From d6481aafad137ac4d89bf4458ef670f553c27bce Mon Sep 17 00:00:00 2001
From: Phil Pinel <35564100+EdgewareRoad@users.noreply.github.com>
Date: Fri, 7 Jun 2024 10:40:51 +0100
Subject: [PATCH] Release 3.0.3 fixed bug caused by EPSS changing response format. Better diagnostic output in exception cases.
---
 CHANGELOG.txt | 6 +++++
 ...anCouldNotRetrieveEPSSScoresException.java | 4 ++--
 .../trivysummary/TrivySummary.java | 4 ++--
 .../trivysummary/TrivySummaryApp.java | 22 ++++++++++++++++++-
 .../dto/firstapiv1/EPSSResponse.java | 2 ++
 src/main/resources/application.properties | 2 +-
 6 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 8d9d233..1bd4a14 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,9 @@
+Release 3.0.3:
+
+Fixed bug caused by EPSS API changing response format - now ignores new fields
+Better diagnostics in exception conditions (separate message for files not found, error trace when EPSS API
+generates exception)
+
 Release 3.0.2:
 If the scan date is today, TrivySummary now omits the date from the EPSS Query as this
diff --git a/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivyScanCouldNotRetrieveEPSSScoresException.java b/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivyScanCouldNotRetrieveEPSSScoresException.java
index fe80e96..d1b73ca 100644
--- a/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivyScanCouldNotRetrieveEPSSScoresException.java
+++ b/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivyScanCouldNotRetrieveEPSSScoresException.java
@@ -1,8 +1,8 @@
 package com.fujitsu.edgewareroad.trivysummary;
 public class TrivyScanCouldNotRetrieveEPSSScoresException extends Exception {
- public TrivyScanCouldNotRetrieveEPSSScoresException(String message)
+ public TrivyScanCouldNotRetrieveEPSSScoresException(String message, Exception e)
 {
- super(message);
+ super(message, e);
 }
 }
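Review bot: The new constructor takes `Exception e`, although the `Exception(String, Throwable)` superclass constructor it forwards to accepts any `Throwable`, so a caller that holds a `Throwable`-typed cause (or an `Error`) cannot use it; `public TrivyScanCouldNotRetrieveEPSSScoresException(String message, Throwable cause)` with `super(message, cause);` is the conventional shape and also names the parameter for what it is. The one-argument constructor is replaced rather than kept alongside, so any caller outside this patch that still uses it stops compiling — the two sites changed in TrivySummary.java appear to be the only ones, but that is worth confirming. The class has no Javadoc; a one-line summary such as `/** Thrown when EPSS scores could not be retrieved; the cause carries the underlying I/O or parsing failure. */` would tell readers what the cause is expected to hold.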
diff --git a/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivySummary.java b/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivySummary.java
index eeaaac6..40943a7 100644
--- a/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivySummary.java
+++ b/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivySummary.java
@@ -166,7 +166,7 @@ public boolean summariseTrivyHistory(String title) throws IOException, TrivyScan
 updateEPSSScores(openVulnerabilities, false, epssQueryDate);
 openVulnerabilities.prioritiseForRemediation(configuration.getPriorityModel());
 } catch (Exception e) {
- throw new TrivyScanCouldNotRetrieveEPSSScoresException(String.format("Could not retrieve EPSS scores for open vulnerabilities; Cannot create graph or prioritise vulnerabilities. Please check connectivity to %s or re-run TrivySummary with --offline.", BASE_EPSS_API_URL));
+ throw new TrivyScanCouldNotRetrieveEPSSScoresException(String.format("Could not retrieve EPSS scores for open vulnerabilities; Cannot create graph or prioritise vulnerabilities. Please check connectivity to %s or re-run TrivySummary with --offline.", BASE_EPSS_API_URL), e);
 }
 // Now update EPSS scores for closed vulnerabilities.
 try {
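Review bot: The `catch (Exception e)` that now attaches the cause still converts an `InterruptedException` into the domain exception without restoring the thread's interrupt flag; if `updateEPSSScores` performs its HTTP call through an API such as `HttpClient.send`, that is one of the exceptions this block swallows. Adding `if (e instanceof InterruptedException) Thread.currentThread().interrupt();` immediately before the `throw` preserves the interrupt status for callers. The same `catch (Exception e)` wrapper appears in the `@@ -251,7` hunk of this file and would want the same line. The enclosing `summariseTrivyHistory` method starts and ends outside this hunk.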
@@ -251,7 +251,7 @@ else if (history.getScanHistory().size() == 1)
 updateEPSSScores(openVulnerabilities, false, epssQueryDate);
 openVulnerabilities.prioritiseForRemediation(configuration.getPriorityModel());
 } catch (Exception e) {
- throw new TrivyScanCouldNotRetrieveEPSSScoresException(String.format("Could not retrieve EPSS scores for open vulnerabilities; Cannot create graph or prioritise vulnerabilities. Please check connectivity to %s or re-run TrivySummary with --offline.", BASE_EPSS_API_URL));
+ throw new TrivyScanCouldNotRetrieveEPSSScoresException(String.format("Could not retrieve EPSS scores for open vulnerabilities; Cannot create graph or prioritise vulnerabilities. Please check connectivity to %s or re-run TrivySummary with --offline.", BASE_EPSS_API_URL), e);
 }
 // Now update EPSS scores for whitelisted vulnerabilities.
 try {
diff --git a/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivySummaryApp.java b/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivySummaryApp.java
index fd35cae..c4b452b 100644
--- a/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivySummaryApp.java
+++ b/src/main/java/com/fujitsu/edgewareroad/trivysummary/TrivySummaryApp.java
@@ -24,6 +24,7 @@ import java.util.stream.Collectors;
 import java.util.stream.IntStream;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -184,6 +185,12 @@ else if (inputFiles.size() == 1)
 displayHelp();
 this.exitCode = -1;
 return;
+ } catch (FileNotFoundException e) {
+ output("ERROR: Priority model not found %s", priorityModelPath.toString());
+ output("");
+ displayHelp();
+ this.exitCode = -1;
+ return;
 } catch (IOException e) {
 output("ERROR: File IO exception for priority model %s", priorityModelPath.toString());
 output("");
@@ -191,7 +198,7 @@ else if (inputFiles.size() == 1)
 this.exitCode = -1;
 return;
 }
- }
+ }
 }
 }
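Review bot: The new `catch (FileNotFoundException e)` only matches the failure raised by the legacy `java.io` stream openers; if the priority model is read through `java.nio.file.Files` (this file imports `Files` and `Path`), a missing file surfaces as `java.nio.file.NoSuchFileException`, which is an `IOException` but not a `FileNotFoundException`, and would still fall into the generic "File IO exception" branch — worth confirming against the loading code, and `catch (FileNotFoundException | NoSuchFileException e)` (plus the import) covers both cases. The same five-line sequence of message, blank line, `displayHelp()`, `this.exitCode = -1` and `return` is repeated here and in the `@@ -222` and `@@ -239` hunks below; a private helper such as `failWithHelp(String format, Object... args)` would keep the three sites consistent when the exit handling changes. The enclosing method starts and ends outside this hunk.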
@@ -222,6 +229,12 @@ else if (inputFiles.size() == 1)
 displayHelp();
 this.exitCode = -1;
 return;
+ } catch (FileNotFoundException e) {
+ output("ERROR: Whitelist file not found %s", whiteListFilePath.toString());
+ output("");
+ displayHelp();
+ this.exitCode = -1;
+ return;
 } catch (IOException e) {
 output("ERROR: File IO exception for whitelist file %s", whiteListFilePath.toString());
 output("");
@@ -239,6 +252,12 @@ else if (inputFiles.size() == 1)
 try {
 worker.addTrivyScanFileToHistory(filePath);
+ } catch (FileNotFoundException e) {
+ output("ERROR: Could not find input file %s", filePath.toString());
+ output("");
+ displayHelp();
+ this.exitCode = -1;
+ return;
 } catch (IOException e) {
 output("ERROR: Could not read input file %s", filePath.toString());
 output("");
@@ -273,6 +292,7 @@ else if (inputFiles.size() == 1)
 return;
 } catch (TrivyScanCouldNotRetrieveEPSSScoresException e) {
 output("ERROR: %s", e.getMessage());
+ output("Cause of EPSS score retrieval failure: %s: %s", e.getCause().getClass().getName(), e.getCause().getMessage());
 this.exitCode = -1;
 return;
 }
diff --git a/src/main/java/com/fujitsu/edgewareroad/trivyutils/dto/firstapiv1/EPSSResponse.java b/src/main/java/com/fujitsu/edgewareroad/trivyutils/dto/firstapiv1/EPSSResponse.java
index 96e50e7..1ef0340 100644
--- a/src/main/java/com/fujitsu/edgewareroad/trivyutils/dto/firstapiv1/EPSSResponse.java
+++ b/src/main/java/com/fujitsu/edgewareroad/trivyutils/dto/firstapiv1/EPSSResponse.java
@@ -1,7 +1,9 @@
 package com.fujitsu.edgewareroad.trivyutils.dto.firstapiv1;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class EPSSResponse {
 @JsonProperty
 private String status;
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 3d19170..b4e4474 100644
--- a/src/main/resources/application.properties
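Review bot: The added `output(...)` in the `@@ -273,6` hunk dereferences `e.getCause()` twice with no null check, so an exception constructed with a null cause would turn this error-reporting branch into a `NullPointerException` and discard the message printed on the line above; the new constructor accepts any `Exception` reference, including null. `output("Cause of EPSS score retrieval failure: %s", String.valueOf(e.getCause()));` is null-safe and prints equivalent text, since `Throwable.toString()` yields the class name followed by the message when one is present. The enclosing method starts and ends outside this hunk.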
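Review bot: `@JsonIgnoreProperties(ignoreUnknown = true)` is a class-level setting, so it only tolerates new fields on the top-level `EPSSResponse` object; if the nested elements of the response are mapped onto a separate DTO class (not visible in this hunk), additional per-entry fields from the EPSS API would still fail deserialization unless that class carries the same annotation or the `ObjectMapper` is configured with `DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES` disabled. Worth checking the sibling DTOs in this package, since the changelog describes the fix as ignoring new fields generally. A short why-comment above the annotation, e.g. `// The EPSS API adds response fields over time; ignore unknown ones instead of failing the parse.`, records the reason for future readers.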
+++ b/src/main/resources/application.properties
@@ -1,4 +1,4 @@
-trivysummary.version=3.0.2
+trivysummary.version=3.0.3
 logging.level.root=ERROR