Issue Mixeway#105 - Vulnerability History - extend to history of seve…

…rities
majewm15 · Nov 23, 2023 · f68b3f4 · f68b3f4
1 parent 98806af
commit f68b3f4
Show file tree

Hide file tree

Showing 3 changed files with 116 additions and 2 deletions.
diff --git a/src/main/java/io/mixeway/db/repository/ProjectVulnerabilityRepository.java b/src/main/java/io/mixeway/db/repository/ProjectVulnerabilityRepository.java
@@ -191,6 +191,6 @@ int countRiskForCodeProject(@Param("codeProject_id")Long codeProject_id,@Param("
     List<ProjectVulnerability> findByProjectAndVulnerability(Project project, Vulnerability vulnerability);
     long countByProjectAndSeverity(Project project, String severity);
 
-    @Query(value="select v.name as vulnerabilitySourceName, pv.analysis, pv.severity, count(*) as count from ProjectVulnerability pv left join pv.vulnerabilitySource v where pv.project = :project group by v.name, pv.analysis, pv.severity")
+    @Query(value="select v.name as vulnerabilitySourceName, pv.analysis as analysis, pv.severity as severity, count(*) as count from ProjectVulnerability pv left join pv.vulnerabilitySource v where pv.project = :project group by v.name, pv.analysis, pv.severity")
     List<ProjectVulnSeveritiesProjection> getSeveritiesByProject(Project project);
 }
diff --git a/src/main/java/io/mixeway/domain/service/vulnhistory/CreateVulnHistoryService.java b/src/main/java/io/mixeway/domain/service/vulnhistory/CreateVulnHistoryService.java
@@ -44,7 +44,7 @@ public class CreateVulnHistoryService {
 
     public void createScheduled(Project project){
         // Once-fetched list of all vulnerabilities for a given project,
-        // that will be summarized multiple times for each vuln level ALL/Critical/High/Medium/Low.
+        // that will be summarized multiple times for each vuln level Notable/Critical/High/Medium/Low.
         // This approach seems more efficient than 15 separate DB queries,
         // and easier to understand and modify than a single complex DB query.
         List<ProjectVulnSeveritiesProjection> vulnerabilityList = vulnTemplate.projectVulnerabilityRepository.getSeveritiesByProject(project);

