Solr Indexer for the Extensions Security Vulnerabilities application

Last modified by Admin on 2024/01/29 16:19

Type: JAR
Category: API
Developed by: XWiki Development Team

License: GNU Lesser General Public License 2.1
Bundled with: XWiki Standard
Compatibility: XWiki Standard 15.5RC1+

Installable with the Extension Manager

Description

This module is currently unstable and may report false positives, which should be treated with caution.

This indexer is built on top of the Extensions Index and enriches the indexed extensions with metadata about their security vulnerabilities.
This additional information is then presented by the Extensions Security Vulnerabilities Application.

This extension is part of the Extensions Security Vulnerabilities module.

Scheduling

The security indexation requires the Extensions Index to have fully finished indexing the extensions.

Once this initial indexation is done, a security vulnerability indexation job is started automatically.

Then, a new job is started at a fixed delay (see the configuration section) to search for newly available security vulnerabilities (i.e. for newly installed extensions or for newly published vulnerabilities).

Once an extension vulnerability indexation job is finished, Administrators are informed by a notification.

Configuration

See Configuration

API

Analyzer

import org.xwiki.component.annotation.Role;
import org.xwiki.extension.Extension;
import org.xwiki.stability.Unstable;

/**
 * Generic interface to call for the security analysis of an extension.
 *
 * @version $Id: bb457492f4dbfd9cc115ab39a0dcd343ccf1542a $
 * @since 15.5RC1
 */
@Role
@Unstable
public interface ExtensionSecurityAnalyzer
{
    /**
     * Analyze the security vulnerabilities for the given extension.
     *
     * @param extension the extension to analyze
     * @return the result of the analysis, holding the security issues found for the extension
     * @throws ExtensionSecurityException in case of issue during the analysis
     */
    ExtensionSecurityAnalysisResult analyze(Extension extension) throws ExtensionSecurityException;
}

The default implementation uses the https://osv.dev/ API as its source of knowledge to populate the Solr index.
Currently, no other implementation is provided. Alternative implementations must implement the ExtensionSecurityAnalyzer role with hint "default" and a priority higher than 1000, so that they override the default one.

Reviews (15.6+)

import java.util.Optional;

import org.xwiki.component.annotation.Role;
import org.xwiki.stability.Unstable;

/**
 * Fetches the security vulnerabilities reviews.
 *
 * @since 15.6RC1
 */
@Unstable
@Role
public interface ReviewsFetcher
{
    /**
     * @return {@link Optional#empty()} in case of issue during the fetching, the fetched {@link ReviewsMap} otherwise
     * @throws ExtensionSecurityException in case of issue when fetching the remote false-positive source
     */
    Optional<ReviewsMap> fetch() throws ExtensionSecurityException;
}

The JSON schema corresponding to ReviewsMap, used by the default reviews endpoint (Reviews).
The emitter, explanation, and result fields are mandatory. filter is optional: it is a regex that restricts the advisory to being displayed only if an extension id matching the pattern is found in the wiki. This is useful for contrib extensions, which are not always installed in the wikis.

{
  "type" : "object",
  "id" : "urn:jsonschema:org:xwiki:extension:index:security:review:ReviewsMap",
  "properties" : {
    "reviewsMap" : {
      "type" : "object",
      "additionalProperties" : {
        "type" : "array",
        "items" : {
          "type" : "object",
          "id" : "urn:jsonschema:org:xwiki:extension:index:security:review:Review",
          "properties" : {
            "emitter" : {
              "type" : "string"
            },
            "explanation" : {
              "type" : "string"
            },
            "filter" : {
              "type" : "string"
            },
            "result" : {
              "type" : "string",
              "enum" : [ "SAFE", "UNSAFE" ]
            }
          }
        }
      }
    }
  }
}

Example:

{
  "reviewsMap": {
    "CVE-ID": [
      {
        "emitter": "Reviewer Name",
        "explanation": "Textual explanation",
        "result": "SAFE",
        "filter": "groupId:artifactId/.*"
      }
    ]
  }
}
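As an added illustration (not code from the XWiki project), the following Python parses a ReviewsMap document, enforces the constraints stated above (mandatory emitter/explanation/result, result limited to SAFE or UNSAFE, filter a valid regex), and then selects the reviews that apply to a wiki given its installed extension ids in the id/version form used by the page's example filter. The sample document is constructed; matching the filter against the whole extension id (re.fullmatch) is an assumption made here.

```python
import json
import re

# Constructed sample in the ReviewsMap format (not fetched from the real reviews endpoint).
SAMPLE_REVIEWS_JSON = """{"reviewsMap": {
  "CVE-0000-0001": [{"emitter": "Reviewer A", "result": "SAFE",
                     "explanation": "Only an optional contrib extension is affected",
                     "filter": "org.example.contrib:extension-.*/.*"}],
  "CVE-0000-0002": [{"emitter": "Reviewer B", "result": "UNSAFE",
                     "explanation": "Exploitable in the default configuration"}]}}"""

MANDATORY_FIELDS = ("emitter", "explanation", "result")
ALLOWED_RESULTS = {"SAFE", "UNSAFE"}


def parse_reviews_map(text):
    """Parse a ReviewsMap document into {advisory_id: [review, ...]}; raise ValueError when a
    mandatory field is missing, the result is not SAFE/UNSAFE, or the filter is not a valid regex."""
    reviews_map = json.loads(text).get("reviewsMap")
    if not isinstance(reviews_map, dict):
        raise ValueError("reviewsMap object missing")
    parsed = {}
    for advisory_id, reviews in reviews_map.items():
        if not isinstance(reviews, list):
            raise ValueError(f"{advisory_id}: reviews must be an array")
        for review in reviews:
            missing = [f for f in MANDATORY_FIELDS if f not in review]
            if missing:
                raise ValueError(f"{advisory_id}: missing mandatory field(s) {missing}")
            if review["result"] not in ALLOWED_RESULTS:
                raise ValueError(f"{advisory_id}: invalid result {review['result']!r}")
            if "filter" in review:
                try:
                    re.compile(review["filter"])
                except re.error as err:
                    raise ValueError(f"{advisory_id}: invalid filter regex: {err}") from err
        parsed[advisory_id] = list(reviews)
    return parsed


def applicable_reviews(reviews_map, installed_extension_ids):
    """Keep a review if it has no filter, or if its filter matches at least one installed
    extension id (id/version form). Whole-id matching via re.fullmatch is an assumption."""
    selected = {}
    for advisory_id, reviews in reviews_map.items():
        kept = [r for r in reviews if "filter" not in r or any(
            re.fullmatch(r["filter"], eid) for eid in installed_extension_ids)]
        if kept:
            selected[advisory_id] = kept
    return selected
```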

Dependencies

Dependencies for this extension (org.xwiki.platform:xwiki-platform-extension-security-index 16.0.0):
