refactor(model)!: Split vulnerability classes to a separate package

sschuberth · sschuberth · commit cd40dd1f6c51 · 2023-10-31T21:51:50.000+01:00
For a better overview, split out CVSS classes to separate files in a new
"vulnerabilities" sub-package of the ORT model. A plural name for the
package was chosen to align with the "licenses" sub-package.

Signed-off-by: Sebastian Schuberth &lt;sschuberth@gmail.com&gt;
diff --git a/advisor/src/main/kotlin/advisors/NexusIq.kt b/advisor/src/main/kotlin/advisors/NexusIq.kt
@@ -39,12 +39,12 @@ import org.ossreviewtoolkit.model.AdvisorResult
 import org.ossreviewtoolkit.model.AdvisorSummary
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.Package
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.PluginConfiguration
 import org.ossreviewtoolkit.model.utils.PurlType
 import org.ossreviewtoolkit.model.utils.getPurlType
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf
diff --git a/advisor/src/main/kotlin/advisors/OssIndex.kt b/advisor/src/main/kotlin/advisors/OssIndex.kt
@@ -35,10 +35,10 @@ import org.ossreviewtoolkit.model.AdvisorResult
 import org.ossreviewtoolkit.model.AdvisorSummary
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.Package
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.PluginConfiguration
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf
diff --git a/advisor/src/main/kotlin/advisors/Osv.kt b/advisor/src/main/kotlin/advisors/Osv.kt
@@ -39,8 +39,8 @@ import org.ossreviewtoolkit.model.AdvisorResult
 import org.ossreviewtoolkit.model.AdvisorSummary
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Package
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.PluginConfiguration
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf
@@ -176,7 +176,7 @@ private fun createRequest(pkg: Package): VulnerabilitiesForPackageRequest? {
     return null
 }
 
-private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulnerability {
+private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.vulnerabilities.Vulnerability {
     // OSV uses a list in order to support multiple representations of the severity using different scoring systems.
     // However, only one representation is actually possible currently, because the enum 'Severity.Type' contains just a
     // single element / scoring system. So, picking first severity is fine, in particular because ORT only supports a
@@ -218,7 +218,7 @@ private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.Vulne
         }.getOrNull()
     }
 
-    return org.ossreviewtoolkit.model.Vulnerability(
+    return org.ossreviewtoolkit.model.vulnerabilities.Vulnerability(
         id = id,
         summary = summary,
         description = details,
diff --git a/advisor/src/main/kotlin/advisors/VulnerableCode.kt b/advisor/src/main/kotlin/advisors/VulnerableCode.kt
@@ -33,11 +33,11 @@ import org.ossreviewtoolkit.model.AdvisorSummary
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.PluginConfiguration
 import org.ossreviewtoolkit.model.createAndLogIssue
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf
diff --git a/advisor/src/test/kotlin/advisors/OssIndexTest.kt b/advisor/src/test/kotlin/advisors/OssIndexTest.kt
@@ -43,9 +43,9 @@ import org.ossreviewtoolkit.model.AdvisorDetails
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.enumSetOf
 import org.ossreviewtoolkit.utils.test.shouldNotBeNull
 
diff --git a/advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt b/advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt
@@ -46,10 +46,10 @@ import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.readValue
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.enumSetOf
 import org.ossreviewtoolkit.utils.test.shouldNotBeNull
 
diff --git a/evaluator/src/main/kotlin/PackageRule.kt b/evaluator/src/main/kotlin/PackageRule.kt
@@ -25,12 +25,12 @@ import org.ossreviewtoolkit.model.LicenseSource
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Project
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.Excludes
 import org.ossreviewtoolkit.model.licenses.LicenseView
 import org.ossreviewtoolkit.model.licenses.ResolvedLicense
 import org.ossreviewtoolkit.model.licenses.ResolvedLicenseInfo
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
 import org.ossreviewtoolkit.utils.spdx.SpdxLicenseReferenceExpression
 
