Merge pull request #17 from org-metaeffekt/AEAA-492-periodic-vulnerab…

…ility-report

AEAA-492: Apply new content identifier system

advisors/example-advisor/context/CTX_resource-exemption.yaml

@@ -1,6 +1,7 @@
 sets:
   - name: resource exemption
     category: external threat
+    notes: The adversary may attempt to exhaust resources of the application service by injecting foreign log messages.
     score: 1.0
     min:
       - amount: 1

advisors/example-advisor/correlation/example.yaml

@@ -7,3 +7,4 @@
     - Id: log4j-*.jar
   append:
     EOL Id: log4j
+    Additional CPE URIs: cpe:/a:gnu:glibc, cpe:/a:gnu:libc

advisors/keycloak-advisor/pom.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.metaeffekt.example.documentation</groupId>
+        <artifactId>ae-advisors</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>ae-keycloak-advisor</artifactId>
+    <packaging>jar</packaging>
+
+    <properties>
+        <input.inventory>${project.basedir}/inventory/ae-example-keycloak-25.0.0.xlsx</input.inventory>
+
+        <dashboard.title>Keycloak</dashboard.title>
+        <dashboard.subtitle>Vulnerability Assessment Dashboard</dashboard.subtitle>
+        <dashboard.footer>Demo Dashboard for Keycloak</dashboard.footer>
+    </properties>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.metaeffekt.core</groupId>
+                <artifactId>ae-inventory-maven-plugin</artifactId>
+            </plugin>
+            <!-- FIXME: fix plugins; remove configuration on project level -->
+            <plugin>
+                <groupId>com.metaeffekt.artifact.analysis</groupId>
+                <artifactId>ae-inventory-enrichment-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.metaeffekt.example.documentation</groupId>
+            <artifactId>ae-inventory-extractor</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+
+</project>

advisors/keycloak-contextualized-advisor/assessment/inventory-scope.yaml

@@ -0,0 +1,8 @@
+scope: inventory
+
+cvssV4:
+  lower: MAV:A
+cvssV3:
+  lower: MAV:A
+cvssV2:
+  lower: AV:A

advisors/keycloak-contextualized-advisor/pom.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.metaeffekt.example.documentation</groupId>
+        <artifactId>ae-advisors</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>ae-keycloak-contextualized-advisor</artifactId>
+    <packaging>jar</packaging>
+
+    <properties>
+        <input.inventory>${project.basedir}/inventory/ae-example-keycloak-25.0.0.xlsx</input.inventory>
+
+        <dashboard.title>Keycloak</dashboard.title>
+        <dashboard.subtitle>Vulnerability Assessment Dashboard</dashboard.subtitle>
+        <dashboard.footer>Demo Dashboard for Keycloak</dashboard.footer>
+    </properties>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.metaeffekt.core</groupId>
+                <artifactId>ae-inventory-maven-plugin</artifactId>
+            </plugin>
+            <!-- FIXME: fix plugins; remove configuration on project level -->
+            <plugin>
+                <groupId>com.metaeffekt.artifact.analysis</groupId>
+                <artifactId>ae-inventory-enrichment-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.metaeffekt.example.documentation</groupId>
+            <artifactId>ae-inventory-extractor</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+
+</project>

advisors/pom.xml

@@ -15,6 +15,8 @@
     <modules>
         <module>example-advisor</module>
 
+        <module>keycloak-advisor</module>
+        <module>keycloak-contextualized-advisor</module>
         <module>openssl-1.1-advisor</module>
         <module>openssl-3.0-advisor</module>
         <module>selected-component-advisor</module>
@@ -208,6 +210,7 @@
                                             <active>${activate.correlation}</active>
                                             <yamlFiles>
                                                 <file>${correlation.dir}</file>
+                                                <file>/Users/ywittmann/workspace/metaeffekt-vulnerability-correlation/correlation</file>
                                             </yamlFiles>
                                         </correlationYamlEnrichment>
 

