Merge pull request #489 from nscuro/backport-to-4.8.1

Backport fixes to 4.8.1

Author: nscuro

src/shared/common.js

@@ -35,11 +35,11 @@ $common.formatNotificationLabel = function formatNotificationLabel(violationStat
 /**
  * Formats and returns a specialized label for a project tag.
  */
-$common.formatProjectTagLabel = function formatProjectTagLabel(tag) {
+$common.formatProjectTagLabel = function formatProjectTagLabel(router, tag) {
   if (! tag) {
     return "";
   }
-  return `<a href="../projects/?tag=${xssFilters.uriComponentInUnQuotedAttr(tag.name)}" class="badge badge-tag text-lowercase mr-1">${xssFilters.inHTMLData(tag.name)}</a>`
+  return `<a href="${router.resolve({name: 'Projects', query: {'tag': tag.name}}).href}" class="badge badge-tag text-lowercase mr-1">${xssFilters.inHTMLData(tag.name)}</a>`
 };
 
 /**
@@ -191,32 +191,55 @@ $common.resolveSourceVulnInfo = function resolveSourceVulnInfo(vulnSource, vulnI
   return sourceInfo;
 }
 
-/**
- * Given the source of a vulnerability (vulnSource) and an alias of the vulnerability, normalizes
- * the return object.
- * @param vulnSource the source of a Vulnerability object
- * @param alias a VulnerabilityAlias response object for the given Vulnerability
- * @returns A resolved and normalized object with metadata
- */
-$common.resolveVulnAliasInfo = function resolveVulnAliasInfo(vulnSource, alias) {
-  if (!vulnSource || !alias) return;
-  if (vulnSource !== "INTERNAL" && alias.internalId) {
-    return $common.resolveSourceVulnInfo("INTERNAL", alias.internalId);
-  } else if (vulnSource !== "NVD" && alias.cveId) {
-    return $common.resolveSourceVulnInfo("NVD", alias.cveId);
-  } else if (vulnSource !== "GITHUB" && alias.ghsaId) {
-    return $common.resolveSourceVulnInfo("GITHUB", alias.ghsaId);
-  } else if (vulnSource !== "OSSINDEX" && alias.sonatypeId) {
-    return $common.resolveSourceVulnInfo("OSSINDEX", alias.sonatypeId);
-  } else if (vulnSource !== "SNYK" && alias.snykId) {
-    return $common.resolveSourceVulnInfo("SNYK", alias.snykId);
-  } else if (vulnSource !== "OSV" && alias.osvId) {
-    return $common.resolveSourceVulnInfo("OSV", alias.osvId);
-  } else if (vulnSource !== "GSD" && alias.gsdId) {
-    return $common.resolveSourceVulnInfo("GSD", alias.gsdId);
-  } else if (vulnSource !== "VULNDB" && alias.vulnDbId) {
-    return $common.resolveSourceVulnInfo("VULNDB", alias.vulnDbId);
+$common.resolveVulnAliases = function resolveVulnAliases(vulnSource, aliases) {
+  if (!vulnSource || !aliases) {
+    return [];
   }
+
+  let resolvedAliases = aliases
+    .flatMap((alias) => {
+      const _resolvedAliases = [];
+      if (vulnSource !== "INTERNAL" && alias.internalId) {
+        _resolvedAliases.push($common.resolveSourceVulnInfo("INTERNAL", alias.internalId));
+      }
+      if (vulnSource !== "NVD" && alias.cveId) {
+        _resolvedAliases.push($common.resolveSourceVulnInfo("NVD", alias.cveId));
+      }
+      if (vulnSource !== "GITHUB" && alias.ghsaId) {
+        _resolvedAliases.push($common.resolveSourceVulnInfo("GITHUB", alias.ghsaId));
+      }
+      if (vulnSource !== "OSSINDEX" && alias.sonatypeId) {
+        _resolvedAliases.push($common.resolveSourceVulnInfo("OSSINDEX", alias.sonatypeId));
+      }
+      if (vulnSource !== "SNYK" && alias.snykId) {
+        _resolvedAliases.push($common.resolveSourceVulnInfo("SNYK", alias.snykId));
+      }
+      if (vulnSource !== "OSV" && alias.osvId) {
+        _resolvedAliases.push($common.resolveSourceVulnInfo("OSV", alias.osvId));
+      }
+      if (vulnSource !== "GSD" && alias.gsdId) {
+        _resolvedAliases.push($common.resolveSourceVulnInfo("GSD", alias.gsdId));
+      }
+      if (vulnSource !== "VULNDB" && alias.vulnDbId) {
+        _resolvedAliases.push($common.resolveSourceVulnInfo("VULNDB", alias.vulnDbId));
+      }
+      return _resolvedAliases;
+    });
+
+  // Deduplicate by vulnerability ID, so we're not showing the same ID more than once.
+  resolvedAliases = [...new Map(resolvedAliases.map(alias => [alias.vulnId, alias])).values()];
+
+  // Sort aliases by vulnerability ID to achieve consistent output.
+  return resolvedAliases
+    .sort((a, b) => {
+      if (a.vulnId < b.vulnId) {
+        return -1;
+      }
+      if (a.vulnId > b.vulnId) {
+        return 1;
+      }
+      return 0;
+    });
 }
 