diff --git a/evaluator/src/test/kotlin/TestData.kt b/evaluator/src/test/kotlin/TestData.kt
@@ -44,8 +44,6 @@ import org.ossreviewtoolkit.model.Scope
 import org.ossreviewtoolkit.model.TextLocation
 import org.ossreviewtoolkit.model.UnknownProvenance
 import org.ossreviewtoolkit.model.VcsInfo
-import org.ossreviewtoolkit.model.Vulnerability
-import org.ossreviewtoolkit.model.VulnerabilityReference
 import org.ossreviewtoolkit.model.config.AdvisorConfiguration
 import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.config.Excludes
@@ -54,6 +52,8 @@ import org.ossreviewtoolkit.model.config.PackageLicenseChoice
 import org.ossreviewtoolkit.model.config.PathExclude
 import org.ossreviewtoolkit.model.config.PathExcludeReason
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
 import org.ossreviewtoolkit.utils.common.enumSetOf
 import org.ossreviewtoolkit.utils.ort.DeclaredLicenseProcessor
 import org.ossreviewtoolkit.utils.ort.Environment
diff --git a/model/src/main/kotlin/AdvisorRecord.kt b/model/src/main/kotlin/AdvisorRecord.kt
@@ -22,6 +22,8 @@ package org.ossreviewtoolkit.model
 import com.fasterxml.jackson.annotation.JsonIgnore
 import com.fasterxml.jackson.annotation.JsonPropertyOrder
 
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+
 /**
  * Type alias for a function that allows filtering of [AdvisorResult]s.
  */
diff --git a/model/src/main/kotlin/AdvisorResult.kt b/model/src/main/kotlin/AdvisorResult.kt
@@ -19,6 +19,8 @@
 
 package org.ossreviewtoolkit.model
 
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
+
 /**
  * The result of a specific advisor execution for a single package.
  *
diff --git a/model/src/main/kotlin/OrtResult.kt b/model/src/main/kotlin/OrtResult.kt
@@ -32,6 +32,7 @@ import org.ossreviewtoolkit.model.config.LicenseFindingCuration
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
 import org.ossreviewtoolkit.model.config.Resolutions
 import org.ossreviewtoolkit.model.config.orEmpty
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 import org.ossreviewtoolkit.utils.common.zipWithCollections
 import org.ossreviewtoolkit.utils.spdx.model.SpdxLicenseChoice
 
diff --git a/model/src/main/kotlin/config/VulnerabilityResolution.kt b/model/src/main/kotlin/config/VulnerabilityResolution.kt
@@ -19,7 +19,7 @@
 
 package org.ossreviewtoolkit.model.config
 
-import org.ossreviewtoolkit.model.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 /**
  * Defines the resolution of an [Vulnerability]. This can be used to silence false positives, or vulnerabilities that
diff --git a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
@@ -19,7 +19,7 @@
 
 package org.ossreviewtoolkit.model.config
 
-import org.ossreviewtoolkit.model.Vulnerability
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 /**
  * Possible reasons for resolving an [Vulnerability] using a [VulnerabilityResolution].
diff --git a/model/src/main/kotlin/utils/ConfigurationResolver.kt b/model/src/main/kotlin/utils/ConfigurationResolver.kt
@@ -30,9 +30,9 @@ import org.ossreviewtoolkit.model.PackageCuration
 import org.ossreviewtoolkit.model.ResolvedPackageCurations
 import org.ossreviewtoolkit.model.RuleViolation
 import org.ossreviewtoolkit.model.ScanResult
-import org.ossreviewtoolkit.model.Vulnerability
 import org.ossreviewtoolkit.model.config.PackageConfiguration
 import org.ossreviewtoolkit.model.config.Resolutions
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 object ConfigurationResolver {
     /**
diff --git a/model/src/main/kotlin/utils/DefaultResolutionProvider.kt b/model/src/main/kotlin/utils/DefaultResolutionProvider.kt
@@ -24,9 +24,9 @@ import java.io.File
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.model.RuleViolation
-import org.ossreviewtoolkit.model.Vulnerability
 import org.ossreviewtoolkit.model.config.Resolutions
 import org.ossreviewtoolkit.model.readValue
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 /**
  * A [ResolutionProvider] that provides the given [resolutions].
diff --git a/model/src/main/kotlin/utils/ResolutionProvider.kt b/model/src/main/kotlin/utils/ResolutionProvider.kt
@@ -21,10 +21,10 @@ package org.ossreviewtoolkit.model.utils
 
