From 39a02a61808928a6abd0dd1f6f11bb7780146641 Mon Sep 17 00:00:00 2001 From: Carlos Feria <2582866+carlosthe19916@users.noreply.github.com> Date: Fri, 19 Sep 2025 13:36:15 +0200 Subject: [PATCH 1/2] feat: exploitIQ integration Signed-off-by: Carlos Feria <2582866+carlosthe19916@users.noreply.github.com> --- client/openapi/trustd.yaml | 105 +- client/src/app/Routes.tsx | 14 + client/src/app/api/models.ts | 202 ++- .../analysis-details/analysis-details.tsx | 218 ++++ .../src/app/pages/analysis-details/index.ts | 1 + .../components/CreateAnalysis.tsx | 46 + .../sbom-details/components/ViewAnalysis.tsx | 42 + .../sbom-details/vulnerabilities-by-sbom.tsx | 57 +- client/src/app/queries/analysis.ts | 64 + client/src/app/queries/mock.ts | 1084 +++++++++++++++++ client/src/app/queries/sboms.ts | 12 +- client/src/app/queries/vulnerabilities.ts | 16 - 12 files changed, 1806 insertions(+), 55 deletions(-) create mode 100644 client/src/app/pages/analysis-details/analysis-details.tsx create mode 100644 client/src/app/pages/analysis-details/index.ts create mode 100644 client/src/app/pages/sbom-details/components/CreateAnalysis.tsx create mode 100644 client/src/app/pages/sbom-details/components/ViewAnalysis.tsx create mode 100644 client/src/app/queries/analysis.ts create mode 100644 client/src/app/queries/mock.ts diff --git a/client/openapi/trustd.yaml b/client/openapi/trustd.yaml index 082207db..ccc7da74 100644 --- a/client/openapi/trustd.yaml +++ b/client/openapi/trustd.yaml @@ -2376,6 +2376,25 @@ paths: items: type: integer format: int64 + /api/v2/sbom/exploitiq/{id}: + get: + tags: + - sbom + summary: Fetch ExploitIQ report + operationId: fetchExploitIQReport + parameters: + - name: id + in: path + description: ExploitIQ report id + required: true + schema: + type: string + responses: + '200': + description: The proxied ExploitIQ report + content: + application/json: + schema: {} /api/v2/sbom/{id}: get: tags: @@ -2463,6 +2482,36 @@ paths: $ref: '#/components/schemas/LicenseRefMapping' '400': description: Invalid UUID format. + /api/v2/sbom/{id}/exploitiq: + post: + tags: + - sbom + summary: Create ExploitIQ report + operationId: createExploitIQReport + parameters: + - name: id + in: path + description: The id of the SBOM + required: true + schema: + $ref: '#/components/schemas/Id' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ReportRequest' + required: true + responses: + '201': + description: Create a report + content: + application/json: + schema: + $ref: '#/components/schemas/ReportResult' + '400': + description: Unable to read advisory list + '404': + description: The SBOM could not be found /api/v2/sbom/{id}/label: put: tags: @@ -3061,22 +3110,6 @@ paths: $ref: '#/components/schemas/VulnerabilityDetails' '404': description: The vulnerability could not be found - delete: - tags: - - vulnerability - summary: Delete vulnerability - operationId: deleteVulnerability - parameters: - - name: id - in: path - description: ID of the vulnerability - required: true - schema: - type: string - responses: - '501': - description: Method not yet implemented - deprecated: true /api/v2/weakness: get: tags: @@ -4648,6 +4681,7 @@ components: - base - advisories - licenses + - licenses_ref_mapping properties: advisories: type: array @@ -4658,7 +4692,11 @@ components: licenses: type: array items: - $ref: '#/components/schemas/PurlLicenseSummary' + $ref: '#/components/schemas/LicenseInfo' + licenses_ref_mapping: + type: array + items: + $ref: '#/components/schemas/LicenseRefMapping' version: $ref: '#/components/schemas/VersionedPurlHead' PurlHead: @@ -4674,18 +4712,6 @@ components: type: string format: uuid description: The ID of the qualified PURL - PurlLicenseSummary: - type: object - required: - - sbom - - licenses - properties: - licenses: - type: array - items: - type: string - sbom: - $ref: '#/components/schemas/SbomHead' PurlStatus: type: object required: @@ -4812,6 +4838,25 @@ components: type: string format: date-time description: Start of the import run + ReportRequest: + type: object + required: + - vulnerabilities + properties: + vulnerabilities: + type: array + items: + type: string + ReportResult: + type: object + required: + - id + - reportId + properties: + id: + type: string + reportId: + type: string Revisioned_Importer: type: object description: |- @@ -5377,4 +5422,4 @@ components: oneOf: - type: 'null' - $ref: '#/components/schemas/Severity' - description: Average (arithmetic mean) severity of the vulnerability aggregated from *all* related advisories. + description: Average (arithmetic mean) severity of the vulnerability aggregated from *all* related advisories. \ No newline at end of file diff --git a/client/src/app/Routes.tsx b/client/src/app/Routes.tsx index dec51c5f..6bc58183 100644 --- a/client/src/app/Routes.tsx +++ b/client/src/app/Routes.tsx @@ -27,6 +27,9 @@ const SBOMList = lazy(() => import("./pages/sbom-list")); const SBOMUpload = lazy(() => import("./pages/sbom-upload")); const SBOMScan = lazy(() => import("./pages/sbom-scan")); const SBOMDetails = lazy(() => import("./pages/sbom-details")); +const AnalysisDetails = lazy( + () => import("./pages/analysis-details"), +); // Others const Search = lazy(() => import("./pages/search")); @@ -37,6 +40,7 @@ export enum PathParam { VULNERABILITY_ID = "vulnerabilityId", SBOM_ID = "sbomId", PACKAGE_ID = "packageId", + ANALYSIS_ID = "analysisId", } export const Paths = { @@ -49,6 +53,7 @@ export const Paths = { sbomUpload: "/sboms/upload", sbomScan: "/sboms/scan", sbomDetails: `/sboms/:${PathParam.SBOM_ID}`, + analysisDetails: `/sboms/:${PathParam.SBOM_ID}/analysis/:${PathParam.ANALYSIS_ID}`, packages: "/packages", packageDetails: `/packages/:${PathParam.PACKAGE_ID}`, search: "/search", @@ -157,6 +162,15 @@ export const AppRoutes = createBrowserRouter([ /> ), }, + { + path: Paths.analysisDetails, + element: ( + } + /> + ), + }, { path: Paths.importers, element: ( diff --git a/client/src/app/api/models.ts b/client/src/app/api/models.ts index 4733bfb5..d12cc5c5 100644 --- a/client/src/app/api/models.ts +++ b/client/src/app/api/models.ts @@ -1,5 +1,4 @@ -import type { Labels } from "@app/client"; -import type { Severity } from "@app/client"; +import type { Labels, Severity } from "@app/client"; export type WithUiId = T & { _ui_unique_id: string }; @@ -74,3 +73,202 @@ export interface Label { key: string; value?: string; } + +// ExploitIQ + +export interface ExploitIQAnalysis { + _id: { $oid: string }; + input: { + scan: { + id: string; + type: string | null; + started_at: string; + completed_at: string; + vulns: Array<{ + vuln_id: string; + description: string | null; + score: number | null; + severity: string | null; + published_date: string | null; + last_modified_date: string | null; + url: string | null; + feed_group: string | null; + package: string | null; + package_version: string | null; + package_name: string | null; + package_type: string | null; + }>; + }; + image: { + name: string; + tag: string; + source_info: Array<{ + type: string; + source_type: string; + git_repo: string; + ref: string; + include: string[]; + exclude: string[]; + }>; + sbom_info: { + _type: string; + packages: unknown[]; + }; + }; + }; + metadata: { + submitted_at: { $date: string }; + user: string; + sent_at: { $date: string }; + }; + info: { + vdb: { + code_vdb_path: string | null; + doc_vdb_path: string; + }; + intel: Array<{ + vuln_id: string; + ghsa: { + ghsa_id: string; + cve_id: string; + summary: string; + description: string; + severity: string; + vulnerabilities: Array<{ + package: { + ecosystem: string; + name: string; + }; + vulnerable_version_range: string; + first_patched_version: string; + vulnerable_functions: string[]; + }>; + cvss: { + score: number; + vector_string: string; + }; + cwes: Array<{ + cwe_id: string; + name: string; + }>; + published_at: string; + updated_at: string; + url: string; + html_url: string; + type: string; + repository_advisory_url: string | null; + source_code_location: string; + identifiers: Array<{ value: string; type: string }>; + references: string[]; + github_reviewed_at: string; + nvd_published_at: string; + withdrawn_at: string | null; + cvss_severities: { + cvss_v3: { vector_string: string; score: number }; + cvss_v4: { vector_string: string | null; score: number }; + }; + credits: unknown[]; + epss: { percentage: number; percentile: number }; + }; + nvd: { + cve_id: string; + cve_description: string; + cvss_vector: string; + cvss_base_score: number; + cvss_severity: string; + cwe_name: string; + cwe_description: string; + cwe_extended_description: string; + configurations: Array<{ + package: string; + system: string | null; + versionStartExcluding: string | null; + versionEndExcluding: string | null; + versionStartIncluding: string | null; + versionEndIncluding: string | null; + }>; + vendor_names: string | null; + references: string[]; + disputed: boolean; + published_at: string; + updated_at: string; + }; + rhsa: { + bugzilla: { description: string; id: string; url: string }; + details: string[]; + statement: string | null; + package_state: Array<{ + product_name: string; + fix_state: string; + package_name: string; + cpe: string; + }>; + upstream_fix: string | null; + cvss3: { + cvss3_base_score: number; + cvss3_scoring_vector: string; + status: string; + }; + threat_severity: string; + public_date: string; + acknowledgement: string; + affected_release: Array<{ + product_name: string; + release_date: string; + advisory: string; + cpe: string; + package?: string; + }>; + references: string[]; + name: string; + mitigation: { value: string; lang: string }; + csaw: boolean; + }; + ubuntu: { + description: string | null; + notes: string | null; + notices: string | null; + priority: string | null; + ubuntu_description: string | null; + impact: string | null; + }; + epss: { + epss: number; + percentile: number; + date: string; + cve: string; + }; + plugin_data: Array<{ + label: string; + description: string; + }>; + intel_score: number; + has_sufficient_intel_for_agent: boolean; + }>; + sbom: { packages: unknown[] }; + vulnerable_dependencies: Array<{ + vuln_id: string; + vuln_package_intel_sources: unknown[]; + vulnerable_sbom_packages: unknown[]; + }>; + }; + output?: Array<{ + vuln_id: string; + checklist: Array<{ + input: string; + response: string; + intermediate_steps: string | null; + }>; + summary: string; + justification: { + label: string; + reason: string; + status: "UNKNOWN" | "TRUE" | "FALSE"; + }; + cvss?: { + score: string; + vector_string: string; + }; + intel_score: number; + }>; +} diff --git a/client/src/app/pages/analysis-details/analysis-details.tsx b/client/src/app/pages/analysis-details/analysis-details.tsx new file mode 100644 index 00000000..a7d63e7e --- /dev/null +++ b/client/src/app/pages/analysis-details/analysis-details.tsx @@ -0,0 +1,218 @@ +import type React from "react"; +import { generatePath, Link } from "react-router-dom"; + +import { + Breadcrumb, + BreadcrumbItem, + Card, + CardBody, + CardTitle, + Content, + DescriptionList, + DescriptionListDescription, + DescriptionListGroup, + DescriptionListTerm, + Grid, + GridItem, + Label, + List, + ListComponent, + ListItem, + OrderType, + PageSection, +} from "@patternfly/react-core"; + +import { LoadingWrapper } from "@app/components/LoadingWrapper"; +import { useFetchAnalysisById } from "@app/queries/analysis"; +import { useFetchSBOMById } from "@app/queries/sboms"; +import { PathParam, Paths, useRouteParams } from "@app/Routes"; +import { formatDate } from "@app/utils/utils"; + +export const AnalysisDetails: React.FC = () => { + const sbomId = useRouteParams(PathParam.SBOM_ID); + const analysisId = useRouteParams(PathParam.ANALYSIS_ID); + + const { sbom } = useFetchSBOMById(sbomId); + + const { + analysis, + isFetching: isFetchingAnalysis, + fetchError: isFetchinErrorAnalysis, + } = useFetchAnalysisById(analysisId, 0); + + return ( + <> + + + + SBOMs + + + + SBOM Details + + + Analysis Report + + + + Analysis Report + {sbom?.name} + + + + + + + {analysis?.output?.map((output) => ( + + + + + Vulnerability ID + + + {output.vuln_id} + + + + Impacted + + {output.justification.status === "FALSE" ? ( + + ) : output.justification.status === "TRUE" ? ( + + ) : ( + + )} + + + + Status + + + + + + Reason + + {output.justification.reason} + + + + Summary + + {output.summary} + + + + + CVSS Vector String + + + {output.summary} + + + + + CVSS Vector String + + + {output.cvss?.vector_string} + + + + CVSS Score + + {output.cvss?.score} + + + + + CVE intel score + + + {output.intel_score} + + + + Checklist + + + {output.checklist.map((check) => ( + + {check.input} + + {check.response} + + + ))} + + + + + + ))} + + + + + Metadata + + + + Image + + {analysis?.input.image.name} + + + + Tag + + {analysis?.input.image.tag} + + + + Submitted + + {formatDate(analysis?.metadata.submitted_at.$date)} + + + + Sent + + {formatDate(analysis?.metadata.sent_at.