Issue Mixeway#105 - Vulnerability History - extend to history of seve…

…rities

src/main/java/io/mixeway/db/entity/VulnHistory.java

@@ -29,8 +29,20 @@
 public class VulnHistory {
 	private Long id;
 	private Long infrastructureVulnHistory;
+	private Long infrastructureVulnCriticalHistory;
+	private Long infrastructureVulnHighHistory;
+	private Long infrastructureVulnMediumHistory;
+	private Long infrastructureVulnLowHistory;
 	private Long webAppVulnHistory;
+	private Long webAppVulnCriticalHistory;
+	private Long webAppVulnHighHistory;
+	private Long webAppVulnMediumHistory;
+	private Long webAppVulnLowHistory;
 	private Long codeVulnHistory;
+	private Long codeVulnCriticalHistory;
+	private Long codeVulnHighHistory;
+	private Long codeVulnMediumHistory;
+	private Long codeVulnLowHistory;
 	private Long auditVulnHistory;
 	private Long softwarePacketVulnNumber;
 	private String name;
@@ -79,6 +91,114 @@ public void setAuditVulnHistory(Long auditVulnHistory) {
 		this.auditVulnHistory = auditVulnHistory;
 	}
 
+	@Column(name="infrastructurevulnnumbercritical")
+	public Long getInfrastructureVulnCriticalHistory() {
+		return infrastructureVulnCriticalHistory;
+	}
+
+	public void setInfrastructureVulnCriticalHistory(Long infrastructureVulnCriticalHistory) {
+		this.infrastructureVulnCriticalHistory = infrastructureVulnCriticalHistory;
+	}
+
+	@Column(name="infrastructurevulnnumberhigh")
+	public Long getInfrastructureVulnHighHistory() {
+		return infrastructureVulnHighHistory;
+	}
+
+	public void setInfrastructureVulnHighHistory(Long infrastructureVulnHighHistory) {
+		this.infrastructureVulnHighHistory = infrastructureVulnHighHistory;
+	}
+
+	@Column(name="infrastructurevulnnumbermedium")
+	public Long getInfrastructureVulnMediumHistory() {
+		return infrastructureVulnMediumHistory;
+	}
+
+	public void setInfrastructureVulnMediumHistory(Long infrastructureVulnMediumHistory) {
+		this.infrastructureVulnMediumHistory = infrastructureVulnMediumHistory;
+	}
+
+	@Column(name="infrastructurevulnnumberlow")
+	public Long getInfrastructureVulnLowHistory() {
+		return infrastructureVulnLowHistory;
+	}
+
+	public void setInfrastructureVulnLowHistory(Long infrastructureVulnLowHistory) {
+		this.infrastructureVulnLowHistory = infrastructureVulnLowHistory;
+	}
+
+	@Column(name="codevulnnumbercritical")
+	public Long getWebAppVulnCriticalHistory() {
+		return webAppVulnCriticalHistory;
+	}
+
+	public void setWebAppVulnCriticalHistory(Long webAppVulnCriticalHistory) {
+		this.webAppVulnCriticalHistory = webAppVulnCriticalHistory;
+	}
+
+	@Column(name="codevulnnumberhigh")
+	public Long getWebAppVulnHighHistory() {
+		return webAppVulnHighHistory;
+	}
+
+	public void setWebAppVulnHighHistory(Long webAppVulnHighHistory) {
+		this.webAppVulnHighHistory = webAppVulnHighHistory;
+	}
+
+	@Column(name="codevulnnumbermedium")
+	public Long getWebAppVulnMediumHistory() {
+		return webAppVulnMediumHistory;
+	}
+
+	public void setWebAppVulnMediumHistory(Long webAppVulnMediumHistory) {
+		this.webAppVulnMediumHistory = webAppVulnMediumHistory;
+	}
+
+	@Column(name="codevulnnumberlow")
+	public Long getWebAppVulnLowHistory() {
+		return webAppVulnLowHistory;
+	}
+
+	public void setWebAppVulnLowHistory(Long webAppVulnLowHistory) {
+		this.webAppVulnLowHistory = webAppVulnLowHistory;
+	}
+
+	@Column(name="webappvulnnumbercritical")
+	public Long getCodeVulnCriticalHistory() {
+		return codeVulnCriticalHistory;
+	}
+
+	public void setCodeVulnCriticalHistory(Long codeVulnCriticalHistory) {
+		this.codeVulnCriticalHistory = codeVulnCriticalHistory;
+	}
+
+	@Column(name="webappvulnnumberhigh")
+	public Long getCodeVulnHighHistory() {
+		return codeVulnHighHistory;
+	}
+
+	public void setCodeVulnHighHistory(Long codeVulnHighHistory) {
+		this.codeVulnHighHistory = codeVulnHighHistory;
+	}
+
+	@Column(name="webappvulnnumbermedium")
+	public Long getCodeVulnMediumHistory() {
+		return codeVulnMediumHistory;
+	}
+
+	public void setCodeVulnMediumHistory(Long codeVulnMediumHistory) {
+		this.codeVulnMediumHistory = codeVulnMediumHistory;
+	}
+
+	@Column(name="webappvulnnumberlow")
+	public Long getCodeVulnLowHistory() {
+		return codeVulnLowHistory;
+	}
+
+	public void setCodeVulnLowHistory(Long codeVulnLowHistory) {
+		this.codeVulnLowHistory = codeVulnLowHistory;
+	}
+
 	@Id
     @GeneratedValue(strategy = GenerationType.IDENTITY)
 	public Long getId() {

