fix: ensure we can serialize/deserialize the ghsa model (#35)

* fix: ensure we can serialize/deserialize the ghsa model

* chore: bump version

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## 2.0.2 - 2023-02-22
+
+### Fixed
+
+- Ensure GHSA model can be serialized and deserialized ([#35](https://github.com/jeremylong/vuln-tools/pull/35)).
+
 ## 2.0.1 - 2023-02-21
 
 ### Fixed

buildSrc/src/main/groovy/vuln.tools.java-common-conventions.gradle

@@ -12,7 +12,7 @@ plugins {
 }
 
 group 'io.github.jeremylong'
-version = '2.0.1'
+version = '2.0.2'
 
 repositories {
     mavenCentral()

gh-advisory-lib/README.md

@@ -12,14 +12,14 @@ The client requires a GitHub Personal Access Token to access the API.
 <dependency>
    <groupId>io.github.jeremylong</groupId>
    <artifactId>gh-advisory-lib</artifactId>
-   <version>2.0.1</version>
+   <version>2.0.2</version>
 </dependency>
 ```
 
 ### gradle
 
 ```groovy
-implementation 'io.github.jeremylong:gh-advisory-lib:2.0.1'
+implementation 'io.github.jeremylong:gh-advisory-lib:2.0.2'
 ```
 
 ### building from source

gh-advisory-lib/src/main/java/io/github/jeremylong/ghsa/CWE.java

@@ -17,13 +17,15 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 
 import java.util.Objects;
 
 /**
  * Common weakness enumeration.
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
+@JsonPropertyOrder({"cweId", "name", "description"})
 public class CWE {
 
     @JsonProperty(value = "node", access = JsonProperty.Access.WRITE_ONLY)
@@ -35,27 +37,57 @@ public class CWE {
      * @return the id of the CWE
      */
     public String getCweId() {
+        if (node == null) {
+            return null;
+        }
         return node.cweId;
     }
 
+    void setCweId(String cweId) {
+        if (node == null) {
+            this.node = new CWERecord();
+        }
+        node.cweId = cweId;
+    }
+
     /**
      * Returns a detailed description of this CWE.
      *
      * @return a detailed description of this CWE.
      */
     public String getDescription() {
+        if (node == null) {
+            return null;
+        }
         return node.description;
     }
 
+    void setDescription(String description) {
+        if (node == null) {
+            node = new CWERecord();
+        }
+        node.description = description;
+    }
+
     /**
      * The name of this CWE.
      *
      * @return the name of this CWE.
      */
     public String getName() {
+        if (node == null) {
+            return null;
+        }
         return node.name;
     }
 
+    void setName(String name) {
+        if (node == null) {
+            node = new CWERecord();
+        }
+        node.name = name;
+    }
+
     @Override
     public String toString() {
         if (node == null) {

gh-advisory-lib/src/main/java/io/github/jeremylong/ghsa/CWEPage.java → gh-advisory-lib/src/main/java/io/github/jeremylong/ghsa/CWEs.java

@@ -22,21 +22,21 @@
 import java.util.List;
 import java.util.Objects;
 
-public class CWEPage extends AbstractPageable {
+public class CWEs extends AbstractPageable {
 
     @JsonProperty("edges")
     private List<CWE> cwes;
 
     @SuppressFBWarnings(value = {"EI_EXPOSE_REP",
             "EI_EXPOSE_REP2"}, justification = "I prefer to suppress these FindBugs warnings")
     @JsonIgnore
-    public List<CWE> getPage() {
+    public List<CWE> getEdges() {
         return cwes;
     }
 
     @Override
     public String toString() {
-        return "CWEPage{" + "cwes=" + cwes + ", totalCount=" + getTotalCount() + "}";
+        return "CWEs{" + "cwes=" + cwes + ", totalCount=" + getTotalCount() + "}";
     }
 
     @Override
@@ -45,7 +45,7 @@ public boolean equals(Object o) {
             return true;
         if (o == null || getClass() != o.getClass())
             return false;
-        CWEPage cwePage = (CWEPage) o;
+        CWEs cwePage = (CWEs) o;
         return Objects.equals(cwes, cwePage.cwes);
     }
 
@@ -54,7 +54,8 @@ public int hashCode() {
         return Objects.hash(cwes);
     }
 
-    public boolean addCwes(List<CWE> c) {
+    boolean addCwes(List<CWE> c) {
         return this.cwes.addAll(c);
     }
+
 }

gh-advisory-lib/src/main/java/io/github/jeremylong/ghsa/GitHubSecurityAdvisoryClient.java