$date)} + + + + Started + + {formatDate(analysis?.input.scan.started_at)} + + + + Completed + + {formatDate(analysis?.input.scan.completed_at)} + + + + + + + + + + + ); +}; diff --git a/client/src/app/pages/analysis-details/index.ts b/client/src/app/pages/analysis-details/index.ts new file mode 100644 index 00000000..66674fb7 --- /dev/null +++ b/client/src/app/pages/analysis-details/index.ts @@ -0,0 +1 @@ +export { AnalysisDetails as default } from "./analysis-details"; diff --git a/client/src/app/pages/sbom-details/components/CreateAnalysis.tsx b/client/src/app/pages/sbom-details/components/CreateAnalysis.tsx new file mode 100644 index 00000000..d11d9d6f --- /dev/null +++ b/client/src/app/pages/sbom-details/components/CreateAnalysis.tsx @@ -0,0 +1,46 @@ +import React from "react"; + +import { useIsMutating } from "@tanstack/react-query"; + +import { Button } from "@patternfly/react-core"; + +import type { ReportResult } from "@app/client"; +import { NotificationsContext } from "@app/components/NotificationsContext"; +import { useCreateAnalysisMutation } from "@app/queries/analysis"; + +interface ICreateAnalysisProps { + sbomId: string; + vulnerabilityId: string; + onAnalysisCreated: (reportResult?: ReportResult) => void; +} + +export const CreateAnalysis: React.FC = ({ + sbomId, + vulnerabilityId, + onAnalysisCreated, +}) => { + const { pushNotification } = React.useContext(NotificationsContext); + + const isMutating = useIsMutating(); + const { mutate: createAnalysis } = useCreateAnalysisMutation( + (_payload, response) => { + onAnalysisCreated(response); + }, + (_error, payload) => { + pushNotification({ + title: `Could not create an Analysis for ${payload.vulnerabilityId}`, + variant: "danger", + }); + }, + ); + + const handleCreateAnalysis = () => { + createAnalysis({ sbomId, vulnerabilityId }); + }; + + return ( + + ); +}; diff --git a/client/src/app/pages/sbom-details/components/ViewAnalysis.tsx b/client/src/app/pages/sbom-details/components/ViewAnalysis.tsx new file mode 100644 index 00000000..685f252e --- /dev/null +++ b/client/src/app/pages/sbom-details/components/ViewAnalysis.tsx @@ -0,0 +1,42 @@ +import type React from "react"; + +import { IconedStatus } from "@app/components/IconedStatus"; +import { useFetchAnalysisById } from "@app/queries/analysis"; +import { Paths } from "@app/Routes"; +import { Button } from "@patternfly/react-core"; +import { generatePath, useNavigate } from "react-router-dom"; + +interface IViewAnalysisProps { + sbomId: string; + analysisId: string; +} + +export const ViewAnalysis: React.FC = ({ + sbomId, + analysisId, +}) => { + const navigate = useNavigate(); + + const { analysis } = useFetchAnalysisById(analysisId); + + const handleOnViewAnalysis = () => { + navigate( + generatePath(Paths.analysisDetails, { + sbomId, + analysisId, + }), + ); + }; + + return ( + <> + {analysis && !analysis.output ? ( + + ) : ( + + )} + + ); +}; diff --git a/client/src/app/pages/sbom-details/vulnerabilities-by-sbom.tsx b/client/src/app/pages/sbom-details/vulnerabilities-by-sbom.tsx index 77c05111..2df3de79 100644 --- a/client/src/app/pages/sbom-details/vulnerabilities-by-sbom.tsx +++ b/client/src/app/pages/sbom-details/vulnerabilities-by-sbom.tsx @@ -58,6 +58,10 @@ import { Paths } from "@app/Routes"; import { useWithUiId } from "@app/utils/query-utils"; import { decomposePurl, formatDate } from "@app/utils/utils"; +import { useLocalStorage } from "usehooks-ts"; +import { CreateAnalysis } from "./components/CreateAnalysis"; +import { ViewAnalysis } from "./components/ViewAnalysis"; + interface TableData { vulnerability: SbomStatus; vulnerabilityStatus: VulnerabilityStatus; @@ -78,6 +82,23 @@ interface VulnerabilitiesBySbomProps { export const VulnerabilitiesBySbom: React.FC = ({ sbomId, }) => { + const [analysisMap, setAnalysisMap] = useLocalStorage( + "analysis", + new Map(), + { + serializer: (value) => { + return JSON.stringify([...value]); + }, + deserializer: (value) => { + const obj = JSON.parse(value); + return new Map(obj); + }, + initializeWithValue: true, + }, + ); + + // + const { sbom, isFetching: isFetchingSbom, @@ -135,6 +156,7 @@ export const VulnerabilitiesBySbom: React.FC = ({ affectedDependencies: "Affected dependencies", published: "Published", updated: "Updated", + analysis: "Analysis", }, hasActionsColumn: false, isSortEnabled: true, @@ -247,6 +269,7 @@ export const VulnerabilitiesBySbom: React.FC = ({ + @@ -269,7 +292,7 @@ export const VulnerabilitiesBySbom: React.FC = ({ rowIndex={rowIndex} > @@ -315,7 +338,7 @@ export const VulnerabilitiesBySbom: React.FC = ({ /> = ({ > {formatDate(item.vulnerability?.modified)} + + {analysisMap.has(item.vulnerability.identifier) ? ( + + ) : ( + { + if (response?.id) { + const newMap = new Map(analysisMap); + newMap.set( + item.vulnerability.identifier, + response.id, + ); + + setAnalysisMap(() => newMap); + } + }} + /> + )} + {isCellExpanded(item) ? ( diff --git a/client/src/app/queries/analysis.ts b/client/src/app/queries/analysis.ts new file mode 100644 index 00000000..0e44f2f3 --- /dev/null +++ b/client/src/app/queries/analysis.ts @@ -0,0 +1,64 @@ +import { useMutation, useQuery } from "@tanstack/react-query"; +import type { AxiosError } from "axios"; + +import type { ExploitIQAnalysis } from "@app/api/models"; +import { client } from "@app/axios-config/apiInit"; +import { + createExploitIqReport, + fetchExploitIqReport, + type ReportResult, +} from "@app/client"; + +export interface IAdvisoriesQueryParams { + filterText?: string; + offset?: number; + limit?: number; + sort_by?: string; +} + +export const AnalysisQueryKey = "analysis"; + +export const useFetchAnalysisById = (id: string, refetchInterval = 10_000) => { + const { data, isLoading, error } = useQuery({ + queryKey: [AnalysisQueryKey, id], + queryFn: () => fetchExploitIqReport({ client, path: { id } }), + enabled: id !== undefined, + refetchInterval, + }); + + return { + analysis: data?.data as ExploitIQAnalysis | undefined, + isFetching: isLoading, + fetchError: error as AxiosError, + }; +}; + +export const useCreateAnalysisMutation = ( + onSuccess: ( + payload: { sbomId: string; vulnerabilityId: string }, + response?: ReportResult, + ) => void, + onError: ( + err: AxiosError, + payload: { + sbomId: string; + vulnerabilityId: string; + }, + ) => void, +) => { + return useMutation({ + mutationFn: (payload: { sbomId: string; vulnerabilityId: string }) => { + return createExploitIqReport({ + client, + path: { id: payload.sbomId }, + body: { + vulnerabilities: [payload.vulnerabilityId], + }, + }); + }, + onSuccess: async (response, payload) => { + onSuccess(payload, response.data); + }, + onError, + }); +}; diff --git a/client/src/app/queries/mock.ts b/client/src/app/queries/mock.ts new file mode 100644 index 00000000..046b67d3 --- /dev/null +++ b/client/src/app/queries/mock.ts @@ -0,0 +1,1084 @@ +import type { SbomAdvisory } from "@app/client"; + +export const SBOM_MOCK: Array = [ + { + uuid: "urn:uuid:16641287-e783-437f-ae44-fbb9added8ff", + identifier: "https://www.redhat.com/#CVE-2023-20862", + document_id: "CVE-2023-20862", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-04-19T00:00:00Z", + modified: "2023-11-14T22:09:12Z", + withdrawn: null, + title: + "spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-20862", + title: + "spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout", + description: null, + reserved: null, + published: "2023-04-19T00:00:00Z", + modified: "2024-08-02T09:21:32.378Z", + withdrawn: null, + discovered: "2023-07-31T00:00:00Z", + released: "2023-04-19T00:00:00Z", + cwes: ["CWE-459"], + average_severity: "medium", + average_score: 6.3, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-a3be0ff6-a286-4a04-91f9-7812df6702e1", + name: "quarkus-spring-security", + group: null, + version: "2.13.8.Final-redhat-00004", + purl: [ + { + uuid: "6a1d83c6-a770-5d88-9215-fdbf79bcc710", + purl: "pkg:maven/io.quarkus/quarkus-spring-security@2.13.8.Final-redhat-00004?