feat: add CVE checking in java upgrade promotion (#948)

* add CVE checking

* fix comments

* update changelog and fix comments

* Remove patched version from CVE issue  && fix commets

* Remove patchedVersion checking

* Fix copilot comments

* Add pagination for CVE fetch from github

* Fix comments

---------

Co-authored-by: Changyong Gong <chagon@microsoft.com>

Author: yezhu6

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to the "vscode-java-dependency" extension will be documented
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## 0.27.0
+
+- feat  - Add CVE checking to notify users to fix the critical/high-severity CVE issues in https://github.com/microsoft/vscode-java-dependency/pull/948
+
 ## 0.26.5
 
 - Enhancement - Register Context Provider after Java LS ready in https://github.com/microsoft/vscode-java-dependency/pull/939

package.json

@@ -1111,6 +1111,7 @@
   },
   "dependencies": {
     "@github/copilot-language-server": "^1.388.0",
+    "@octokit/rest": "^21.1.1",
     "await-lock": "^2.2.2",
     "fmtr": "^1.1.4",
     "fs-extra": "^10.1.0",

src/upgrade/assessmentManager.ts

@@ -10,6 +10,7 @@ import { Upgrade } from '../constants';
 import { buildPackageId } from './utility';
 import metadataManager from './metadataManager';
 import { sendInfo } from 'vscode-extension-telemetry-wrapper';
+import { batchGetCVEIssues } from './cve';
 
 function packageNodeToDescription(node: INodeData): PackageDescription | null {
     const version = node.metaData?.["maven.version"];
@@ -121,51 +122,29 @@ function getDependencyIssue(pkg: PackageDescription): UpgradeIssue | null {
     return getUpgradeForDependency(version, supportedVersionDefinition, packageId);
 }
 
-async function getDependencyIssues(projectNode: INodeData): Promise<UpgradeIssue[]> {
-    const projectStructureData = await Jdtls.getPackageData({ kind: NodeKind.Project, projectUri: projectNode.uri });
-    const packageContainerIssues = await Promise.allSettled(
-        projectStructureData
-            .filter(x => x.kind === NodeKind.Container)
-            .map(async (packageContainer) => {
-                const packageNodes = await Jdtls.getPackageData({
-                    kind: NodeKind.Container,
-                    projectUri: projectNode.uri,
-                    path: packageContainer.path,
-                });
-                const packages = packageNodes.map(packageNodeToDescription).filter((x): x is PackageDescription => Boolean(x));
-
-                const issues = packages.map(getDependencyIssue).filter((x): x is UpgradeIssue => Boolean(x));
-                const versionRangeByGroupId = collectVersionRange(packages.filter(getPackageUpgradeMetadata));
-                if (Object.keys(versionRangeByGroupId).length > 0) {
-                    sendInfo("", {
-                        operationName: "java.dependency.assessmentManager.getDependencyVersionRange",
-                        versionRangeByGroupId: JSON.stringify(versionRangeByGroupId),
-                    });
-                }
-
-                return issues;
-            })
-    );
+async function getDependencyIssues(dependencies: PackageDescription[]): Promise<UpgradeIssue[]> {
 
-    return packageContainerIssues
-        .map(x => {
-            if (x.status === "fulfilled") {
-                return x.value;
-            }
+    const issues = dependencies.map(getDependencyIssue).filter((x): x is UpgradeIssue => Boolean(x));
+    const versionRangeByGroupId = collectVersionRange(dependencies.filter(pkg => getPackageUpgradeMetadata(pkg)));
+    if (Object.keys(versionRangeByGroupId).length > 0) {
+        sendInfo("", {
+            operationName: "java.dependency.assessmentManager.getDependencyVersionRange",
+            versionRangeByGroupId: JSON.stringify(versionRangeByGroupId),
+        });
+    }
 