diff --git a/src/test/java/io/mixeway/domain/service/vulnhistory/CreateVulnHistoryServiceTest.java b/src/test/java/io/mixeway/domain/service/vulnhistory/CreateVulnHistoryServiceTest.java
@@ -0,0 +1,114 @@
+package io.mixeway.domain.service.vulnhistory;
+
+import io.mixeway.api.protocol.OverAllVulnTrendChartData;
+import io.mixeway.config.Constants;
+import io.mixeway.db.entity.*;
+import io.mixeway.db.repository.ProjectVulnerabilityRepository;
+import io.mixeway.db.repository.UserRepository;
+import io.mixeway.db.repository.VulnHistoryRepository;
+import io.mixeway.domain.service.project.GetOrCreateProjectService;
+import io.mixeway.domain.service.vulnmanager.VulnTemplate;
+import lombok.RequiredArgsConstructor;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.stream.IntStream;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+@SpringBootTest
+@RequiredArgsConstructor(onConstructor = @__(@Autowired))
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+public class CreateVulnHistoryServiceTest {
+    private final CreateVulnHistoryService createVulnHistoryService;
+    private final VulnHistoryRepository vulnHistoryRepository;
+    private final ProjectVulnerabilityRepository projectVulnerabilityRepository;
+    private final UserRepository userRepository;
+    private final GetOrCreateProjectService getOrCreateProjectService;
+    private final VulnTemplate vulnTemplate;
+
+    @Mock
+    Principal principal;
+
+    @BeforeAll
+    private void prepareDB() {
+        Mockito.when(principal.getName()).thenReturn("find_vulnhistory");
+        User userToCreate = new User();
+        userToCreate.setUsername("find_vulnhistory");
+        userToCreate.setPermisions("ROLE_ADMIN");
+        userToCreate.setProjects(new HashSet<>());
+        userRepository.save(userToCreate);
+    }
+
+    @Test
+    void createScheduledSeveritiesSplitTest() {
+        Mockito.when(principal.getName()).thenReturn("find_vulnhistory");
+        Project project = getOrCreateProjectService.getProjectId("create_sched_vulnhistory","create_sched_vulnhistory",principal);
+        project.setNodes(new HashSet<>());
+
+        List<VulnerabilitySource> vulnSources = Arrays.asList(
+                vulnTemplate.SOURCE_NETWORK,
+                vulnTemplate.SOURCE_WEBAPP,
+                vulnTemplate.SOURCE_SOURCECODE,
+                vulnTemplate.SOURCE_IAC,
+                vulnTemplate.SOURCE_GITLEAKS);
+        List<String> vulnSeverities = Arrays.asList(
+                Constants.VULN_CRITICALITY_CRITICAL,
+                Constants.VULN_CRITICALITY_HIGH,
+                Constants.VULN_CRITICALITY_MEDIUM,
+                Constants.VULN_CRITICALITY_LOW);
+        // 2x Network Critical,  3x Network High,  4x Network Medium,  5x Network Low,
+        // 3x WebApp Critical,   4x WebApp High,   5x WebApp Medium,   6x WebApp Low,
+        // 4x Source Critical,   5x Source High,   6x Source Medium,   7x Source Low,
+        // 5x IAC Critical,      6x IAC High,      7x IAC Medium,      8x IAC Low,
+        // 6x Gitleaks Critical, 7x Gitleaks High, 8x Gitleaks Medium, 9x Gitleaks Low,
+        for (int i = 0; i < vulnSources.size(); i++) {
+            for (int j = 0; j < vulnSeverities.size(); j++) {
+                for (int k = 0; k < (i + 1) + (j + 1); k++) {
+                    ProjectVulnerability projectVulnerability = new ProjectVulnerability();
+                    projectVulnerability.setProject(project);
+                    projectVulnerability.setVulnerabilitySource(vulnSources.get(i));
+                    projectVulnerability.setSeverity(vulnSeverities.get(j));
+                    projectVulnerability.setAnalysis(Constants.FORTIFY_ANALYSIS_EXPLOITABLE);
+                    projectVulnerabilityRepository.save(projectVulnerability);
+                }
+            }
+        }
+        List<ProjectVulnerability> debug = vulnTemplate.projectVulnerabilityRepository.findByProjectList(project.getId());
+
+        createVulnHistoryService.createScheduled(project);
+        List<VulnHistory> vulnHistoryList = vulnHistoryRepository.getVulnHistoryLimit(project.getId(), 7);
+        assertEquals(1, vulnHistoryList.size());
+        VulnHistory vulnHistory = vulnHistoryList.get(0);
+
+        assertEquals(2+3+4, vulnHistory.getInfrastructureVulnHistory());  // this field ignores Low
+        assertEquals(2, vulnHistory.getInfrastructureVulnCriticalHistory());
+        assertEquals(3, vulnHistory.getInfrastructureVulnHighHistory());
+        assertEquals(4, vulnHistory.getInfrastructureVulnMediumHistory());
+        assertEquals(5, vulnHistory.getInfrastructureVulnLowHistory());
+
+        assertEquals(3+4+5, vulnHistory.getWebAppVulnHistory());  // this field ignores Low
+        assertEquals(3, vulnHistory.getWebAppVulnCriticalHistory());
+        assertEquals(4, vulnHistory.getWebAppVulnHighHistory());
+        assertEquals(5, vulnHistory.getWebAppVulnMediumHistory());
+        assertEquals(6, vulnHistory.getWebAppVulnLowHistory());
+
+        // Code includes SourceCode, IAC and Gitleaks sources
+        assertEquals(4+5+6+7 + 5+6+7+8 + 6+7+8+9, vulnHistory.getCodeVulnHistory());  // this field includes Low
+        assertEquals(4+5+6, vulnHistory.getCodeVulnCriticalHistory());
+        assertEquals(5+6+7, vulnHistory.getCodeVulnHighHistory());
+        assertEquals(6+7+8, vulnHistory.getCodeVulnMediumHistory());
+        assertEquals(7+8+9, vulnHistory.getCodeVulnLowHistory());
+    }
+
+}