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "2b632501-d073-58f0-89a7-0654a3f4a1ba", + purl: "pkg:maven/io.quarkus/quarkus-spring-security", + }, + version: { + uuid: "daa90c50-b765-590b-be8b-bd34bd7fdfda", + purl: "pkg:maven/io.quarkus/quarkus-spring-security@2.13.8.Final-redhat-00004", + version: "2.13.8.Final-redhat-00004", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:d4d249c3-333c-4b15-b1d3-ce6a74b3198b", + identifier: "GHSA-9ph3-v2vh-3qx7", + document_id: "GHSA-9ph3-v2vh-3qx7", + issuer: null, + published: "2024-04-02T09:30:42Z", + modified: "2024-07-25T21:31:19Z", + withdrawn: null, + title: "Eclipse Vert.x vulnerable to a memory leak in TCP servers", + labels: { + type: "osv", + }, + status: [ + { + normative: false, + identifier: "CVE-2024-1300", + title: "Eclipse Vert.x vulnerable to a memory leak in TCP servers", + description: + "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.", + reserved: null, + published: "2024-04-02T07:33:05.215Z", + modified: "2025-03-03T16:41:15.639Z", + withdrawn: null, + discovered: null, + released: null, + cwes: [], + average_severity: "medium", + average_score: 5.4, + status: "affected", + context: null, + packages: [ + { + id: "SPDXRef-be82eb7e-1c7a-4526-9d88-8b5cc19ea137", + name: "vertx-core", + group: null, + version: "4.3.4.redhat-00008", + purl: [ + { + uuid: "14c5c4d4-e5b4-5d8c-848e-f360b5affcad", + purl: "pkg:maven/io.vertx/vertx-core@4.3.4.redhat-00008?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "228c4da2-cdbc-5430-8cb5-0cffb49ccf42", + purl: "pkg:maven/io.vertx/vertx-core", + }, + version: { + uuid: "4c2be4ec-89e9-5dff-8d91-2da504ce2a06", + purl: "pkg:maven/io.vertx/vertx-core@4.3.4.redhat-00008", + version: "4.3.4.redhat-00008", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:7c9b7142-00ce-481a-b56f-6332b0752c25", + identifier: "https://www.redhat.com/#CVE-2023-1664", + document_id: "CVE-2023-1664", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-03-27T00:00:00Z", + modified: "2023-11-14T17:39:21Z", + withdrawn: null, + title: "keycloak: Untrusted Certificate Validation", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-1664", + title: "keycloak: Untrusted Certificate Validation", + description: null, + reserved: null, + published: "2023-05-26T00:00:00Z", + modified: "2024-08-02T05:57:24.969Z", + withdrawn: null, + discovered: "2023-03-27T00:00:00Z", + released: "2023-03-27T00:00:00Z", + cwes: ["CWE-295"], + average_severity: "medium", + average_score: 6.5, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-cb213b59-6979-4bd2-990d-8d1eed88e165", + name: "keycloak-core", + group: null, + version: "18.0.6.redhat-00001", + purl: [ + { + uuid: "52697784-2369-5ac2-b53a-3a3afa2c464a", + purl: "pkg:maven/org.keycloak/keycloak-core@18.0.6.redhat-00001?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "62a9d42e-ae59-51d3-835f-2e898069eb53", + purl: "pkg:maven/org.keycloak/keycloak-core", + }, + version: { + uuid: "10c74b04-fcc3-5c4c-b778-a746fd45d629", + purl: "pkg:maven/org.keycloak/keycloak-core@18.0.6.redhat-00001", + version: "18.0.6.redhat-00001", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:544db4b9-c4f6-43ca-afd5-00c12e3b6882", + identifier: "https://www.redhat.com/#CVE-2023-2976", + document_id: "CVE-2023-2976", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-06-14T00:00:00Z", + modified: "2023-11-14T21:31:33Z", + withdrawn: null, + title: "guava: insecure temporary directory creation", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-2976", + title: "guava: insecure temporary directory creation", + description: null, + reserved: null, + published: "2023-06-14T17:36:40.64Z", + modified: "2024-08-02T06:41:03.778Z", + withdrawn: null, + discovered: "2023-06-15T00:00:00Z", + released: "2023-06-14T00:00:00Z", + cwes: ["CWE-552"], + average_severity: "medium", + average_score: 4.95, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-2162d8be-0f8c-42ce-8ded-0003566fc076", + name: "guava", + group: null, + version: "31.1.0.jre-redhat-00004", + purl: [ + { + uuid: "bfb052a5-011e-533a-bd18-806445f6d9d9", + purl: "pkg:maven/com.google.guava/guava@31.1.0.jre-redhat-00004?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "6c75680f-b140-59c3-9b52-397243d2b489", + purl: "pkg:maven/com.google.guava/guava", + }, + version: { + uuid: "7ede0c6f-105b-5966-a852-502c45f19844", + purl: "pkg:maven/com.google.guava/guava@31.1.0.jre-redhat-00004", + version: "31.1.0.jre-redhat-00004", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:b496af43-81f4-411c-a195-874a0c4a0a9d", + identifier: "https://www.redhat.com/#CVE-2023-33201", + document_id: "CVE-2023-33201", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-06-16T00:00:00Z", + modified: "2023-11-14T21:51:12Z", + withdrawn: null, + title: + "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-33201", + title: + "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", + description: null, + reserved: null, + published: "2023-07-05T00:00:00Z", + modified: "2024-08-02T15:39:35.708Z", + withdrawn: null, + discovered: "2023-06-16T00:00:00Z", + released: "2023-06-16T00:00:00Z", + cwes: ["CWE-200"], + average_severity: "medium", + average_score: 5.3, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-a71fb1aa-3541-4406-8b45-1f9f1ed37e84", + name: "bcprov-jdk15on", + group: null, + version: "1.70", + purl: [ + { + uuid: "46ca2115-c0c2-54ff-b528-7ff675dacd06", + purl: "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.70?type=jar", + base: { + uuid: "7642fc54-068f-51d8-8a95-345b6b889e51", + purl: "pkg:maven/org.bouncycastle/bcprov-jdk15on", + }, + version: { + uuid: "8e026edb-4e41-5a6a-84a1-539ff4eac077", + purl: "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.70", + version: "1.70", + }, + qualifiers: { + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:7b587acc-04fb-4b40-804b-1016825326bb", + identifier: "GHSA-57m8-f3v5-hm5m", + document_id: "GHSA-57m8-f3v5-hm5m", + issuer: null, + published: "2023-10-04T12:30:14Z", + modified: "2023-11-01T17:54:21Z", + withdrawn: "2023-11-01T17:54:21Z", + title: + "Withdrawn Advisory: Netty-handler does not validate host names by default", + labels: { + type: "osv", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-4586", + title: + "Withdrawn Advisory: Netty-handler does not validate host names by default", + description: + "## Withdrawn Advisory\nThis advisory has been withdrawn because the underlying vulnerability only concerns Red Hat's Hot Rod client, which is not in one of the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems). This link is maintained to preserve external references.