feat(advisor): Add BlackDuck as security vulnerability provider

BlackDuck's knowledge base about external components allows the retrieval of vulnerabilities by either a `(component, version)` tuple or an `origin`. The implementation relies on querying the vulnerabilities solely based on the origin, because that is what most closely resembles an ORT identifier or a purl. Relying on (component, version) would lead to unnecessary overreporting, let alone the difficulties with finding a good match. The implementation for now determines the origin by searching for it via the purl. Considering the ecosystems currently present in ORT, this works well for crate, gem, hackage, maven, npm, nuget, pod, pub and pypi, see also [1]. Note: Not all origins do have a purl associated, but they always have a `(externalNamespace, externalId)`. For such cases the implementation should be enhanced to allow specifying the `(externalNamespace, externalId)` via a curation. [1]: #9638 Signed-off-by: Frank Viernau <[email protected]>
oss-review-toolkit · Dec 30, 2024 · e44c522 · e44c522
1 parent fedb94b
commit e44c522
Show file tree

Hide file tree

Showing 12 changed files with 6,212 additions and 1 deletion.
diff --git a/buildSrc/src/main/kotlin/ort-base-conventions.gradle.kts b/buildSrc/src/main/kotlin/ort-base-conventions.gradle.kts
@@ -44,6 +44,27 @@ repositories {
             includeGroup("org.gradle")
         }
     }
+
+    exclusiveContent {
+        forRepository {
+            maven("https://repo.blackduck.com/bds-integrations-release")
+        }
+
+        filter {
+            includeGroup("com.blackduck.integration")
+            includeGroup("com.blackducksoftware.magpie")
+        }
+    }
+
+    exclusiveContent {
+        forRepository {
+            maven("https://sig-repo.synopsys.com/bds-bdio-release")
+        }
+
+        filter {
+            includeGroup("com.blackducksoftware.bdio")
+        }
+    }
 }
 
 tasks.withType<Jar>().configureEach {

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -15,6 +15,8 @@ versionsPlugin = "0.51.0"
 aeSecurity = "0.132.0"
 asciidoctorj = "3.0.0"
 asciidoctorjPdf = "2.3.19"
+blackduckCommon = "67.0.3"
+blackduckCommonApi = "2023.10.0.6"
 clikt = "5.0.2"
 commonsCompress = "1.27.1"
 cyclonedx = "10.1.0"
@@ -25,6 +27,7 @@ exposed = "0.57.0"
 flexmark = "0.64.8"
 freemarker = "2.3.34"
 greenmail = "2.1.2"
+gson = "2.11.0"
 hikari = "6.2.1"
 hoplite = "2.9.0"
 jackson = "2.18.2"
@@ -90,6 +93,8 @@ aeSecurity = { module = "org.metaeffekt.core:ae-security", version.ref = "aeSecu
 asciidoctorj = { module = "org.asciidoctor:asciidoctorj", version.ref = "asciidoctorj" }
 asciidoctorj-pdf = { module = "org.asciidoctor:asciidoctorj-pdf", version.ref = "asciidoctorjPdf" }
 awsS3 = { module = "software.amazon.awssdk:s3", version.ref = "s3" }
+blackduck-common = { module = "com.blackduck.integration:blackduck-common", version.ref = "blackduckCommon" }
+blackduck-common-api = { module = "com.blackduck.integration:blackduck-common-api", version.ref = "blackduckCommonApi" }
 clikt = { module = "com.github.ajalt.clikt:clikt", version.ref = "clikt" }
 commonsCompress = { module = "org.apache.commons:commons-compress", version.ref = "commonsCompress" }
 cyclonedx = { module = "org.cyclonedx:cyclonedx-core-java", version.ref = "cyclonedx" }
@@ -106,6 +111,7 @@ exposed-json = { module = "org.jetbrains.exposed:exposed-json", version.ref = "e
 flexmark = { module = "com.vladsch.flexmark:flexmark", version.ref = "flexmark" }
 freemarker = { module = "org.freemarker:freemarker", version.ref = "freemarker" }
 greenmail = { module = "com.icegreen:greenmail", version.ref = "greenmail" }
+gson = { module = "com.google.code.gson:gson", version.ref = "gson" }
 hikari = { module = "com.zaxxer:HikariCP", version.ref = "hikari" }
 hoplite-core = { module = "com.sksamuel.hoplite:hoplite-core", version.ref = "hoplite" }
 hoplite-yaml = { module = "com.sksamuel.hoplite:hoplite-yaml", version.ref = "hoplite" }

diff --git a/integrations/completions/ort-completion.fish b/integrations/completions/ort-completion.fish
@@ -25,7 +25,7 @@ complete -c ort -n "__fish_seen_subcommand_from advise" -l output-dir -s o -r -F
 complete -c ort -n "__fish_seen_subcommand_from advise" -l output-formats -s f -r -fa "JSON YAML" -d 'The list of output formats to be used for the ORT result file(s).'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l label -s l -r -d 'Set a label in the ORT result, overwriting any existing label of the same name. Can be used multiple times. For example: --label distribution=external'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l resolutions-file -r -F -d 'A file containing issue and rule violation resolutions.'
-complete -c ort -n "__fish_seen_subcommand_from advise" -l advisors -s a -r -d 'The comma-separated advisors to use, any of [OSSIndex, OSV, VulnerableCode].'
+complete -c ort -n "__fish_seen_subcommand_from advise" -l advisors -s a -r -d 'The comma-separated advisors to use, any of [BlackDuck, OSSIndex, OSV, VulnerableCode].'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l skip-excluded -d 'Do not check excluded projects or packages.'
 complete -c ort -n "__fish_seen_subcommand_from advise" -s h -l help -d 'Show this message and exit'
 

diff --git a/plugins/advisors/black-duck/build.gradle.kts b/plugins/advisors/black-duck/build.gradle.kts
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2024 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+plugins {
+    // Apply precompiled plugins.
+    id("ort-plugin-conventions")
+}
+
+dependencies {
+    api(libs.blackduck.common.api)
+
+    api(projects.advisor)
+    api(projects.model)
+
+    implementation(libs.blackduck.common)
+    implementation(libs.kotlinx.coroutines)
+
+    implementation(projects.utils.commonUtils)
+
+    funTestImplementation(libs.gson)
+
+    ksp(projects.advisor)
+}