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.RuleViolation
-import org.ossreviewtoolkit.model.Vulnerability
 import org.ossreviewtoolkit.model.config.IssueResolution
 import org.ossreviewtoolkit.model.config.RuleViolationResolution
 import org.ossreviewtoolkit.model.config.VulnerabilityResolution
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 
 /**
  * An interface to provide resolutions for [Issue]s, [RuleViolation]s and [Vulnerability]s .
diff --git a/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt b/model/src/main/kotlin/vulnerabilities/Cvss2Rating.kt
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2021 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.model.vulnerabilities
+
+/**
+ * The rating attaches human-readable semantics to the score number according to CVSS version 2, see
+ * https://www.balbix.com/insights/cvss-v2-vs-cvss-v3/#CVSSv3-Scoring-Scale-vs-CVSSv2-6.
+ */
+enum class Cvss2Rating(private val upperBound: Float) {
+    LOW(4.0f),
+    MEDIUM(7.0f),
+    HIGH(10.0f);
+
+    companion object {
+        /**
+         * A set of names that refer to the CVSS version 2 scoring system.
+         */
+        val NAMES = setOf("CVSS2", "CVSSV2", "CVSS:2.0")
+
+        /**
+         * Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].
+         */
+        fun fromScore(score: Float): Cvss2Rating? =
+            when {
+                score < 0.0f || score > HIGH.upperBound -> null
+                score < LOW.upperBound -> LOW
+                score < MEDIUM.upperBound -> MEDIUM
+                score <= HIGH.upperBound -> HIGH
+                else -> null
+            }
+    }
+}
diff --git a/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt b/model/src/main/kotlin/vulnerabilities/Cvss3Rating.kt
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2021 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.model.vulnerabilities
+
+/**
+ * The rating attaches human-readable semantics to the score number according to CVSS version 3, see
+ * https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale.
+ */
+enum class Cvss3Rating(private val upperBound: Float) {
+    NONE(0.0f),
+    LOW(4.0f),
+    MEDIUM(7.0f),
+    HIGH(9.0f),
+    CRITICAL(10.0f);
+
+    companion object {
+        /**
+         * A set of names that refer to the CVSS version 3 scoring system.
+         */
+        val NAMES = setOf("CVSS3", "CVSSV3", "CVSS:3.0", "CVSS:3.1")
+
+        /**
+         * Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].
+         */
+        fun fromScore(score: Float): Cvss3Rating? =
+            when {
+                score < 0.0f || score > CRITICAL.upperBound -> null
+                score == NONE.upperBound -> NONE
+                score < LOW.upperBound -> LOW
+                score < MEDIUM.upperBound -> MEDIUM
+                score < HIGH.upperBound -> HIGH
+                score <= CRITICAL.upperBound -> CRITICAL
+                else -> null
+            }
+    }
+}
diff --git a/model/src/main/kotlin/vulnerabilities/Vulnerability.kt b/model/src/main/kotlin/vulnerabilities/Vulnerability.kt
@@ -17,7 +17,7 @@
  * License-Filename: LICENSE
  */
 
-package org.ossreviewtoolkit.model
+package org.ossreviewtoolkit.model.vulnerabilities
 
 import com.fasterxml.jackson.annotation.JsonInclude
 import com.fasterxml.jackson.annotation.JsonInclude.Include
diff --git a/model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt b/model/src/main/kotlin/vulnerabilities/VulnerabilityReference.kt
@@ -17,7 +17,7 @@
  * License-Filename: LICENSE
  */
 