\n\n## Original Description\nNetty-handler has been found to no validate hostnames when using TLS in its default configuration. As a result netty-handler is vulnerable to man-in-the-middle attacks. Users would need to set the protocol to \"HTTPS\" in the SSLParameters of the SSLEngine to opt in to host name validation. A change in default behavior is expected in the `5.x` release branch with no backport planned.\n\nIn the interim users are advised to enable host name validation in their configurations.\nSee https://github.com/netty/netty/issues/8537 for details on the forthcoming change in default behavior.", + reserved: null, + published: null, + modified: null, + withdrawn: null, + discovered: null, + released: null, + cwes: [], + average_severity: "medium", + average_score: 5.3, + status: "affected", + context: null, + packages: [ + { + id: "SPDXRef-430d898a-9b8b-456c-9151-e2b4e0783056", + name: "netty-handler", + group: null, + version: "4.1.86.Final-redhat-00002", + purl: [ + { + uuid: "48f562d1-fdfd-59b7-bd23-861503f31e5d", + purl: "pkg:maven/io.netty/netty-handler@4.1.86.Final-redhat-00002?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "d3f4c0dd-ef9c-54fe-b6dd-b37380718a57", + purl: "pkg:maven/io.netty/netty-handler", + }, + version: { + uuid: "a6382423-1382-51d7-bcd6-cfb2eab7d764", + purl: "pkg:maven/io.netty/netty-handler@4.1.86.Final-redhat-00002", + version: "4.1.86.Final-redhat-00002", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:e1cc1eb0-671c-43ea-ac2e-8e2456421315", + identifier: "https://www.redhat.com/#CVE-2023-4853", + document_id: "CVE-2023-4853", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-09-08T00:00:00Z", + modified: "2023-11-10T12:57:35Z", + withdrawn: null, + title: "quarkus: HTTP security policy bypass", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-4853", + title: "quarkus: HTTP security policy bypass", + description: null, + reserved: null, + published: "2023-09-20T09:47:32.15Z", + modified: "2024-08-20T15:26:14.044Z", + withdrawn: null, + discovered: "2023-09-08T00:00:00Z", + released: "2023-09-08T00:00:00Z", + cwes: ["CWE-148"], + average_severity: "high", + average_score: 8.1, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2.13:*:el8:*", + }, + packages: [ + { + id: "SPDXRef-86d9d71d-1c84-4148-a1ce-ea15349aba4d", + name: "quarkus-vertx-http", + group: null, + version: "2.13.8.Final-redhat-00004", + purl: [ + { + uuid: "528a575d-5ed9-5aaa-9882-14701d64b51e", + purl: "pkg:maven/io.quarkus/quarkus-vertx-http@2.13.8.Final-redhat-00004?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "e883632e-4401-5912-a5c7-de4c7af2ae01", + purl: "pkg:maven/io.quarkus/quarkus-vertx-http", + }, + version: { + uuid: "c040304d-22b4-5d85-9b32-55ae9bfffa52", + purl: "pkg:maven/io.quarkus/quarkus-vertx-http@2.13.8.Final-redhat-00004", + version: "2.13.8.Final-redhat-00004", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + { + id: "SPDXRef-466c1ab1-7bf1-4a11-b7c8-0d03cb34d1c5", + name: "quarkus-undertow", + group: null, + version: "2.13.8.Final-redhat-00004", + purl: [ + { + uuid: "4a538551-22ec-5fa5-b898-a991f552c2ee", + purl: "pkg:maven/io.quarkus/quarkus-undertow@2.13.8.Final-redhat-00004?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "22c33f8e-bd68-5cee-af99-cc09b1d811d9", + purl: "pkg:maven/io.quarkus/quarkus-undertow", + }, + version: { + uuid: "722a7259-2cf9-5f77-947a-42ae541244ab", + purl: "pkg:maven/io.quarkus/quarkus-undertow@2.13.8.Final-redhat-00004", + version: "2.13.8.Final-redhat-00004", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + { + id: "SPDXRef-9d10c8fa-d8b6-4e41-85ef-e5f90624f1e1", + name: "quarkus-keycloak-authorization", + group: null, + version: "2.13.8.Final-redhat-00004", + purl: [ + { + uuid: "ed321301-2d42-5939-aa96-70930a231979", + purl: "pkg:maven/io.quarkus/quarkus-keycloak-authorization@2.13.8.Final-redhat-00004?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "4be678d1-5f0d-5d97-88b4-968f4f4bb532", + purl: "pkg:maven/io.quarkus/quarkus-keycloak-authorization", + }, + version: { + uuid: "e8c56f6c-62b3-5d14-a5f0-b2c921be6bdb", + purl: "pkg:maven/io.quarkus/quarkus-keycloak-authorization@2.13.8.Final-redhat-00004", + version: "2.13.8.Final-redhat-00004", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:c3ae6fb8-79b4-47ab-aac8-3da9835642bd", + identifier: "https://www.redhat.com/#CVE-2023-44487", + document_id: "CVE-2023-44487", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-10-10T00:00:00Z", + modified: "2023-11-21T11:59:10Z", + withdrawn: null, + title: + "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-44487", + title: + "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", + description: null, + reserved: null, + published: "2023-10-10T00:00:00Z", + modified: "2024-08-19T07:48:04.546Z", + withdrawn: null, + discovered: "2023-10-09T00:00:00Z", + released: "2023-10-10T00:00:00Z", + cwes: ["CWE-400"], + average_severity: "high", + average_score: 7.5, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2.13:*:el8:*", + }, + packages: [ + { + id: "SPDXRef-21db41a7-5d44-46b7-87fc-95f3417a784a", + name: "netty-codec-http2", + group: null, + version: "4.1.86.Final-redhat-00002", + purl: [ + { + uuid: "b5d0e298-efc7-55b5-a7dd-b78996689fb7", + purl: "pkg:maven/io.netty/netty-codec-http2@4.1.86.Final-redhat-00002?