src/main/java/io/mixeway/db/projection/ProjectVulnSeveritiesProjection.java

@@ -0,0 +1,10 @@
+package io.mixeway.db.projection;
+
+import io.mixeway.db.entity.VulnerabilitySource;
+
+public interface ProjectVulnSeveritiesProjection {
+        String getVulnerabilitySourceName();
+        String getAnalysis();
+        String getSeverity();
+        Long getCount();
+}

src/main/java/io/mixeway/db/repository/ProjectVulnerabilityRepository.java

@@ -2,6 +2,7 @@
 
 import io.mixeway.db.entity.*;
 import io.mixeway.db.projection.CommonVulns;
+import io.mixeway.db.projection.ProjectVulnSeveritiesProjection;
 import io.mixeway.db.projection.VulnBarChartProjection;
 import io.mixeway.db.projection.VulnerableProjects;
 import org.springframework.data.jpa.repository.*;
@@ -182,4 +183,7 @@ int countRiskForCodeProject(@Param("codeProject_id")Long codeProject_id,@Param("
     List<VulnerableProjects> top10VulnerableProjects();
     @Query(value="select v.id, count(pv.id) from vulnerability v, projectvulnerability pv where (v. severity is null or v.severity!='skip') and pv.vulnerability_id = v.id and pv.severity in ('Critical', 'High', 'Medium') group by v.id order by count desc limit 10", nativeQuery = true)
     List<CommonVulns> top10Vulnerabilities();
+
+    @Query(value="select v.name as vulnerabilitySourceName, pv.analysis, pv.severity, count(*) as count from projectvulnerability pv left join vulnerabilitysource v on pv.vulnerabilitysource_id=v.id where projectvulnerability.project_id= :project group by v.name, pv.analysis, pv.severity")
+    List<ProjectVulnSeveritiesProjection> getSeveritiesByProject(Project project);
 }

src/main/java/io/mixeway/domain/service/vulnhistory/CreateVulnHistoryService.java

@@ -3,20 +3,20 @@
 import io.mixeway.config.Constants;
 import io.mixeway.db.entity.Project;
 import io.mixeway.db.entity.VulnHistory;
+import io.mixeway.db.projection.ProjectVulnSeveritiesProjection;
 import io.mixeway.db.repository.NodeAuditRepository;
 import io.mixeway.db.repository.VulnHistoryRepository;
 import io.mixeway.domain.service.vulnmanager.VulnTemplate;
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
 
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 import java.util.Objects;
-import java.util.stream.Collectors;
+import java.util.function.Predicate;
 
