Open
Labels: enhancement (New feature or request)
Description
Overview
There could be a number of improvements to the VEXBuilder, which I found while working with it for the new VEXController / Service for the API.
Acceptance Criteria
- Factory to create new clients
The current implementation is a switch statement, which worked for the short timeline. We can redevelop it to work like the SerializerFactory.
Example
```java
// Look the client up by name instead of switching on it
String client = "osv";
VulnerabilityDBClient vc = VulnerabilityDBClientFactory.createClient(client);
```
This abstracts the client selection and makes it easy to extend with new clients.
- VEX Builders constructors
Currently the builders are static classes, but they could be made instantiable classes. Cases like this:
```java
vb.setVEXIdentifier(sbom.getName());
vb.setDocVersion("1.0");
vb.setTimeFirstIssued(creationTime);
vb.setTimeLastUpdated(creationTime);
```
can be replaced by a constructor that takes these required fields, so a builder cannot exist without them.
- VEX Builders Factories
This may be too much, but we need a more expandable way to add new VEX standards. The current implementation is limiting: every new standard means another branch, and an unknown format silently falls through.
```java
switch (format.toLowerCase()) {
    case "cyclonedx" -> {
        vb.setOriginType(VEXType.CYCLONE_DX);
        vb.setSpecVersion("1.4");
    }
    case "csaf" -> {
        vb.setOriginType(VEXType.CSAF);
        vb.setSpecVersion("2.0");
    }
    // Missing in the current code: reject unknown formats instead of leaving vb unset
    default -> throw new IllegalArgumentException("Unsupported VEX format: " + format);
}
```
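As an added example, not code from this project: one registry-backed factory pattern can replace both switch statements quoted in this issue (the client factory under "Factory to create new clients" and the VEX-format switch directly above), and a constructor can replace the four setter calls quoted under "VEX Builders constructors". Only the names VEXBuilder, VEXType and its two constants come from the issue; the fields, the constructor signature, VEXBuilderFactory and its register/create/supportedFormats methods are assumptions made for illustration.

```java
import java.time.Instant;
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// VEXType constants are taken from the issue; everything else below is illustrative.
enum VEXType { CYCLONE_DX, CSAF }

// Minimal stand-in for the project's VEXBuilder: the fields every VEX document must
// carry are set once, in the constructor, instead of through four setter calls.
final class VEXBuilder {
    private final String vexIdentifier;
    private final String docVersion;
    private final Instant timeFirstIssued;
    private final Instant timeLastUpdated;
    private final VEXType originType;
    private final String specVersion;

    VEXBuilder(String vexIdentifier, String docVersion, Instant creationTime,
               VEXType originType, String specVersion) {
        this.vexIdentifier = Objects.requireNonNull(vexIdentifier, "vexIdentifier");
        this.docVersion = Objects.requireNonNull(docVersion, "docVersion");
        this.timeFirstIssued = Objects.requireNonNull(creationTime, "creationTime");
        this.timeLastUpdated = creationTime;   // a new document was last updated when issued
        this.originType = Objects.requireNonNull(originType, "originType");
        this.specVersion = Objects.requireNonNull(specVersion, "specVersion");
    }

    VEXType getOriginType() { return originType; }
    String getSpecVersion() { return specVersion; }

    @Override public String toString() {
        return originType + " " + specVersion + " '" + vexIdentifier + "' v" + docVersion
                + " issued " + timeFirstIssued + " updated " + timeLastUpdated;
    }
}

// Registry-backed factory (hypothetical): supporting a new VEX standard is one register()
// call rather than another switch branch, and an unknown format fails loudly instead of
// leaving the builder with no origin type, which is what the quoted switch does today.
final class VEXBuilderFactory {
    private record Spec(VEXType originType, String specVersion) {}

    private static final Map<String, Spec> REGISTRY = new ConcurrentHashMap<>();

    static {
        register("cyclonedx", VEXType.CYCLONE_DX, "1.4");
        register("csaf", VEXType.CSAF, "2.0");
    }

    static void register(String format, VEXType originType, String specVersion) {
        REGISTRY.put(format.toLowerCase(Locale.ROOT), new Spec(originType, specVersion));
    }

    static Set<String> supportedFormats() {
        return Collections.unmodifiableSet(REGISTRY.keySet());
    }

    static VEXBuilder create(String format, String vexIdentifier, String docVersion,
                             Instant creationTime) {
        Spec spec = REGISTRY.get(format.toLowerCase(Locale.ROOT));
        if (spec == null) {
            throw new IllegalArgumentException("Unsupported VEX format '" + format
                    + "'; supported: " + supportedFormats());
        }
        return new VEXBuilder(vexIdentifier, docVersion, creationTime,
                spec.originType(), spec.specVersion());
    }
}

public class VEXBuilderFactoryDemo {
    public static void main(String[] args) {
        Instant creationTime = Instant.now();
        System.out.println(VEXBuilderFactory.create("CycloneDX", "my-sbom", "1.0", creationTime));
        System.out.println(VEXBuilderFactory.create("csaf", "my-sbom", "1.0", creationTime));
        try {
            VEXBuilderFactory.create("openvex", "my-sbom", "1.0", creationTime);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same shape serves the client factory: a map from lowercase client name to a `Supplier<VulnerabilityDBClient>`, with `createClient` throwing on unknown names. Registration being a single call also means a new standard or database can be added by a test or a plugin without touching the factory's source. The nested `record` needs Java 16 or later.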
- Optional Key method
NVD and future databases may take an API key. Every VEX statement generation call should handle both the key and no-key cases, to avoid if-else trees like:
```java
if (client.equalsIgnoreCase("nvd") && apiKey != null)
    statements = vc.getVEXStatements((SBOMPackage) c, apiKey);
else
    statements = vc.getVEXStatements((SBOMPackage) c);
```
A better solution would be:
```java
// apiKey may be null; the client decides whether it needs one
statements = vc.getVEXStatements((SBOMPackage) c, apiKey);
```
and let the client handle the key. As a note: the API key should NOT be a field in the client. We want to limit how long and where the key is stored, so its scope should be restricted to the method that makes the request, and it must not end up in logs or toString output.
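As an added example, not code from this project, here is one way to give every client the single signature proposed above while keeping the key out of any field. The names VulnerabilityDBClient, SBOMPackage, VEXStatement and getVEXStatements come from the issue; NVDClient, OSVClient, the record fields, the generate helper, and the NVD endpoint and `apiKey` header name (taken from the public NVD CVE API 2.0 documentation, but treat them as an assumption to verify) are illustrative.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

// Stand-ins for the project's types; only the type names come from the issue.
record SBOMPackage(String name, String version) {}
record VEXStatement(String vulnId, String status) {}

interface VulnerabilityDBClient {
    // Single signature for every database. A null apiKey means "no key"; a client
    // that does not use keys accepts the parameter and ignores it, so callers never
    // branch on which client they hold.
    List<VEXStatement> getVEXStatements(SBOMPackage pkg, String apiKey);
}

final class NVDClient implements VulnerabilityDBClient {
    // Deliberately no apiKey field: the key exists only as a parameter for the duration
    // of the call, is copied into exactly one request header, and is never logged.
    @Override
    public List<VEXStatement> getVEXStatements(SBOMPackage pkg, String apiKey) {
        HttpRequest request = buildRequest(pkg, apiKey);
        // Sending the request and parsing the response is omitted in this example.
        return List.of();
    }

    static HttpRequest buildRequest(SBOMPackage pkg, String apiKey) {
        // Endpoint and header name assumed from the NVD CVE API 2.0 documentation.
        String url = "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch="
                + URLEncoder.encode(pkg.name(), StandardCharsets.UTF_8);
        HttpRequest.Builder b = HttpRequest.newBuilder(URI.create(url)).GET();
        if (apiKey != null && !apiKey.isBlank()) {
            b.header("apiKey", apiKey);
        }
        return b.build();
    }
}

final class OSVClient implements VulnerabilityDBClient {
    @Override
    public List<VEXStatement> getVEXStatements(SBOMPackage pkg, String apiKey) {
        // OSV needs no key; the parameter is ignored rather than rejected.
        return List.of();
    }
}

public class KeyScopeDemo {
    // Written once for all clients: no if/else on the client name or on the key.
    static List<VEXStatement> generate(VulnerabilityDBClient vc, List<SBOMPackage> pkgs,
                                       String apiKey) {
        List<VEXStatement> statements = new ArrayList<>();
        for (SBOMPackage p : pkgs) {
            statements.addAll(vc.getVEXStatements(p, apiKey));
        }
        return statements;
    }

    public static void main(String[] args) {
        // Constructed sample input.
        List<SBOMPackage> pkgs = List.of(new SBOMPackage("log4j-core", "2.14.1"));
        // The key is read at the call site and passed down; nothing retains it afterwards.
        String apiKey = System.getenv("NVD_API_KEY");   // may be null
        generate(new NVDClient(), pkgs, apiKey);
        generate(new OSVClient(), pkgs, apiKey);

        // Show that the header is present only when a key was supplied; the key value
        // itself is never printed.
        SBOMPackage p = pkgs.get(0);
        Optional<String> withKey = NVDClient.buildRequest(p, "example-key")
                .headers().firstValue("apiKey");
        Optional<String> withoutKey = NVDClient.buildRequest(p, null)
                .headers().firstValue("apiKey");
        System.out.println("header with key: " + withKey.isPresent()
                + ", without key: " + withoutKey.isPresent());
    }
}
```

Keeping `buildRequest` separate from the send lets a unit test assert on the presence or absence of the header without a network call, and a reviewer can confirm at a glance that the only place the key is written is that one header.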
- AddAll VEXStatements method
Utility in the builders so callers don't have to loop through statements and add them one at a time:
```java
// The isEmpty() check is redundant: a for loop over an empty list does nothing
if (!statements.isEmpty())
    for (VEXStatement vs : statements)
        vb.addVEXStatement(vs);
```
This should collapse into a single addAll-style call on the builder.
- ~80% Code Coverage