SONAR-22914 Define CVE message in the scanner report

6 files changed, 83 insertions, 17 deletions

diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
index f1d2f5cae80..a3fb8835fba 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
@@ -82,6 +82,10 @@ public class FileStructure {
     return new File(dir, "adhocrules.pb");
   }
 
+  public File cves() {
+    return new File(dir, "cves.pb");
+  }
+
   public File fileFor(Domain domain, int componentRef) {
     return new File(dir, domain.filePrefix + componentRef + domain.fileSuffix);
   }
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
index 422690db2b7..4569a347891 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
@@ -61,6 +61,14 @@ public class ScannerReportReader {
     return Protobuf.readStream(file, ScannerReport.AdHocRule.parser());
   }
 
+  public CloseableIterator<ScannerReport.Cve> readCves() {
+    File file = fileStructure.cves();
+    if (!fileExists(file)) {
+      return emptyCloseableIterator();
+    }
+    return Protobuf.readStream(file, ScannerReport.Cve.parser());
+  }
+
   public CloseableIterator<ScannerReport.Measure> readComponentMeasures(int componentRef) {
     File file = fileStructure.fileFor(FileStructure.Domain.MEASURES, componentRef);
     if (fileExists(file)) {
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
index 07990c803e8..20e5f30a1f0 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
@@ -19,6 +19,7 @@
  */
 package org.sonar.scanner.protocol.output;
 
+import com.google.protobuf.AbstractMessageLite;
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -77,11 +78,7 @@ public class ScannerReportWriter {
 
   public void appendComponentIssue(int componentRef, ScannerReport.Issue issue) {
     File file = fileStructure.fileFor(FileStructure.Domain.ISSUES, componentRef);
-    try (OutputStream out = new BufferedOutputStream(new FileOutputStream(file, true))) {
-      issue.writeDelimitedTo(out);
-    } catch (Exception e) {
-      throw ContextException.of("Unable to write issue", e).addContext("file", file);
-    }
+    appendDelimitedTo(file, issue, "issue");
   }
 
   public File writeComponentChangedLines(int componentRef, ScannerReport.ChangedLines changedLines) {
@@ -92,28 +89,29 @@ public class ScannerReportWriter {
 
   public void appendComponentExternalIssue(int componentRef, ScannerReport.ExternalIssue issue) {
     File file = fileStructure.fileFor(FileStructure.Domain.EXTERNAL_ISSUES, componentRef);
-    try (OutputStream out = new BufferedOutputStream(new FileOutputStream(file, true))) {
-      issue.writeDelimitedTo(out);
-    } catch (Exception e) {
-      throw ContextException.of("Unable to write external issue", e).addContext("file", file);
-    }
+    appendDelimitedTo(file, issue, "external issue");
   }
 
   public void appendAdHocRule(ScannerReport.AdHocRule adHocRule) {
     File file = fileStructure.adHocRules();
-    try (OutputStream out = new BufferedOutputStream(new FileOutputStream(file, true))) {
-      adHocRule.writeDelimitedTo(out);
-    } catch (Exception e) {
-      throw ContextException.of("Unable to write ad hoc rule", e).addContext("file", file);
-    }
+    appendDelimitedTo(file, adHocRule, "ad hoc rule");
+  }
+
+  public void appendCve(ScannerReport.Cve cve) {
+    File file = fileStructure.cves();
+    appendDelimitedTo(file, cve, "cve");
   }
 
   public void appendComponentMeasure(int componentRef, ScannerReport.Measure measure) {
     File file = fileStructure.fileFor(FileStructure.Domain.MEASURES, componentRef);
+    appendDelimitedTo(file, measure, "measure");
+  }
+
+  private static void appendDelimitedTo(File file, AbstractMessageLite<?, ?> msg, String msgName) {
     try (OutputStream out = new BufferedOutputStream(new FileOutputStream(file, true))) {
-      measure.writeDelimitedTo(out);
+      msg.writeDelimitedTo(out);
     } catch (Exception e) {
-      throw ContextException.of("Unable to write measure", e).addContext("file", file);
+      throw ContextException.of("Unable to write " + msgName, e).addContext("file", file);
     }
   }
 
