diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index 1720edda8..f980936ab 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -94,6 +94,10 @@ public class Vulnerability implements Serializable, Comparable { * Whether or not all previous versions were affected. */ private String matchedAllPreviousCPE; + /** + * The notes for the vulnerability. + */ + private String notes; /** * Get the value of name. @@ -118,6 +122,7 @@ public class Vulnerability implements Serializable, Comparable { * * @return the value of description */ + public String getDescription() { return description; } @@ -279,6 +284,28 @@ public class Vulnerability implements Serializable, Comparable { this.cwe = cwe; } + /** + * Get the value of notes from suppression notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of cwe + */ + public void setNotes(String notes) { + this.notes = notes; + } + + /** + * CVSS Score. + */ + /** * Get the value of cvssScore. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index 4847a43bf..af10abb51 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java 
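Review bot: `@param notes new value of cwe` on `setNotes` in the `@@ -279` hunk is a copy-paste leftover and should read `@param notes new value of notes`. The orphan `/** CVSS Score. */` block added just before the existing `Get the value of cvssScore` Javadoc is not attached to any declaration (a doc comment immediately followed by another doc comment is discarded by javadoc) and should be dropped. The blank line inserted between the `getDescription` Javadoc and its signature in the `@@ -118` hunk is unrelated whitespace churn. Since the value is copied from the suppression file, the getter Javadoc could state the contract: `Get the notes for this vulnerability, taken from the matching suppression rule; null when no rule supplied notes.`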
@@ -28,6 +28,8 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.UnsupportedEncodingException; import java.util.List; + +import org.apache.commons.lang3.StringUtils; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.context.Context; @@ -38,8 +40,12 @@ import org.joda.time.format.DateTimeFormatter; import org.owasp.dependencycheck.analyzer.Analyzer; import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.ReportException; import org.owasp.dependencycheck.utils.Settings; +import org.owasp.dependencycheck.xml.suppression.SuppressionParseException; +import org.owasp.dependencycheck.xml.suppression.SuppressionParser; +import org.owasp.dependencycheck.xml.suppression.SuppressionRule; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -116,15 +122,55 @@ public class ReportGenerator {
         final String scanDateXML = dateFormatXML.print(dt);
 
         context.put("applicationName", applicationName);
-        context.put("dependencies", dependencies);
         context.put("analyzers", analyzers);
         context.put("properties", properties);
         context.put("scanDate", scanDate);
         context.put("scanDateXML", scanDateXML);
         context.put("enc", enc);
+        context.put("dependencies", addNotesToReport(dependencies));
         context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
     }
 
+    /**
+     * creates a suppression note adder to dependency
+     *
+     * @param dependencies the list of dependencies
+     * @return dependencies with notes added suppressed vulnerabilities
+     */
+
+    public List addNotesToReport(List dependencies){
+        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
+
+        if(StringUtils.isBlank(suppressionFilePath)){
+            return dependencies;
+        }
+
+        final SuppressionParser parser1 = new SuppressionParser();
+        List suppressionRule=null;
+
+        if(!suppressionFilePath.isEmpty()){
+            try {
+                suppressionRule=parser1.parseSuppressionRules(new File(suppressionFilePath));
+            } catch (SuppressionParseException e) {
+                e.printStackTrace();
+            }
+        }
+
+        for(Dependency dependency:dependencies){
+            for(Vulnerability suppressedVulnerability: dependency.getSuppressedVulnerabilities()){
+                for(SuppressionRule suppressionRule1:suppressionRule){
+                    for(String cve: suppressionRule1.getCve()){
+                        if(suppressedVulnerability.getName().equals(cve)){
+                            suppressedVulnerability.setNotes(suppressionRule1.getNotes());
+                        }
+
+                    }
+                }
+            }
+        }
+        return dependencies;
+    }
+
     /**
      * Creates a new Velocity Engine.
      *
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
index 6c7f5f314..f63e00279 100644
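Review bot: In `addNotesToReport`, `suppressionRule` stays `null` when `parseSuppressionRules` throws `SuppressionParseException`, because the catch only calls `e.printStackTrace()` and execution falls through to `for(SuppressionRule suppressionRule1:suppressionRule)`, which then throws a NullPointerException and aborts report generation. The parse failure should be logged through the class's slf4j logger (the import hunk above already brings in `Logger`/`LoggerFactory`) and the method should return the dependencies unchanged, which also removes the need for the redundant `!suppressionFilePath.isEmpty()` check that follows `StringUtils.isBlank`. The raw `List` parameter, return type and local should be `List<Dependency>` and `List<SuppressionRule>` so the loops do not rely on unchecked conversion, and the Javadoc summary `creates a suppression note adder to dependency` would be clearer as `Copies the notes of each matching suppression rule onto the suppressed vulnerabilities of every dependency.` Re-parsing the suppression file at report time presumably duplicates the parse done when vulnerabilities were suppressed; attaching the notes at suppression time would avoid the second parse, though that lies outside this hunk.
```java
    public List<Dependency> addNotesToReport(List<Dependency> dependencies) {
        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
        if (StringUtils.isBlank(suppressionFilePath)) {
            return dependencies;
        }
        final List<SuppressionRule> rules;
        try {
            rules = new SuppressionParser().parseSuppressionRules(new File(suppressionFilePath));
        } catch (SuppressionParseException e) {
            // LOGGER stands for the class's slf4j logger field; substitute its actual name
            LOGGER.warn("Unable to parse suppression file '{}'; suppression notes will be omitted from the report",
                    suppressionFilePath, e);
            return dependencies;
        }
        // … unchanged: nested loops copying rule notes onto matching suppressed vulnerabilities, iterating over `rules` …
        return dependencies;
    }
```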
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java @@ -46,6 +46,12 @@ public class SuppressionHandler extends DefaultHandler { * The CVE element name. */ public static final String CVE = "cve"; + + /** + * The CVE element name. + */ + public static final String NOTES = "notes"; + /** * The CPE element name. */ @@ -65,7 +71,16 @@ public class SuppressionHandler extends DefaultHandler { /** * A list of suppression rules. */ - private final List suppressionRules = new ArrayList<>(); + private final List suppressionRules = new ArrayList(); + + /** + * Get the value of suppressionRules. + * + * @return the value of suppressionRules + */ + public List getSuppressionRules() { + return suppressionRules; + } /** * The current rule being read. */ @@ -79,15 +94,6 @@ public class SuppressionHandler extends DefaultHandler { */ private StringBuilder currentText; - /** - * Get the value of suppressionRules. - * - * @return the value of suppressionRules - */ - public List getSuppressionRules() { - return suppressionRules; - } - /** * Handles the start element event. * @@ -140,7 +146,11 @@ public class SuppressionHandler extends DefaultHandler { rule.addCwe(currentText.toString()); } else if (CVE.equals(qName)) { rule.addCve(currentText.toString()); - } else if (CVSS_BELOW.equals(qName)) { + } + else if (NOTES.equals(qName)) { + rule.addNotes(currentText.toString()); + } + else if (CVSS_BELOW.equals(qName)) { final float cvss = Float.parseFloat(currentText.toString()); rule.addCvssBelow(cvss); } 
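Review bot: The Javadoc on the new `NOTES` constant in the `@@ -46` hunk says `The CVE element name.`, copied from `CVE`; it should read `The notes element name.`. The `@@ -65` hunk also replaces `new ArrayList<>()` with the raw `new ArrayList()`, which reintroduces an unchecked-conversion warning for no functional gain, and moves `getSuppressionRules()` above `currentRule`, unrelated churn that obscures the actual change. In the `@@ -140` hunk the `}` and `else if (NOTES.equals(qName)) {` are split across two lines, breaking the `} else if` brace style used by the rest of the chain; the three lines should be `} else if (NOTES.equals(qName)) {`, `rule.addNotes(currentText.toString());`, `} else if (CVSS_BELOW.equals(qName)) {`. The enclosing method starts and ends outside the hunk.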
@@ -160,8 +170,8 @@ public class SuppressionHandler extends DefaultHandler { } /** - * Processes field members that have been collected during the characters - * and startElement method to construct a PropertyType object. + * Processes field members that have been collected during the characters and startElement method to construct a + * PropertyType object. * * @return a PropertyType object */ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index 312cfb02b..e253094fd 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -59,6 +59,11 @@ public class SuppressionRule { * A Maven GAV to suppression. */ private PropertyType gav = null; + /** + * The notes added in suppression file + */ + + private String notes; /** * A flag indicating whether or not the suppression rule is a core/base rule @@ -175,6 +180,42 @@ public class SuppressionRule { return !cvssBelow.isEmpty(); } + /** + * Get the value of notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of cve + */ + public void setNotes(String notes) { + this.notes = notes; + } + + /** + * Adds the notes to the cve list. + * + * @param notes the cve to add + */ + public void addNotes(String notes) { + this.notes=notes; + } + + /** + * Returns whether this suppression rule has notes entries. + * + * @return whether this suppression rule has notes entries + */ + public boolean hasNotes() { + return !cve.isEmpty(); + } + /** * Get the value of CWE. * 
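Review bot: `hasNotes()` in the `@@ -175` hunk returns `!cve.isEmpty()`, so it reports whether the rule has CVE entries rather than whether it has notes; it should be `return notes != null && !notes.isEmpty();`. `addNotes` is documented as `Adds the notes to the cve list` but simply assigns the field, duplicating `setNotes`; either drop it in favour of `setNotes` or document it as `Sets the notes text read from the suppression file.` The `@param notes new value of cve` on `setNotes` should read `new value of notes`, and the blank line between the field Javadoc and `private String notes;` in the `@@ -59` hunk should go so the comment stays visibly attached to the field.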
diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index 023eb6f15..615844c10 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -211,6 +211,7 @@ + diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index 0bfd8c49c..859b0b974 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -141,7 +141,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end $enc.xml($vuln.description) -#foreach($ref in $vuln.getReferences(true)) +#foreach($ref in $vuln.getReferences()) $enc.xml($ref.source) $enc.xml($ref.url) @@ -150,7 +150,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end -#foreach($vs in $vuln.getVulnerableSoftware(true)) +#foreach($vs in $vuln.getVulnerableSoftware()) $enc.xml($vs.name) #end @@ -171,8 +171,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. $enc.xml($vuln.cwe) #end $enc.xml($vuln.description) + $enc.xml($vuln.notes) -#foreach($ref in $vuln.getReferences(true)) +#foreach($ref in $vuln.getReferences()) $enc.xml($ref.source) $enc.xml($ref.url) @@ -181,7 +182,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end -#foreach($vs in $vuln.getVulnerableSoftware(true)) +#foreach($vs in $vuln.getVulnerableSoftware()) $enc.xml($vs.name) #end
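Review bot: `$enc.xml($vuln.notes)` added in the `@@ -171` hunk is rendered for every vulnerability in that loop, but `notes` is only set when a suppression rule with notes matches; for the others the reference evaluates to null, and Velocity with default settings then prints the literal text `$enc.xml($vuln.notes)` into the XML instead of an empty value. Guard it with `#if($vuln.notes)` … `#end` (or use the quiet form `$!enc.xml($vuln.notes)`) so the report stays clean for entries without notes. The change from `$vuln.getReferences(true)` and `$vuln.getVulnerableSoftware(true)` to the no-argument overloads in this hunk and in the `@@ -141`/`@@ -150` hunks is unrelated to the notes feature and may alter which references and software entries are listed, depending on what the boolean selects; it deserves its own explanation in the commit. The surrounding XML elements are not visible in this extract, so I cannot confirm which report section the loop belongs to.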