From 9a86e3400e004bb7008ee5e6b64147a2fc038867 Mon Sep 17 00:00:00 2001 From: "CORP\\mmrzik" Date: Thu, 21 Dec 2023 15:24:46 +0100 Subject: [PATCH] #103: rephrase interaction, mapUtil, LICENCE also SecurityRiskInteraction returns configured version and latest version when possible. conversion between cpe and ulr version more rebust by using map and inverse function where map fails. Added asciidoc --- .../tools/ide/tool/ToolCommandlet.java | 63 ++---- .../tool/terraform/TerraformUrlUpdater.java | 3 - .../url/model/file/UrlSecurityJsonFile.java | 12 +- .../ide/url/updater/AbstractUrlUpdater.java | 15 +- .../com/devonfw/tools/ide/util/MapUtil.java | 34 +++ .../tools/ide/tool/ToolCommandletTest.java | 36 ++- documentation/LICENSE.asciidoc | 207 ++++++++++++++++++ documentation/vulnerabilities.asciidoc | 45 ++++ ...nFile.java => BuildSecurityJsonFiles.java} | 118 +++++++--- ...t.java => BuildSecurityJsonFilesTest.java} | 8 +- 10 files changed, 441 insertions(+), 100 deletions(-) create mode 100644 cli/src/main/java/com/devonfw/tools/ide/util/MapUtil.java create mode 100644 documentation/vulnerabilities.asciidoc rename security/src/main/java/com/devonfw/tools/security/{BuildSecurityJsonFile.java => BuildSecurityJsonFiles.java} (73%) rename security/src/test/java/com/devonfw/tools/security/{BuildSecurityJsonFileTest.java => BuildSecurityJsonFilesTest.java} (74%) diff --git a/cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java b/cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java index f9a88c58a..01803e3ca 100644 --- a/cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java +++ b/cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java @@ -173,16 +173,6 @@ public boolean install(boolean silent) { return doInstall(silent); } - protected String securityRiskInteractionQuestion(String question, String... options) { - - question += "Do you want to"; - for (int i = 0; i < options.length - 1; i++) { - options[i] += " or"; - } - options[options.length - 1] += "?"; - return this.context.question(question, options); - } - /** * Checks if the given {@link VersionIdentifier} has a matching security warning in the {@link UrlSecurityJsonFile}. * @@ -193,16 +183,10 @@ protected String securityRiskInteractionQuestion(String question, String... opti */ protected VersionIdentifier securityRiskInteraction(VersionIdentifier configuredVersion) { - // TODO maybe instead of returning current return configuredVersion if the users chooses "stay" - - // TODO webpage:\nhttps://github.com/devonfw/ide/blob/master/documentation/vulnerabilities.asciidoc\n\n"; - UrlSecurityJsonFile securityFile = this.context.getUrls().getEdition(this.tool, this.getEdition()) .getSecurityJsonFile(); VersionIdentifier current = this.context.getUrls().getVersion(this.tool, this.getEdition(), configuredVersion); - // TODO oder doch eher sowas wie VersionIdentifier resolvedVersion = toolRepository.resolveVersion(this.tool, - // edition, selectedVersion); sollte immer das selbe ergeben if (!securityFile.contains(current, true, this.context)) { return configuredVersion; @@ -212,7 +196,6 @@ protected VersionIdentifier securityRiskInteraction(VersionIdentifier configured VersionIdentifier latest = allVersions.get(0); int currentVersionIndex = allVersions.indexOf(current); - VersionIdentifier nextSafe = null; for (int i = currentVersionIndex - 1; i >= 0; i--) { if (!securityFile.contains(allVersions.get(i), true, this.context)) { @@ -232,10 +215,12 @@ protected VersionIdentifier securityRiskInteraction(VersionIdentifier configured String currentIsUnsafe = "Currently, version " + current + " of " + this.getName() + " is selected, " + "which is has one or more vulnerabilities:\n\n" + cves + "\n\n(See also " + securityFile.getPath() + ")\n\n"; - String stay = "stay with the current unsafe version (" + current + ")"; - String installLatestSafe = "install the latest safe version (" + latestSafe + ")"; - String installSafeLatest = "install the (safe) latest version (" + latest + ")"; - String installNextSafe = "install the next safe version (" + nextSafe + ")"; + String ask = "Which version do you want to install?"; + + String stay = "Stay with the current unsafe version (" + current + ")."; + String installLatestSafe = "Install the latest safe version (" + latestSafe + ")."; + String installSafeLatest = "Install the (safe) latest version (" + latest + ")."; + String installNextSafe = "Install the next safe version (" + nextSafe + ")."; // I don't need to offer "install latest which is unsafe" as option since the user can set to the latest and choose // "stay" @@ -245,38 +230,38 @@ protected VersionIdentifier securityRiskInteraction(VersionIdentifier configured } if (current.equals(latest)) { - String