-            sendInfo("", {
-                operationName: "java.dependency.assessmentManager.getDependencyIssues.packageDataFailure",
-            });
-            return [];
-        })
-        .reduce((a, b) => [...a, ...b]);
+    return issues;
 }
 
 async function getProjectIssues(projectNode: INodeData): Promise<UpgradeIssue[]> {
     const issues: UpgradeIssue[] = [];
+    const dependencies = await getAllDependencies(projectNode);
+    issues.push(...await getCVEIssues(dependencies));
     issues.push(...getJavaIssues(projectNode));
-    issues.push(...(await getDependencyIssues(projectNode)));
+    issues.push(...await getDependencyIssues(dependencies));
+
     return issues;
+
 }
 
 async function getWorkspaceIssues(workspaceFolderUri: string): Promise<UpgradeIssue[]> {
@@ -184,11 +163,42 @@ async function getWorkspaceIssues(workspaceFolderUri: string): Promise<UpgradeIs
             operationName: "java.dependency.assessmentManager.getWorkspaceIssues",
         });
         return [];
-    }).reduce((a, b) => [...a, ...b]);
+    }).flat();
 
     return workspaceIssues;
 }
 
+async function getAllDependencies(projectNode: INodeData): Promise<PackageDescription[]> {
+    const projectStructureData = await Jdtls.getPackageData({ kind: NodeKind.Project, projectUri: projectNode.uri });
+    const packageContainers = projectStructureData.filter(x => x.kind === NodeKind.Container);
+
+    const allPackages = await Promise.allSettled(
+        packageContainers.map(async (packageContainer) => {
+            const packageNodes = await Jdtls.getPackageData({
+                kind: NodeKind.Container,
+                projectUri: projectNode.uri,
+                path: packageContainer.path,
+            });
+            return packageNodes.map(packageNodeToDescription).filter((x): x is PackageDescription => Boolean(x));
+        })
+    );
+
+    const fulfilled = allPackages.filter((x): x is PromiseFulfilledResult<PackageDescription[]> => x.status === "fulfilled");
+    const failedPackageCount = allPackages.length - fulfilled.length;
+    if (failedPackageCount > 0) {
+        sendInfo("", {
+            operationName: "java.dependency.assessmentManager.getAllDependencies.rejected",
+            failedPackageCount: String(failedPackageCount),
+        });
+    }
+    return fulfilled.map(x => x.value).flat();
+}
+
+async function getCVEIssues(dependencies: PackageDescription[]): Promise<UpgradeIssue[]> {
+    const gavCoordinates = dependencies.map(pkg => `${pkg.groupId}:${pkg.artifactId}:${pkg.version}`);
+    return batchGetCVEIssues(gavCoordinates);
+}
+
 export default {
     getWorkspaceIssues,
 };

