Merge branch 'reportmodifier1' of https://github.com/Prakhash/DependencyCheck into Prakhash-reportmodifier1

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java

@@ -94,6 +94,10 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      * Whether or not all previous versions were affected.
      */
     private String matchedAllPreviousCPE;
+    /**
+     * The notes for the vulnerability.
+     */
+    private String notes;
 
     /**
      * Get the value of name.
@@ -118,6 +122,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      *
      * @return the value of description
      */
+
     public String getDescription() {
         return description;
     }
@@ -279,6 +284,28 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
         this.cwe = cwe;
     }
 
+    /**
+     * Get the value of notes from suppression notes.
+     *
+     * @return the value of notes
+     */
+    public String getNotes() {
+        return notes;
+    }
+
+    /**
+     * Set the value of notes.
+     *
+     * @param notes new value of cwe
+     */
+    public void setNotes(String notes) {
+        this.notes = notes;
+    }
+
+    /**
+     * CVSS Score.
+     */
+
     /**
      * Get the value of cvssScore.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -28,6 +28,8 @@ import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.UnsupportedEncodingException;
 import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.context.Context;
@@ -38,8 +40,12 @@ import org.joda.time.format.DateTimeFormatter;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -116,15 +122,55 @@ public class ReportGenerator {
         final String scanDateXML = dateFormatXML.print(dt);
 
         context.put("applicationName", applicationName);
-        context.put("dependencies", dependencies);
         context.put("analyzers", analyzers);
         context.put("properties", properties);
         context.put("scanDate", scanDate);
         context.put("scanDateXML", scanDateXML);
         context.put("enc", enc);
+        context.put("dependencies", addNotesToReport(dependencies));
         context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
     }
 
+    /**
+     * creates a suppression note adder to dependency
+     *
+     * @param dependencies the list of dependencies
+     * @return dependencies with notes added suppressed vulnerabilities
+     */
+
+    public List<Dependency> addNotesToReport(List<Dependency> dependencies){
+        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
+
+        if(StringUtils.isBlank(suppressionFilePath)){
+            return dependencies;
+        }
+
+        final SuppressionParser parser1 = new SuppressionParser();
+        List<SuppressionRule> suppressionRule=null;
+
+        if(!suppressionFilePath.isEmpty()){
+            try {
+                suppressionRule=parser1.parseSuppressionRules(new File(suppressionFilePath));
+            } catch (SuppressionParseException e) {
+                e.printStackTrace();
+            }
+        }
+
+        for(Dependency dependency:dependencies){
+            for(Vulnerability suppressedVulnerability: dependency.getSuppressedVulnerabilities()){
+                for(SuppressionRule suppressionRule1:suppressionRule){
+                    for(String cve: suppressionRule1.getCve()){
+                        if(suppressedVulnerability.getName().equals(cve)){
+                            suppressedVulnerability.setNotes(suppressionRule1.getNotes());
+                        }
+
+                    }
+                }
+            }
+        }
+        return dependencies;
+    }
+
     /**
      * Creates a new Velocity Engine.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java

@@ -46,6 +46,12 @@ public class SuppressionHandler extends DefaultHandler {
      * The CVE element name.
      */
     public static final String CVE = "cve";
+
+    /**
+     * The CVE element name.
+     */
+    public static final String NOTES = "notes";
+
     /**
      * The CPE element name.
      */
@@ -65,7 +71,16 @@ public class SuppressionHandler extends DefaultHandler {
     /**
      * A list of suppression rules.
      */
-    private final List<SuppressionRule> suppressionRules = new ArrayList<>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+
+    /**
+     * Get the value of suppressionRules.
+     *
+     * @return the value of suppressionRules
+     */
+    public List<SuppressionRule> getSuppressionRules() {
+        return suppressionRules;
+    }
     /**
      * The current rule being read.
      */
@@ -79,15 +94,6 @@ public class SuppressionHandler extends DefaultHandler {
      */
     private StringBuilder currentText;
 
