Solr Indexer for the Extensions Security Vulnerabilities application
Type | JAR |
Category | API |
License | GNU Lesser General Public License 2.1 |
Bundled With | XWiki Standard |
Compatibility | XWiki Standard 15.5RC1+ |
Description
This indexer is built on top of the Extensions Index and enriches the indexed extensions with metadata about their known security vulnerabilities.
This additional information is then presented by the Extensions Security Vulnerabilities Application.
This extension is part of the Extensions Security Vulnerabilities module.
Scheduling
The security indexation requires the Extensions Index to have fully finished its initial indexation.
Once this initial indexation is done, a security vulnerability indexation job is started automatically.
Then, a new job is started at a fixed delay (see the configuration section) to search for newly available security vulnerabilities (i.e. for newly installed extensions, or for newly published vulnerabilities).
Once an extension vulnerability indexation job is finished, Administrators are informed by a notification.
Configuration
See Configuration
API
Analyzer
import org.xwiki.component.annotation.Role;
import org.xwiki.extension.Extension;
import org.xwiki.stability.Unstable;

/**
 * Generic interface to call for the security analysis of an extension.
 *
 * @version $Id: bb457492f4dbfd9cc115ab39a0dcd343ccf1542a $
 * @since 15.5RC1
 */
@Role
@Unstable
public interface ExtensionSecurityAnalyzer
{
    /**
     * Analyze the security vulnerabilities for the given extension.
     *
     * @param extension the extension to analyze
     * @return the analysis result, which reports whether at least one unknown security issue was found for the
     *     extension
     * @throws ExtensionSecurityException in case of issue during the analysis
     */
    ExtensionSecurityAnalysisResult analyze(Extension extension) throws ExtensionSecurityException;
}
The default implementation uses the https://osv.dev/ API as its source of knowledge to populate the Solr index.
Currently, no other implementation is provided. An alternative implementation must implement the ExtensionSecurityAnalyzer role with hint "default" and a priority higher than 1000, so that it takes precedence over the default one.
XWiki 15.6+
Reviews
import java.util.Optional;

import org.xwiki.component.annotation.Role;
import org.xwiki.stability.Unstable;

/**
 * Fetches the security vulnerabilities reviews.
 *
 * @since 15.6RC1
 */
@Unstable
@Role
public interface ReviewsFetcher
{
    /**
     * @return {@link Optional#empty()} in case of issue during the fetching, the fetched {@link ReviewsMap} otherwise
     * @throws ExtensionSecurityException in case of issue when fetching the remote false-positive source
     */
    Optional<ReviewsMap> fetch() throws ExtensionSecurityException;
}
The JSON schema corresponding to ReviewsMap, used by the default reviews endpoint (Reviews), is given below.
The emitter, explanation and result properties are mandatory. filter is optional: it is a regex, and the advisory is only displayed if an extension id matching that pattern is found in the wiki. This is useful for contrib extensions, which are not always installed in the wikis.
{
  "type" : "object",
  "id" : "urn:jsonschema:org:xwiki:extension:index:security:review:ReviewsMap",
  "properties" : {
    "reviewsMap" : {
      "type" : "object",
      "additionalProperties" : {
        "type" : "array",
        "items" : {
          "type" : "object",
          "id" : "urn:jsonschema:org:xwiki:extension:index:security:review:Review",
          "properties" : {
            "emitter" : {
              "type" : "string"
            },
            "explanation" : {
              "type" : "string"
            },
            "filter" : {
              "type" : "string"
            },
            "result" : {
              "type" : "string",
              "enum" : [ "SAFE", "UNSAFE" ]
            }
          }
        }
      }
    }
  }
}
Example:
{
  "reviewsMap": {
    "CVE-ID": [
      {
        "emitter": "Reviewer Name",
        "explanation": "Textual explanation",
        "result": "SAFE",
        "filter": "groupId:artifactId/.*"
      }
    ]
  }
}
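As an added example (not code from the XWiki module), this Python snippet checks a reviews document against the constraints described above (mandatory fields, the SAFE/UNSAFE enum, a compilable filter) and applies the optional filter regex to a list of installed extension ids to decide which reviews are shown. The sample document, the advisory ids and the matching rule (a full match against the "groupId:artifactId/version" string) are assumptions.

```python
import json
import re

# Constructed sample reviews document following the ReviewsMap schema above.
# Advisory ids and reviewer names are placeholders, not real data.
SAMPLE_REVIEWS_JSON = """{
  "reviewsMap": {
    "CVE-PLACEHOLDER-1": [
      {"emitter": "Reviewer A", "explanation": "Vulnerable path not reachable from XWiki.",
       "result": "SAFE", "filter": "org.example:contrib-.*"}
    ],
    "CVE-PLACEHOLDER-2": [
      {"emitter": "Reviewer B", "explanation": "Reachable through the REST API.", "result": "UNSAFE"}
    ],
    "CVE-PLACEHOLDER-3": [
      {"emitter": "Reviewer C", "result": "SAFE"}
    ]
  }
}"""

REQUIRED = ("emitter", "explanation", "result")
ALLOWED_RESULTS = ("SAFE", "UNSAFE")


def validate_review(review):
    """Return the list of schema problems for one review; an empty list means valid."""
    problems = [f"missing mandatory field '{k}'" for k in REQUIRED if k not in review]
    if "result" in review and review["result"] not in ALLOWED_RESULTS:
        problems.append(f"result must be one of {list(ALLOWED_RESULTS)}")
    if "filter" in review:
        try:
            re.compile(review["filter"])
        except re.error as exc:
            problems.append(f"filter is not a valid regex: {exc}")
    return problems


def applicable_reviews(reviews_json, installed_extension_ids):
    """Keep, per advisory, the valid reviews whose filter matches an installed extension.
    Assumed semantics: no filter means the review always applies; otherwise the filter is
    full-matched against each installed "groupId:artifactId/version" id. Malformed reviews
    are dropped rather than trusted."""
    doc = json.loads(reviews_json)
    kept = {}
    for advisory_id, reviews in doc["reviewsMap"].items():
        valid = [r for r in reviews if not validate_review(r)]
        matching = [r for r in valid if r.get("filter") is None
                    or any(re.fullmatch(r["filter"], ext) for ext in installed_extension_ids)]
        if matching:
            kept[advisory_id] = matching
    return kept
```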
Dependencies
Dependencies for this extension (org.xwiki.platform:xwiki-platform-extension-security-index 16.7.1):
- org.xwiki.commons:xwiki-commons-component-api 16.7.1
- org.xwiki.commons:xwiki-commons-job-api 16.7.1
- org.xwiki.platform:xwiki-platform-bridge 16.7.1
- org.xwiki.commons:xwiki-commons-extension-api 16.7.1
- com.fasterxml.jackson.core:jackson-databind 2.17.2
- org.apache.maven:maven-artifact 3.6.3
- org.xwiki.platform:xwiki-platform-extension-index 16.7.1
- org.xwiki.platform:xwiki-platform-extension-security-api 16.7.1
- org.xwiki.commons:xwiki-commons-extension-repository-http 16.7.1