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
index e21a64a8bed..33928bb8fe2 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
@@ -101,6 +101,8 @@ public class ScannerReportViewerApp {
   private JEditorPane activeRuleEditor;
   private JScrollPane adHocRuleTab;
   private JEditorPane adHocRuleEditor;
+  private JScrollPane cveTab;
+  private JEditorPane cveEditor;
   private JScrollPane qualityProfileTab;
   private JEditorPane qualityProfileEditor;
   private JScrollPane pluginTab;
@@ -199,6 +201,7 @@ public class ScannerReportViewerApp {
     loadComponents();
     updateActiveRules();
     updateAdHocRules();
+    updateCves();
     updateQualityProfiles();
     updatePlugins();
     updateMetadata();
@@ -402,6 +405,18 @@ public class ScannerReportViewerApp {
     }
   }
 
+  private void updateCves() {
+    cveEditor.setText("");
+
+    StringBuilder builder = new StringBuilder();
+    try (CloseableIterator<ScannerReport.Cve> cveCloseableIterator = reader.readCves()) {
+      while (cveCloseableIterator.hasNext()) {
+        builder.append(cveCloseableIterator.next().toString()).append("\n");
+      }
+      cveEditor.setText(builder.toString());
+    }
+  }
+
   private void updateQualityProfiles() {
     qualityProfileEditor.setText("");
 
@@ -594,6 +609,12 @@ public class ScannerReportViewerApp {
     adHocRuleEditor = new JEditorPane();
     adHocRuleTab.setViewportView(adHocRuleEditor);
 
+    cveTab = new JScrollPane();
+    tabbedPane.addTab("CVEs", null, cveTab, null);
+
+    cveEditor = new JEditorPane();
+    cveTab.setViewportView(cveEditor);
+
     qualityProfileTab = new JScrollPane();
     tabbedPane.addTab("Quality Profiles", null, qualityProfileTab, null);
 
diff --git a/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto b/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
index ec1ef8d57b6..fddf8881f31 100644
--- a/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
+++ b/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
@@ -230,6 +230,17 @@ message AdHocRule {
   repeated Impact defaultImpacts = 8;
 }
 
+message Cve {
+  string cve_id = 1;
+  string description = 2;
+  float cvss_score = 3;
+  float epss_score = 4;
+  float epss_percentile = 5;
+  int64 published_date = 6;
+  int64 last_modified_date = 7;
+  repeated string cwe = 8;
+}
+
 enum IssueType {
   UNSET = 0;
   CODE_SMELL = 1;
diff --git a/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java b/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
index 613a9e23ffd..368886e2265 100644
--- a/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
+++ b/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
@@ -21,6 +21,7 @@ package org.sonar.scanner.protocol.output;
 
 import com.google.common.collect.Iterators;
 import java.io.File;
+import java.time.Instant;
 import java.util.List;
 import org.junit.Before;
 import org.junit.Rule;
@@ -148,6 +149,29 @@ public class ScannerReportWriterTest {
   }
 
   @Test
+  public void write_cve() {
+
+    // write data
+    ScannerReport.Cve cve = ScannerReport.Cve.newBuilder()
+      .setCveId("CVE-2023-20863")
+      .setDescription("In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.")
+      .setCvssScore(6.5f)
+      .setEpssScore(0.00306f)
+      .setEpssPercentile(0.70277f)
+      .setPublishedDate(Instant.parse("2023-04-13T20:15:00Z").toEpochMilli())
+      .setLastModifiedDate(Instant.parse("2024-02-04T02:22:24.474Z").toEpochMilli())
+      .addCwe("CWE-400")
+      .build();
+    underTest.appendCve(cve);
+
+    File file = underTest.getFileStructure().cves();
+    assertThat(file).exists().isFile();
+    try (CloseableIterator<ScannerReport.Cve> read = Protobuf.readStream(file, ScannerReport.Cve.parser())) {
+      assertThat(Iterators.size(read)).isOne();
+    }
+  }
+
+  @Test
   public void write_changed_lines() {
     assertThat(underTest.hasComponentData(FileStructure.Domain.CHANGED_LINES, 1)).isFalse();