 
 /**
@@ -46,11 +46,68 @@ public class CreateVulnHistoryService {
     private DateFormat format = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
 
     public void createScheduled(Project project){
+        List<ProjectVulnSeveritiesProjection> vulnerabilityList = vulnTemplate.projectVulnerabilityRepository.getSeveritiesByProject(project);
+
         VulnHistory vulnHistory = new VulnHistory();
         vulnHistory.setName(Constants.VULN_HISTORY_ALL);
-        vulnHistory.setInfrastructureVulnHistory(createInfraVulnHistory(project));
-        vulnHistory.setWebAppVulnHistory(createWebAppVulnHistory(project));
-        vulnHistory.setCodeVulnHistory(createCodeVulnHistory(project));
+
+        // projectVulnerabilityRepository.findByProjectAndVulnerabilitySourceAndSeverityIn(project, vulnTemplate.SOURCE_NETWORK, severities)
+        vulnHistory.setInfrastructureVulnHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_NETWORK.equals(projection.getVulnerabilitySourceName()) && severities.contains(projection.getSeverity())
+        ));
+        vulnHistory.setInfrastructureVulnCriticalHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_NETWORK.equals(projection.getVulnerabilitySourceName()) && Constants.VULN_CRITICALITY_CRITICAL.equals(projection.getSeverity())
+        ));
+        vulnHistory.setInfrastructureVulnHighHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_NETWORK.equals(projection.getVulnerabilitySourceName()) && Constants.VULN_CRITICALITY_HIGH.equals(projection.getSeverity())
+        ));
+        vulnHistory.setInfrastructureVulnMediumHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_NETWORK.equals(projection.getVulnerabilitySourceName()) && Constants.VULN_CRITICALITY_MEDIUM.equals(projection.getSeverity())
+        ));
+        vulnHistory.setInfrastructureVulnLowHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_NETWORK.equals(projection.getVulnerabilitySourceName()) && Constants.VULN_CRITICALITY_LOW.equals(projection.getSeverity())
+        ));
+
+
+        // projectVulnerabilityRepository.findByWebAppInAndVulnerabilitySourceAndSeverityIn(new ArrayList<>(p.getWebapps()),vulnTemplate.SOURCE_WEBAPP, severities)
+        vulnHistory.setWebAppVulnHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_WEBAPP.equals(projection.getVulnerabilitySourceName()) && severities.contains(projection.getSeverity())
+        ));
+        vulnHistory.setWebAppVulnCriticalHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_WEBAPP.equals(projection.getVulnerabilitySourceName()) && Constants.VULN_CRITICALITY_CRITICAL.equals(projection.getSeverity())
+        ));
+        vulnHistory.setWebAppVulnHighHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_WEBAPP.equals(projection.getVulnerabilitySourceName()) && Constants.VULN_CRITICALITY_HIGH.equals(projection.getSeverity())
+        ));
+        vulnHistory.setWebAppVulnMediumHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_WEBAPP.equals(projection.getVulnerabilitySourceName()) && Constants.VULN_CRITICALITY_MEDIUM.equals(projection.getSeverity())
+        ));
+        vulnHistory.setWebAppVulnLowHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> Constants.VULN_TYPE_WEBAPP.equals(projection.getVulnerabilitySourceName()) && Constants.VULN_CRITICALITY_LOW.equals(projection.getSeverity())
+        ));
+
+
+        // projectVulnerabilityRepository.findByProjectAndVulnerabilitySourceAndAnalysisNot(p,vulnTemplate.SOURCE_SOURCECODE, Constants.FORTIFY_NOT_AN_ISSUE)
+        Predicate<ProjectVulnSeveritiesProjection> codeVulnPred = projection -> Constants.VULN_TYPE_SOURCECODE.equals(projection.getVulnerabilitySourceName()) && !Constants.FORTIFY_NOT_AN_ISSUE.equals(projection.getAnalysis());
+        vulnHistory.setCodeVulnHistory(sumVulnSeverities(vulnerabilityList,
+                codeVulnPred
+        ));
+        vulnHistory.setCodeVulnCriticalHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> codeVulnPred.test(projection) && Constants.VULN_CRITICALITY_CRITICAL.equals(projection.getSeverity())
+        ));
+        vulnHistory.setCodeVulnHighHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> codeVulnPred.test(projection) && Constants.VULN_CRITICALITY_HIGH.equals(projection.getSeverity())
+        ));
+        vulnHistory.setCodeVulnMediumHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> codeVulnPred.test(projection) && Constants.VULN_CRITICALITY_MEDIUM.equals(projection.getSeverity())
+        ));
+        vulnHistory.setCodeVulnLowHistory(sumVulnSeverities(vulnerabilityList,
+                projection -> codeVulnPred.test(projection) && Constants.VULN_CRITICALITY_LOW.equals(projection.getSeverity())
+        ));
+
+        // additional 2 will be added in the nearby future
+
+        // ignore audit
         vulnHistory.setAuditVulnHistory(createAuditHistory(project));
         vulnHistory.setSoftwarePacketVulnNumber((long) createSoftwarePacketHistory(project));
         vulnHistory.setProject(project);
@@ -60,27 +117,25 @@ public void createScheduled(Project project){
     public void create(Project project, String date, Long infra, Long webApp, Long code, Long audit, Long software){
         VulnHistory vulnHistory = new VulnHistory();
         vulnHistory.setName(Constants.VULN_HISTORY_ALL);
+
         vulnHistory.setInfrastructureVulnHistory(infra);
         vulnHistory.setWebAppVulnHistory(webApp);
         vulnHistory.setCodeVulnHistory(code);
+
         vulnHistory.setAuditVulnHistory(audit);
         vulnHistory.setSoftwarePacketVulnNumber(software);
         vulnHistory.setProject(project);
         vulnHistory.setInserted(date);
         vulnHistoryRepository.save(vulnHistory);
     }
-    private Long createWebAppVulnHistory(Project p){
-        return vulnTemplate.projectVulnerabilityRepository
-                .findByWebAppInAndVulnerabilitySourceAndSeverityIn(new ArrayList<>(p.getWebapps()),vulnTemplate.SOURCE_WEBAPP, severities).count();
 
