Added new ODC scans for Java libraries. Those can scan even transitive dependencies and can be run before adding a new library to a project.

app/services/OdcDbService.scala

@@ -0,0 +1,132 @@
+package services
+
+import java.lang.{Boolean => JBoolean}
+import java.sql.{Array => _, _}
+import java.util.{Properties, Map => JMap}
+
+import _root_.org.owasp.dependencycheck.data.nvdcve.CveDB
+import _root_.org.owasp.dependencycheck.dependency.{VulnerableSoftware => OdcVulnerableSoftware}
+import _root_.org.owasp.dependencycheck.utils.{DependencyVersion, DependencyVersionUtil, Settings}
+import com.github.nscala_time.time.Imports._
+import com.google.inject.Inject
+import com.mockrunner.mock.jdbc.MockConnection
+import models.odc.tables._
+import models.odc.{OdcProperty, Vulnerabilities}
+import play.api.Logger
+import play.api.db.slick.{DatabaseConfigProvider, HasDatabaseConfigProvider}
+import play.db.NamedDatabase
+
+import scala.concurrent.{ExecutionContext, Future}
+
+class OdcDbService @Inject()(@NamedDatabase("odc") protected val dbConfigProvider: DatabaseConfigProvider)(implicit executionContext: ExecutionContext) extends HasDatabaseConfigProvider[models.odc.profile.type]{
+
+  import dbConfig.driver.api._
+
+  private def getVulnerableSoftware(id: Int): Future[Seq[com.ysoft.odc.VulnerableSoftware]] = {
+    db.run(softwareVulnerabilities.joinLeft(cpeEntries).on((sv, ce) => sv.cpeEntryId === ce.id).filter{case (sv, ceo) => sv.vulnerabilityId === id}.result).map{rawRefs =>
+      rawRefs.map{
+        case (softVuln, Some((_, cpeEntry))) => com.ysoft.odc.VulnerableSoftware(allPreviousVersion = softVuln.includesAllPreviousVersions, name=cpeEntry.cpe)
+      }
+    }
+  }
+
+  private def getReferences(id: Int): Future[Seq[com.ysoft.odc.Reference]] = db.run(references.filter(_.cveId === id).map(_.base).result)
+
+  def getVulnerabilityDetails(id: Int): Future[Option[com.ysoft.odc.Vulnerability]] = getVulnerabilityDetails(_.id === id)
+
+  def getVulnerabilityDetails(name: String): Future[Option[com.ysoft.odc.Vulnerability]] = getVulnerabilityDetails(_.cve === name)
+
+  private def getVulnerabilityDetails(cond: Vulnerabilities => Rep[Boolean]): Future[Option[com.ysoft.odc.Vulnerability]] = {
+    db.run(vulnerabilities.filter(cond).result).map(_.headOption) flatMap { bareVulnOption =>
+      bareVulnOption.fold[Future[Option[com.ysoft.odc.Vulnerability]]](Future.successful(None)) { case (id, bareVuln) =>
+        for {
+          vulnerableSoftware <- getVulnerableSoftware(id)
+          references <- getReferences(id)
+        } yield Some(
+          com.ysoft.odc.Vulnerability(
+            name = bareVuln.cve,
+            cweOption = bareVuln.cweOption,
+            cvss = bareVuln.cvss,
+            description = bareVuln.description,
+            vulnerableSoftware = vulnerableSoftware,
+            references = references
+          )
+        )
+      }
+    }
+  }
+
+  private def parseCpe(cpe: String) = {
+    val sw = new OdcVulnerableSoftware()
+    sw.parseName(cpe)
+    sw
+  }
+
+  private def parseVersion(version: String): DependencyVersion = {
+    DependencyVersionUtil.parseVersion(version)
+  }
+
+  def findRelevantCpes(versionlessCpe: String, version: String) = {
+    println(s"versionlessCpe: $versionlessCpe")
+    val Seq("cpe", "/a", vendor, product, rest @ _*) = versionlessCpe.split(':').toSeq
+    val cpesFuture = db.run(
+      cpeEntries.filter(c =>
+        c.vendor === vendor && c.product === product
+      ).result
+    )
+    for(cpes <- cpesFuture){println(s"cpes: $cpes")}
+    val cpesMapFuture = cpesFuture.map(_.toMap)
+    val cpeIdsFuture = cpesFuture.map(_.map(_._1))
+    val parsedVersion = parseVersion(version)
+    val res = for{
+      cpeIds <- cpeIdsFuture
+      relevantVulnerabilities <- db.run(
+        softwareVulnerabilities.join(vulnerabilities).on( (sv, v) => sv.vulnerabilityId === v.id)
+          .filter{case (sv, v) => sv.cpeEntryId inSet cpeIds}.map{case (sv, v) ⇒ sv}.result
+      ).map(_.groupBy(_.vulnerabilityId).mapValues(_.toSet))
+      cpesMap <- cpesMapFuture
+      //relevantVulnerabilities <- db.run(vulnerabilities.filter(_.id inSet relevantVulnerabilityIds).result)
+    } yield relevantVulnerabilities.filter{case (vulnId, sv) => Option(CveDbHelper.matchSofware(
+      vulnerableSoftware = sv.map(sv => cpesMap(sv.cpeEntryId).cpe -> sv.includesAllPreviousVersions).toMap,
+      vendor = vendor,
+      product = product,
+      identifiedVersion = parsedVersion
+    )).isDefined}
+    res.map(_.values.toSet.flatten)
+  }
+
+  private def loadUpdateProperties(): Future[Map[String, Long]] = db.run(properties.filter(_.id like "NVD CVE%").result).map(_.map{case OdcProperty(id, value) => (id, value.toLong)}.toMap)
+
+  def loadLastDbUpdate(): Future[DateTime] = loadUpdateProperties().map(vals => new DateTime(vals.values.max)) // TODO: timezone (I don't care much, though)
+
+}
+
+private[services] object CveDbHelper {
+
+  class DummyDriver extends Driver{
+    override def acceptsURL(url: String): Boolean = {url.startsWith("jdbc:dummy:")}
+    override def jdbcCompliant(): Boolean = false
+    override def connect(url: String, info: Properties): Connection = new MockConnection()
+    override def getParentLogger = throw new SQLFeatureNotSupportedException()
+    override def getPropertyInfo(url: String, info: Properties): Array[DriverPropertyInfo] = {Array()}
+    override def getMinorVersion: Int = 1
+    override def getMajorVersion: Int = 1
+  }
+
+  org.apache.geronimo.jdbc.DelegatingDriver.registerDriver(new DummyDriver())
+
+  def matchSofware(vulnerableSoftware: Map[String, Boolean], vendor: String, product: String, identifiedVersion: DependencyVersion) = {
+    if(Settings.getInstance() == null){
+      Settings.initialize()// Initiallize ODC environment on first use; Needed for each thread.
+      Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, "jdbc:dummy:")
+      // Workaround: At first initialization, it will complain that the DB is empty. On next initializations, it will not complain.
+      try{new CveDB()}catch {case e: Throwable => Logger.info("A workaround-related exception, safe to ignore", e)}
+    }
+    val cd = new CveDB()
+    import scala.collection.JavaConversions._
+    val method = cd.getClass.getDeclaredMethod("getMatchingSoftware", classOf[JMap[String, JBoolean]], classOf[String], classOf[String], classOf[DependencyVersion])
+    method.setAccessible(true)
+    method.invoke(cd, mapAsJavaMap(vulnerableSoftware).asInstanceOf[JMap[String, JBoolean]], vendor, product, identifiedVersion)
+  }
+}
+