Composer Repository Vulnerability Mirroring

[valentijnscholten]

Description

Mirrors Security Advisories from Composer Repositories that offer them, such as https://packagist.org and https://packages.drupal.org/8.

Addressed Issue

Fixes #4465
Frontent companion: DependencyTrack/frontend#1130

Checklist

• I have read and understand the contributing guidelines
• This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
• This PR introduces changes to the database model, and I have added corresponding update logic
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

[valentijnscholten]

@nscuro It's still in draft as I need to add docs, testcases and some cleanup. Would you be able to look at the overall approach taken?

[valentijnscholten]

There's one thing specifically I need feedback on. It is on how to handle advisories from Composer repositories that are really just a mirror of a CVE or GHSA. Composer, or more specific packagist.org, is merely just a vulnerability aggregator similar to OSV. It aggregates CVEs and GHSAs. But also vulnerabilities from other sources such as FriendsofPHP.

This means a lot of advisories look like this:

    "nilsteampassnet/teampass": [
      {
        "advisoryId": "PKSA-q4rt-5vfc-wksb",
        "packageName": "nilsteampassnet/teampass",
        "remoteId": "GHSA-2697-96mv-3gfm",
        "title": "TeamPass does not properly check whether a folder is in a user's allowed folders list",
        "link": "https://github.com/advisories/GHSA-2697-96mv-3gfm",
        "cve": "CVE-2024-50701",
        "affectedVersions": "\u003C3.1.3.1",
        "source": "GitHub",
        "reportedAt": "2024-12-30 15:31:59",
        "composerRepository": "https://packagist.org",
        "severity": "medium",
        "sources": [
          {
            "name": "GitHub",
            "remoteId": "GHSA-2697-96mv-3gfm"
          }
        ]
      },

Which currently leads to DT creating a new vulnerability with Id PKSA-q4rt-5vfc-wksb.
This is not really an authoritative Id such as CVE/GHSA. You can't google these PKSA ids, you cannot link to them.
In DT it will just be another identical vulnerability linked as alias:

I am wondering if this is the best approach? Osv has similar situation, but they do not put their own Id on these vulnerabilities. They use the CVE or GHSA is Id for their advisories. And DT then does not create a new vulnerability (unless NVD or GHSA mirroring is disabled/lagging behind).

Should we do the same for these Composer advisories? Or should I just accept that DT is not (yet) good at deduplicating aliases and just add a new vulnerability with PKSA Id?

The idea is that VulnerableSoftware and AffectedVersionAttribution (and aliases) should still be synced for these vulnerabilities.

BTW After writing this comment I checked the advisories of packagist.org and it looks like all of them have at least a CVE or GHSA. I believe this is relatively new and it looks like GHSA has started to create advisories for all vulnerabilities of FriendsofPHP. So why enable Packagist advisory sync at all, just for the attribution part?

For other repositories like Drupal8 the mirroring is still valid as they provide their own vulnerabilities in their feed (SA-CORE-xxxx, SA-CONTRIB-yyyy). There maybe more repositories in the future, such as for Magento, Shopware, ...

This question about whether or not to "duplicate" all the CVE/GHSA vulnerabilities applies to more future vulnerability sources, for example Wordfence or WPScan. These are also aggregating from other sources. But they also add their own vulnerabilities to their feed. At some point you may have 5-6 aliases per vulnerability.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
Report missing for b70ecc81	❌ 65.58% (target: 70.00%)

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (b70ecc8)	Report Missing	Report Missing	Report Missing
Head commit (e7b8e44)	23408	18543	79.22%

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#4515)	430	282	65.58%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

_{Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more}

Footnotes

1. Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct. ↩