vrt 0.1

data/lib/generators/vrt.rb

@@ -0,0 +1,3 @@
+# Pre-warm the in-memory store of these class instance vars when we launch the
+# server. Prevents unnecessary file I/O per-request.
+VRT.reload!

data/lib/generators/vrt/install_generator.rb

@@ -0,0 +1,12 @@
+require 'rails/generators/base'
+
+module Vrt
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root(File.expand_path(File.dirname(__FILE__)))
+      def create_initializer_file
+        copy_file '../vrt.rb', 'config/initializers/vrt.rb'
+      end
+    end
+  end
+end

data/lib/vrt.rb

@@ -0,0 +1,123 @@
+# The 'guts' of the VRT library. Probably in need of refactoring in future.
+# Will do file I/O the first time it's accessed, and will thereafter hold
+# VRT versions in-memory.
+
+require 'vrt/map'
+require 'vrt/node'
+require 'vrt/cross_version_mapping'
+
+require 'date'
+require 'json'
+require 'pathname'
+
+module VRT
+  DIR = Pathname.new(__dir__).join('data')
+  OTHER_OPTION = { 'id' => 'other',
+                   'name' => 'Other',
+                   'priority' => nil,
+                   'type' => 'category' }.freeze
+
+  @version_json = {}
+  @last_update = {}
+
+  module_function
+
+  extend CrossVersionMapping
+
+  # Infer the available versions of the VRT from the names of the files
+  # in the repo.
+  # The returned list is in semver order with the current version first.
+  def versions
+    @versions ||= json_dir_names.sort_by { |v| Gem::Version.new(v) }.reverse!
+  end
+
+  # Get the most recent version of the VRT.
+  def current_version
+    versions.first
+  end
+
+  def current_version?(version)
+    version == current_version
+  end
+
+  # Get the last updated timestamp of the VRT data (not schema!)
+  # Passing nil for version will return the latest version.
+  def last_updated(version = nil)
+    version ||= current_version
+    return @last_update[version] if @last_update[version]
+    metadata = JSON.parse(json_pathname(version).read)['metadata']
+    @last_update[version] = Date.parse(metadata['release_date'])
+  end
+
+  def current_categories
+    Map.new(current_version).categories
+  end
+
+  # Get all deprecated ids that would match in the given categories from the current version
+  def all_matching_categories(categories)
+    cross_version_category_mapping.select { |key, _value| categories.include?(key) }.values.flatten
+  end
+
+  # Finds the best match valid node. First looks at valid nodes in the given new version or finds
+  # the appropriate deprecated mapping. If neither is found it will walk up the tree to find a
+  # valid parent node before giving up and returning nil.
+  #
+  # @param [String] A valid vrt_id
+  # @param [String] (Optional - recommended) A valid vrt_version that the vrt_id exists in
+  # @param [string] (Optional) The preferred new vrt_version to find a match in
+  # @param [String] (Optional) The maximum depth to match in
+  # @return [VRT::Node|Nil] A valid VRT::Node object or nil if no best match could be found
+  def find_node(vrt_id:, version: nil, preferred_version: nil, max_depth: 'variant')
+    new_version = preferred_version || current_version
+    if Map.new(new_version).valid?(vrt_id)
+      Map.new(new_version).find_node(vrt_id, max_depth: max_depth)
+    elsif deprecated_node?(vrt_id)
+      find_deprecated_node(vrt_id, preferred_version, max_depth)
+    else
+      return nil unless version
+      find_valid_parent_node(vrt_id, version, new_version, max_depth)
+    end
+  end
+
+  # Load the VRT from text files, and parse it as JSON.
+  # If other: true, we append the OTHER_OPTION hash at runtime (not cached)
+  def get_json(version: nil, other: true)
+    version ||= current_version
+    @version_json[version] ||= json_for_version(version)
+    other ? @version_json[version] + [OTHER_OPTION] : @version_json[version]
+  end
+
+  # Get names of directories matching lib/data/<major>-<minor>/
+  def json_dir_names
+    DIR.entries
+       .map(&:basename)
+       .map(&:to_s)
+       .select { |dirname| dirname =~ /^[0-9]+\.[0-9]/ }.sort
+  end
+
+  # Get the Pathname for a particular version
+  def json_pathname(version)
+    DIR.join(version, 'vulnerability-rating-taxonomy.json')
+  end
+
+  # Load and parse JSON for some VRT version
+  def json_for_version(version)
+    JSON.parse(json_pathname(version).read)['content']
+  end
+
+  # Cache the VRT contents in-memory, so we're not hitting File I/O multiple times per
+  # request that needs it.
+  def reload!
+    unload!
+    versions
+    get_json
+    last_updated
+  end
+
+  # We separate unload! out, as we need to call it in test environments.
+  def unload!
+    @versions = nil
+    @version_json = {}
+    @last_update = {}
+  end
+end