answer = securityRiskInteractionQuestion(currentIsUnsafe + "There are no updates available.", stay, + String answer = this.context.question(currentIsUnsafe + "There are no updates available. " + ask, stay, installLatestSafe); - return answer.startsWith(stay) ? current : latestSafe; + return answer.equals(stay) ? configuredVersion : latestSafe; - } else if (nextSafe == null) { - String answer = securityRiskInteractionQuestion(currentIsUnsafe + " All newer versions are also not safe.", stay, + } else if (nextSafe == null) { // install an older version that is safe or stay with the current unsafe version + String answer = this.context.question(currentIsUnsafe + " All newer versions are also not safe. " + ask, stay, installLatestSafe); - return answer.startsWith(stay) ? current : latestSafe; + return answer.equals(stay) ? configuredVersion : latestSafe; } else if (nextSafe.equals(latest)) { - String answer = securityRiskInteractionQuestion( - currentIsUnsafe + " Of the newer versions, only the latest is safe.", stay, installSafeLatest); - return answer.startsWith(stay) ? current : latestSafe; + String answer = this.context.question(currentIsUnsafe + " Of the newer versions, only the latest is safe. " + ask, + stay, installSafeLatest); + return answer.equals(stay) ? configuredVersion : VersionIdentifier.LATEST; } else if (nextSafe.equals(latestSafe)) { - String answer = securityRiskInteractionQuestion(currentIsUnsafe + " Of the newer versions, only the version " - + nextSafe + " is safe, Which is not the latest.", stay, "Install the safe version (" + nextSafe + ")"); - return answer.startsWith(stay) ? current : nextSafe; + String answer = this.context.question( + currentIsUnsafe + " Of the newer versions, only the version " + nextSafe + + " is safe, which is however not the latest." + ask, + stay, "Install the safe version (" + nextSafe + ")"); + return answer.equals(stay) ? configuredVersion : nextSafe; } else { if (latestSafe.equals(latest)) { - String answer = securityRiskInteractionQuestion(currentIsUnsafe, stay, installNextSafe, installSafeLatest); - return answer.startsWith(stay) ? current : answer.startsWith(installNextSafe) ? nextSafe : latestSafe; + String answer = this.context.question(currentIsUnsafe + ask, stay, installNextSafe, installSafeLatest); + return answer.equals(stay) ? configuredVersion + : answer.equals(installNextSafe) ? nextSafe : VersionIdentifier.LATEST; } else { - String answer = securityRiskInteractionQuestion(currentIsUnsafe, stay, installNextSafe, installLatestSafe); - return answer.startsWith(stay) ? current : answer.startsWith(installNextSafe) ? nextSafe : latestSafe; + String answer = this.context.question(currentIsUnsafe + ask, stay, installNextSafe, installLatestSafe); + return answer.equals(stay) ? configuredVersion : answer.equals(installNextSafe) ? nextSafe : latestSafe; } } - - // VersionIdentifier chosenVersion = securityRiskInteraction(configuredVersion); - // setVersion(chosenVersion, silent); } /** diff --git a/cli/src/main/java/com/devonfw/tools/ide/tool/terraform/TerraformUrlUpdater.java b/cli/src/main/java/com/devonfw/tools/ide/tool/terraform/TerraformUrlUpdater.java index 37f182e21..623c4b824 100644 --- a/cli/src/main/java/com/devonfw/tools/ide/tool/terraform/TerraformUrlUpdater.java +++ b/cli/src/main/java/com/devonfw/tools/ide/tool/terraform/TerraformUrlUpdater.java @@ -53,7 +53,4 @@ public String getCpeProduct() { return "terraform"; } - // add matche cpe the the warning and print it in ide, to to wether the vul maybe oinly applies to the enterprise - // edition - // or can I filter this enterpsrise version by adding overriding the eidtion methiod with the normal edition string? } diff --git a/cli/src/main/java/com/devonfw/tools/ide/url/model/file/UrlSecurityJsonFile.java b/cli/src/main/java/com/devonfw/tools/ide/url/model/file/UrlSecurityJsonFile.java index a75d8702d..771a4ebc5 100644 --- a/cli/src/main/java/com/devonfw/tools/ide/url/model/file/UrlSecurityJsonFile.java +++ b/cli/src/main/java/com/devonfw/tools/ide/url/model/file/UrlSecurityJsonFile.java @@ -28,9 +28,8 @@ */ public class UrlSecurityJsonFile extends AbstractUrlFile { - /*** + /** * A simple container with the information about a security warning. - * */ public static class UrlSecurityWarning { @@ -62,6 +61,8 @@ public UrlSecurityWarning() { * * @param versionRange the version range, specifying the versions of the tool to which the security risk applies. * @param matchedCpe the matched CPE. + * @param interval the interval of vulnerability that was used to determine the {@link VersionRange}. This is used + * to check if the mapping from CPE version to UrlVersion was correct. * @param severity the severity of the security risk. * @param