-rw-r--r--server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java178
-rw-r--r--server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java2
-rw-r--r--server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java6
-rw-r--r--server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java3
-rw-r--r--server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java131
-rw-r--r--server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java1
-rw-r--r--server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java25
-rw-r--r--server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java11
-rw-r--r--sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java10
-rw-r--r--sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java5
-rw-r--r--sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java4
-rw-r--r--sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java4
-rw-r--r--sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java8
-rw-r--r--sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java5
-rw-r--r--sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java21
-rw-r--r--sonar-scanner-protocol/src/main/protobuf/scanner_report.proto26
-rw-r--r--sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java27
17 files changed, 9 insertions, 458 deletions
diff --git a/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java b/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java
deleted file mode 100644
index faca0e5bfe6..00000000000
--- a/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2024 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.ce.task.projectanalysis.step;
-
-import java.util.List;
-import java.util.Set;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.RegisterExtension;
-import org.sonar.api.utils.System2;
-import org.sonar.ce.task.projectanalysis.batch.BatchReportReaderRule;
-import org.sonar.ce.task.step.TestComputationStepContext;
-import org.sonar.core.util.UuidFactory;
-import org.sonar.core.util.UuidFactoryImpl;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
-import org.sonar.db.DbTester;
-import org.sonar.db.dependency.CveCweDto;
-import org.sonar.db.dependency.CveDto;
-import org.sonar.scanner.protocol.output.ScannerReport.Cve;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.fail;
-
-class PersistCveStepIT {
-
- @RegisterExtension
- private final DbTester db = DbTester.create(System2.INSTANCE);
-
- @RegisterExtension
- private final BatchReportReaderRule batchReportReader = new BatchReportReaderRule();
-
- private final DbSession dbSession = db.getSession();
- private final DbClient dbClient = db.getDbClient();
- private final UuidFactory uuidFactory = UuidFactoryImpl.INSTANCE;
-
- private PersistCveStep persistCveStep;
-
- @BeforeEach
- void setUp() {
- persistCveStep = new PersistCveStep(batchReportReader, dbClient, uuidFactory, System2.INSTANCE);
- }
-
- @Test
- void getDescription_shouldReturnStepDescription() {
- assertThat(persistCveStep.getDescription()).isEqualTo("Persist CVEs");
- }
-
- @Test
- void execute_shouldInsertNewCVEs() {
- Cve cve1 = buildCve("1").build();
- Cve cve2 = buildCve("2").build();
- Cve cveAllOptionalEmpty = Cve.newBuilder().setCveId("CVE-empty").setDescription("Empty CVE").build();
- batchReportReader.putCves(List.of(cve1, cve2, cveAllOptionalEmpty));
-
- persistCveStep.execute(new TestComputationStepContext());
-
- assertCvePersistedInDatabase(cve1);
- assertCvePersistedInDatabase(cve2);
- assertCvePersistedInDatabase(cveAllOptionalEmpty);
- }
-
- private void assertCvePersistedInDatabase(Cve cve) {
- CveDto cveDto = dbClient.cveDao().selectById(dbSession, cve.getCveId())
- .orElseGet(() -> fail(String.format("CVE with id %s not found", cve.getCveId())));
- assertThat(cveDto.id()).isEqualTo(cve.getCveId());
- assertThat(cveDto.description()).isEqualTo(cve.getDescription());
- if (cve.hasCvssScore()) {
- assertThat(cveDto.cvssScore()).isEqualTo(cve.getCvssScore());
- } else {
- assertThat(cveDto.cvssScore()).isNull();
- }
- if (cve.hasEpssScore()) {
- assertThat(cveDto.epssScore()).isEqualTo(cve.getEpssScore());
- } else {
- assertThat(cveDto.epssScore()).isNull();
- }
- if (cve.hasEpssPercentile()) {
- assertThat(cveDto.epssPercentile()).isEqualTo(cve.getEpssPercentile());
- } else {
- assertThat(cveDto.epssPercentile()).isNull();
- }
- if (cve.hasPublishedDate()) {
- assertThat(cveDto.publishedAt()).isEqualTo(cve.getPublishedDate());
- } else {
- assertThat(cveDto.publishedAt()).isNull();
- }
- if (cve.hasLastModifiedDate()) {
- assertThat(cveDto.lastModifiedAt()).isEqualTo(cve.getLastModifiedDate());
- } else {
- assertThat(cveDto.lastModifiedAt()).isNull();
- }
- assertThat(cveDto.uuid()).isNotBlank();
- assertThat(cveDto.createdAt()).isNotNull();
- assertThat(cveDto.updatedAt()).isNotNull();
- }
-
- @Test
- void execute_shoudUpdateExistingCves() {
- dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-1", "CVE-1", "Old description 1", 10.0, 20.0, 30.0, 0L, 0L, 0L, 0L));
- dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-2", "CVE-2", "Old description 2", null, null, null, null, null, 0L, 0L));
- db.commit();
- Cve cve1 = buildCve("1").build();
- Cve cve2 = buildCve("2").build();
- batchReportReader.putCves(List.of(cve1, cve2));
-
- persistCveStep.execute(new TestComputationStepContext());
-
- assertThat(db.countRowsOfTable(dbSession, "cves")).isEqualTo(2);
- assertCvePersistedInDatabase(cve1);
- assertCvePersistedInDatabase(cve2);
- }
-
- @Test
- void execute_shouldInsertCwes_whenNewCVEs() {
- Cve cve1 = buildCve("1").addCwe("CWE-11").addCwe("CWE-12").build();
- Cve cve2 = buildCve("2").addCwe("CWE-11").build();
- batchReportReader.putCves(List.of(cve1, cve2));
-
- persistCveStep.execute(new TestComputationStepContext());
-
- assertCveHasExactlyCwes(cve1, "CWE-11", "CWE-12");
- assertCveHasExactlyCwes(cve2, "CWE-11");
- }
-
- @Test
- void execute_shouldUpdateExistingCwesAndInsertNewOnes_whenUpdatingCVEs() {
- dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-1", "CVE-1", "Old description 1", 0.0, 0.0, 0.0, 0L, 0L, 0L, 0L));
- dbClient.cveCweDao().insert(dbSession, new CveCweDto("cve-uuid-1", "CWE-1"));
- dbClient.cveCweDao().insert(dbSession, new CveCweDto("cve-uuid-1", "CWE-2"));
- db.commit();
- Cve cve = buildCve("1").addCwe("CWE-2").addCwe("CWE-3").build();
- batchReportReader.putCves(List.of(cve));
-
- persistCveStep.execute(new TestComputationStepContext());
-
- assertCveHasExactlyCwes(cve, "CWE-2", "CWE-3");
- }
-
- private void assertCveHasExactlyCwes(Cve cve, String... cwes) {
- Set<String> cweInDb = dbClient.cveCweDao().selectByCveUuid(dbSession, getCveUuid(cve.getCveId()));
- assertThat(cweInDb).containsExactlyInAnyOrder(cwes);
- }
-
- private String getCveUuid(String cveId) {
- return dbClient.cveDao().selectById(dbSession, cveId)
- .map(CveDto::uuid)
- .orElseGet(() -> fail("CVE not found"));
- }
-
- private static Cve.Builder buildCve(String suffix) {
- return Cve.newBuilder()
- .setCveId("CVE-"+suffix)
- .setCvssScore(7.5F)
- .setEpssScore(0.1F)
- .setEpssPercentile(0.4F)
- .setDescription("Some CVE description "+suffix)
- .setLastModifiedDate(5L)
- .setPublishedDate(4L);
- }
-}
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java
index f59adf02fd0..990a2c4fda6 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java
@@ -71,8 +71,6 @@ public interface BatchReportReader {
CloseableIterator<ScannerReport.AnalysisWarning> readAnalysisWarnings();
- CloseableIterator<ScannerReport.Cve> readCves();
-
CloseableIterator<ScannerReport.TelemetryEntry> readTelemetryEntries();
CloseableIterator<ScannerReport.Dependency> readDependencies();
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java
index ee5ac203150..da93123366e 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java
@@ -229,12 +229,6 @@ public class BatchReportReaderImpl implements BatchReportReader {
}
@Override
- public CloseableIterator<ScannerReport.Cve> readCves() {
- ensureInitialized();
- return delegate.readCves();
- }
-
- @Override
public CloseableIterator<ScannerReport.TelemetryEntry> readTelemetryEntries() {
ensureInitialized();
return delegate.readTelemetryEntries();
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java
index 4f014fde255..3100a1368b6 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java
@@ -270,9 +270,6 @@ public class TrackerRawInputFactory {
}
issue.setIsFromExternalRuleEngine(true);
issue.setLocations(dbLocationsBuilder.build());
- if (reportExternalIssue.hasCveId()) {
- issue.setCveId(reportExternalIssue.getCveId());
- }
return issue;
}
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java
deleted file mode 100644
index 304c7280e7a..00000000000
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2024 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.ce.task.projectanalysis.step;
-
-import java.util.HashSet;
-import java.util.Set;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.sonar.api.utils.System2;
-import org.sonar.ce.task.projectanalysis.batch.BatchReportReader;
-import org.sonar.ce.task.step.ComputationStep;
-import org.sonar.core.util.CloseableIterator;
-import org.sonar.core.util.UuidFactory;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
-import org.sonar.db.dependency.CveCweDto;
-import org.sonar.db.dependency.CveDto;
-import org.sonar.scanner.protocol.output.ScannerReport;
-
-/**
- * Step that persists CVEs and their CWEs in the database.
- * CVEs are inserted or updated in the database based on the information from the scanner report.
- * If CWEs need to be updated, we simply remove all CWEs from the CVE and insert what is sent by the scanner.
- */
-public class PersistCveStep implements ComputationStep {
-
- private static final Logger LOG = LoggerFactory.getLogger(PersistCveStep.class);
-
- private final BatchReportReader batchReportReader;
- private final DbClient dbClient;
- private final UuidFactory uuidFactory;
- private final System2 system2;
-
- public PersistCveStep(BatchReportReader batchReportReader, DbClient dbClient, UuidFactory uuidFactory, System2 system2) {
- this.batchReportReader = batchReportReader;
- this.dbClient = dbClient;
- this.uuidFactory = uuidFactory;
- this.system2 = system2;
- }
-
- @Override
- public String getDescription() {
- return "Persist CVEs";
- }
-
- @Override
- public void execute(Context context) {
- int count = 0;
- try (DbSession dbSession = dbClient.openSession(false);
- CloseableIterator<ScannerReport.Cve> batchCves = batchReportReader.readCves()) {
- while (batchCves.hasNext()) {
- updateOrInsertCve(dbSession, batchCves.next());
- count++;
- }
- LOG.debug("{} CVEs were imported/updated", count);
- dbSession.commit();
- } catch (Exception exception) {
- throw new IllegalStateException(String.format("CVEs import failed after processing %d CVEs successfully", count), exception);
- }
- }
-
- private void updateOrInsertCve(DbSession dbSession, ScannerReport.Cve scannerCve) {
- dbClient.cveDao().selectById(dbSession, scannerCve.getCveId())
- .ifPresentOrElse(
- cveDto -> updateCve(dbSession, cveDto, scannerCve),
- () -> insertCve(dbSession, scannerCve));
- }
-
- private void updateCve(DbSession dbSession, CveDto cveInDb, ScannerReport.Cve scannerCve) {
- CveDto dtoForUpdate = toDtoForUpdate(scannerCve, cveInDb);
- dbClient.cveDao().update(dbSession, dtoForUpdate);
- String cveUuid = cveInDb.uuid();
- deleteThenInsertCwesIfUpdated(dbSession, scannerCve, cveUuid);
- }
-
- private CveDto toDtoForUpdate(ScannerReport.Cve cve, CveDto cveInDb) {
- return toDto(cve, cveInDb.uuid(), cveInDb.createdAt(), system2.now());
- }
-
- private void deleteThenInsertCwesIfUpdated(DbSession dbSession, ScannerReport.Cve scannerCve, String cveUuid) {
- Set<String> cweInDb = dbClient.cveCweDao().selectByCveUuid(dbSession, cveUuid);
- Set<String> cweFromReport = new HashSet<>(scannerCve.getCweList());
- if (!cweInDb.equals(cweFromReport)) {
- dbClient.cveCweDao().deleteByCveUuid(dbSession, cveUuid);
- cweFromReport.forEach(cwe -> dbClient.cveCweDao().insert(dbSession, new CveCweDto(cveUuid, cwe)));
- }
- }
-
- private void insertCve(DbSession dbSession, ScannerReport.Cve scannerCve) {
- CveDto dtoForInsert = toDtoForInsert(scannerCve);
- dbClient.cveDao().insert(dbSession, dtoForInsert);
- scannerCve.getCweList().forEach(cwe -> dbClient.cveCweDao().insert(dbSession, new CveCweDto(dtoForInsert.uuid(), cwe)));
- }
-
- private CveDto toDtoForInsert(ScannerReport.Cve cve) {
- long now = system2.now();
- return toDto(cve, uuidFactory.create(), now, now);
- }
-
- private static CveDto toDto(ScannerReport.Cve cve, String uuid, Long createdAt, Long updatedAt) {
- return new CveDto(
- uuid,
- cve.getCveId(),
- cve.getDescription(),
- cve.hasCvssScore() ? cve.getCvssScore() : null,
- cve.hasEpssScore() ? cve.getEpssScore() : null,
- cve.hasEpssPercentile() ? cve.getEpssPercentile() : null,
- cve.hasPublishedDate() ? cve.getPublishedDate() : null,
- cve.hasLastModifiedDate() ? cve.getLastModifiedDate() : null,
- createdAt,
- updatedAt);
- }
-
-}
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java
index 2b03acf02aa..d5004afc420 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java
@@ -114,7 +114,6 @@ public class ReportComputationSteps extends AbstractComputationSteps {
PersistProjectMeasuresStep.class,
PersistMeasuresStep.class,
PersistAdHocRulesStep.class,
- PersistCveStep.class,
PersistIssuesStep.class,
CleanIssueChangesStep.class,
PersistProjectLinksStep.class,
diff --git a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java
index 7019e756d2a..d181d85263f 100644
--- a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java
+++ b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java
@@ -30,7 +30,6 @@ import org.sonar.api.impl.utils.JUnitTempFolder;
import org.sonar.core.util.CloseableIterator;
import org.sonar.scanner.protocol.output.FileStructure;
import org.sonar.scanner.protocol.output.ScannerReport;
-import org.sonar.scanner.protocol.output.ScannerReport.Cve;
import org.sonar.scanner.protocol.output.ScannerReportWriter;
import static com.google.common.collect.ImmutableList.of;
@@ -301,28 +300,4 @@ public class BatchReportReaderImplTest {
assertThat(res).toIterable().containsExactlyElementsOf(warnings);
res.close();
}
-
- @Test
- public void readCves_shouldReturnCves() {
- Cve cve1 = builCve("1").build();
- writer.appendCve(cve1);
- Cve cve2 = builCve("2").build();
- writer.appendCve(cve2);
-
- CloseableIterator<Cve> cveCloseableIterator = underTest.readCves();
-
- assertThat(cveCloseableIterator).toIterable().containsExactlyInAnyOrder(cve1, cve2);
- }
-
- private Cve.Builder builCve(String suffix) {
- return Cve.newBuilder()
- .setCveId("CVE-" + suffix)
- .addCwe("CWE-" + suffix)
- .setDescription("Some CVE description " + suffix)
- .setCvssScore(7.5F)
- .setEpssScore(0.1F)
- .setEpssPercentile(0.1F)
- .setLastModifiedDate(1L)
- .setPublishedDate(2L);
- }
}
diff --git a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java
index a87484dcffc..d57b4026eb7 100644
--- a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java
+++ b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java
@@ -62,7 +62,6 @@ public class BatchReportReaderRule implements TestRule, BatchReportReader, After
private Map<Integer, ScannerReport.ChangedLines> changedLines = new HashMap<>();
private List<ScannerReport.AnalysisWarning> analysisWarnings = Collections.emptyList();
private byte[] analysisCache;
- private List<ScannerReport.Cve> cves = new ArrayList<>();
private List<ScannerReport.TelemetryEntry> telemetryEntries = new ArrayList<>();
private List<ScannerReport.Dependency> dependencies = new ArrayList<>();
@@ -331,11 +330,6 @@ public class BatchReportReaderRule implements TestRule, BatchReportReader, After
}
@Override
- public CloseableIterator<ScannerReport.Cve> readCves() {
- return CloseableIterator.from(cves.iterator());
- }
-
- @Override
public CloseableIterator<ScannerReport.TelemetryEntry> readTelemetryEntries() {
return CloseableIterator.from(telemetryEntries.iterator());
}
@@ -345,11 +339,6 @@ public class BatchReportReaderRule implements TestRule, BatchReportReader, After
return this;
}
- public BatchReportReaderRule putCves(List<ScannerReport.Cve> cves) {
- this.cves = cves;
- return this;
- }
-
@Override
public CloseableIterator<ScannerReport.Dependency> readDependencies() {
return CloseableIterator.from(dependencies.iterator());
diff --git a/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java b/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
index 6a904f15ee5..449c272c8df 100644
--- a/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
+++ b/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
@@ -44,7 +44,6 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
private RuleType type;
private String engineId;
private String ruleId;
- private String cveId;
private Map<SoftwareQuality, org.sonar.api.issue.impact.Severity> impacts = new EnumMap<>(SoftwareQuality.class);
private CleanCodeAttribute cleanCodeAttribute;
@@ -85,10 +84,6 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
return ruleId;
}
- public String cveId() {
- return cveId;
- }
-
@Override
public Severity severity() {
return this.severity;
@@ -136,11 +131,6 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
return this;
}
- public NewExternalIssue cveId(String cveId) {
- this.cveId = cveId;
- return this;
- }
-
@Override
public DefaultExternalIssue forRule(RuleKey ruleKey) {
this.engineId = ruleKey.repository();
diff --git a/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java b/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
index 47e5f8fe1d7..6de30db7829 100644
--- a/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
+++ b/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
@@ -39,7 +39,6 @@ import org.sonar.api.batch.sensor.issue.Issue;
import org.sonar.api.batch.sensor.issue.Issue.Flow;
import org.sonar.api.batch.sensor.issue.MessageFormatting;
import org.sonar.api.batch.sensor.issue.NewIssue.FlowType;
-import org.sonar.api.batch.sensor.issue.internal.DefaultExternalIssue;
import org.sonar.api.batch.sensor.issue.internal.DefaultIssueFlow;
import org.sonar.api.issue.impact.SoftwareQuality;
import org.sonar.api.rules.CleanCodeAttribute;
@@ -184,10 +183,6 @@ public class IssuePublisher {
TextRange primaryTextRange = issue.primaryLocation().textRange();
// nullable fields
- var cveId = ((DefaultExternalIssue) issue).cveId();
- if (cveId != null) {
- builder.setCveId(cveId);
- }
CleanCodeAttribute cleanCodeAttribute = issue.cleanCodeAttribute();
if (cleanCodeAttribute != null) {
builder.setCleanCodeAttribute(cleanCodeAttribute.name());
diff --git a/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java b/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
index 584bf3dbfd7..21c1cd56c47 100644
--- a/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
+++ b/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
@@ -199,10 +199,6 @@ public class AnalysisResult implements AnalysisObserver {
return readFromReport(ScannerReportReader::readAdHocRules);
}
- public List<ScannerReport.Cve> cves() {
- return readFromReport(ScannerReportReader::readCves);
- }
-
public List<ScannerReport.Dependency> dependencies() {
return readFromReport(ScannerReportReader::readDependencies);
}
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
index 5c59f112838..aaf677d55fc 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
@@ -82,10 +82,6 @@ public class FileStructure {
return new File(dir, "adhocrules.pb");
}
- public File cves() {
- return new File(dir, "cves.pb");
- }
-
public File fileFor(Domain domain, int componentRef) {
return new File(dir, domain.filePrefix + componentRef + domain.fileSuffix);
}
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
index 6e48f5b7809..48fdb6b7983 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
@@ -61,14 +61,6 @@ public class ScannerReportReader {
return Protobuf.readStream(file, ScannerReport.AdHocRule.parser());
}
- public CloseableIterator<ScannerReport.Cve> readCves() {
- File file = fileStructure.cves();
- if (!fileExists(file)) {
- return emptyCloseableIterator();
- }
- return Protobuf.readStream(file, ScannerReport.Cve.parser());
- }
-
public CloseableIterator<ScannerReport.Measure> readComponentMeasures(int componentRef) {
File file = fileStructure.fileFor(FileStructure.Domain.MEASURES, componentRef);
if (fileExists(file)) {
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
index 1c202ab8605..424b9bebccf 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
@@ -97,11 +97,6 @@ public class ScannerReportWriter {
appendDelimitedTo(file, adHocRule, "ad hoc rule");
}
- public void appendCve(ScannerReport.Cve cve) {
- File file = fileStructure.cves();
- appendDelimitedTo(file, cve, "cve");
- }
-
public void appendComponentMeasure(int componentRef, ScannerReport.Measure measure) {
File file = fileStructure.fileFor(FileStructure.Domain.MEASURES, componentRef);
appendDelimitedTo(file, measure, "measure");
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
index 33928bb8fe2..e21a64a8bed 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
@@ -101,8 +101,6 @@ public class ScannerReportViewerApp {
private JEditorPane activeRuleEditor;
private JScrollPane adHocRuleTab;
private JEditorPane adHocRuleEditor;
- private JScrollPane cveTab;
- private JEditorPane cveEditor;
private JScrollPane qualityProfileTab;
private JEditorPane qualityProfileEditor;
private JScrollPane pluginTab;
@@ -201,7 +199,6 @@ public class ScannerReportViewerApp {
loadComponents();
updateActiveRules();
updateAdHocRules();
- updateCves();
updateQualityProfiles();
updatePlugins();
updateMetadata();
@@ -405,18 +402,6 @@ public class ScannerReportViewerApp {
}
}
- private void updateCves() {
- cveEditor.setText("");
-
- StringBuilder builder = new StringBuilder();
- try (CloseableIterator<ScannerReport.Cve> cveCloseableIterator = reader.readCves()) {
- while (cveCloseableIterator.hasNext()) {
- builder.append(cveCloseableIterator.next().toString()).append("\n");
- }
- cveEditor.setText(builder.toString());
- }
- }
-
private void updateQualityProfiles() {
qualityProfileEditor.setText("");
@@ -609,12 +594,6 @@ public class ScannerReportViewerApp {
adHocRuleEditor = new JEditorPane();
adHocRuleTab.setViewportView(adHocRuleEditor);
- cveTab = new JScrollPane();
- tabbedPane.addTab("CVEs", null, cveTab, null);
-
- cveEditor = new JEditorPane();
- cveTab.setViewportView(cveEditor);
-
qualityProfileTab = new JScrollPane();
tabbedPane.addTab("Quality Profiles", null, qualityProfileTab, null);
diff --git a/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto b/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
index c062c0ca161..74ff2bc0404 100644
--- a/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
+++ b/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
@@ -96,7 +96,7 @@ message ActiveRule {
string rule_repository = 1;
string rule_key = 2;
Severity severity = 3;
- map<string,string> params_by_key = 4;
+ map<string, string> params_by_key = 4;
int64 createdAt = 5;
int64 updatedAt = 6;
string q_profile_key = 7;
@@ -143,8 +143,8 @@ message Component {
enum ComponentType {
UNSET = 0;
PROJECT = 1;
- MODULE = 2 [deprecated=true];
- DIRECTORY = 3 [deprecated=true];
+ MODULE = 2 [deprecated = true];
+ DIRECTORY = 3 [deprecated = true];
FILE = 4;
}
@@ -221,31 +221,19 @@ message ExternalIssue {
repeated MessageFormatting msgFormatting = 9;
repeated Impact impacts = 10;
optional string cleanCodeAttribute = 11;
- optional string cve_id = 12;
}
message AdHocRule {
- string engine_id = 1;
- string rule_id = 2;
- string name = 3;
- string description = 4;
+ string engine_id = 1;
+ string rule_id = 2;
+ string name = 3;
+ string description = 4;
optional Severity severity = 5;
optional IssueType type = 6;
optional string cleanCodeAttribute = 7;
repeated Impact defaultImpacts = 8;
}
-message Cve {
- string cve_id = 1;
- string description = 2;
- optional double cvss_score = 3;
- optional double epss_score = 4;
- optional double epss_percentile = 5;
- optional int64 published_date = 6;
- optional int64 last_modified_date = 7;
- repeated string cwe = 8;
-}
-
enum IssueType {
UNSET = 0;
CODE_SMELL = 1;
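Review bot: Tag 12 of `ExternalIssue` is freed in this hunk without being reserved, so a later edit could reuse the number (or the name `cve_id`) for a field of a different type, and a report produced by a scanner that still writes `cve_id` would then be decoded as that new field. Add `reserved 12;` and `reserved "cve_id";` as the last lines of `ExternalIssue`. With the schema as committed, tag 12 is parsed as an unknown field and ignored, so the reservation only guards against future schema edits. The deleted `Cve` message was read only through `readCves()`, which this commit also removes, so it needs no equivalent. The `ExternalIssue` message begins above this hunk.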
diff --git a/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java b/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
index 61d81401f16..9b72dab0c51 100644
--- a/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
+++ b/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
@@ -21,7 +21,6 @@ package org.sonar.scanner.protocol.output;
import com.google.common.collect.Iterators;
import java.io.File;
-import java.time.Instant;
import java.util.List;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
@@ -146,28 +145,6 @@ class ScannerReportWriterTest {
}
@Test
- void write_cve() {
- ScannerReport.Cve cve = ScannerReport.Cve.newBuilder()
- .setCveId("CVE-2023-20863")
- .setDescription("In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a" +
- " specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.")
- .setCvssScore(6.5f)
- .setEpssScore(0.00306f)
- .setEpssPercentile(0.70277f)
- .setPublishedDate(Instant.parse("2023-04-13T20:15:00Z").toEpochMilli())
- .setLastModifiedDate(Instant.parse("2024-02-04T02:22:24.474Z").toEpochMilli())
- .addCwe("CWE-400")
- .build();
- underTest.appendCve(cve);
-
- File file = underTest.getFileStructure().cves();
- assertThat(file).exists().isFile();
- try (CloseableIterator<ScannerReport.Cve> read = Protobuf.readStream(file, ScannerReport.Cve.parser())) {
- assertThat(Iterators.size(read)).isOne();
- }
- }
-
- @Test
void write_changed_lines() {
assertThat(underTest.hasComponentData(FileStructure.Domain.CHANGED_LINES, 1)).isFalse();
@@ -374,8 +351,8 @@ class ScannerReportWriterTest {
underTest.writeTelemetry(input);
- try (CloseableIterator<ScannerReport.TelemetryEntry> telemetryIterator =
- Protobuf.readStream(underTest.getFileStructure().telemetryEntries(), ScannerReport.TelemetryEntry.parser())) {
+ try (CloseableIterator<ScannerReport.TelemetryEntry> telemetryIterator = Protobuf.readStream(underTest.getFileStructure().telemetryEntries(),
+ ScannerReport.TelemetryEntry.parser())) {
assertThat(telemetryIterator).toIterable()
.containsExactlyElementsOf(input)