@@ -271,7 +271,7 @@ public List<SecurityAdvisory> next() {
                 if (body == null) {
                     body = new String(response.getBodyBytes(), StandardCharsets.UTF_8);
                 }
-                SecurityAdvisoriesResult results = objectMapper.readValue(body, SecurityAdvisoriesResult.class);
+                SecurityAdvisories results = objectMapper.readValue(body, SecurityAdvisories.class);
                 List<SecurityAdvisory> list = results.getSecurityAdvisories();
                 totalCount += list.size();
                 if (results.getPageInfo().isHasNextPage() || totalCount < results.getTotalCount()) {
@@ -343,12 +343,12 @@ private void ensureSubPages(List<SecurityAdvisory> list) throws ExecutionExcepti
                 int max = sa.getCwes().getTotalCount();
                 String after = sa.getCwes().getPageInfo().getEndCursor();
                 while (count < max) {
-                    SecurityAdvisoryResult results = fetch(cwesTemplate, sa.getGhsaId(), after);
-                    CWEPage cwes = results.getSecurityAdvisory().getCwes();
-                    count += cwes.getPage().size();
+                    SecurityAdvisoryResponse results = fetch(cwesTemplate, sa.getGhsaId(), after);
+                    CWEs cwes = results.getSecurityAdvisory().getCwes();
+                    count += cwes.getEdges().size();
                     max = cwes.getTotalCount();
                     after = cwes.getPageInfo().getEndCursor();
-                    sa.getCwes().addCwes(cwes.getPage());
+                    sa.getCwes().addCwes(cwes.getEdges());
                 }
             }
             if (sa.getVulnerabilities().getPageInfo().isHasNextPage()
@@ -358,12 +358,12 @@ private void ensureSubPages(List<SecurityAdvisory> list) throws ExecutionExcepti
                 int max = sa.getVulnerabilities().getTotalCount();
                 String after = sa.getVulnerabilities().getPageInfo().getEndCursor();
                 while (count < max) {
-                    SecurityAdvisoryResult results = fetch(vulnerabilitiesTemplate, sa.getGhsaId(), after);
-                    VulnerabilityPage vulnerability = results.getSecurityAdvisory().getVulnerabilities();
-                    count += vulnerability.getPage().size();
+                    SecurityAdvisoryResponse results = fetch(vulnerabilitiesTemplate, sa.getGhsaId(), after);
+                    Vulnerabilities vulnerability = results.getSecurityAdvisory().getVulnerabilities();
+                    count += vulnerability.getEdges().size();
                     max = vulnerability.getTotalCount();
                     after = vulnerability.getPageInfo().getEndCursor();
-                    sa.getVulnerabilities().addVulnerabilties(vulnerability.getPage());
+                    sa.getVulnerabilities().addVulnerabilties(vulnerability.getEdges());
                 }
             }
         }
@@ -379,9 +379,9 @@ private void ensureSubPages(List<SecurityAdvisory> list) throws ExecutionExcepti
      * @throws ExecutionException thrown if there is a problem.
      * @throws InterruptedException thrown if interrupted.
      */
-    private SecurityAdvisoryResult fetch(Template template, String ghsaId, String after)
+    private SecurityAdvisoryResponse fetch(Template template, String ghsaId, String after)
             throws InterruptedException, ExecutionException {
-        SecurityAdvisoryResult results = null;
+        SecurityAdvisoryResponse results = null;
         try {
             Map<String, String> data = new HashMap<String, String>();
             data.put("ghsaId", ghsaId);
@@ -392,7 +392,7 @@ private SecurityAdvisoryResult fetch(Template template, String ghsaId, String af
             if (body == null) {
                 body = new String(response.getBodyBytes(), StandardCharsets.UTF_8);
             }
-            results = objectMapper.readValue(body, SecurityAdvisoryResult.class);
+            results = objectMapper.readValue(body, SecurityAdvisoryResponse.class);
         } catch (JsonProcessingException e) {
             LOG.debug("Deserialization Error", e);
             throw new GitHubSecurityAdvisoryException(e);

gh-advisory-lib/src/main/java/io/github/jeremylong/ghsa/Identifier.java