severityVersion Indicating from which version the {@code severity} was obtained. As of December 2023, this * is either v2 or v3. @@ -258,12 +259,13 @@ public boolean addSecurityWarning(VersionRange versionRange) { return added; } - /*** + /** * Adds a new security warning to the security json file. * * @param versionRange the version range, specifying the versions of the tool to which the security risk applies. * @param matchedCpe the matched CPE. - * @param interval the interval of vulnerability that was used to determine the version range. + * @param interval the interval of vulnerability that was used to determine the {@link VersionRange}. This is used to + * check if the mapping from CPE version to UrlVersion was correct. * @param severity the severity of the security risk. * @param severityVersion Indicating from which version the {@code severity} was obtained. As of December 2023, this * is either v2 or v3. @@ -283,7 +285,7 @@ public boolean addSecurityWarning(VersionRange versionRange, String matchedCpe, return added; } - /*** + /** * For a given version, returns whether there is a security risk by locking at the warnings in the security json file. * * @param version the version to check for security risks. diff --git a/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java b/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java index 0e6cec0d1..2468ab415 100644 --- a/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java +++ b/cli/src/main/java/com/devonfw/tools/ide/url/updater/AbstractUrlUpdater.java @@ -97,8 +97,7 @@ protected final String getToolWithEdition() { return tool + "/" + edition; } - /*** - * + /** * @return the vendor of the tool as specified in the CPE (Common Platform Enumeration) */ public String getCpeVendor() { @@ -106,7 +105,7 @@ public String getCpeVendor() { return null; } - /*** + /** * @return the product name of the tool as specified in the CPE (Common Platform Enumeration) */ public String getCpeProduct() { @@ -114,7 +113,7 @@ public String getCpeProduct() { return null; } - /*** + /** * @return the edition of the tool as specified in the CPE (Common Platform Enumeration) */ public String getCpeEdition() { @@ -132,7 +131,13 @@ public String mapUrlVersionToCpeVersion(String version) { } /** - * @return maps the cpe version to the version as specified in the CPE (Common Platform Enumeration). + * This method is only used as fallback if the passed version is not in the image of + * {@link #mapUrlVersionToCpeVersion(String)}. This doesn't have to be inverse of + * {@link #mapUrlVersionToCpeVersion(String)}. It must only be sufficient to get the correct VersionRange from the + * matched vulnerable software. + * + * @return maps the version as specified in the CPE (Common Platform Enumeration) to the version as specified by the + * directory name in the url repository */ public String mapCpeVersionToUrlVersion(String version) { diff --git a/cli/src/main/java/com/devonfw/tools/ide/util/MapUtil.java b/cli/src/main/java/com/devonfw/tools/ide/util/MapUtil.java new file mode 100644 index 000000000..89d0d37f4 --- /dev/null +++ b/cli/src/main/java/com/devonfw/tools/ide/util/MapUtil.java @@ -0,0 +1,34 @@ +package com.devonfw.tools.ide.util; + +import java.util.HashMap; +import java.util.Iterator; +import java.util.List; +import java.util.Map; + +/** + * Utility class for operations on maps. + */ +public class MapUtil { + + /** + * Creates a {@link HashMap} with the given {@code keys} and {@code values} which are passed as {@link List lists}. + * The map is populated by iterating through both lists simultaneously until one of the list is exhausted. + */ + public static Map createMapWithLists(List keys, List values) { + + Map resultMap = new HashMap<>(); + + // Create iterators for both lists + Iterator keysIterator = keys.iterator(); + Iterator valuesIterator = values.iterator(); + + // Iterate through both iterators simultaneously + while (keysIterator.hasNext() && valuesIterator.hasNext()) { + K key = keysIterator.next(); + V value = valuesIterator.next(); + resultMap.put(key, value); + } + + return resultMap; + } +} diff --git a/cli/src/test/java/com/devonfw/tools/ide/tool/ToolCommandletTest.java b/cli/src/test/java/com/devonfw/tools/ide/tool/ToolCommandletTest.java index 8e71db7da..a279403fd 100644 --- a/cli/src/test/java/com/devonfw/tools/ide/tool/ToolCommandletTest.java +++ b/cli/src/test/java/com/devonfw/tools/ide/tool/ToolCommandletTest.java @@ -12,12 +12,12 @@ import com.devonfw.tools.ide.version.VersionIdentifier; import com.devonfw.tools.ide.version.VersionRange; -/*** +/** * Test of {@link ToolCommandlet}. */ public class ToolCommandletTest extends AbstractIdeContextTest { - /*** + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where