advisors/security-policy-dashboard.json

@@ -1,11 +1,16 @@
 {
   "insignificantThreshold": 7.0,
   "includeScoreThreshold": -1.0,
-  "includeVulnerabilitiesWithAdvisoryProviders": [{"implementation":"all","name":"all"}],
-  "includeAdvisoryProviders": [{"implementation":"all","name":"all"}],
+  "includeVulnerabilitiesWithAdvisoryProviders": [
+    {"name": "all", "implementation": "all"}
+  ],
+  "includeAdvisoryProviders": [
+    {"name": "all", "implementation": "all"}
+  ],
   "includeAdvisoryTypes": ["all"],
   "vulnerabilityStatusDisplayMapperName": "abstracted",
-  "cvssSeverityRanges": "None:pastel-gray:0.0:0.0,Low:strong-yellow:0.1:3.9,Medium:strong-light-orange:4.0:6.9,High:strong-dark-orange:7.0:8.9,Critical:strong-red:9.0:100.0",
+  "cvssSeverityRanges": "None:pastel-gray::0.0,Low:strong-yellow:0.1:3.9,Medium:strong-light-orange:4.0:6.9,High:strong-dark-orange:7.0:8.9,Critical:strong-red:9.0:",
+  "priorityScoreSeverityRanges": "escalate:strong-red:9.0:,due:strong-dark-orange:7.0:8.9,elevated:strong-light-orange::6.9",
   "cvssVersionSelectionPolicy": ["LATEST"],
   "initialCvssSelector": {"stats":[],"rules":[{"method":"ALL","stats":[],"selector":[{"host":["NVD"],"issuerRole":["CNA"],"issuer":["NVD"]},{"host":["Microsoft Corporation"],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["Microsoft Corporation"]},{"host":["GitHub, Inc."],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["GitHub, Inc."]},{"host":["NVD"],"issuerRole":["*"],"issuer":["*"]},{"host":["CERT-SEI"],"issuerRole":["*"],"issuer":["*"]},{"host":["not:Assessment"],"issuerRole":["*"],"issuer":["*"]}],"vectorEval":[]}],"vectorEval":[]},
   "contextCvssSelector": {"stats":[{"comparator":"EQUAL","action":"RETURN_NULL","attribute":"assessment","value":0}],"rules":[{"method":"ALL","stats":[],"selector":[{"host":["NVD"],"issuerRole":["CNA"],"issuer":["NVD"]},{"host":["Microsoft Corporation"],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["Microsoft Corporation"]},{"host":["GitHub, Inc."],"issuerRole":["*"],"issuer":["*"]},{"host":["NVD"],"issuerRole":["CNA"],"issuer":["GitHub, Inc."]},{"host":["NVD"],"issuerRole":["*"],"issuer":["*"]},{"host":["CERT-SEI"],"issuerRole":["*"],"issuer":["*"]},{"host":["not:Assessment"],"issuerRole":["*"],"issuer":["*"]}],"vectorEval":[]},{"method":"ALL","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["all"]}],"vectorEval":[]},{"method":"LOWER","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["lower"]}],"vectorEval":[]},{"method":"HIGHER","stats":[{"provider":"PRESENCE","attribute":"assessment","setType":"ADD"}],"selector":[{"host":["Assessment"],"issuerRole":["*"],"issuer":["higher"]}],"vectorEval":[]}],"vectorEval":[{"and":["not:IS_BASE_FULLY_DEFINED"],"action":"RETURN_NULL"}]},

documents/reports/example-report/pom.xml

@@ -109,7 +109,9 @@
                         <failOnMissingNotice>false</failOnMissingNotice>
                         <failOnMissingSources>false</failOnMissingSources>
 
-                        <generateOverviewTablesForAdvisories>CERT_SEI</generateOverviewTablesForAdvisories>
+                        <generateOverviewTablesForAdvisories>
+                            [ {"name":"CERT_SEI"} ]
+                        </generateOverviewTablesForAdvisories>
                     </configuration>
 
