From 6daea41af1053cba74de23e5fa888e67c3455add Mon Sep 17 00:00:00 2001
From: "Amir M. Mir"
Date: Fri, 25 Mar 2022 16:54:55 +0100
Subject: [PATCH 1/3] Fix finding vulnerable packages versions given package version id in MetadataDao

---
 .../java/eu/fasten/core/data/metadatadb/MetadataDao.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java b/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
index 22cf69697..e42d11e1d 100644
--- a/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
+++ b/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
@@ -22,9 +22,9 @@
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import eu.fasten.core.data.Constants;
-import eu.fasten.core.data.FastenPythonURI;
-import eu.fasten.core.data.FastenJavaURI;
 import eu.fasten.core.data.FastenCURI;
+import eu.fasten.core.data.FastenJavaURI;
+import eu.fasten.core.data.FastenPythonURI;
 import eu.fasten.core.data.FastenURI;
 import eu.fasten.core.data.metadatadb.codegen.Keys;
 import eu.fasten.core.data.metadatadb.codegen.enums.Access;
@@ -1590,9 +1590,9 @@ public String getArtifactName(long packageVersionId) {
 public Set findVulnerablePackageVersions(Set packageVersionIDs) {
 var result = context
 .select(PackageVersions.PACKAGE_VERSIONS.ID)
- .from(PackageVersions.PACKAGE_VERSIONS)
+ .from(PackageVersions.PACKAGE_VERSIONS, VulnerabilitiesXPackageVersions.VULNERABILITIES_X_PACKAGE_VERSIONS)
 .where(PackageVersions.PACKAGE_VERSIONS.ID.in(packageVersionIDs))
- .and("package_versions.metadata::jsonb->'vulnerabilities' is not null")
+ .and(PackageVersions.PACKAGE_VERSIONS.ID.eq(VulnerabilitiesXPackageVersions.VULNERABILITIES_X_PACKAGE_VERSIONS.PACKAGE_VERSION_ID))
 .fetch();
 return new HashSet<>(result.map(Record1::value1));
 }

From d9465f3b51ede1d2052709916efa217ff253b0f2 Mon Sep 17 00:00:00 2001
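Review bot: The new `.from(PackageVersions.PACKAGE_VERSIONS, VulnerabilitiesXPackageVersions.VULNERABILITIES_X_PACKAGE_VERSIONS)` in findVulnerablePackageVersions is a comma-list cross join with the equality pushed into `.and(...)`, so a package version with several rows in the link table comes back once per vulnerability; the `HashSet` hides the duplicates but the database still materialises them. Since the `.in(packageVersionIDs)` filter already restricts the result to IDs the caller supplied, `selectDistinct(VulnerabilitiesXPackageVersions.VULNERABILITIES_X_PACKAGE_VERSIONS.PACKAGE_VERSION_ID)` with `.from(VulnerabilitiesXPackageVersions.VULNERABILITIES_X_PACKAGE_VERSIONS)` and `.where(VulnerabilitiesXPackageVersions.VULNERABILITIES_X_PACKAGE_VERSIONS.PACKAGE_VERSION_ID.in(packageVersionIDs))` should yield the same set without touching package_versions, assuming the link table's package_version_id is a foreign key to it. If the join to package_versions is intentional, an explicit `.join(...).on(...)` states that intent more clearly than a comma list plus a where predicate. Replacing the raw `"...::jsonb->'vulnerabilities' is not null"` string with typed jOOQ predicates is a welcome change in itself.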
From: "Amir M. Mir"
Date: Fri, 25 Mar 2022 16:57:17 +0100
Subject: [PATCH 2/3] Fix finding vulnerable callables given pkg. versions IDs and callable IDs

---
 .../fasten/core/data/metadatadb/MetadataDao.java | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java b/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
index e42d11e1d..80b8e1893 100644
--- a/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
+++ b/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
@@ -1602,21 +1602,26 @@ public Map findVulnerableCallables(Set vulnerablePackage
 PackageVersions pv = PackageVersions.PACKAGE_VERSIONS;
 Modules m = Modules.MODULES;
 Callables c = Callables.CALLABLES;
+ Vulnerabilities v = Vulnerabilities.VULNERABILITIES;
+ VulnerabilitiesXPackageVersions vxp = VulnerabilitiesXPackageVersions.VULNERABILITIES_X_PACKAGE_VERSIONS;
+ VulnerabilitiesXCallables vxc = VulnerabilitiesXCallables.VULNERABILITIES_X_CALLABLES;
 var result = context
- .select(c.ID, c.METADATA)
- .from(c)
+ .select(vxc.CALLABLE_ID, v.STATEMENT)
+ .from(c, v, vxp, vxc)
 .join(m)
 .on(c.MODULE_ID.eq(m.ID))
 .join(pv)
 .on(m.PACKAGE_VERSION_ID.eq(pv.ID))
 .where(pv.ID.in(vulnerablePackageVersions))
- .and(c.ID.in(callableIDs))
- .and("callables.metadata::jsonb->'vulnerabilities' is not null")
+ .and(pv.ID.eq(vxp.PACKAGE_VERSION_ID))
+ .and(vxc.VULNERABILITY_ID.eq(vxp.VULNERABILITY_ID))
+ .and(v.ID.eq(vxc.VULNERABILITY_ID))
+ .and(vxc.CALLABLE_ID.in(callableIDs))
 .fetch();
 var map = new HashMap(result.size());
 for (var record : result) {
- map.put(record.value1(), new JSONObject(record.value2().data()).getJSONObject("vulnerabilities"));
+ map.put(record.value1(), new JSONObject(record.value2().data()));
 }
 return map;
 }

From fdb91f03fe289e0eda456b78e1c88edb3ea1b939 Mon Sep 17 00:00:00 2001
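Review bot: Nothing in the rewritten query ties `Callables c` to `vxc` — there is no `c.ID.eq(vxc.CALLABLE_ID)` predicate after `.from(c, v, vxp, vxc)` — so every vxc row that passes the filters is multiplied by every callable of the selected package versions; the map collapses the duplicates but the row set can be very large. The `.join(m)` placed after a comma-separated `from` attaches to the last listed table rather than to `c`, and if jOOQ renders that literally the `.on(c.MODULE_ID.eq(m.ID))` condition references a table outside its join item, which PostgreSQL (the dialect implied by the removed `::jsonb` predicate) rejects at execution time — worth confirming against the generated SQL. Separately, `map.put(record.value1(), ...)` keeps only the last statement when one callable has several vulnerabilities. The third patch in this series drops `c`, `m` and `pv` and collects a list per callable, which addresses these points; findVulnerableCallables' signature lies above this hunk.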
From: "Amir M. Mir"
Date: Mon, 28 Mar 2022 11:34:40 +0200
Subject: [PATCH 3/3] Simplify the method for finding vulnerable callables and their vulnerability statements + comments.

---
 .../core/data/metadatadb/MetadataDao.java | 39 +++++++++++--------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java b/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
index 80b8e1893..e1ca68b50 100644
--- a/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
+++ b/core/src/main/java/eu/fasten/core/data/metadatadb/MetadataDao.java
@@ -74,6 +74,7 @@
 import java.sql.Timestamp;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -1587,6 +1588,10 @@ public String getArtifactName(long packageVersionId) {
 return result.value1() + Constants.mvnCoordinateSeparator + result.value2();
 }
+ /**
+ * Finds a set of vulnerable package version ID given a set of package version IDs.
+ * If none of given package version IDs are vulnerable, it returns an empty set.
+ */
 public Set findVulnerablePackageVersions(Set packageVersionIDs) {
 var result = context
 .select(PackageVersions.PACKAGE_VERSIONS.ID)
@@ -1597,31 +1602,31 @@ public Set findVulnerablePackageVersions(Set packageVersionIDs) {
 return new HashSet<>(result.map(Record1::value1));
 }
- public Map findVulnerableCallables(Set vulnerablePackageVersions, Set callableIDs) {
+ /**
+ * Given a set of vulnerable package version IDs and a set of callable IDs, it returns a map of vulnerable callable IDs
+ * and their corresponding vulnerability JSON statement (if any).
+ */
+ public Map> findVulnerableCallables(Set vulnerablePackageVersions, Set callableIDs) {
- PackageVersions pv = PackageVersions.PACKAGE_VERSIONS;
- Modules m = Modules.MODULES;
- Callables c = Callables.CALLABLES;
 Vulnerabilities v = Vulnerabilities.VULNERABILITIES;
 VulnerabilitiesXPackageVersions vxp = VulnerabilitiesXPackageVersions.VULNERABILITIES_X_PACKAGE_VERSIONS;
 VulnerabilitiesXCallables vxc = VulnerabilitiesXCallables.VULNERABILITIES_X_CALLABLES;
- var result = context
- .select(vxc.CALLABLE_ID, v.STATEMENT)
- .from(c, v, vxp, vxc)
- .join(m)
- .on(c.MODULE_ID.eq(m.ID))
- .join(pv)
- .on(m.PACKAGE_VERSION_ID.eq(pv.ID))
- .where(pv.ID.in(vulnerablePackageVersions))
- .and(pv.ID.eq(vxp.PACKAGE_VERSION_ID))
- .and(vxc.VULNERABILITY_ID.eq(vxp.VULNERABILITY_ID))
- .and(v.ID.eq(vxc.VULNERABILITY_ID))
+ var result = context.
+ select(vxc.CALLABLE_ID, v.STATEMENT)
+ .from(v, vxp, vxc)
+ .where(vxp.PACKAGE_VERSION_ID.in(vulnerablePackageVersions))
+ .and(v.ID.eq(vxp.VULNERABILITY_ID))
 .and(vxc.CALLABLE_ID.in(callableIDs))
 .fetch();
- var map = new HashMap(result.size());
+
+ var map = new HashMap>(result.size());
 for (var record : result) {
- map.put(record.value1(), new JSONObject(record.value2().data()));
+ if (!map.containsKey(record.value1())) {
+ map.put(record.value1(), new ArrayList<>(Collections.singletonList(new JSONObject(record.value2().data()))));
+ } else {
+ map.get(record.value1()).add(new JSONObject(record.value2().data()));
+ }
 }
 return map;
 }
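Review bot: The simplified query has lost the predicate that links `vxc` to the vulnerability it reports: `.from(v, vxp, vxc)` is constrained only by `v.ID.eq(vxp.VULNERABILITY_ID)`, `vxp.PACKAGE_VERSION_ID.in(...)` and `vxc.CALLABLE_ID.in(...)`, so each callable that has any vulnerability row is paired with every vulnerability of every selected package version, and the statements collected per callable are not its own (the previous patch still carried `vxc.VULNERABILITY_ID.eq(vxp.VULNERABILITY_ID)`). Add `.and(vxc.VULNERABILITY_ID.eq(v.ID))` directly after the `.and(v.ID.eq(vxp.VULNERABILITY_ID))` line; with that in place the row count is bounded by the number of (callable, vulnerability) pairs rather than their product. The containsKey/put/get loop can then be `map.computeIfAbsent(record.value1(), k -> new ArrayList<>()).add(new JSONObject(record.value2().data()));`, which also removes the need for the new `Collections` import. Finally, `context.` with `select(...)` on the next line breaks the leading-dot chain style used everywhere else in this file; move the dot to `.select(`.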