+    private long sumVulnSeverities(List<ProjectVulnSeveritiesProjection> vulnerabilityList, Predicate<ProjectVulnSeveritiesProjection> filterPredicate) {
+        return vulnerabilityList.stream()
+                .filter(filterPredicate)
+                .mapToLong(ProjectVulnSeveritiesProjection::getCount)
+                .sum();
     }
 
-    private Long createCodeVulnHistory(Project p){
-        return vulnTemplate.projectVulnerabilityRepository.findByProjectAndVulnerabilitySourceAndAnalysisNot(p,vulnTemplate.SOURCE_SOURCECODE, Constants.FORTIFY_NOT_AN_ISSUE).count();
-    }
-    private Long createInfraVulnHistory(Project p){
-        return getInfraVulnsForProject(p);
-    }
     private Long createAuditHistory(Project p){
         return (long)(nodeAuditRepository.findByNodeInAndScoreIn(p.getNodes(),scores).size());
     }
@@ -89,7 +144,4 @@ private int createSoftwarePacketHistory(Project project) {
         return (int) vulnTemplate.projectVulnerabilityRepository.findByProjectAndVulnerabilitySourceAndSeverityIn(project, vulnTemplate.SOURCE_OPENSOURCE, critSeverities)
                 .stream().filter(pv -> !Objects.equals(pv.getVulnerability().getSeverity(), Constants.SKIP_VULENRABILITY)).count();
     }
-    private long getInfraVulnsForProject(Project project){
-        return vulnTemplate.projectVulnerabilityRepository.findByProjectAndVulnerabilitySourceAndSeverityIn(project, vulnTemplate.SOURCE_NETWORK, severities).size();
-    }
 }

src/main/resources/db/changelog/db.changelog-master.sql

@@ -1205,4 +1205,19 @@ update scannertype set  category='OPENSOURCE' where name='Nexus-IQ';
 alter table codeproject add column remotename text;
 
 --changeset siewer:bugtracker_epic
-alter table bugtracker add column epic text;
+alter table bugtracker add column epic text;
+
+--changeset majewm15:vuln_history_severities
+alter table vulnhistory add column infrastructurevulnnumbercritical int;
+alter table vulnhistory add column infrastructurevulnnumberhigh int;
+alter table vulnhistory add column infrastructurevulnnumbermedium int;
+alter table vulnhistory add column infrastructurevulnnumberlow int;
+alter table vulnhistory add column codevulnnumbercritical int;
+alter table vulnhistory add column codevulnnumberhigh int;
+alter table vulnhistory add column codevulnnumbermedium int;
+alter table vulnhistory add column codevulnnumberlow int;
+alter table vulnhistory add column webappvulnnumbercritical int;
+alter table vulnhistory add column webappvulnnumberhigh int;
+alter table vulnhistory add column webappvulnnumbermedium int;
+alter table vulnhistory add column webappvulnnumberlow int;
+