no safe version is available. But * there is a warning that affects all versions. This warning is then ignored, but the other warnings are considered. */ @@ -26,7 +26,7 @@ public void testSecurityRiskInteractionAllVersionAffectedBySingleWarning() { // arrange Class dummyTool = Azure.class; - String[] answers = {"1", "2", "3"}; + String[] answers = { "1", "2", "3" }; IdeContext context = getContextForSecurityJsonTests(dummyTool, answers); ToolCommandlet tool = context.getCommandletManager().getCommandlet(dummyTool); UrlSecurityJsonFile securityFile = context.getUrls().getEdition(tool.getName(), tool.getEdition()) @@ -44,11 +44,10 @@ public void testSecurityRiskInteractionAllVersionAffectedBySingleWarning() { // answer to the interaction is 2 assertThat(tool.securityRiskInteraction(VersionIdentifier.of("2"))).isEqualTo(VersionIdentifier.of("6")); // answer to the interaction is 3 - assertThat(tool.securityRiskInteraction(VersionIdentifier.of("2"))).isEqualTo(VersionIdentifier.of("9")); + assertThat(tool.securityRiskInteraction(VersionIdentifier.of("2"))).isEqualTo(VersionIdentifier.of("*")); } - - /*** + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where no safe version is available. Only * the warnings all considered together cover all versions and there is no single warning that affects all versions. */ @@ -70,7 +69,8 @@ public void testSecurityRiskInteractionAllVersionAffectedByMultipleWarning() { assertThat(tool.securityRiskInteraction(VersionIdentifier.of("9"))).isEqualTo(VersionIdentifier.of("9")); assertThat(tool.securityRiskInteraction(VersionIdentifier.of("*"))).isEqualTo(VersionIdentifier.of("*")); } - /*** + + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where the set version is the latest but * vulnerable. */ @@ -89,12 +89,12 @@ public void testSecurityRiskInteractionCurrentIsLatest() { // act & assert // answer to the interaction is 1 - assertThat(tool.securityRiskInteraction(VersionIdentifier.of("*"))).isEqualTo(VersionIdentifier.of("9")); + assertThat(tool.securityRiskInteraction(VersionIdentifier.of("*"))).isEqualTo(VersionIdentifier.of("*")); // answer to the interaction is 2 assertThat(tool.securityRiskInteraction(VersionIdentifier.of("*"))).isEqualTo(VersionIdentifier.of("6")); } - /*** + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where there are no newer versions that * are safe, but there is a previous version that is safe. */ @@ -119,7 +119,7 @@ public void testSecurityRiskInteractionNextSafeIsNull() { assertThat(tool.securityRiskInteraction(VersionIdentifier.of("6"))).isEqualTo(VersionIdentifier.of("5")); } - /*** + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where the next safe version is also the * latest. */ @@ -141,10 +141,10 @@ public void testSecurityRiskInteractionNextSafeIsLatest() { // answer to the interaction is 1 assertThat(tool.securityRiskInteraction(VersionIdentifier.of("7"))).isEqualTo(VersionIdentifier.of("7")); // answer to the interaction is 2 - assertThat(tool.securityRiskInteraction(VersionIdentifier.of("7"))).isEqualTo(VersionIdentifier.of("9")); + assertThat(tool.securityRiskInteraction(VersionIdentifier.of("7"))).isEqualTo(VersionIdentifier.of("*")); } - /*** + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where the next safe version is also the * latest safe version, and the overall latest version is not safe. */ @@ -169,7 +169,7 @@ public void testSecurityRiskInteractionNextSafeIsLatestSafe() { assertThat(tool.securityRiskInteraction(VersionIdentifier.of("5"))).isEqualTo(VersionIdentifier.of("7")); } - /*** + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where the next safe version differs from * the latest safe, which is also the overall latest version. */ @@ -193,10 +193,10 @@ public void testSecurityRiskInteractionLatestSafeDiffersFromNextSafeButIsLatest( // answer to the interaction is 2 assertThat(tool.securityRiskInteraction(VersionIdentifier.of("5"))).isEqualTo(VersionIdentifier.of("7")); // answer to the interaction is 3 - assertThat(tool.securityRiskInteraction(VersionIdentifier.of("5"))).isEqualTo(VersionIdentifier.of("9")); + assertThat(tool.securityRiskInteraction(VersionIdentifier.of("5"))).isEqualTo(VersionIdentifier.of("*")); } - /*** + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where the next safe version differs from * the latest safe, and the overall latest version is not safe. */ @@ -223,7 +223,7 @@ public void testSecurityRiskInteractionLatestSafeDiffersFromNextSafeAndLatest() assertThat(tool.securityRiskInteraction(VersionIdentifier.of("3"))).isEqualTo(VersionIdentifier.of("7")); } - /*** + /** * Test of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)} where set version is safe. */ @Test @@ -243,9 +243,7 @@ public void testSecurityRiskInteractionCurrentVersionIsSafe() { assertThat(tool.securityRiskInteraction(VersionIdentifier.of("9"))).isEqualTo(VersionIdentifier.of("9")); } - - - /*** + /** * Creates the context and data for the tests of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)}. * * @param dummyTool the dummy tool to be used for the tests. The diff --git a/documentation/LICENSE.asciidoc b/documentation/LICENSE.asciidoc index 4e22d69b6..31bc2c3e5 100644 --- a/documentation/LICENSE.asciidoc +++ b/documentation/LICENSE.asciidoc @@ -24,6 +24,7 @@ The following table shows the components that may be used. The column `inclusion |======================= |*Component*|*Inclusion*|*License* |https://github.com/devonfw/IDEasy[IDEasy] | Directly included |https://github.com/devonfw/IDEasy/blob/master/LICENSE[ASL 2.0] +|https://owasp.org/www-project-dependency-check/[OWASP] | Directly included |https://github.com/devonfw/IDEasy/blob/master/LICENSE[ASL 2.0] |https://github.com/eclipse-ee4j/jsonp[JSON-P] API | Directly included |https://github.com/eclipse-ee4j/jsonp/blob/master/LICENSE.md[EPL 2.0] |https://github.com/eclipse-ee4j/jsonp[JSON-P] Implementation | Directly included |https://github.com/eclipse-ee4j/jsonp/blob/master/LICENSE.md[EPL 2.0] |https://openjdk.java.net/[OpenJDK] / https://adoptopenjdk.net/[AdoptOpenJDK] (Java) |Default Setup| https://openjdk.java.net/legal/gplv2+ce.html[GPLv2] @@ -2652,6 +2653,212 @@ The externally maintained libraries used by Node.js are: OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. """ + + - OWASP, located at security/security, is licensed as follows: + """ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + """ ``` == MICROSOFT SOFTWARE LICENSE TERMS diff --git a/documentation/vulnerabilities.asciidoc b/documentation/vulnerabilities.asciidoc new file mode 100644 index 000000000..cb8c964ea --- /dev/null +++ b/documentation/vulnerabilities.asciidoc @@ -0,0 +1,45 @@ +:toc: +toc::[] + += Vulnerabilities + +We support you with automatic downloads and "installations" of arbitrary software. +However, security is also very important, and therefore we implemented various security features like e.g. verification of checksums (SHA-256) of downloaded files from a different source to prevent man-in-the-middle attacks. +Also, a tool version that you want to use for your project may have severe https://owasp.org/www-community/vulnerabilities/[vulnerabilities]. +Therefore, we maintain a list of known https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures[CVEs] for the tools we support. Take a look at the `_ide/urls/«tool»/«edition»/security.json` file. +In case you are reading this page, you most probably got a security warning because you are using a vulnerable software. +In that case your attention and action is required, and you should consider an update as soon as possible and follow the suggestions prompted by IDEasy. + +Please note that if you are using the vulnerable tool on your own behalf you alone are responsible (e.g. for central tools like `git` or tools that you did setup by yourself via our IDE product). +However, in case you are team-mate of a project and did not choose the tool and its version yourself, you should first run `update` to ensure you have the latest settings and tool versions. +If that already fixes the security warnings, you are done. +Otherwise, contact your IDE-admin, who is responsible for maintaining your settings git repository. +NOTE: You can find it in the `settings` folder of your IDE installation next to the `workspaces` folder. +You may open a shell in this settings folder and call `git remote -v` to figure out the git URL and navigate there to find our your IDE-admin. + +Please note that for each tool that is setup via our IDE product, you can call `set-version «tool» latest` to configure it to the latest version. +Also note that you can use the asterisk in a tool version. +So e.g. if you do `set-version java 17*` you will configure to always get the latest `17.x` version of `java`. +Further, do not forget to call `install «tool»` after you have configured a new version to actually install the update. +If you are an IDE admin you then should test your changes and after some QA process push them to the settings git repo. +After that, instruct your team to run `update` so all developers get the updates automatically and the vulnerabilities are gone for your team. +Thank you for caring about IT security and keeping us safe!!! + +== Git + +Git is a link:setup.asciidoc#prerequisites[prerequisite] of our IDE product and therefore not managed by it. +In other words: You have installed Git on your machine, and you alone are responsible for installing