                 </plugin>

documents/reports/keycloak-contextualized-report/pom.xml

@@ -0,0 +1,164 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.metaeffekt.example.documentation</groupId>
+        <artifactId>ae-reports</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>keycloak-contextualized-report</artifactId>
+    <packaging>jar</packaging>
+
+    <properties>
+        <document.version>00.01</document.version>
+        <document.status_en>Draft</document.status_en>
+
+        <asset.id>Keycloak</asset.id>
+        <asset.name>Keycloak</asset.name>
+        <asset.version>${project.version}</asset.version>
+
+        <document.id>XXXX-YYY-ZZ-VR</document.id>
+
+        <document.version>0.1</document.version>
+        <document.status_en>Preview</document.status_en>
+        <document.classifier>vulnerability-report_en</document.classifier>
+    </properties>
+
+    <build>
+        <pluginManagement>
+            <plugins>
+
+				<plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-dependency-plugin</artifactId>
+                    <executions>
+                        <execution>
+                            <id>unpack-inventories</id>
+                            <goals>
+                                <goal>unpack-dependencies</goal>
+                            </goals>
+                            <phase>generate-sources</phase>
+                            <configuration>
+                                <outputDirectory>${project.build.directory}/inventories</outputDirectory>
+                                <includeScope>provided</includeScope>
+                                <includes>**/*-inventory*.xls</includes>
+                                <overWriteSnapshots>true</overWriteSnapshots>
+                            </configuration>
+                        </execution>
+                        <execution>
+                            <id>unpack-advisor-resource</id>
+                            <goals>
+                                <goal>unpack-dependencies</goal>
+                            </goals>
+                            <phase>generate-sources</phase>
+                            <configuration>
+                                <outputDirectory>${project.basedir}/src/main/dita/${project.artifactId}/gen</outputDirectory>
+                                <includeScope>provided</includeScope>
+                                <includes>**/resources/**/*.*</includes>
+                                <overWriteSnapshots>true</overWriteSnapshots>
+                            </configuration>
+                        </execution>
+					</executions>
+				</plugin>
+
+                <plugin>
+                    <groupId>org.metaeffekt.core</groupId>
+                    <artifactId>ae-inventory-maven-plugin</artifactId>
+                    <executions>
+                        <execution>
+                            <id>create-report-ae</id>
+                            <goals>
+                                <goal>create-inventory-report</goal>
+                            </goals>
+                            <phase>process-sources</phase>
+                            <configuration>
+                                <sourceInventoryDir>${project.build.directory}/inventories/inventory</sourceInventoryDir>
+                                <sourceInventoryIncludes>ae-keycloak-contextualized-advisor-inventory.xls</sourceInventoryIncludes>
+                                <inventory>${project.build.directory}/inventories/inventory/ae-keycloak-contextualized-advisor-inventory.xls</inventory>
+                                <targetReportDir>${basedir}/src/main/dita/${project.artifactId}/gen</targetReportDir>
+                            </configuration>
+                        </execution>
+                    </executions>
+
+                    <configuration>
+                        <sourceInventoryDir>${project.build.directory}/inventory-base</sourceInventoryDir>
+                        <sourceInventoryIncludes>**/*.xls</sourceInventoryIncludes>
+
+                        <inventory>${project.inventory}</inventory>
+
+                        <targetReportDir>${basedir}/src/main/dita/${project.artifactId}/gen</targetReportDir>
+
+                        <securityPolicyFile>${project.basedir}/../../security-policy-report.json</securityPolicyFile>
+
+                        <enableVulnerabilityReport>true</enableVulnerabilityReport>
+                        <enableVulnerabilityStatisticsReport>true</enableVulnerabilityStatisticsReport>
+
+                        <failOnError>false</failOnError>
+                        <failOnBanned>false</failOnBanned>
+                        <failOnInternal>false</failOnInternal>
+                        <failOnUnknownVersion>false</failOnUnknownVersion>
+                        <failOnUnknown>false</failOnUnknown>
+                        <failOnUpgrade>false</failOnUpgrade>
+                        <failOnDowngrade>false</failOnDowngrade>
+                        <failOnDevelopment>false</failOnDevelopment>
+                        <failOnMissingLicense>false</failOnMissingLicense>
+                        <failOnMissingLicenseFile>false</failOnMissingLicenseFile>
+                        <failOnMissingNotice>false</failOnMissingNotice>
+                        <failOnMissingSources>false</failOnMissingSources>
+
+                        <generateOverviewTablesForAdvisories>
+                            [ {"name":"CERT_SEI"} ]
+                        </generateOverviewTablesForAdvisories>
+                    </configuration>
+
+                </plugin>
+            </plugins>
+        </pluginManagement>
+
+        <plugins>
+            <plugin>
+                <groupId>org.metaeffekt.core</groupId>
+                <artifactId>ae-inventory-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-resources-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.metaeffekt.dita</groupId>
+                <artifactId>ae-dita-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-antrun-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>buildnumber-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>org.metaeffekt.example.documentation</groupId>
+            <artifactId>ae-keycloak-contextualized-advisor</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+    </dependencies>
+
+</project>

documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tmp/glossary/en/g_cpe.dita

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glossentry PUBLIC "-//OASIS//DTD DITA Glossary Entry//EN" "glossentry.dtd">
+<glossentry id="cpe">
+    <glossterm>Common Product Enumeration</glossterm>
+    <glossdef>
+        Common Product Enumeration (CPE) is a scheme used by the <abbreviated-form keyref="nvd"/> to identify
+        vulnerable products (software and hardware). A CPE has a defined structure consisting of several parts:
+        <p>
+            <codeblock>cpe:&lt;cpe_version&gt;:&lt;part&gt;:&lt;vendor&gt;:&lt;product&gt;:&lt;version&gt;:&lt;update&gt;:&lt;edition&gt;:
+    &lt;language&gt;:&lt;sw_edition&gt;:&lt;target_sw&gt;:
+        &lt;target_hw&gt;:&lt;other&gt;</codeblock>
+        </p>
+        <p>
+            With a CPE several vulnerabilities (<abbreviated-form keyref="cve"/>) can be associated.
+        </p>
+    </glossdef>
+    <glossBody>
+        <glossSurfaceForm>Common Product Enumeration (CPE)</glossSurfaceForm>
+        <glossAlt>
+            <glossAcronym>CPE</glossAcronym>
+        </glossAlt>
+    </glossBody>
+</glossentry>

documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tmp/glossary/en/g_cve.dita

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glossentry PUBLIC "-//OASIS//DTD DITA Glossary Entry//EN" "glossentry.dtd">
+<glossentry id="cpe">
+    <glossterm>Common Vulnerability Exposure</glossterm>
+    <glossdef>
+        A Common Vulnerability Exposure (CVE) is a public representation of a vulnerability. Each CVE covers
+        a description and machine-readable information for version matching.
+    </glossdef>
+    <glossBody>
+        <glossSurfaceForm>Common Vulnerability Exposure (CVE)</glossSurfaceForm>
+        <glossAlt>
+            <glossAcronym>CVE</glossAcronym>
+        </glossAlt>
+    </glossBody>
+</glossentry>

documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tmp/glossary/en/g_cvss.dita

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glossentry PUBLIC "-//OASIS//DTD DITA Glossary Entry//EN" "glossentry.dtd">
+<glossentry id="cvss">
+    <glossterm>Common Vulnerability Scoring System</glossterm>
+    <glossdef>
+        The severity of vulnerabilities is commonly measured applying the Common Vulnerability Scoring System (CVSS)
+        scoring system.
+        The scheme uses several individual metrics to capture different aspects of a vulnerability.
+    </glossdef>
+    <glossBody>
+        <glossSurfaceForm>Common Vulnerability Scoring System (CVSS)</glossSurfaceForm>
+        <glossAlt>
+            <glossAcronym>CVSS</glossAcronym>
+        </glossAlt>
+    </glossBody>
+</glossentry>