@@ -17,17 +17,19 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 
 import java.util.Objects;
 
 /**
  * A GitHub Security Advisory Identifier.
- * 
+ *
  * <pre>
  * type SecurityAdvisoryIdentifier
  * </pre>
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
+@JsonPropertyOrder({"type", "value"})
 public class Identifier {
 
     @JsonProperty("type")

gh-advisory-lib/src/main/java/io/github/jeremylong/ghsa/Package.java

@@ -17,6 +17,7 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 
 import java.util.Objects;
 
@@ -28,7 +29,8 @@
  * </pre>
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-class Package {
+@JsonPropertyOrder({"ecosystem", "name"})
+public class Package {
 
     @JsonProperty("ecosystem")
     private String ecosystem;

gh-advisory-lib/src/main/java/io/github/jeremylong/ghsa/SecurityAdvisoriesResult.java → gh-advisory-lib/src/main/java/io/github/jeremylong/ghsa/SecurityAdvisories.java

@@ -15,24 +15,29 @@
  */
 package io.github.jeremylong.ghsa;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 import java.util.List;
 import java.util.Objects;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class SecurityAdvisoriesResult {
+public class SecurityAdvisories {
 
-    @JsonProperty("data")
+    @JsonProperty(value = "data", access = JsonProperty.Access.WRITE_ONLY)
     private Data data;
 
     /**
      * Returns the current rate limit information.
      *
      * @return the rate limit.
      */
-    public RateLimit getRateLimit() {
+    @JsonIgnore
+    RateLimit getRateLimit() {
+        if (data == null) {
+            return null;
+        }
         return data.rateLimit;
     }
 
@@ -42,15 +47,30 @@ public RateLimit getRateLimit() {
      * @return the security advisories.
      */
     public List<SecurityAdvisory> getSecurityAdvisories() {
+        if (data == null || data.securityAdvisories == null) {
+            return null;
+        }
         return data.securityAdvisories.nodes;
     }
 
+    void setSecurityAdvisories(List<SecurityAdvisory> advisories) {
+        if (data == null) {
+            data = new Data();
+            data.securityAdvisories = new Advisories();
+        }
+        data.securityAdvisories.nodes = advisories;
+    }
+
     /**
      * Returns the current page info.
      *
      * @return the page info.
      */
-    public PageInfo getPageInfo() {
+    @JsonIgnore
+    PageInfo getPageInfo() {
+        if (data == null || data.securityAdvisories == null) {
+            return null;
+        }
         return data.securityAdvisories.getPageInfo();
     }
 
@@ -59,7 +79,11 @@ public PageInfo getPageInfo() {
      *
      * @return the total count.
      */
+    @JsonIgnore
     public int getTotalCount() {
+        if (data == null || data.securityAdvisories == null) {
+            return 0;
+        }
         return data.securityAdvisories.getTotalCount();
     }
 
@@ -77,7 +101,7 @@ public boolean equals(Object o) {
             return true;
         if (o == null || getClass() != o.getClass())
             return false;
-        SecurityAdvisoriesResult that = (SecurityAdvisoriesResult) o;
+        SecurityAdvisories that = (SecurityAdvisories) o;
         return Objects.equals(data, that.data);
     }
 
@@ -94,7 +118,7 @@ static class Data {
         @JsonProperty("rateLimit")
         private RateLimit rateLimit;
         @JsonProperty("securityAdvisories")
-        private SecurityAdvisories securityAdvisories;
+        private Advisories securityAdvisories;
 
         @Override
         public String toString() {
@@ -122,7 +146,7 @@ public int hashCode() {
      * internal security advisories.
      */
     @JsonIgnoreProperties(ignoreUnknown = true)
-    static class SecurityAdvisories extends AbstractPageable {
+    static class Advisories extends AbstractPageable {
 
         @JsonProperty("nodes")
         private List<SecurityAdvisory> nodes;
@@ -138,7 +162,7 @@ public boolean equals(Object o) {
                 return true;
             if (o == null || getClass() != o.getClass())
                 return false;
-            SecurityAdvisories that = (SecurityAdvisories) o;
+            Advisories that = (Advisories) o;
             return Objects.equals(nodes, that.nodes);
         }