Skip to content

Reduce number of CVE collisions dependency-check/dependency-check-son…#763

Open
jordannstrong wants to merge 2 commits intodependency-check:masterfrom
jordannstrong:master
Open

Reduce number of CVE collisions dependency-check/dependency-check-son…#763
jordannstrong wants to merge 2 commits intodependency-check:masterfrom
jordannstrong:master

Conversation

@jordannstrong
Copy link

@jordannstrong jordannstrong commented Feb 24, 2023

…ar-plugin#682

Uses the CVE number as a line offset to reduce overlap.

@Reamer
Copy link
Member

Reamer commented Feb 24, 2023

Can you please provide a screenshot of how the offset affects the SonarQube UI?

@jordannstrong
Copy link
Author

jordannstrong commented Feb 24, 2023

image

Please let me know if this isn't what you meant, or if you'd like any other screenshots or information.

Reamer
Reamer reviewed Feb 27, 2023
View reviewed changes
Copy link
Member

@Reamer Reamer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that I don't like the solution. If I'm looking over the changes correctly, then take the vulnerability e.g. CVE-2022-23305, make it 202223305 and use this number as a direct text offset (202223305) or as a text offset + 1 (202223306). Do I understand the approach correctly?

...ency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/GradleDependencyReason.java Outdated
putDependencyMap(dependency, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGHEST));
putDependencyMap(dependency, vulnerability, new TextRangeConfidence(buildGradle.selectLine(linenumber), Confidence.HIGHEST));
return;
} else {
Copy link
Member

@Reamer Reamer Feb 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The else is unnecessary because we have a return in the if.

@jordannstrong
Copy link
Author

jordannstrong commented Feb 27, 2023

Yes, with the result of the issue being attached to the lines at offset 202223305, instead of the entire line, allowing for multiple vulnerabilities on the same line without colliding. It's certainly not a complete solution, since if the vulnerability has no numbers in the name it will default to offset 0, allowing for collisions. Or if one line has multiple vulnerabilities with the same CVE. Otherwise, nothing changes visually, just the location that the issues are tracked internally by SonarQube.

@Reamer Reamer added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. enhancement labels May 5, 2023
@Reamer
Copy link
Member

Reamer commented May 5, 2023

I don't like the solution with the offsets because it has an unclean taste. Since the solution probably works, I leave the pull request open for people who also want to solve the problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Reamer Reamer Reamer left review comments

Assignees

No one assigned

Labels

enhancement lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jordannstrong @Reamer