src/upgrade/cve.ts

@@ -0,0 +1,192 @@
+import { UpgradeIssue, UpgradeReason } from "./type";
+import { Octokit } from "@octokit/rest";
+import * as semver from "semver";
+
+/**
+ * Severity levels ordered by criticality (higher number = more critical)
+ * The official doc about the severity levels can be found at:
+ * https://docs.github.com/en/rest/security-advisories/global-advisories?apiVersion=2022-11-28
+ */
+export enum Severity {
+  unknown = 0,
+  low = 1,
+  medium = 2,
+  high = 3,
+  critical = 4,
+}
+
+export interface CVE {
+  id: string;
+  ghsa_id: string;
+  severity: keyof typeof Severity;
+  summary: string;
+  description: string;
+  html_url: string;
+  affectedDeps: {
+    name?: string | null;
+    vulVersions?: string | null;
+    patchedVersion?: string | null;
+  }[];
+}
+
+export type CveUpgradeIssue = UpgradeIssue & {
+  reason: UpgradeReason.CVE;
+  severity: string;
+  link: string;
+};
+
+export async function batchGetCVEIssues(
+  coordinates: string[]
+): Promise<CveUpgradeIssue[]> {
+  // Split dependencies into smaller batches to avoid URL length limit
+  const BATCH_SIZE = 30;
+  const allCVEUpgradeIssues: CveUpgradeIssue[] = [];
+
+  // Process dependencies in batches
+  for (let i = 0; i < coordinates.length; i += BATCH_SIZE) {
+    const batchCoordinates = coordinates.slice(i, i + BATCH_SIZE);
+    const cveUpgradeIssues = await getCveUpgradeIssues(batchCoordinates);
+    allCVEUpgradeIssues.push(...cveUpgradeIssues);
+  }
+
+  return allCVEUpgradeIssues;
+}
+
+async function getCveUpgradeIssues(
+  coordinates: string[]
+): Promise<CveUpgradeIssue[]> {
+  if (coordinates.length === 0) {
+    return [];
+  }
+  const deps = coordinates
+    .map((d) => d.split(":", 3))
+    .map((p) => ({ name: `${p[0]}:${p[1]}`, version: p[2] }))
+    .filter((d) => d.version);
+
+  const depsCves = await fetchCves(deps);
+  return mapCvesToUpgradeIssues(depsCves);
+}
+
+async function fetchCves(deps: { name: string; version: string }[]) {
+  if (deps.length === 0) {
+    return [];
+  }
+  try {
+    const allCves: CVE[] = await retrieveVulnerabilityData(deps);
+
+    if (allCves.length === 0) {
+      return [];
+    }
+    // group the cves by coordinate
+    const depsCves: { dep: string; version: string; cves: CVE[] }[] = [];
+
+    for (const dep of deps) {
+      const depCves: CVE[] = allCves.filter((cve) =>
+        isCveAffectingDep(cve, dep.name, dep.version)
+      );
+
+      if (depCves.length < 1) {
+        continue;
+      }
+
+      depsCves.push({
+        dep: dep.name,
+        version: dep.version,
+        cves: depCves,
+      });
+    }
+
+    return depsCves;
+  } catch (error) {
+    return [];
+  }
+}
+
+async function retrieveVulnerabilityData(
+  deps: { name: string; version: string }[]
+) {
+  if (deps.length === 0) {
+    return [];
+  }
+  const octokit = new Octokit();
+
+  // Use paginate to fetch all pages of results
+  const allAdvisories = await octokit.paginate(
+    octokit.securityAdvisories.listGlobalAdvisories,
+    {
+      ecosystem: "maven",
+      affects: deps.map((p) => `${p.name}@${p.version}`),
+      direction: "asc",
+      sort: "published",
+      per_page: 100,
+    }
+  );
+
+  const allCves: CVE[] = allAdvisories
+    .filter(
+      (c) =>
+        !c.withdrawn_at?.trim() &&
+        (c.severity === "critical" || c.severity === "high")
+    ) // only consider critical and high severity CVEs
+    .map((cve) => ({
+      id: cve.cve_id || cve.ghsa_id,
+      ghsa_id: cve.ghsa_id,
+      severity: cve.severity,
+      summary: cve.summary,
+      description: cve.description || cve.summary,
+      html_url: cve.html_url,
+      affectedDeps: (cve.vulnerabilities ?? []).map((v) => ({
+        name: v.package?.name,
+        vulVersions: v.vulnerable_version_range,
+        patchedVersion: v.first_patched_version,
+      })),
+    }));
+  return allCves;
+}
+
+function mapCvesToUpgradeIssues(
+  depsCves: { dep: string; version: string; cves: CVE[] }[]
+) {
+  if (depsCves.length === 0) {
+    return [];
+  }
+  const upgradeIssues = depsCves.map((depCve) => {
+    const mostCriticalCve = [...depCve.cves]
+      .sort((a, b) => Severity[b.severity] - Severity[a.severity])[0];
+    return {
+      packageId: depCve.dep,
+      packageDisplayName: depCve.dep,
+      currentVersion: depCve.version || "unknown",
+      name: `${mostCriticalCve.id || "CVE"}`,
+      reason: UpgradeReason.CVE as const,
+      suggestedVersion: {
+        name: "",
+        description: "",
+      },
+      severity: mostCriticalCve.severity,
+      description:
+        mostCriticalCve.description ||
+        mostCriticalCve.summary ||
+        "Security vulnerability detected",
+      link: mostCriticalCve.html_url,
+    };
+  });
+  return upgradeIssues;
+}
+
+function isCveAffectingDep(
+  cve: CVE,
+  depName: string,
+  depVersion: string
+): boolean {
+  if (!cve.affectedDeps || cve.affectedDeps.length === 0) {
+    return false;
+  }
+  return cve.affectedDeps.some((d) => {
+    if (d.name !== depName || !d.vulVersions) {
+      return false;
+    }
+
+    return semver.satisfies(depVersion || "0.0.0", d.vulVersions);
+  });
+}