data/lib/vrt/cross_version_mapping.rb

@@ -0,0 +1,45 @@
+module VRT
+  module CrossVersionMapping
+    # Maps new_category_id: deprecated_node_id
+    def cross_version_category_mapping
+      category_map = {}
+      deprecated_node_json.each do |key, value|
+        latest_version = value.keys.sort_by { |n| Gem::Version.new(n) }.last
+        id = value[latest_version].split('.')[0]
+        category_map[id] ? category_map[id] << key : category_map[id] = [key]
+      end
+      category_map
+    end
+
+    # Map shape: { deprecated_id: { version: new_mapped_id } }
+    def deprecated_node_json
+      filename = VRT::DIR.join(current_version, 'deprecated-node-mapping.json')
+      File.file?(filename) ? JSON.parse(File.read(filename)) : {}
+    end
+
+    def deprecated_node?(vrt_id)
+      deprecated_node_json[vrt_id]
+    end
+
+    def latest_version_for_deprecated_node(vrt_id)
+      deprecated_node_json[vrt_id].keys.sort_by { |n| Gem::Version.new(n) }.last
+    end
+
+    def find_deprecated_node(vrt_id, new_version = nil, max_depth = 'variant')
+      version = latest_version_for_deprecated_node(vrt_id)
+      node_id = deprecated_node_json[vrt_id][new_version] || deprecated_node_json[vrt_id][version]
+      VRT::Map.new(new_version).find_node(node_id, max_depth: max_depth)
+    end
+
+    def find_valid_parent_node(vrt_id, old_version, new_version, max_depth)
+      old_node = VRT::Map.new(old_version).find_node(vrt_id)
+      new_map = VRT::Map.new(new_version)
+      if new_map.valid?(vrt_id)
+        new_map.find_node(vrt_id, max_depth: max_depth)
+      else
+        return nil if old_node.parent.nil?
+        find_valid_parent_node(old_node.parent.qualified_vrt_id, old_version, new_version, max_depth)
+      end
+    end
+  end
+end

