package com.vaadin.appsec.backend;

import com.vaadin.appsec.backend.model.AppSecData;
import com.vaadin.appsec.backend.model.analysis.AffectedVersion;
import com.vaadin.appsec.backend.model.analysis.Assessment;
import com.vaadin.appsec.backend.model.analysis.VulnerabilityDetails;
import com.vaadin.appsec.backend.model.dto.Dependency;
import com.vaadin.appsec.backend.model.dto.SeverityLevel;
import com.vaadin.appsec.backend.model.dto.SeverityLevelComparator;
import com.vaadin.appsec.backend.model.dto.Vulnerability;
import com.vaadin.appsec.backend.model.osv.response.Affected;
import com.vaadin.appsec.backend.model.osv.response.Ecosystem;
import com.vaadin.appsec.backend.model.osv.response.Event;
import com.vaadin.appsec.backend.model.osv.response.OpenSourceVulnerability;
import com.vaadin.appsec.backend.model.osv.response.Range;
import com.vaadin.appsec.backend.model.osv.response.Severity;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.apache.maven.artifact.versioning.ArtifactVersion;
import org.apache.maven.artifact.versioning.DefaultArtifactVersion;
import org.commonmark.parser.Parser;
import org.commonmark.renderer.html.HtmlRenderer;
import org.cyclonedx.model.Component;
import org.cyclonedx.model.Property;
import us.springett.cvss.Cvss;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/vaadin/appsec/backend/AppSecDTOProvider.class */
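/**
 * Builds the {@link Dependency} and {@link Vulnerability} DTOs from the CycloneDX BOMs held by
 * the {@link BillOfMaterialsStore} and the OSV records held by the {@link VulnerabilityStore}.
 *
 * <p>A dependency is matched against an OSV {@code affected} entry by ecosystem, group, name and
 * version (explicit {@code versions} list or {@code ranges} events); every match produces one
 * vulnerability DTO and counts once in the dependency's statistics.
 *
 * <p>The OSV data is an external feed: its markdown {@code details} are rendered with raw HTML
 * escaped, and null/absent optional fields are treated as "no data" instead of failing.
 */
public class AppSecDTOProvider {
    // Keys of the OSV range "events" objects.
    private static final String INTRODUCED = "introduced";
    private static final String FIXED = "fixed";
    private static final String LAST_AFFECTED = "last_affected";
    private static final String LIMIT = "limit";
    // CycloneDX component property that marks an npm development dependency.
    private static final String NPM_DEV_DEPENDENCY_PROPERTY = "cdx:npm:package:development";
    private static final String CVE_PREFIX = "CVE";

    // commonmark's Parser and HtmlRenderer are reusable across calls, so one instance serves
    // every DTO. escapeHtml(true): the details text comes from the external OSV feed, so raw
    // HTML embedded in the markdown is escaped instead of being emitted verbatim into the
    // rendered HTML. NOTE(review): link and image URLs in the markdown are passed through
    // unchanged; filter them on the rendering side if the UI follows them.
    private static final Parser MARKDOWN_PARSER = Parser.builder().build();
    private static final HtmlRenderer HTML_RENDERER = HtmlRenderer.builder().escapeHtml(true).build();

    private final VulnerabilityStore vulnerabilityStore;
    private final BillOfMaterialsStore bomStore;

    /** Highest CVSS base score found in one OSV record together with the vector it came from. */
    private record CvssSummary(double score, String vector) {
    }

    /**
     * Creates a provider reading from the given stores.
     *
     * @param vulnerabilityStore source of OSV vulnerability records, must not be null
     * @param billOfMaterialsStore source of the Maven and (optional) npm BOMs, must not be null
     * @throws NullPointerException if either store is null
     */
    public AppSecDTOProvider(VulnerabilityStore vulnerabilityStore, BillOfMaterialsStore billOfMaterialsStore) {
        this.vulnerabilityStore = Objects.requireNonNull(vulnerabilityStore, "vulnerabilityStore");
        this.bomStore = Objects.requireNonNull(billOfMaterialsStore, "billOfMaterialsStore");
    }

    /**
     * Builds one DTO per BOM component, with its parent BOM ref, npm dev-dependency flag and
     * vulnerability statistics filled in.
     *
     * <p>The Maven BOM is required; the npm BOM is optional and merged in when present.
     *
     * @return an unmodifiable list of dependency DTOs
     * @throws NullPointerException if the Maven BOM is not available in the store
     */
    public List<Dependency> getDependencies() {
        List<OpenSourceVulnerability> vulnerabilities = vulnerabilityStore.getVulnerabilities();
        var mavenBom = Objects.requireNonNull(bomStore.getBom(Ecosystem.MAVEN), "Maven BOM is not available");
        var npmBom = bomStore.getBom(Ecosystem.NPM);

        List<org.cyclonedx.model.Dependency> bomDependencies = new ArrayList<>();
        List<Component> components = new ArrayList<>();
        addAllIfPresent(bomDependencies, mavenBom.getDependencies());
        addAllIfPresent(components, mavenBom.getComponents());
        if (npmBom != null) {
            addAllIfPresent(bomDependencies, npmBom.getDependencies());
            addAllIfPresent(components, npmBom.getComponents());
        }

        return components.stream()
                .map(component -> toDependencyDTO(component, bomDependencies, vulnerabilities))
                .toList();
    }

    /**
     * Builds one DTO per (vulnerability, affected entry, dependency) match.
     *
     * @return a mutable list of vulnerability DTOs, empty when nothing matches
     */
    public List<Vulnerability> getVulnerabilities() {
        List<Dependency> dependencies = getDependencies();
        List<Vulnerability> result = new ArrayList<>();
        for (OpenSourceVulnerability osv : vulnerabilityStore.getVulnerabilities()) {
            for (Affected affected : supportedAffected(osv)) {
                for (Dependency dependency : dependencies) {
                    if (isVulnerable(dependency, affected)) {
                        result.add(createVulnerabilityDTO(osv, dependency, affected));
                    }
                }
            }
        }
        return result;
    }

    /** Appends {@code source} to {@code target}; a null source (unset BOM field) adds nothing. */
    private static <T> void addAllIfPresent(List<T> target, List<? extends T> source) {
        if (source != null) {
            target.addAll(source);
        }
    }

    /** Converts one BOM component into its DTO and fills in the derived fields. */
    private Dependency toDependencyDTO(Component component, List<org.cyclonedx.model.Dependency> bomDependencies,
            List<OpenSourceVulnerability> vulnerabilities) {
        Dependency dependency = new Dependency(AppSecUtils.getEcosystem(component), component.getGroup(),
                component.getName(), component.getVersion());
        findParentBomRef(component.getBomRef(), bomDependencies).ifPresent(dependency::setParentBomRef);
        if (dependency.getEcosystem() == Ecosystem.NPM) {
            dependency.setDevDependency(isDevDependency(component));
        }
        updateVulnerabilityStatistics(dependency, vulnerabilities);
        return dependency;
    }

    /**
     * Finds the first BOM dependency node that lists {@code bomRef} among its children.
     *
     * @return the parent's bom-ref, or empty when no node lists the component
     */
    private static Optional<String> findParentBomRef(String bomRef, List<org.cyclonedx.model.Dependency> bomDependencies) {
        return bomDependencies.stream()
                .filter(parent -> parent.getDependencies() != null && parent.getDependencies().stream()
                        .anyMatch(child -> child.getRef() != null && child.getRef().equals(bomRef)))
                .map(parent -> parent.getRef())
                .findFirst();
    }

    /** The {@code affected} entries of a record whose ecosystem is Maven or npm; empty when absent. */
    private List<Affected> supportedAffected(OpenSourceVulnerability osv) {
        if (osv.getAffected() == null) {
            return List.of();
        }
        return osv.getAffected().stream()
                .filter(affected -> isMavenEcosystem(affected) || isNpmEcosystem(affected))
                .toList();
    }

    private boolean isMavenEcosystem(Affected affected) {
        return affected.getPackage() != null
                && Ecosystem.MAVEN.value().equalsIgnoreCase(affected.getPackage().getEcosystem());
    }

    private boolean isNpmEcosystem(Affected affected) {
        return affected.getPackage() != null
                && Ecosystem.NPM.value().equalsIgnoreCase(affected.getPackage().getEcosystem());
    }

    /** True when the dependency's coordinates match the affected package and its version is in scope. */
    private boolean isVulnerable(Dependency dependency, Affected affected) {
        return isSameGroup(dependency.getGroup(), AppSecUtils.getVulnDepGroup(affected))
                && isSameName(dependency.getName(), AppSecUtils.getVulnDepName(affected))
                && isVersionAffected(dependency.getVersion(), affected.getVersions(), affected.getRanges());
    }

    /** Null-safe group comparison: two absent groups (e.g. unscoped npm packages) are equal. */
    private static boolean isSameGroup(String group, String otherGroup) {
        return Objects.equals(group, otherGroup);
    }

    /** A dependency without a name never matches. */
    private static boolean isSameName(String name, String otherName) {
        return name != null && name.equals(otherName);
    }

    /**
     * @param version the dependency version; null means unknown and is never reported as affected
     * @param versions OSV explicit affected versions, may be null
     * @param ranges OSV affected ranges, may be null
     */
    private boolean isVersionAffected(String version, List<String> versions, List<Range> ranges) {
        if (version == null) {
            return false;
        }
        return includedInVersions(version, versions) || includedInRanges(version, ranges);
    }

    private static boolean includedInVersions(String version, List<String> versions) {
        return versions != null && versions.contains(version);
    }

    /** True when any range with events marks the version as affected and no {@code limit} excludes it. */
    private boolean includedInRanges(String version, List<Range> ranges) {
        if (ranges == null) {
            return false;
        }
        ArtifactVersion depVersion = new DefaultArtifactVersion(version);
        return ranges.stream()
                .map(Range::getEvents)
                .filter(Objects::nonNull)
                .anyMatch(events -> beforeLimits(events, depVersion) && evaluateEvents(events, depVersion));
    }

    /**
     * Walks the events in order: an {@code introduced} at or below the version marks it affected,
     * a {@code fixed} at or below it or a {@code last_affected} below it clears the mark again.
     * The result is the state after the last event.
     */
    private static boolean evaluateEvents(List<Event> events, ArtifactVersion depVersion) {
        boolean affected = false;
        for (Event event : events) {
            if (versionReaches(depVersion, event, INTRODUCED, true)) {
                affected = true;
            } else if (versionReaches(depVersion, event, FIXED, true)) {
                affected = false;
            } else if (versionReaches(depVersion, event, LAST_AFFECTED, false)) {
                affected = false;
            }
        }
        return affected;
    }

    /**
     * Compares the dependency version with the version stored under {@code key} in the event.
     *
     * @param inclusive true for "at or above", false for "strictly above"
     * @return false when the event does not carry {@code key}
     */
    private static boolean versionReaches(ArtifactVersion depVersion, Event event, String key, boolean inclusive) {
        return getVersionFromEvent(event, key)
                .map(depVersion::compareTo)
                .map(cmp -> inclusive ? cmp >= 0 : cmp > 0)
                .orElse(false);
    }

    /** The version under {@code key} in the event's additional properties, empty when absent or null. */
    private static Optional<ArtifactVersion> getVersionFromEvent(Event event, String key) {
        Object raw = event.getAdditionalProperties().get(key);
        if (raw == null) {
            return Optional.empty();
        }
        ArtifactVersion parsed = new DefaultArtifactVersion((String) raw);
        return Optional.of(parsed);
    }

    /**
     * True when the events carry no {@code limit}, or the version is below at least one limit.
     * Only events that actually carry {@code limit} are parsed; the previous implementation
     * parsed every event once any limit existed and failed on the ones without it.
     */
    private static boolean beforeLimits(List<Event> events, ArtifactVersion depVersion) {
        List<ArtifactVersion> limits = events.stream()
                .map(event -> getVersionFromEvent(event, LIMIT))
                .flatMap(Optional::stream)
                .toList();
        if (limits.isEmpty()) {
            return true;
        }
        return limits.stream().anyMatch(limit -> depVersion.compareTo(limit) < 0);
    }

    /** Builds the DTO for one (record, dependency, affected entry) match. */
    private Vulnerability createVulnerabilityDTO(OpenSourceVulnerability osv, Dependency dependency, Affected affected) {
        String vulnerabilityId = getVulnerabilityId(osv);
        Vulnerability vulnerability = new Vulnerability(vulnerabilityId);
        vulnerability.setDependency(dependency);
        vulnerability.setDatePublished(osv.getPublished());
        vulnerability.setPatchedVersion(getPatchedVersion(affected).orElse("---"));
        if (osv.getDetails() != null) {
            // Markdown from the feed; raw HTML inside it is escaped by HTML_RENDERER.
            vulnerability.setDetails(HTML_RENDERER.render(MARKDOWN_PARSER.parse(osv.getDetails())));
        }
        getAffectedVersion(vulnerability).ifPresent(vulnerability::setAffectedVersion);

        AppSecData.VulnerabilityAssessment developerAssessment =
                AppSecService.getInstance().getData().getVulnerabilities().get(vulnerabilityId);
        if (developerAssessment != null) {
            vulnerability.setDeveloperStatus(developerAssessment.getStatus());
            vulnerability.setDeveloperAnalysis(developerAssessment.getDeveloperAnalysis());
            vulnerability.setDeveloperUpdated(developerAssessment.getUpdated());
        }

        var referenceUrls = new HashSet<String>();
        if (osv.getReferences() != null) {
            osv.getReferences().forEach(reference -> referenceUrls.add(reference.getUrl().toString()));
        }
        vulnerability.setReferenceUrls(referenceUrls);
        return vulnerability;
    }

    /** True when the component carries the npm dev-dependency property set to "true". */
    private boolean isDevDependency(Component component) {
        if (component.getProperties() == null) {
            return false;
        }
        return component.getProperties().stream()
                .anyMatch(property -> NPM_DEV_DEPENDENCY_PROPERTY.equals(property.getName())
                        && "true".equals(property.getValue()));
    }

    /**
     * Sets the dependency's vulnerability count, highest severity level, highest CVSS base score
     * and the vector of that score. Each matching affected entry counts once, mirroring
     * {@link #getVulnerabilities()}. On a tie the later record's vector wins.
     */
    private void updateVulnerabilityStatistics(Dependency dependency, List<OpenSourceVulnerability> vulnerabilities) {
        int count = 0;
        SeverityLevel highestLevel = SeverityLevel.NONE;
        double highestScore = 0.0d;
        String highestVector = "";
        for (OpenSourceVulnerability osv : vulnerabilities) {
            for (Affected affected : supportedAffected(osv)) {
                if (!isVulnerable(dependency, affected)) {
                    continue;
                }
                count++;
                if (osv.getSeverity() == null) {
                    continue;
                }
                CvssSummary cvss = highestCvss(osv);
                SeverityLevel level = SeverityLevel.getSeverityLevelForCvssScore(cvss.score());
                if (SeverityLevelComparator.compareStatic(level, highestLevel) > 0) {
                    highestLevel = level;
                }
                if (cvss.score() >= highestScore) {
                    highestScore = cvss.score();
                    highestVector = cvss.vector();
                }
            }
        }
        dependency.setNumOfVulnerabilities(count);
        dependency.setSeverityLevel(highestLevel);
        dependency.setRiskScore(highestScore);
        dependency.setCvssString(highestVector);
    }

    /**
     * Highest CVSS base score among the record's parseable severity vectors, with the first
     * vector reaching that score; {@code 0.0}/{@code ""} when none parses. Caller ensures
     * {@code getSeverity()} is non-null.
     */
    private static CvssSummary highestCvss(OpenSourceVulnerability osv) {
        double bestScore = 0.0d;
        String bestVector = "";
        for (Severity severity : osv.getSeverity()) {
            Cvss cvss = Cvss.fromVector(severity.getScore());
            if (cvss == null) {
                continue;
            }
            double baseScore = cvss.calculateScore().getBaseScore();
            if (baseScore > bestScore) {
                bestScore = baseScore;
                bestVector = severity.getScore();
            }
        }
        return new CvssSummary(bestScore, bestVector);
    }

    /** First {@code fixed} version, preferring SEMVER, then ECOSYSTEM, then GIT ranges. */
    private Optional<String> getPatchedVersion(Affected affected) {
        return getFixed(affected, Range.Type.SEMVER)
                .or(() -> getFixed(affected, Range.Type.ECOSYSTEM))
                .or(() -> getFixed(affected, Range.Type.GIT));
    }

    /**
     * The first {@code fixed} event of the first range of the given type; empty when the entry has
     * no ranges, no range of that type, or that range carries no {@code fixed}.
     */
    private Optional<String> getFixed(Affected affected, Range.Type type) {
        if (affected.getRanges() == null) {
            return Optional.empty();
        }
        return affected.getRanges().stream()
                .filter(range -> type.equals(range.getType()))
                .findFirst()
                .flatMap(range -> firstFixedVersion(range.getEvents()));
    }

    private static Optional<String> firstFixedVersion(List<Event> events) {
        if (events == null) {
            return Optional.empty();
        }
        return events.stream()
                .map(event -> event.getAdditionalProperties().get(FIXED))
                .filter(Objects::nonNull)
                .map(String.class::cast)
                .findFirst();
    }

    /** The record's own id when it is a CVE, else its first CVE alias, else the id. */
    private String getVulnerabilityId(OpenSourceVulnerability osv) {
        String id = osv.getId();
        if (osv.getAliases() == null || id.startsWith(CVE_PREFIX)) {
            return id;
        }
        return osv.getAliases().stream()
                .filter(Objects::nonNull)
                .filter(alias -> alias.startsWith(CVE_PREFIX))
                .findFirst()
                .orElse(id);
    }

    /**
     * Looks up the vulnerability analysis for the DTO's identifier and returns the affected-version
     * entry of the assessment keyed by the dependency's parent (group/name derived from the parent
     * bom-ref) whose range contains the parent's version.
     *
     * @return empty when no analysis, assessment or matching range exists, or the dependency has
     *         no parent bom-ref to key the assessment by
     */
    private Optional<AffectedVersion> getAffectedVersion(Vulnerability vulnerability) {
        VulnerabilityDetails details = AppSecService.getInstance().getVulnerabilityAnalysis()
                .getVulnerabilities().get(vulnerability.getIdentifier());
        if (details == null || details.getAssessments() == null) {
            return Optional.empty();
        }
        Dependency dependency = vulnerability.getDependency();
        String parentBomRef = dependency.getParentBomRef();
        if (parentBomRef == null) {
            return Optional.empty();
        }
        String assessmentKey = dependency.getEcosystem() == Ecosystem.MAVEN
                ? AppSecUtils.bomRefToMavenGroupAndName(parentBomRef)
                : AppSecUtils.bomRefToNpmGroupAndName(parentBomRef);
        Assessment assessment = details.getAssessments().get(assessmentKey);
        if (assessment == null) {
            return Optional.empty();
        }
        String parentVersion = AppSecUtils.bomRefToVersion(parentBomRef);
        return assessment.getAffectedVersions().values().stream()
                .filter(affectedVersion -> affectedVersion.isInRange(parentVersion))
                .findFirst();
    }
}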