 /**
@@ -473,7 +496,7 @@ export default {
   formatCweShortLabel: $common.formatCweShortLabel,
   formatAnalyzerLabel: $common.formatAnalyzerLabel,
   resolveSourceVulnInfo: $common.resolveSourceVulnInfo,
-  resolveVulnAliasInfo: $common.resolveVulnAliasInfo,
+  resolveVulnAliases: $common.resolveVulnAliases,
   makeAnalysisStateLabelFormatter: $common.makeAnalysisStateLabelFormatter,
   makeAnalysisJustificationLabelFormatter: $common.makeAnalysisJustificationLabelFormatter,
   componentClassifierLabelFormatter: $common.componentClassifierLabelFormatter,

src/views/portfolio/projects/ComponentVulnerabilities.vue

@@ -45,11 +45,12 @@
             formatter(value, row, index) {
               if (typeof value !== 'undefined') {
                 let label = "";
-                for (let i=0; i<value.length; i++) {
-                  let alias = common.resolveVulnAliasInfo(row.source, value[i]);
-                  let url = xssFilters.uriInUnQuotedAttr("../vulnerabilities/" + alias.source + "/" + alias.vulnId);
+                const aliases = common.resolveVulnAliases(row.source, value);
+                for (let i=0; i<aliases.length; i++) {
+                  let alias = aliases[i];
+                  let url = xssFilters.uriInUnQuotedAttr("../../vulnerabilities/" + alias.source + "/" + alias.vulnId);
                   label += common.formatSourceLabel(alias.source) + ` <a href="${url}">${xssFilters.inHTMLData(alias.vulnId)}</a>`
-                  if (i < value.length-1) label += "<br/><br/>"
+                  if (i < aliases.length-1) label += "<br/><br/>"
                 }
                 return label;
               }

src/views/portfolio/projects/Project.vue

@@ -12,7 +12,7 @@
                   <a href="#" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"><i class="fa fa-caret-down" aria-hidden="true" style="padding-left:10px; padding-right:10px; padding-top:3px; padding-bottom:3px;"></i></a>
                   <ul class="dropdown-menu">
                     <span v-for="p in availableProjectVersions">
-                      <b-dropdown-item :to="p.uuid">{{ p.version }}</b-dropdown-item>
+                      <b-dropdown-item :to="{name: 'Project', params: {'uuid': p.uuid}}">{{ p.version }}</b-dropdown-item>
                       </span>
                   </ul>
                 </li>
@@ -21,7 +21,7 @@
             </div>
             <div class="text-muted text-lowercase font-weight-bold font-xs">
               <span v-for="tag in project.tags">
-                <b-badge :to="{path: '../projects/', query: {'tag': tag.name}}" variant="tag">{{ tag.name }}</b-badge>
+                <b-badge :to="{name: 'Projects', query: {'tag': tag.name}}" variant="tag">{{ tag.name }}</b-badge>
               </span>
             </div>
           </b-col>

src/views/portfolio/projects/ProjectFindings.vue

@@ -144,11 +144,12 @@
             formatter(value, row, index) {
               if (typeof value !== 'undefined') {
                 let label = "";
-                for (let i=0; i<value.length; i++) {
-                  let alias = common.resolveVulnAliasInfo(row.vulnerability.source, value[i]);
+                const aliases = common.resolveVulnAliases(row.vulnerability.source, value);
+                for (let i=0; i<aliases.length; i++) {
+                  let alias = aliases[i];
                   let url = xssFilters.uriInUnQuotedAttr("../../../vulnerabilities/" + alias.source + "/" + alias.vulnId);
                   label += common.formatSourceLabel(alias.source) + ` <a href="${url}">${xssFilters.inHTMLData(alias.vulnId)}</a>`
-                  if (i < value.length-1) label += "<br/><br/>"
+                  if (i < aliases.length-1) label += "<br/><br/>"
                 }
                 return label;
               }
@@ -248,9 +249,9 @@
                     <label>Aliases</label>
                       <b-card class="font-weight-bold">
                         <b-card-text>
-                          <span v-for="alias in finding.vulnerability.aliases">
-                          <b-link style="margin-right:1.0rem" :href="'/vulnerabilities/' + aliasLabel(finding.vulnerability.source, alias).source + '/' + aliasLabel(finding.vulnerability.source, alias).vulnId">{{aliasLabel(finding.vulnerability.source, alias).vulnId}}</b-link>
-                         </span>
+                          <span v-for="alias in resolveVulnAliases(finding.vulnerability.aliases)">
+                          <b-link style="margin-right:1.0rem" :href="'/vulnerabilities/' + alias.source + '/' + alias.vulnId">{{ alias.vulnId }}</b-link>
+                          </span>
                         </b-card-text>
                      </b-card>
                     </div>
@@ -364,8 +365,8 @@
               },
               mixins: [permissionsMixin],
               methods: {
-                aliasLabel: function(vulnSource, alias) {
-                  return common.resolveVulnAliasInfo(vulnSource, alias);
+                resolveVulnAliases: function(aliases) {
+                  return common.resolveVulnAliases(this.source, aliases);
                 },
                 getAnalysis: function() {
                   let queryString = "?project=" + projectUuid + "&component=" + this.finding.component.uuid + "&vulnerability=" + this.finding.vulnerability.uuid;