updates. +To update your git client simply go to https://git-scm.com/downloads[git downloads] and download the latest version for your operating system and run the installer. +This will automatically update your existing installation. +For security consider the philosophy of "latest is greatest". +Git also does a great job in keeping downward compatible so newer versions typically are better and more secure. + +You can find CVEs for git https://www.cvedetails.com/vulnerability-list/vendor_id-4008/GIT.html[here]. +Please be aware that CVEs like https://www.cvedetails.com/cve/CVE-2022-25648/[CVE-2022-25648] can allow remote code execution and therefore have to be fixed urgently. + +== Maven + +CVEs for maven can be found https://maven.apache.org/security.html[here]. +Maven is not always downward compatible. +Therefore, when changing the major or minor version, please do according testing and QA before pushing changes to your team. + diff --git a/security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFile.java b/security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFiles.java similarity index 73% rename from security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFile.java rename to security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFiles.java index 640571c4e..e9fecfa4d 100644 --- a/security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFile.java +++ b/security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFiles.java @@ -1,15 +1,21 @@ package com.devonfw.tools.security; +import java.io.File; import java.math.BigDecimal; +import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.util.HashSet; import java.util.List; import java.util.Locale; +import java.util.Map; import java.util.Optional; import java.util.Set; import java.util.stream.Collectors; +import com.devonfw.tools.ide.url.model.folder.UrlVersion; +import com.devonfw.tools.ide.util.MapUtil; +import com.devonfw.tools.ide.version.VersionIdentifier; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.AbstractAnalyzer; import org.owasp.dependencycheck.analyzer.AnalysisPhase; @@ -54,17 +60,17 @@ // TODO Doesn't yet work with versions defined like this ///latest -/*** - * This class is used to build the {@link UrlSecurityJsonFile} file for IDEasy. It scans the +/** + * This class is used to build the {@link UrlSecurityJsonFile} files for IDEasy. It scans the * {@link AbstractIdeContext#getUrlsPath() ide-url} folder for all tools, editions and versions and checks for * vulnerabilities by using the OWASP package. For this the * {@link com.devonfw.tools.ide.url.model.file.UrlStatusFile#STATUS_JSON} must be present in the * {@link com.devonfw.tools.ide.url.model.folder.UrlVersion}. If a vulnerability is found, it is added to the * {@link UrlSecurityJsonFile} of the corresponding tool and edition. The previous content of the file is overwritten. */ -public class BuildSecurityJsonFile { +public class BuildSecurityJsonFiles { - private static final Logger logger = LoggerFactory.getLogger(BuildSecurityJsonFile.class); + private static final Logger logger = LoggerFactory.getLogger(BuildSecurityJsonFiles.class); private static final String CVE_BASE_URL = "https://nvd.nist.gov/vuln/detail/"; @@ -109,7 +115,6 @@ private static void run() { initCvesToIgnore(); context = new IdeContextConsole(IdeLogLevel.INFO, null, false); UpdateManager updateManager = new UpdateManager(context.getUrlsPath(), null); - Dependency[] dependencies = getDependenciesWithVulnerabilities(updateManager); Set> foundToolsAndEditions = new HashSet<>(); for (Dependency dependency : dependencies) { @@ -119,19 +124,28 @@ private static void run() { String edition = parent.getParent().getFileName().toString(); AbstractUrlUpdater urlUpdater = updateManager.getUrlUpdater(tool); + System.out.println(tool + ", " + edition); + UrlSecurityJsonFile securityFile = context.getUrls().getEdition(tool, edition).getSecurityJsonFile(); boolean newlyAdded = foundToolsAndEditions.add(new Pair<>(tool, edition)); if (newlyAdded) { // to assure that the file is cleared only once per tool and edition securityFile.clearSecurityWarnings(); } + List sortedVersions = context.getUrls().getSortedVersions(tool, edition).stream() + .map(VersionIdentifier::toString).toList(); + List sortedCpeVersions = sortedVersions.stream().map(urlUpdater::mapUrlVersionToCpeVersion) + .collect(Collectors.toList()); + Map cpeToUrlVersion = MapUtil.createMapWithLists(sortedCpeVersions, sortedVersions); + Set vulnerabilities = dependency.getVulnerabilities(true); for (Vulnerability vulnerability : vulnerabilities) { - addVulnerabilityToSecurityFile(vulnerability, securityFile, urlUpdater); + addVulnerabilityToSecurityFile(vulnerability, securityFile, urlUpdater, cpeToUrlVersion); } securityFile.save(); } actuallyIgnoredCves.forEach(cve -> context.info("Ignored CVE " + cve + " because it is listed in CVES_TO_IGNORE.")); + printAffectedVersions(context); } private static Dependency[] getDependenciesWithVulnerabilities(UpdateManager updateManager) { @@ -159,10 +173,10 @@ private static Dependency[] getDependenciesWithVulnerabilities(UpdateManager upd } private static void addVulnerabilityToSecurityFile(Vulnerability vulnerability, UrlSecurityJsonFile securityFile, - AbstractUrlUpdater urlUpdater) { + AbstractUrlUpdater urlUpdater, Map cpeToUrlVersion) { if (vulnerability.getCvssV2() == null && vulnerability.getCvssV3() == null) { - // if this ever happens, add a case that handles this + // TODO if this ever happens, add a case that handles this throw new RuntimeException("Vulnerability without severity found: " + vulnerability.getName()); } boolean hasV3Severity = vulnerability.getCvssV3() != null; @@ -190,7 +204,7 @@ private static void addVulnerabilityToSecurityFile(Vulnerability vulnerability, if (toLowSeverity) { return; } - VersionRange versionRange = getVersionRangeFromVulnerability(vulnerability, urlUpdater); + VersionRange versionRange = getVersionRangeFromVulnerability(vulnerability, urlUpdater, cpeToUrlVersion); if (versionRange == null) { logger.info( "Vulnerability {} seems to be irrelevant because its affected versions have no overlap with the versions " @@ -199,29 +213,31 @@ private static void addVulnerabilityToSecurityFile(Vulnerability vulnerability, vulnerability.getName()); return; } - // for manual detection of false positives: check of the interval of affected versions is correctly transformed to - // the versionRange VulnerableSoftware matchedVulnerableSoftware = vulnerability.getMatchedVulnerableSoftware(); String matchedCpe = matchedVulnerableSoftware.toCpe23FS(); // the fields of cpe2.3 are: // cpe2.3 part, vendor, product, version, update, edition, language, swEdition, targetSw, targetHw, other; - String interval = String.format(" ( %s, [ %s, ] %s, ) %s", matchedVulnerableSoftware.getVersionStartExcluding(), - matchedVulnerableSoftware.getVersionStartIncluding(), matchedVulnerableSoftware.getVersionEndIncluding(), - matchedVulnerableSoftware.getVersionEndExcluding()); + String interval = String.format( + "start excluding = %s, start including = %s, end including = %s, end excluding = %s, is the interval provided by " + + "OWASP. Manually double check whether the VersionRange was correctly determined.", + matchedVulnerableSoftware.getVersionStartExcluding(), matchedVulnerableSoftware.getVersionStartIncluding(), + matchedVulnerableSoftware.getVersionEndIncluding(), matchedVulnerableSoftware.getVersionEndExcluding()); securityFile.addSecurityWarning(versionRange, matchedCpe, interval, severity, severityVersion, cveName, description, nistUrl, referenceUrls); } - /*** + /** * From the vulnerability determine the {@link VersionRange versionRange} to which the vulnerability applies. * * @param vulnerability the vulnerability determined by OWASP dependency check. - * @param urlUpdater the {@link AbstractUrlUpdater} of the tool to which the vulnerability applies. TODOO + * @param urlUpdater the {@link AbstractUrlUpdater} of the tool to get maps between CPE Version and + * {@link UrlVersion#getName() Url Version}. * @return the {@link VersionRange versionRange} to which the vulnerability applies. */ - static VersionRange getVersionRangeFromVulnerability(Vulnerability vulnerability, AbstractUrlUpdater urlUpdater) { + static VersionRange getVersionRangeFromVulnerability(Vulnerability vulnerability, AbstractUrlUpdater urlUpdater, + Map cpeToUrlVersion) { VulnerableSoftware matchedVulnerableSoftware = vulnerability.getMatchedVulnerableSoftware(); @@ -231,13 +247,13 @@ static VersionRange getVersionRangeFromVulnerability(Vulnerability vulnerability String vEndIncluding = matchedVulnerableSoftware.getVersionEndIncluding(); String singleVersion = matchedVulnerableSoftware.getVersion(); - vEndExcluding = Optional.ofNullable(vEndExcluding).map(urlUpdater::mapCpeVersionToUrlVersion).orElse(null); - vEndIncluding = Optional.ofNullable(vEndIncluding).map(urlUpdater::mapCpeVersionToUrlVersion).orElse(null); - vStartExcluding = Optional.ofNullable(vStartExcluding).map(urlUpdater::mapCpeVersionToUrlVersion).orElse(null); - vStartIncluding = Optional.ofNullable(vStartIncluding).map(urlUpdater::mapCpeVersionToUrlVersion).orElse(null); - singleVersion = Optional.ofNullable(singleVersion).map(urlUpdater::mapCpeVersionToUrlVersion).orElse(null); + vStartExcluding = getUrlVersion(vStartExcluding, urlUpdater, cpeToUrlVersion); + vStartIncluding = getUrlVersion(vStartIncluding, urlUpdater, cpeToUrlVersion); + vEndExcluding = getUrlVersion(vEndExcluding, urlUpdater, cpeToUrlVersion); + vEndIncluding = getUrlVersion(vEndIncluding, urlUpdater, cpeToUrlVersion); + singleVersion = getUrlVersion(singleVersion, urlUpdater, cpeToUrlVersion); - VersionRange affectedRange = null; + VersionRange affectedRange; try { affectedRange = getVersionRangeFromInterval(vStartIncluding, vStartExcluding, vEndExcluding, vEndIncluding, singleVersion); @@ -245,9 +261,22 @@ static VersionRange getVersionRangeFromVulnerability(Vulnerability vulnerability throw new IllegalStateException( "Getting the VersionRange for the vulnerability " + vulnerability.getName() + " failed.", e); } - return affectedRange; + } + private static String getUrlVersion(String cpeVersion, AbstractUrlUpdater urlUpdater, Map cpeToUrlVersion) { + String urlVersion = null; + if (cpeVersion != null) { + if (cpeToUrlVersion.containsKey(cpeVersion)) { + urlVersion = cpeToUrlVersion.get(cpeVersion); + System.out.println("tool mapped using map cpe " + cpeVersion + " -> url " +urlVersion); + } else { + urlVersion = urlUpdater.mapCpeVersionToUrlVersion(cpeVersion); + System.out.println("tool mapped using mapCpeVersionToUrlVersion cpe " + cpeVersion + " -> url " +urlVersion); + + } + } + return urlVersion; } public static VersionRange getVersionRangeFromInterval(String si, String se, String ee, String ei, String s) @@ -258,7 +287,7 @@ public static VersionRange getVersionRangeFromInterval(String si, String se, Str throw new IllegalStateException( "Vulnerability has no interval of affected versions or single affected version."); } - return VersionRange.of(s + ">" + s); + return VersionRange.of(s + VersionRange.getVersionSeparator() + s); } se = Optional.ofNullable(se).orElse(""); si = Optional.ofNullable(si).orElse(""); @@ -274,6 +303,45 @@ public static VersionRange getVersionRangeFromInterval(String si, String se, Str return VersionRange.of(leftBoundary + VersionRange.getVersionSeparator() + rightBoundary); } + private static void printAffectedVersions(IdeContext context) { + + Path urlsPath = context.getUrlsPath(); + for (File tool : urlsPath.toFile().listFiles()) { + if (!Files.isDirectory(tool.toPath())) { + continue; + } + for (File edition : tool.listFiles()) { + if (!edition.isDirectory()) { + continue; + } + List sortedVersions = context.getUrls().getSortedVersions(tool.getName(), edition.getName()); + UrlSecurityJsonFile securityJsonFile = context.getUrls().getEdition(tool.getName(), edition.getName()) + .getSecurityJsonFile(); + + VersionIdentifier min = null; + for (int i = sortedVersions.size() - 1; i >= 0; i--) { + VersionIdentifier version = sortedVersions.get(i); + if (securityJsonFile.contains(version)) { + if (min == null) { + min = version; + } + + } else { + if (min != null) { + System.out.println("Tool " + tool.getName() + " with edition " + edition.getName() + " and versions " + + new VersionRange(min, version, false, true) + " are affected by vulnerabilities."); + min = null; + } + } + } + if (min != null) { + System.out.println("Tool " + tool.getName() + " with edition " + edition.getName() + " and versions " + + new VersionRange(min, null, false, true) + " are affected by vulnerabilities."); + } + } + } + } + private static void printAllOwaspAnalyzers(Engine engine) { engine.getMode().getPhases().forEach(phase -> engine.getAnalyzers(phase) diff --git a/security/src/test/java/com/devonfw/tools/security/BuildSecurityJsonFileTest.java b/security/src/test/java/com/devonfw/tools/security/BuildSecurityJsonFilesTest.java similarity index 74% rename from security/src/test/java/com/devonfw/tools/security/BuildSecurityJsonFileTest.java rename to security/src/test/java/com/devonfw/tools/security/BuildSecurityJsonFilesTest.java index a36350fa8..2b4ba0c8e 100644 --- a/security/src/test/java/com/devonfw/tools/security/BuildSecurityJsonFileTest.java +++ b/security/src/test/java/com/devonfw/tools/security/BuildSecurityJsonFilesTest.java @@ -4,15 +4,15 @@ import org.assertj.core.api.Assertions; import org.junit.jupiter.api.Test; -import static com.devonfw.tools.security.BuildSecurityJsonFile.getVersionRangeFromInterval; +import static com.devonfw.tools.security.BuildSecurityJsonFiles.getVersionRangeFromInterval; /** - * Test of {@link BuildSecurityJsonFile}. + * Test of {@link BuildSecurityJsonFiles}. */ -public class BuildSecurityJsonFileTest extends Assertions { +public class BuildSecurityJsonFilesTest extends Assertions { /** - * Test of {@link BuildSecurityJsonFile#getVersionRangeFromInterval(String, String, String, String, String)}. + * Test of {@link BuildSecurityJsonFiles#getVersionRangeFromInterval(String, String, String, String, String)}. */ @Test public void testGetVersionRangeFromInterval() {