Vulnerability.kt

package com.depanalyzer.report

import com.depanalyzer.parser.Ecosystem
import com.fasterxml.jackson.annotation.JsonInclude
import com.fasterxml.jackson.annotation.JsonProperty
import java.time.Instant

/**
 * Which advisory feed(s) reported a [Vulnerability].
 *
 * - [OSS_INDEX]: the finding came from the OSS Index feed only.
 * - [NVD]: the finding came from the NVD (National Vulnerability Database) feed only.
 * - [BOTH]: the same finding was reported by both feeds.
 * - [UNKNOWN]: the origin was not recorded; consumers should not treat this as
 *   "not from a feed" — it only means the source could not be determined.
 *
 * Declaration order is kept as-is because ordinal-based comparisons elsewhere
 * may depend on it.
 */
enum class VulnerabilitySource {
    OSS_INDEX, NVD, BOTH, UNKNOWN
}

/**
 * Coordinates of the dependency an advisory applies to.
 *
 * Holds the identifiers exactly as the parser produced them; nothing here
 * validates or normalises them (blank strings are accepted). [ecosystem]
 * defaults to [Ecosystem.MAVEN], so callers describing a dependency from any
 * other ecosystem must pass it explicitly.
 */
data class AffectedDependency(
    /** Group / namespace part of the coordinates (Maven `groupId`). */
    val groupId: String,
    /** Artifact / package name part of the coordinates. */
    val artifactId: String,
    /** Version string as recorded for the matched dependency. */
    val version: String,
    /** Package ecosystem the coordinates belong to; defaults to Maven. */
    val ecosystem: Ecosystem = Ecosystem.MAVEN
)

/**
 * One advisory finding attached to a single dependency in the report.
 *
 * Every field is a plain value copied from whichever feed produced the
 * finding (see [source]); this class performs no validation or normalisation.
 * [severity] and [cvssScore] are stored independently — nothing here ties them
 * together, so keeping them consistent (e.g. via
 * [VulnerabilitySeverity.fromCvssScore]) is the caller's responsibility.
 *
 * Serialised with Jackson; properties that are null are omitted from the JSON
 * output because of [JsonInclude.Include.NON_NULL].
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
data class Vulnerability(
    /**
     * Advisory identifier. The JSON property name is pinned to `cveId`.
     * The format is not checked here — presumably `CVE-YYYY-NNNN`, but confirm
     * what non-CVE identifiers from OSS Index look like before relying on it.
     */
    @JsonProperty("cveId")
    val cveId: String,
    /** Qualitative severity bucket; see [VulnerabilitySeverity]. */
    val severity: VulnerabilitySeverity,
    /** Numeric CVSS base score when the feed supplied one, else null. */
    val cvssScore: Double?,
    /**
     * Free-text description from the feed. This is feed-supplied, untrusted
     * text — escape it before embedding in HTML or other markup.
     */
    val description: String?,
    /** The dependency coordinates the advisory was matched against. */
    val affectedDependency: AffectedDependency,
    /** Which feed(s) reported the finding. */
    val source: VulnerabilitySource,
    /** NOTE(review): looks like the time the record was fetched — confirm against the client code. */
    val retrievedAt: Instant?,
    /**
     * Link to the advisory, JSON name pinned to `referenceUrl`. Passed through
     * unvalidated — check the scheme before rendering it as a clickable link.
     */
    @JsonProperty("referenceUrl")
    val referenceUrl: String?
)

/**
 * Qualitative severity bucket for a [Vulnerability].
 *
 * Declaration order (most severe first) is kept as-is because ordinal-based
 * sorting elsewhere may depend on it.
 */
enum class VulnerabilitySeverity {
    CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN;

    companion object {
        /**
         * Maps a numeric CVSS base score onto a severity bucket.
         *
         * The thresholds (9.0, 7.0, 4.0, >0) match the CVSS v3.x qualitative
         * rating scale. A missing score, a score of zero or below, and NaN
         * (every comparison is false) all map to [UNKNOWN]; note that UNKNOWN
         * therefore means "not rated", never "safe". Scores above 10.0 are not
         * rejected and simply land in [CRITICAL].
         *
         * @param score CVSS base score, or null when the feed supplied none
         * @return the bucket the score falls into
         */
        fun fromCvssScore(score: Double?): VulnerabilitySeverity {
            val rated = score ?: return UNKNOWN
            return when {
                rated >= 9.0 -> CRITICAL
                rated >= 7.0 -> HIGH
                rated >= 4.0 -> MEDIUM
                rated > 0.0 -> LOW
                else -> UNKNOWN
            }
        }
    }
}