src/views/portfolio/projects/ProjectList.vue

@@ -184,13 +184,15 @@
             field: "tags",
             sortable: false,
             visible: false,
+            routerFunc: () => this.$router, // Injecting $router directly causes recursion errors in Vue...
             formatter(value, row, index) {
+              const router = this.routerFunc();
               let tag_string = ""
               if (row.tags) {
-                tag_string = row.tags?.slice(0, 2).map(tag => common.formatProjectTagLabel(tag)).join(' ') || '';
+                tag_string = row.tags?.slice(0, 2).map(tag => common.formatProjectTagLabel(router, tag)).join(' ') || '';
                 if (row.tags.length > 2) {
                   tag_string += ` <span class="d-none">`
-                  tag_string += row.tags.slice(2)?.map(tag => common.formatProjectTagLabel(tag)).join(' ');
+                  tag_string += row.tags.slice(2)?.map(tag => common.formatProjectTagLabel(router, tag)).join(' ');
                   tag_string += `</span>`
                   tag_string += `<a href="#" title="show all tags" class="badge badge-tag" onclick="this.previousElementSibling.classList.toggle('d-none')">…</a>`
                 }

src/views/portfolio/vulnerabilities/Vulnerability.vue

@@ -39,8 +39,8 @@
           <span v-if="vulnerability.published" class="font-weight-bold font-xs" style="margin-right:1.2rem">{{prettyTimestamp}}</span>
           <span v-if="vulnerability.aliases && vulnerability.aliases.length > 0" class="font-weight-bold font-xs">
             Aliases:
-            <span v-for="alias in vulnerability.aliases">
-              <b-link style="margin-right:1.0rem" :href="`/vulnerabilities/${aliasLabel(alias).source}/${aliasLabel(alias).vulnId}`">{{ aliasLabel(alias).vulnId }}</b-link>
+            <span v-for="alias in resolveVulnAliases(vulnerability.aliases)">
+              <b-link style="margin-right:1.0rem" :href="`/vulnerabilities/${alias.source}/${alias.vulnId}`">{{ alias.vulnId }}</b-link>
             </span>
           </span>
         </b-card-text>
@@ -274,8 +274,8 @@
       cweLink: function(cwe) {
         return `https://cwe.mitre.org/data/definitions/${cwe.cweId}`;
       },
-      aliasLabel: function(alias) {
-        return common.resolveVulnAliasInfo(this.source, alias);
+      resolveVulnAliases: function(aliases) {
+        return common.resolveVulnAliases(this.source, aliases);
       },
       loadData: function () {
         let url = "";

src/views/portfolio/vulnerabilities/VulnerabilityDetailsModal.vue

@@ -31,8 +31,8 @@
           </b-row>
           <b-form-group :label="this.$t('message.aliases')">
             <div class="list-group">
-                        <span v-for="alias in vulnerability.aliases">
-                          <actionable-list-group-item :value="aliasLabel(alias).vulnId" :delete-icon="false"/>
+                        <span v-for="alias in resolveVulnAliases(vulnerability.aliases)">
+                          <actionable-list-group-item :value="alias.vulnId" :delete-icon="false"/>
                         </span>
               <actionable-list-group-item :add-icon="!isReadonly" v-on:actionClicked="$root.$emit('bv::show::modal', 'selectCweModal')"/>
             </div>
@@ -897,8 +897,8 @@ export default {
     }
   },
   methods: {
-    aliasLabel: function(alias) {
-      return common.resolveVulnAliasInfo(this.vulnerability.source, alias);
+    resolveVulnAliases: function(aliases) {
+      return common.resolveVulnAliases(this.vulnerability.source, aliases);
     },
     onShow: function() {
       this.parseCvssV2Vector();

src/views/portfolio/vulnerabilities/VulnerabilityList.vue

@@ -68,11 +68,12 @@
             formatter(value, row, index) {
               if (typeof value !== 'undefined') {
                 let label = "";
-                for (let i=0; i<value.length; i++) {
-                  let alias = common.resolveVulnAliasInfo(row.source, value[i]);
+                const aliases = common.resolveVulnAliases(value);
+                for (let i=0; i<aliases.length; i++) {
+                  let alias = aliases[i];
                   let url = xssFilters.uriInUnQuotedAttr("../vulnerabilities/" + alias.source + "/" + alias.vulnId);
                   label += common.formatSourceLabel(alias.source) + ` <a href="${url}">${xssFilters.inHTMLData(alias.vulnId)}</a>`
-                  if (i < value.length-1) label += "<br/><br/>"
+                  if (i < aliases.length-1) label += "<br/><br/>"
                 }
                 return label;
               }