded (nil is passed
// to doRequest), so the returned error is the only outcome signal. The method
// makes no permission check of its own; authorization is presumably enforced
// by the server, so callers should log who triggered the change.
func (vs VulnerabilityService) Assign(ctx context.Context, vulnUUID, componentUUID uuid.UUID) (err error) {
	path := fmt.Sprintf("/api/v1/vulnerability/%s/component/%s", vulnUUID, componentUUID)

	request, err := vs.client.newRequest(ctx, http.MethodPost, path)
	if err != nil {
		return err
	}

	_, err = vs.client.doRequest(request, nil)
	return err
}
// Unassign removes the link between the vulnerability vulnUUID and the
// component componentUUID with a DELETE to
// /api/v1/vulnerability/{vuln}/component/{component}.
//
// This call changes server state: after it succeeds the component no longer
// carries the finding. No response body is decoded (nil is passed to
// doRequest), so the returned error is the only outcome signal. The method
// makes no permission check of its own; authorization is presumably enforced
// by the server, so callers should log who triggered the removal.
func (vs VulnerabilityService) Unassign(ctx context.Context, vulnUUID, componentUUID uuid.UUID) (err error) {
	path := fmt.Sprintf("/api/v1/vulnerability/%s/component/%s", vulnUUID, componentUUID)

	request, err := vs.client.newRequest(ctx, http.MethodDelete, path)
	if err != nil {
		return err
	}

	_, err = vs.client.doRequest(request, nil)
	return err
}