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "ef580dbe-9fdf-522f-93a7-aef4219fb71a", + purl: "pkg:maven/io.netty/netty-codec-http2", + }, + version: { + uuid: "9accb509-993f-5f93-a36c-cf507582f098", + purl: "pkg:maven/io.netty/netty-codec-http2@4.1.86.Final-redhat-00002", + version: "4.1.86.Final-redhat-00002", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:266e85e3-39cd-437e-97fb-096512e0d70c", + identifier: "https://www.redhat.com/#CVE-2023-34454", + document_id: "CVE-2023-34454", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-06-15T00:00:00Z", + modified: "2023-11-14T21:46:49Z", + withdrawn: null, + title: "snappy-java: Integer overflow in compress leads to DoS", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-34454", + title: "snappy-java: Integer overflow in compress leads to DoS", + description: null, + reserved: null, + published: "2023-06-15T16:27:45.467Z", + modified: "2024-08-02T16:10:07.3Z", + withdrawn: null, + discovered: "2023-06-15T00:00:00Z", + released: "2023-06-15T00:00:00Z", + cwes: ["CWE-190"], + average_severity: "medium", + average_score: 5.9, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-56a5a9f5-326a-499f-85de-50f5e2a9de25", + name: "snappy-java", + group: null, + version: "1.1.8.4-redhat-00003", + purl: [ + { + uuid: "52790975-79ce-5ad4-babc-2ad798f2d34f", + purl: "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4-redhat-00003?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "ea6b0587-4f6f-5b25-861b-32b62f7d3751", + purl: "pkg:maven/org.xerial.snappy/snappy-java", + }, + version: { + uuid: "368c08c8-54b3-5b6e-8a0c-7e5ca22eb6fb", + purl: "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4-redhat-00003", + version: "1.1.8.4-redhat-00003", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:e7d1ef7d-1732-490c-8f90-5d98fce8051a", + identifier: "GHSA-mv64-86g8-cqq7", + document_id: "GHSA-mv64-86g8-cqq7", + issuer: null, + published: "2024-04-25T18:30:39Z", + modified: "2024-04-25T23:34:44Z", + withdrawn: null, + title: + "Quarkus: security checks in resteasy reactive may trigger a denial of service", + labels: { + type: "osv", + }, + status: [ + { + normative: false, + identifier: "CVE-2024-1726", + title: + "Quarkus: security checks in resteasy reactive may trigger a denial of service", + description: + "A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service.", + reserved: null, + published: "2024-04-25T16:29:04.615Z", + modified: "2025-03-15T04:10:46.621Z", + withdrawn: null, + discovered: null, + released: null, + cwes: [], + average_severity: "medium", + average_score: 5.3, + status: "affected", + context: null, + packages: [ + { + id: "SPDXRef-7fc7c15b-8c3c-4573-8287-23bfde8997a6", + name: "resteasy-reactive", + group: null, + version: "2.13.8.Final-redhat-00004", + purl: [ + { + uuid: "dccda6ae-0f2f-5a0a-ab47-6c03ef2d7b74", + purl: "pkg:maven/io.quarkus.resteasy.reactive/resteasy-reactive@2.13.8.Final-redhat-00004?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "89c6538e-8f5c-5dc4-8bed-e6ed0fc7d21b", + purl: "pkg:maven/io.quarkus.resteasy.reactive/resteasy-reactive", + }, + version: { + uuid: "fab2ee4f-2315-5ad0-bf0a-037f4545a2b6", + purl: "pkg:maven/io.quarkus.resteasy.reactive/resteasy-reactive@2.13.8.Final-redhat-00004", + version: "2.13.8.Final-redhat-00004", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:35bc6f4b-7d70-4c04-b00c-2a008003604d", + identifier: "https://www.redhat.com/#CVE-2023-34455", + document_id: "CVE-2023-34455", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-06-16T00:00:00Z", + modified: "2023-11-14T21:49:01Z", + withdrawn: null, + title: "snappy-java: Unchecked chunk length leads to DoS", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-34455", + title: "snappy-java: Unchecked chunk length leads to DoS", + description: null, + reserved: null, + published: "2023-06-15T17:15:00.311Z", + modified: "2024-08-02T16:10:07.032Z", + withdrawn: null, + discovered: "2023-06-16T00:00:00Z", + released: "2023-06-16T00:00:00Z", + cwes: ["CWE-1285"], + average_severity: "medium", + average_score: 6.7, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-56a5a9f5-326a-499f-85de-50f5e2a9de25", + name: "snappy-java", + group: null, + version: "1.1.8.4-redhat-00003", + purl: [ + { + uuid: "52790975-79ce-5ad4-babc-2ad798f2d34f", + purl: "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4-redhat-00003?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "ea6b0587-4f6f-5b25-861b-32b62f7d3751", + purl: "pkg:maven/org.xerial.snappy/snappy-java", + }, + version: { + uuid: "368c08c8-54b3-5b6e-8a0c-7e5ca22eb6fb", + purl: "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4-redhat-00003", + version: "1.1.8.4-redhat-00003", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:6ad6d65e-1322-4911-97fa-bdddd26ef930", + identifier: "https://www.redhat.com/#CVE-2023-34453", + document_id: "CVE-2023-34453", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-06-15T00:00:00Z", + modified: "2023-11-14T21:37:42Z", + withdrawn: null, + title: "snappy-java: Integer overflow in shuffle leads to DoS", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-34453", + title: "snappy-java: Integer overflow in shuffle leads to DoS", + description: null, + reserved: null, + published: "2023-06-15T16:12:34.119Z", + modified: "2024-08-02T16:10:07.005Z", + withdrawn: null, + discovered: "2023-06-15T00:00:00Z", + released: "2023-06-15T00:00:00Z", + cwes: ["CWE-190"], + average_severity: "medium", + average_score: 5.9, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-56a5a9f5-326a-499f-85de-50f5e2a9de25", + name: "snappy-java", + group: null, + version: "1.1.8.4-redhat-00003", + purl: [ + { + uuid: "52790975-79ce-5ad4-babc-2ad798f2d34f", + purl: "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4-redhat-00003?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "ea6b0587-4f6f-5b25-861b-32b62f7d3751", + purl: "pkg:maven/org.xerial.snappy/snappy-java", + }, + version: { + uuid: "368c08c8-54b3-5b6e-8a0c-7e5ca22eb6fb", + purl: "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4-redhat-00003", + version: "1.1.8.4-redhat-00003", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:75ee725d-38f5-483b-a4f7-f646f1239c60", + identifier: "GHSA-5jpm-x58v-624v", + document_id: "GHSA-5jpm-x58v-624v", + issuer: null, + published: "2024-03-25T19:40:50Z", + modified: "2024-06-22T00:30:55Z", + withdrawn: null, + title: "Netty's HttpPostRequestDecoder can OOM", + labels: { + type: "osv", + }, + status: [ + { + normative: false, + identifier: "CVE-2024-29025", + title: "Netty's HttpPostRequestDecoder can OOM", + description: + "### Summary\nThe `HttpPostRequestDecoder` can be tricked to accumulate data. I have spotted currently two attack vectors \n\n### Details\n1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list.\n2. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits\n\n### PoC\n\nHere is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder\n\n\nHere is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3\n\n### Impact\nAny Netty based HTTP server that uses the `HttpPostRequestDecoder` to decode a form.", + reserved: null, + published: null, + modified: null, + withdrawn: null, + discovered: null, + released: null, + cwes: [], + average_severity: "medium", + average_score: 5.3, + status: "affected", + context: null, + packages: [ + { + id: "SPDXRef-9af60960-e683-45e0-8b17-a51483f95706", + name: "netty-codec-http", + group: null, + version: "4.1.86.Final-redhat-00002", + purl: [ + { + uuid: "82ba94c0-71df-584b-86e7-2139624ad86a", + purl: "pkg:maven/io.netty/netty-codec-http@4.1.86.Final-redhat-00002?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "045c6e1d-aa20-5e7c-94f1-21b64e3eca51", + purl: "pkg:maven/io.netty/netty-codec-http", + }, + version: { + uuid: "d54f383c-04df-52c4-bae2-7e9c3cdf9a02", + purl: "pkg:maven/io.netty/netty-codec-http@4.1.86.Final-redhat-00002", + version: "4.1.86.Final-redhat-00002", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:6819701f-a0dd-4797-af0c-51ecd0e4a976", + identifier: "https://www.redhat.com/#CVE-2023-24815", + document_id: "CVE-2023-24815", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-02-09T00:00:00Z", + modified: "2023-11-14T21:13:41Z", + withdrawn: null, + title: + "vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-24815", + title: + "vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route", + description: null, + reserved: null, + published: "2023-02-09T17:36:32.589Z", + modified: "2024-08-02T11:03:19.277Z", + withdrawn: null, + discovered: "2023-05-23T00:00:00Z", + released: "2023-02-09T00:00:00Z", + cwes: ["CWE-22"], + average_severity: "medium", + average_score: 5.05, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-309f41cb-a09f-4575-a0a4-f40ca7d3fb29", + name: "vertx-web", + group: null, + version: "4.3.4.redhat-00008", + purl: [ + { + uuid: "3a5c8e1e-17c4-5715-b74c-f8b61c4d7d8c", + purl: "pkg:maven/io.vertx/vertx-web@4.3.4.redhat-00008?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "d3ff19de-94b7-54bb-830f-3f2dafeaf22c", + purl: "pkg:maven/io.vertx/vertx-web", + }, + version: { + uuid: "65c44891-ea76-5c44-aeca-401c36d216a8", + purl: "pkg:maven/io.vertx/vertx-web@4.3.4.redhat-00008", + version: "4.3.4.redhat-00008", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, + { + uuid: "urn:uuid:77ced22b-7910-4170-b8d1-8d8afe507776", + identifier: "https://www.redhat.com/#CVE-2023-0044", + document_id: "CVE-2023-0044", + issuer: { + id: "c187f598-3c71-4977-b547-7e388a7c9db9", + name: "Red Hat Product Security", + cpe_key: null, + website: null, + }, + published: "2023-01-04T00:00:00Z", + modified: "2023-11-13T11:31:31Z", + withdrawn: null, + title: + "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", + labels: { + type: "csaf", + }, + status: [ + { + normative: false, + identifier: "CVE-2023-0044", + title: + "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", + description: null, + reserved: null, + published: "2023-02-23T00:00:00Z", + modified: "2024-08-02T04:54:32.575Z", + withdrawn: null, + discovered: "2023-01-04T00:00:00Z", + released: "2023-01-04T00:00:00Z", + cwes: [], + average_severity: "medium", + average_score: 5.3, + status: "affected", + context: { + cpe: "cpe:/a:redhat:quarkus:2:*:*:*", + }, + packages: [ + { + id: "SPDXRef-86d9d71d-1c84-4148-a1ce-ea15349aba4d", + name: "quarkus-vertx-http", + group: null, + version: "2.13.8.Final-redhat-00004", + purl: [ + { + uuid: "528a575d-5ed9-5aaa-9882-14701d64b51e", + purl: "pkg:maven/io.quarkus/quarkus-vertx-http@2.13.8.Final-redhat-00004?repository_url=https://maven.repository.redhat.com/ga/&type=jar", + base: { + uuid: "e883632e-4401-5912-a5c7-de4c7af2ae01", + purl: "pkg:maven/io.quarkus/quarkus-vertx-http", + }, + version: { + uuid: "c040304d-22b4-5d85-9b32-55ae9bfffa52", + purl: "pkg:maven/io.quarkus/quarkus-vertx-http@2.13.8.Final-redhat-00004", + version: "2.13.8.Final-redhat-00004", + }, + qualifiers: { + repository_url: "https://maven.repository.redhat.com/ga/", + type: "jar", + }, + }, + ], + cpe: [], + licenses: [], + licenses_ref_mapping: [], + }, + ], + }, + ], + }, +]; diff --git a/client/src/app/queries/sboms.ts b/client/src/app/queries/sboms.ts index 6ddbaf2d..fa39253f 100644 --- a/client/src/app/queries/sboms.ts +++ b/client/src/app/queries/sboms.ts @@ -30,6 +30,7 @@ import { labelRequestParamsQuery, requestParamsQuery, } from "../hooks/table-controls"; +import { SBOM_MOCK } from "./mock"; export const SBOMsQueryKey = "sboms"; @@ -203,15 +204,16 @@ export const useFetchSbomsAdvisory = (sbomId: string) => { const { data, isLoading, error } = useQuery({ queryKey: [SBOMsQueryKey, sbomId, "advisory"], queryFn: () => { - return getSbomAdvisories({ - client, - path: { id: sbomId }, - }); + return Promise.resolve(SBOM_MOCK); + // return getSbomAdvisories({ + // client, + // path: { id: sbomId }, + // }); }, }); return { - advisories: data?.data || [], + advisories: data || [], isFetching: isLoading, fetchError: error as AxiosError | null, }; diff --git a/client/src/app/queries/vulnerabilities.ts b/client/src/app/queries/vulnerabilities.ts index e6d3e1e5..55149927 100644 --- a/client/src/app/queries/vulnerabilities.ts +++ b/client/src/app/queries/vulnerabilities.ts @@ -7,7 +7,6 @@ import { type AnalysisResponse, type VulnerabilityDetails, analyze, - deleteVulnerability, getVulnerability, listVulnerabilities, } from "@app/client"; @@ -101,18 +100,3 @@ export const useFetchVulnerabilityById = (id: string) => { fetchError: error as AxiosError, }; }; - -export const useDeleteVulnerabilityMutation = ( - onSuccess?: (payload: VulnerabilityDetails, id: string) => void, - onError?: (err: AxiosError, id: string) => void, -) => { - return useMutation({ - mutationFn: async (id: string) => { - const response = deleteVulnerability({ client, path: { id } }); - return (await response).data as VulnerabilityDetails; - }, - mutationKey: [VulnerabilitiesQueryKey], - onSuccess, - onError, - }); -}; From cedae57be0e300fd7140d56d35d6b585da9d4f12 Mon Sep 17 00:00:00 2001 From: Carlos Feria <2582866+carlosthe19916@users.noreply.github.com> Date: Mon, 22 Sep 2025 11:35:37 +0200 Subject: [PATCH 2/2] fix async statuses Signed-off-by: Carlos Feria <2582866+carlosthe19916@users.noreply.github.com> --- client/src/app/Routes.tsx | 4 +--- .../analysis-details/analysis-details.tsx | 2 +- .../components/CreateAnalysis.tsx | 11 ++++++----- .../sbom-details/components/ViewAnalysis.tsx | 18 +++++++++++++----- .../sbom-details/vulnerabilities-by-sbom.tsx | 19 +++++++++---------- client/src/app/queries/analysis.ts | 16 +++++++++++----- 6 files changed, 41 insertions(+), 29 deletions(-) diff --git a/client/src/app/Routes.tsx b/client/src/app/Routes.tsx