data/lib/vrt/map.rb

@@ -0,0 +1,82 @@
+module VRT
+  class Map
+    DEPTH_MAP = {
+      'category' => 1,
+      'subcategory' => 2,
+      'variant' => 3
+    }.freeze
+
+    attr_reader :structure, :version
+
+    def initialize(version = nil)
+      @version = version || VRT.current_version
+      @structure = build_structure
+      @found_nodes = {}
+      @lineages = {}
+    end
+
+    def find_node(string, max_depth: 'variant')
+      @found_nodes[string + max_depth] ||= walk_node_tree(string, max_depth: max_depth)
+    end
+
+    def valid?(node)
+      return false unless node =~ /[[:lower]]/
+      node == 'other' || find_node(node)
+    end
+
+    def get_lineage(string, max_depth: 'variant')
+      @lineages[string] ||= construct_lineage(string, max_depth)
+    end
+
+    # Returns list of top level categories in the shape:
+    # [{ value: category_id, label: category_name }]
+    def categories
+      structure.keys.map do |key|
+        node = find_node(key.to_s, max_depth: 'category')
+        { value: node.id, label: node.name }
+      end
+    end
+
+    private
+
+    def construct_lineage(string, max_depth)
+      lineage = ''
+      walk_node_tree(string, max_depth: max_depth) do |ids, node, level|
+        lineage += node.name
+        lineage += ' > ' unless level == ids.length
+      end
+      lineage
+    end
+
+    def walk_node_tree(string, max_depth: 'variant')
+      id_tokens = string.split('.').map(&:to_sym)
+      return nil if id_tokens.size > 3
+      ids = id_tokens.take(DEPTH_MAP[max_depth])
+      node = @structure[ids[0]]
+      ids.each_index do |idx|
+        level = idx + 1
+        yield(ids, node, level) if block_given?
+        node = search(ids, node, level)
+      end
+      node
+    end
+
+    def search(ids, node, level)
+      last_level = level.eql?(ids.length)
+      last_level ? node : node&.children&.fetch(ids[level], false)
+    end
+
+    def build_structure
+      VRT.get_json(version: @version).reduce({}, &method(:build_node))
+    end
+
+    def build_node(memo, vrt, parent = nil)
+      node = Node.new(vrt.merge('version' => @version, 'parent' => parent))
+      if node.children?
+        node.children = vrt['children'].reduce({}) { |m, v| build_node(m, v, node) }
+      end
+      memo[node.id] = node
+      memo
+    end
+  end
+end

data/lib/vrt/node.rb

@@ -0,0 +1,46 @@
+module VRT
+  class Node
+    attr_reader :id, :name, :priority, :type, :version, :parent, :qualified_vrt_id
+    attr_accessor :children
+
+    def initialize(attributes = {})
+      @id = attributes['id'].to_sym
+      @name = attributes['name']
+      @priority = attributes['priority']
+      @type = attributes['type']
+      @has_children = attributes.key?('children')
+      @children = {}
+      @version = attributes['version']
+      @parent = attributes['parent']
+      @qualified_vrt_id = construct_vrt_id
+    end
+
+    def children?
+      @has_children
+    end
+
+    def construct_vrt_id
+      parent ? "#{parent.qualified_vrt_id}.#{id}" : id.to_s
+    end
+
+    # Since this object contains references to parent and children,
+    # as_json must be overridden to avoid unending recursion.
+    def as_json(options = nil)
+      json = {}
+      instance_variables.each do |attribute|
+        attr_name = attribute.to_s.tr('@', '')
+        json[attr_name] = case attr_name
+                          when 'parent'
+                            parent&.qualified_vrt_id
+                          when 'children'
+                            children.inject({}) do |c, (k, v)|
+                              c[k] = v.nil? ? v : v.as_json(options)
+                            end
+                          else
+                            instance_variable_get(attribute)
+                          end
+      end
+      json
+    end
+  end
+end

data/lib/vrt/version.rb

@@ -0,0 +1,3 @@
+module Vrt
+  VERSION = '0.1'.freeze
+end

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: vrt
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Barnett Klane
+- Max Schwenk
+- Adam David
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-07-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.48'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.48'
+description: 
+email:
+- barnett@bugcrowd.com
+- max.schwenk@bugcrowd.com
+- adam.david@bugcrowd.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/data/1.0/vrt.schema.json
+- lib/data/1.0/vulnerability-rating-taxonomy.json
+- lib/data/1.1/deprecated-node-mapping.json
+- lib/data/1.1/vrt.schema.json
+- lib/data/1.1/vulnerability-rating-taxonomy.json
+- lib/generators/vrt.rb
+- lib/generators/vrt/install_generator.rb
+- lib/vrt.rb
+- lib/vrt/cross_version_mapping.rb
+- lib/vrt/map.rb
+- lib/vrt/node.rb
+- lib/vrt/version.rb
+homepage: http://rubygems.org/gems/vrt
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.12
+signing_key: 
+specification_version: 4
+summary: Ruby wrapper for Bugcrowd's Vulnerability Rating Taxonomy
+test_files: []