-package org.ossreviewtoolkit.model
+package org.ossreviewtoolkit.model.vulnerabilities
 
 import java.net.URI
 
@@ -63,66 +63,4 @@ data class VulnerabilityReference(
                 else -> severity?.uppercase()?.takeIf { it in CVSS3_SEVERITIES }
             } ?: "UNKNOWN"
     }
-
-    /**
-     * The rating attaches human-readable semantics to the score number according to CVSS version 2, see
-     * https://www.balbix.com/insights/cvss-v2-vs-cvss-v3/#CVSSv3-Scoring-Scale-vs-CVSSv2-6.
-     */
-    enum class Cvss2Rating(private val upperBound: Float) {
-        LOW(4.0f),
-        MEDIUM(7.0f),
-        HIGH(10.0f);
-
-        companion object {
-            /**
-             * A set of names that refer to the CVSS version 2 scoring system.
-             */
-            val NAMES = setOf("CVSS2", "CVSSV2", "CVSS:2.0")
-
-            /**
-             * Get the [Cvss2Rating] from a [score], or null if the [score] does not map to any [Cvss2Rating].
-             */
-            fun fromScore(score: Float): Cvss2Rating? =
-                when {
-                    score < 0.0f || score > HIGH.upperBound -> null
-                    score < LOW.upperBound -> LOW
-                    score < MEDIUM.upperBound -> MEDIUM
-                    score <= HIGH.upperBound -> HIGH
-                    else -> null
-                }
-        }
-    }
-
-    /**
-     * The rating attaches human-readable semantics to the score number according to CVSS version 3, see
-     * https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale.
-     */
-    enum class Cvss3Rating(private val upperBound: Float) {
-        NONE(0.0f),
-        LOW(4.0f),
-        MEDIUM(7.0f),
-        HIGH(9.0f),
-        CRITICAL(10.0f);
-
-        companion object {
-            /**
-             * A set of names that refer to the CVSS version 3 scoring system.
-             */
-            val NAMES = setOf("CVSS3", "CVSSV3", "CVSS:3.0", "CVSS:3.1")
-
-            /**
-             * Get the [Cvss3Rating] from a [score], or null if the [score] does not map to any [Cvss3Rating].
-             */
-            fun fromScore(score: Float): Cvss3Rating? =
-                when {
-                    score < 0.0f || score > CRITICAL.upperBound -> null
-                    score == NONE.upperBound -> NONE
-                    score < LOW.upperBound -> LOW
-                    score < MEDIUM.upperBound -> MEDIUM
-                    score < HIGH.upperBound -> HIGH
-                    score <= CRITICAL.upperBound -> CRITICAL
-                    else -> null
-                }
-        }
-    }
 }
diff --git a/model/src/test/kotlin/AdvisorRecordTest.kt b/model/src/test/kotlin/AdvisorRecordTest.kt
diff --git a/model/src/test/kotlin/config/VulnerabilityResolutionTest.kt b/model/src/test/kotlin/config/VulnerabilityResolutionTest.kt
diff --git a/model/src/test/kotlin/vulnerabilities/Cvss2RatingTest.kt b/model/src/test/kotlin/vulnerabilities/Cvss2RatingTest.kt
diff --git a/model/src/test/kotlin/vulnerabilities/Cvss3RatingTest.kt b/model/src/test/kotlin/vulnerabilities/Cvss3RatingTest.kt
diff --git a/model/src/test/kotlin/vulnerabilities/VulnerabilityReferenceTest.kt b/model/src/test/kotlin/vulnerabilities/VulnerabilityReferenceTest.kt
diff --git a/plugins/reporters/evaluated-model/src/main/kotlin/EvaluatedModelMapper.kt b/plugins/reporters/evaluated-model/src/main/kotlin/EvaluatedModelMapper.kt
diff --git a/plugins/reporters/freemarker/src/main/kotlin/FreemarkerTemplateProcessor.kt b/plugins/reporters/freemarker/src/main/kotlin/FreemarkerTemplateProcessor.kt
diff --git a/plugins/reporters/freemarker/src/test/kotlin/FreeMarkerTemplateProcessorTest.kt b/plugins/reporters/freemarker/src/test/kotlin/FreeMarkerTemplateProcessorTest.kt
diff --git a/reporter/src/main/kotlin/Statistics.kt b/reporter/src/main/kotlin/Statistics.kt
diff --git a/reporter/src/testFixtures/kotlin/TestData.kt b/reporter/src/testFixtures/kotlin/TestData.kt

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,8 @@`
`19`	`19`
`20`	`20`	`package org.ossreviewtoolkit.model`
`21`	`21`
	`22`	`+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability`
	`23`	`+`
`22`	`24`	`/**`
`23`	`25`	`* The result of a specific advisor execution for a single package.`
`24`	`26`	`*`