index 6bc58183..9ac6a09e 100644 --- a/client/src/app/Routes.tsx +++ b/client/src/app/Routes.tsx @@ -27,9 +27,7 @@ const SBOMList = lazy(() => import("./pages/sbom-list")); const SBOMUpload = lazy(() => import("./pages/sbom-upload")); const SBOMScan = lazy(() => import("./pages/sbom-scan")); const SBOMDetails = lazy(() => import("./pages/sbom-details")); -const AnalysisDetails = lazy( - () => import("./pages/analysis-details"), -); +const AnalysisDetails = lazy(() => import("./pages/analysis-details")); // Others const Search = lazy(() => import("./pages/search")); diff --git a/client/src/app/pages/analysis-details/analysis-details.tsx b/client/src/app/pages/analysis-details/analysis-details.tsx index a7d63e7e..abe0839b 100644 --- a/client/src/app/pages/analysis-details/analysis-details.tsx +++ b/client/src/app/pages/analysis-details/analysis-details.tsx @@ -38,7 +38,7 @@ export const AnalysisDetails: React.FC = () => { analysis, isFetching: isFetchingAnalysis, fetchError: isFetchinErrorAnalysis, - } = useFetchAnalysisById(analysisId, 0); + } = useFetchAnalysisById(analysisId); return ( <> diff --git a/client/src/app/pages/sbom-details/components/CreateAnalysis.tsx b/client/src/app/pages/sbom-details/components/CreateAnalysis.tsx index d11d9d6f..c0ca7bbb 100644 --- a/client/src/app/pages/sbom-details/components/CreateAnalysis.tsx +++ b/client/src/app/pages/sbom-details/components/CreateAnalysis.tsx @@ -1,7 +1,5 @@ import React from "react"; -import { useIsMutating } from "@tanstack/react-query"; - import { Button } from "@patternfly/react-core"; import type { ReportResult } from "@app/client"; @@ -21,8 +19,7 @@ export const CreateAnalysis: React.FC = ({ }) => { const { pushNotification } = React.useContext(NotificationsContext); - const isMutating = useIsMutating(); - const { mutate: createAnalysis } = useCreateAnalysisMutation( + const { mutate: createAnalysis, isPending } = useCreateAnalysisMutation( (_payload, response) => { onAnalysisCreated(response); }, @@ -39,7 +36,11 @@ export const CreateAnalysis: React.FC = ({ }; return ( - ); diff --git a/client/src/app/pages/sbom-details/components/ViewAnalysis.tsx b/client/src/app/pages/sbom-details/components/ViewAnalysis.tsx index 685f252e..b8affa77 100644 --- a/client/src/app/pages/sbom-details/components/ViewAnalysis.tsx +++ b/client/src/app/pages/sbom-details/components/ViewAnalysis.tsx @@ -1,10 +1,13 @@ import type React from "react"; +import { generatePath, useNavigate } from "react-router-dom"; + +import { Button, Skeleton } from "@patternfly/react-core"; import { IconedStatus } from "@app/components/IconedStatus"; +import { LoadingWrapper } from "@app/components/LoadingWrapper"; +import { TableCellError } from "@app/components/TableCellError"; import { useFetchAnalysisById } from "@app/queries/analysis"; import { Paths } from "@app/Routes"; -import { Button } from "@patternfly/react-core"; -import { generatePath, useNavigate } from "react-router-dom"; interface IViewAnalysisProps { sbomId: string; @@ -17,7 +20,7 @@ export const ViewAnalysis: React.FC = ({ }) => { const navigate = useNavigate(); - const { analysis } = useFetchAnalysisById(analysisId); + const { analysis, isFetching, fetchError } = useFetchAnalysisById(analysisId); const handleOnViewAnalysis = () => { navigate( @@ -29,7 +32,12 @@ export const ViewAnalysis: React.FC = ({ }; return ( - <> + } + fetchErrorState={(error) => } + > {analysis && !analysis.output ? ( ) : ( @@ -37,6 +45,6 @@ export const ViewAnalysis: React.FC = ({ View )} - + ); }; diff --git a/client/src/app/pages/sbom-details/vulnerabilities-by-sbom.tsx b/client/src/app/pages/sbom-details/vulnerabilities-by-sbom.tsx index 2df3de79..0d25e877 100644 --- a/client/src/app/pages/sbom-details/vulnerabilities-by-sbom.tsx +++ b/client/src/app/pages/sbom-details/vulnerabilities-by-sbom.tsx @@ -2,6 +2,7 @@ import React from "react"; import { generatePath, Link } from "react-router-dom"; import dayjs from "dayjs"; +import { useLocalStorage } from "usehooks-ts"; import { Card, @@ -58,7 +59,6 @@ import { Paths } from "@app/Routes"; import { useWithUiId } from "@app/utils/query-utils"; import { decomposePurl, formatDate } from "@app/utils/utils"; -import { useLocalStorage } from "usehooks-ts"; import { CreateAnalysis } from "./components/CreateAnalysis"; import { ViewAnalysis } from "./components/ViewAnalysis"; @@ -82,13 +82,12 @@ interface VulnerabilitiesBySbomProps { export const VulnerabilitiesBySbom: React.FC = ({ sbomId, }) => { + // Handles a Map of const [analysisMap, setAnalysisMap] = useLocalStorage( - "analysis", + `analysis-${sbomId}`, new Map(), { - serializer: (value) => { - return JSON.stringify([...value]); - }, + serializer: (value) => JSON.stringify([...value]), deserializer: (value) => { const obj = JSON.parse(value); return new Map(obj); @@ -280,6 +279,8 @@ export const VulnerabilitiesBySbom: React.FC = ({ numRenderedColumns={numRenderedColumns} > {currentPageItems?.map((item, rowIndex) => { + const analysisId = analysisMap.get(item.vulnerability.identifier); + return ( = ({ modifier="truncate" {...getTdProps({ columnKey: "analysis" })} > - {analysisMap.has(item.vulnerability.identifier) ? ( + {analysisId ? ( ) : ( = ({ response.id, ); - setAnalysisMap(() => newMap); + setAnalysisMap(newMap); } }} /> diff --git a/client/src/app/queries/analysis.ts b/client/src/app/queries/analysis.ts index 0e44f2f3..3833e1a8 100644 --- a/client/src/app/queries/analysis.ts +++ b/client/src/app/queries/analysis.ts @@ -18,12 +18,15 @@ export interface IAdvisoriesQueryParams { export const AnalysisQueryKey = "analysis"; -export const useFetchAnalysisById = (id: string, refetchInterval = 10_000) => { +export const useFetchAnalysisById = (id: string) => { const { data, isLoading, error } = useQuery({ queryKey: [AnalysisQueryKey, id], queryFn: () => fetchExploitIqReport({ client, path: { id } }), enabled: id !== undefined, - refetchInterval, + refetchInterval: (query) => { + const data = query.state.data?.data as ExploitIQAnalysis | undefined; + return data?.output ? 0 : 10_000; + }, }); return { @@ -47,8 +50,11 @@ export const useCreateAnalysisMutation = ( ) => void, ) => { return useMutation({ - mutationFn: (payload: { sbomId: string; vulnerabilityId: string }) => { - return createExploitIqReport({ + mutationFn: async (payload: { + sbomId: string; + vulnerabilityId: string; + }) => { + return await createExploitIqReport({ client, path: { id: payload.sbomId }, body: { @@ -56,7 +62,7 @@ export const useCreateAnalysisMutation = ( }, }); }, - onSuccess: async (response, payload) => { + onSuccess: (response, payload) => { onSuccess(payload, response.data); }, onError,