-    /**
-     * Get the value of suppressionRules.
-     *
-     * @return the value of suppressionRules
-     */
-    public List<SuppressionRule> getSuppressionRules() {
-        return suppressionRules;
-    }
-
     /**
      * Handles the start element event.
      *
@@ -140,7 +146,11 @@ public class SuppressionHandler extends DefaultHandler {
             rule.addCwe(currentText.toString());
         } else if (CVE.equals(qName)) {
             rule.addCve(currentText.toString());
-        } else if (CVSS_BELOW.equals(qName)) {
+        }
+        else if (NOTES.equals(qName)) {
+            rule.addNotes(currentText.toString());
+        }
+        else if (CVSS_BELOW.equals(qName)) {
             final float cvss = Float.parseFloat(currentText.toString());
             rule.addCvssBelow(cvss);
         }
@@ -160,8 +170,8 @@ public class SuppressionHandler extends DefaultHandler {
     }
 
     /**
-     * Processes field members that have been collected during the characters
+     * Processes field members that have been collected during the characters and startElement method to construct a
-     * and startElement method to construct a PropertyType object.
+     * PropertyType object.
      *
      * @return a PropertyType object
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java

@@ -59,6 +59,11 @@ public class SuppressionRule {
      * A Maven GAV to suppression.
      */
     private PropertyType gav = null;
+    /**
+     * The notes added in suppression file
+     */
+
+    private String notes;
 
     /**
      * A flag indicating whether or not the suppression rule is a core/base rule
@@ -175,6 +180,42 @@ public class SuppressionRule {
         return !cvssBelow.isEmpty();
     }
 
+    /**
+     * Get the value of notes.
+     *
+     * @return the value of notes
+     */
+    public String getNotes() {
+        return notes;
+    }
+
+    /**
+     * Set the value of notes.
+     *
+     * @param notes new value of cve
+     */
+    public void setNotes(String notes) {
+        this.notes = notes;
+    }
+
+    /**
+     * Adds the notes to the cve list.
+     *
+     * @param notes the cve to add
+     */
+    public void addNotes(String notes) {
+        this.notes=notes;
+    }
+
+    /**
+     * Returns whether this suppression rule has notes entries.
+     *
+     * @return whether this suppression rule has notes entries
+     */
+    public boolean hasNotes() {
+        return !cve.isEmpty();
+    }
+
     /**
      * Get the value of CWE.
      *

dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd

@@ -211,6 +211,7 @@
                                                                     <xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
                                                                     <xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
                                                                     <xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="notes" type="xs:string" minOccurs="1" maxOccurs="1" />
                                                                     <xs:element name="references" minOccurs="0" maxOccurs="1">
                                                                         <xs:complexType>
                                                                             <xs:sequence>

dependency-check-core/src/main/resources/templates/XmlReport.vsl

@@ -141,7 +141,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 #end
                     <description>$enc.xml($vuln.description)</description>
                     <references>
-#foreach($ref in $vuln.getReferences(true))
+#foreach($ref in $vuln.getReferences())
                         <reference>
                             <source>$enc.xml($ref.source)</source>
                             <url>$enc.xml($ref.url)</url>
@@ -150,7 +150,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 #end
                     </references>
                     <vulnerableSoftware>
-#foreach($vs in $vuln.getVulnerableSoftware(true))
+#foreach($vs in $vuln.getVulnerableSoftware())
                         <software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
 #end
                     </vulnerableSoftware>
@@ -171,8 +171,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <cwe>$enc.xml($vuln.cwe)</cwe>
 #end
                     <description>$enc.xml($vuln.description)</description>
+                    <notes>$enc.xml($vuln.notes)</notes>
                     <references>
-#foreach($ref in $vuln.getReferences(true))
+#foreach($ref in $vuln.getReferences())
                         <reference>
                             <source>$enc.xml($ref.source)</source>
                             <url>$enc.xml($ref.url)</url>
@@ -181,7 +182,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 #end
                     </references>
                     <vulnerableSoftware>
-#foreach($vs in $vuln.getVulnerableSoftware(true))
+#foreach($vs in $vuln.getVulnerableSoftware())
                         <software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
 #end
                     </vulnerableSoftware>