diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java index df2d9afe8..2855df7d7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java @@ -26,14 +26,15 @@ import org.apache.commons.lang3.StringUtils; /** *

- * Simple object to track the parts of a version number. The parts are contained in a List such that version 1.2.3 will - * be stored as: versionParts[0] = 1; + * Simple object to track the parts of a version number. The parts are contained + * in a List such that version 1.2.3 will be stored as: versionParts[0] = 1; * versionParts[1] = 2; * versionParts[2] = 3; *

*

- * Note, the parser contained in this class expects the version numbers to be separated by periods. If a different - * separator is used the parser will likely fail.

+ * Note, the parser contained in this class expects the version numbers to be + * separated by periods. If a different separator is used the parser will likely + * fail.

* * @author Jeremy Long */ @@ -47,8 +48,9 @@ public class DependencyVersion implements Iterable, ComparableNote, this should only be used when the version passed in is already known to be a well formatted version - * number. Otherwise, DependencyVersionUtil.parseVersion() should be used instead. + * Note, this should only be used when the version passed in is + * already known to be a well formatted version number. Otherwise, + * DependencyVersionUtil.parseVersion() should be used instead. * * @param version the well formatted version number to parse */ @@ -57,8 +59,9 @@ public class DependencyVersion implements Iterable, ComparableNote, this should only be - * used to parse something that is already known to be a version number. + * Parses a version string into its sub parts: major, minor, revision, + * build, etc. Note, this should only be used to parse something that + * is already known to be a version number. * * @param version the version string to parse */ 
@@ -133,26 +136,33 @@ public class DependencyVersion implements Iterable, Comparable other.versionParts.size()) + ? this.versionParts.size() : other.versionParts.size(); + + if (minVersionMatchLength==1 && maxVersionMatchLength>=3) { + return false; + } + //TODO steal better version of code from compareTo - for (int i = 0; i < max; i++) { + for (int i = 0; i < minVersionMatchLength; i++) { final String thisPart = this.versionParts.get(i); final String otherPart = other.versionParts.get(i); if (!thisPart.equals(otherPart)) { return false; } } - if (this.versionParts.size() > max) { - for (int i = max; i < this.versionParts.size(); i++) { + if (this.versionParts.size() > minVersionMatchLength) { + for (int i = minVersionMatchLength; i < this.versionParts.size(); i++) { if (!"0".equals(this.versionParts.get(i))) { return false; } } } - if (other.versionParts.size() > max) { - for (int i = max; i < other.versionParts.size(); i++) { + if (other.versionParts.size() > minVersionMatchLength) { + for (int i = minVersionMatchLength; i < other.versionParts.size(); i++) { if (!"0".equals(other.versionParts.get(i))) { return false; } @@ -180,8 +190,9 @@ public class DependencyVersion implements Iterable, Comparablecom\.offbytwo\.jenkins:jenkins-client:.* cpe:/a:jenkins:jenkins + + + ^(?!com.thoughtworks).*xstream.*$ + cpe:/a:x-stream:xstream + diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index 332377d10..4bdc1ffba 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl 
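Review bot: The new `minVersionMatchLength==1 && maxVersionMatchLength>=3` short-circuit makes `equals` non-transitive: with the code that follows it, `2` still equals `2.0` (min 1, max 2, trailing part `0`) and `2.0` equals `2.0.0`, yet `2` no longer equals `2.0.0`. Since this class underpins version matching for vulnerability identification, a relation whose answer depends on which pair of versions happens to be compared is a correctness risk, and it also breaks the `Object.equals` contract that hash-based collections rely on (the `@@ -180` hunk is unreadable here, so please confirm `hashCode` still agrees with `equals` if it is overridden). If a bare major version is meant to match `x.0` but not `x.0.0`, say so in the method Javadoc and above the check, e.g. `// A bare major ("2") is too ambiguous to match a three-part version ("2.0.0"); NOTE this makes equals non-transitive because "2" == "2.0" == "2.0.0".`; otherwise make the rule uniform, for instance `if (minVersionMatchLength == 1 && maxVersionMatchLength > 1) { return false; }`, or drop the special case. The two thresholds are magic numbers either way and deserve named constants or that comment; `equals` itself continues past the end of this hunk.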
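Review bot: The new entry keyed on `^(?!com.thoughtworks).*xstream.*$` drops `cpe:/a:x-stream:xstream` for every coordinate that mentions xstream outside the com.thoughtworks group; the element tags and file header are stripped in this rendering, so I infer from the neighbouring jenkins-client entry that this is a base suppression shipped with the tool. A blanket rule like this also hides XStream findings for forks, relocated or shaded bundles that legitimately embed XStream under another groupId, which turns a false-positive fix into a silent false negative for everyone. Narrow it to the artifacts that were actually misidentified, or at least anchor the lookahead on the group segment with escaped dots, `^(?!com\.thoughtworks\.xstream:).*xstream.*$`, and record why the suppression exists in the entry's notes so it can be re-evaluated later.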
@@ -83,16 +83,50 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. xml += $("#modal-text").text().replace(/\n/g,'\n '); xml += '\n'; $('#modal-text').text(xml).focus().select(); + $('#modal-add-header').toggleClass('active'); }); }); - function copyText(name, sha1, type, val) { + function suppressSwitchTo(switchTo) { + $('#modal-suppress-change-to-sha1').toggleClass('active'); + $('#modal-suppress-change-to-gav').toggleClass('active'); + setCopyText($('#suppress-name').val(), + switchTo, + $('#suppress-'+switchTo).val(), + $('#suppress-type').val(), + $('#suppress-val').val()); + } + function copyText(name, sha1, gav, type, val) { + $('#suppress-name').val(name); + $('#suppress-type').val(type); + $('#suppress-val').val(val); + $('#suppress-sha1').val(sha1); + $('#suppress-gav').val(gav); + if (gav=='') { + if ($('#modal-suppress-change-to-gav').hasClass('active')) { + $('#modal-suppress-change-to-gav').toggleClass('active'); + } + if ($('#modal-suppress-change-to-sha1').hasClass('active')) { + $('#modal-suppress-change-to-sha1').toggleClass('active'); + } + setCopyText(name, 'sha1', sha1, type, val); + } else { + if ($('#modal-suppress-change-to-gav').hasClass('active')) { + $('#modal-suppress-change-to-gav').toggleClass('active'); + } + if (!$('#modal-suppress-change-to-sha1').hasClass('active')) { + $('#modal-suppress-change-to-sha1').toggleClass('active'); + } + setCopyText(name, 'gav', gav, type, val); + } + } + function setCopyText(name, matchType, matchValue, suppressType, suppressVal) { xml = '\n'; xml += ' \n'; - xml += ' ' + sha1 + '\n'; - xml += ' <'+type+'>' + val + '\n'; + xml += ' <'+matchType+'>' + matchValue + '\n'; + xml += ' <'+suppressType+'>' + suppressVal + '\n'; xml += ''; $('#modal-text').text(xml); - $('#modal-content,#modal-background').toggleClass('active'); + $('#modal-content,#modal-background').addClass('active'); $('#modal-text').focus(); $('#modal-text').select(); } 
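Review bot: `setCopyText` concatenates `matchValue` and `suppressVal` straight into the XML it offers for pasting into a suppression file, with no XML escaping; the template comment further down states that values reaching JavaScript are only HTML-encoded, which the browser decodes before the script sees them. A file name, GAV or CPE containing `&`, `<` or `]]>` therefore yields malformed XML, and because those strings come from the scanned artifacts rather than from the report author, a crafted artifact could shape the rule a user copies out. Escape both values (and `name`, unless the lines this rendering drops wrap it in CDATA) before concatenation; `copyText` and `suppressSwitchTo` are fully inside the hunk, `setCopyText` runs to its closing brace at the hunk's end.
```javascript
function xmlEscape(s) {
    return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function setCopyText(name, matchType, matchValue, suppressType, suppressVal) {
    // … unchanged: opening <suppress> and <notes> lines …
    xml += '   <' + matchType + '>' + xmlEscape(matchValue) + '</' + matchType + '>\n';
    xml += '   <' + suppressType + '>' + xmlEscape(suppressVal) + '</' + suppressType + '>\n';
    // … unchanged: closing tag, modal activation and focus …
}
```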
@@ -150,6 +184,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #modal-text:focus { outline: none; } + .suppresstype { + display: none; + } + .suppresstype.active { + display: block; + } .suppressedLabel { cursor: default; padding:1px; @@ -504,6 +544,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. @@ -515,6 +560,10 @@ the reporting provided constitutes acceptance for use in an AS IS condition, and implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

+

How to read the report | +Suppressing false positives | +Getting Help: google group | +github issues

]]#

Project: $enc.html($applicationName)

@@ -725,6 +774,12 @@ arising out of or in connection with the use of this tool, the analysis performe
  • None
#else ## ($dependency.getIdentifiers().size()>0)
    + #set($suppressGav='') + #foreach($id in $dependency.getIdentifiers()) + #if ($id.type=="maven") + #set($suppressGav=$id.value) + #end + #end #foreach($id in $dependency.getIdentifiers()) #if( $id.url ) ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here... @@ -737,7 +792,7 @@ arising out of or in connection with the use of this tool, the analysis performe #end #if ($id.type=="cpe") ##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet -    +    #end #if ($id.description)
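Review bot: The `#foreach` that fills `$suppressGav` overwrites it on every `maven` identifier, so a dependency that carries several (a jar bundling more than one pom, for instance) ends up with the last one in the suggested suppression, which may not be the coordinate shown first on the page. Either keep the first match, `#if ($id.type=="maven" && $suppressGav=='')`, or document the choice above the loop, e.g. `## the last maven identifier wins; a dependency with several poms gets its final GAV`. The enclosing `#foreach`/`#if` structure continues beyond this hunk.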
    $enc.html($id.description) @@ -753,7 +808,7 @@ arising out of or in connection with the use of this tool, the analysis performe
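Review bot: The one changed line of this hunk (its markup is lost in this rendering, but given the `copyText` signature change earlier in the file it is presumably the `onclick` call now passing `$suppressGav`) places analyzer-derived strings inside a JavaScript string literal protected only by HTML encoding, as the comment directly above it admits. If `$enc.html` resolves to commons-lang's `escapeHtml` behind the Velocity EscapeTool, it leaves `'` and `\` untouched, so a file name or GAV containing a single quote closes the literal and the remainder runs as script when the report is opened; please confirm which encoder is in use. A robust alternative that removes the JS-string context entirely is to carry the values on attributes, e.g. `data-gav="$enc.html($suppressGav)"`, and have `copyText` read them from the clicked element, since an attribute value is fully covered by HTML encoding.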
    #foreach($vuln in $dependency.getVulnerabilities()) #set($vsctr=$vsctr+1) -

    $enc.html($vuln.name)  

    +

    $enc.html($vuln.name)  

    Severity: #if ($vuln.cvssScore<4.0) Low diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java index a53142f89..93dd394d8 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java @@ -96,6 +96,19 @@ public class DependencyVersionTest extends BaseTest { expResult = true; result = instance.equals(obj); assertEquals(expResult, result); + + instance = new DependencyVersion("2.0.0"); + obj = new DependencyVersion("2"); + expResult = false; + result = instance.equals(obj); + assertEquals(expResult, result); + + obj = new DependencyVersion("2.0"); + expResult = true; + result = instance.equals(obj); + assertEquals(expResult, result); + + } /** diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index c1fe6aa74..fd7232551 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -40,6 +40,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. 3.4 + + 3.1 + diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java deleted file mode 100644 index f1ab7b953..000000000 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java +++ /dev/null 
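Review bot: The new assertions compare `2.0.0` against `2` and `2.0` in one direction only, so they neither check symmetry nor expose that `2` still equals `2.0` while `2.0.0` no longer equals `2`. Add the reversed and the missing pair in the file's existing style, e.g. `assertEquals(false, new DependencyVersion("2").equals(instance));` and `assertEquals(true, new DependencyVersion("2").equals(new DependencyVersion("2.0")));`, so the non-transitive behaviour introduced in `DependencyVersion.equals` is at least pinned and visible. The test method itself starts before this hunk.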
@@ -1,335 +0,0 @@ -/* - * This file is part of dependency-check-ant. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved. - */ -package org.owasp.dependencycheck.maven.slf4j; - -import org.apache.maven.plugin.logging.Log; -import org.slf4j.helpers.MarkerIgnoringBase; -import org.slf4j.helpers.MessageFormatter; - -/** - * Created on 6/14/15. - * - * @author colezlaw - */ -public class MavenLoggerAdapter extends MarkerIgnoringBase { - - /** - * A reference to the Maven log. - */ - private final Log log; - - /** - * Creates a new Maven Logger Adapter. - * - * @param log the Maven log - */ - public MavenLoggerAdapter(Log log) { - super(); - this.log = log; - } - - /** - * Returns true if trace is enabled. 
- * - * @return whether or not trace is enabled - */ - @Override - public boolean isTraceEnabled() { - if (log != null) { - return log.isDebugEnabled(); - } - return true; - } - - @Override - public void trace(String msg) { - if (log != null) { - log.debug(msg); - } else { - System.out.println(msg); - } - } - - @Override - public void trace(String format, Object arg) { - final String message = MessageFormatter.format(format, arg).getMessage(); - if (log != null) { - log.debug(message); - } else { - System.out.println(message); - } - } - - @Override - public void trace(String format, Object arg1, Object arg2) { - final String message = MessageFormatter.format(format, arg1, arg2).getMessage(); - if (log != null) { - log.debug(message); - } else { - System.out.println(message); - } - } - - @Override - public void trace(String format, Object... arguments) { - final String message = MessageFormatter.format(format, arguments).getMessage(); - if (log != null) { - log.debug(message); - } else { - System.out.println(message); - } - } - - @Override - public void trace(String msg, Throwable t) { - if (log != null) { - log.debug(msg, t); - } else { - System.out.println(msg); - t.printStackTrace(); - } - } - - @Override - public boolean isDebugEnabled() { - if (log != null) { - return log.isDebugEnabled(); - } - return true; - } - - @Override - public void debug(String msg) { - if (log != null) { - log.debug(msg); - } else { - System.out.println(msg); - } - } - - @Override - public void debug(String format, Object arg) { - final String message = MessageFormatter.format(format, arg).getMessage(); - if (log != null) { - log.debug(message); - } else { - System.out.println(message); - } - } - - @Override - public void debug(String format, Object arg1, Object arg2) { - final String message = MessageFormatter.format(format, arg1, arg2).getMessage(); - if (log != null) { - log.debug(message); - } else { - System.out.println(message); - } - } - - @Override - public void debug(String 
format, Object... arguments) { - final String message = MessageFormatter.format(format, arguments).getMessage(); - if (log != null) { - log.debug(message); - } else { - System.out.println(message); - } - } - - @Override - public void debug(String msg, Throwable t) { - if (log != null) { - log.debug(msg, t); - } else { - System.out.println(msg); - t.printStackTrace(); - } - } - - @Override - public boolean isInfoEnabled() { - if (log != null) { - return log.isInfoEnabled(); - } - return true; - } - - @Override - public void info(String msg) { - if (log != null) { - log.info(msg); - } else { - System.out.println(msg); - } - } - - @Override - public void info(String format, Object arg) { - final String message = MessageFormatter.format(format, arg).getMessage(); - if (log != null) { - log.info(message); - } else { - System.out.println(message); - } - } - - @Override - public void info(String format, Object arg1, Object arg2) { - final String message = MessageFormatter.format(format, arg1, arg2).getMessage(); - if (log != null) { - log.info(message); - } else { - System.out.println(message); - } - } - - @Override - public void info(String format, Object... 
arguments) { - final String message = MessageFormatter.format(format, arguments).getMessage(); - if (log != null) { - log.info(message); - } else { - System.out.println(message); - } - } - - @Override - public void info(String msg, Throwable t) { - if (log != null) { - log.info(msg, t); - } else { - System.out.println(msg); - t.printStackTrace(); - } - } - - @Override - public boolean isWarnEnabled() { - if (log != null) { - return log.isWarnEnabled(); - } - return true; - } - - @Override - public void warn(String msg) { - if (log != null) { - log.warn(msg); - } else { - System.out.println(msg); - } - } - - @Override - public void warn(String format, Object arg) { - final String message = MessageFormatter.format(format, arg).getMessage(); - if (log != null) { - log.warn(message); - } else { - System.out.println(message); - } - } - - @Override - public void warn(String format, Object arg1, Object arg2) { - final String message = MessageFormatter.format(format, arg1, arg2).getMessage(); - if (log != null) { - log.warn(message); - } else { - System.out.println(message); - } - } - - @Override - public void warn(String format, Object... 
arguments) { - final String message = MessageFormatter.format(format, arguments).getMessage(); - if (log != null) { - log.warn(message); - } else { - System.out.println(message); - } - } - - @Override - public void warn(String msg, Throwable t) { - if (log != null) { - log.warn(msg, t); - } else { - System.out.println(msg); - t.printStackTrace(); - } - } - - @Override - public boolean isErrorEnabled() { - if (log != null) { - return log.isErrorEnabled(); - } - return true; - } - - @Override - public void error(String msg) { - if (log != null) { - log.error(msg); - } else { - System.out.println(msg); - } - } - - @Override - public void error(String format, Object arg) { - final String message = MessageFormatter.format(format, arg).getMessage(); - if (log != null) { - log.error(message); - } else { - System.out.println(message); - } - } - - @Override - public void error(String format, Object arg1, Object arg2) { - final String message = MessageFormatter.format(format, arg1, arg2).getMessage(); - if (log != null) { - log.error(message); - } else { - System.out.println(message); - } - } - - @Override - public void error(String format, Object... arguments) { - final String message = MessageFormatter.format(format, arguments).getMessage(); - if (log != null) { - log.error(message); - } else { - System.out.println(message); - } - } - - @Override - public void error(String msg, Throwable t) { - if (log != null) { - log.error(msg, t); - } else { - System.out.println(msg); - t.printStackTrace(); - } - } -} diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java deleted file mode 100644 index 639952939..000000000 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java +++ /dev/null 
@@ -1,56 +0,0 @@ -/* - * This file is part of dependency-check-ant. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved. - */ -package org.owasp.dependencycheck.maven.slf4j; - -import org.apache.maven.plugin.logging.Log; -import org.slf4j.ILoggerFactory; -import org.slf4j.Logger; - -/** - * Created on 6/14/15. - * - * @author colezlaw - */ -public class MavenLoggerFactory implements ILoggerFactory { - - /** - * A reference to the Maven log adapter. - */ - private final MavenLoggerAdapter mavenLoggerAdapter; - - /** - * Constructs a new logger factory. - * - * @param log a reference to the Maven log - */ - public MavenLoggerFactory(Log log) { - super(); - this.mavenLoggerAdapter = new MavenLoggerAdapter(log); - } - - /** - * Returns the Maven Logger Adapter. - * - * @param name ignored in this implementation - * @return the maven logger adapter - */ - @Override - public Logger getLogger(String name) { - return mavenLoggerAdapter; - } -} diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/package-info.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/package-info.java deleted file mode 100644 index ea82c377b..000000000 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/package-info.java +++ /dev/null 
@@ -1,4 +0,0 @@ -/** - * This package contains the the slf4j adapter that wraps the maven logger. - */ -package org.owasp.dependencycheck.maven.slf4j; diff --git a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java deleted file mode 100644 index af66c7ee3..000000000 --- a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java +++ /dev/null 
@@ -1,113 +0,0 @@ -/* - * This file is part of dependency-check-ant. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved. - */ -package org.slf4j.impl; - -import org.apache.maven.plugin.logging.Log; -import org.owasp.dependencycheck.maven.slf4j.MavenLoggerFactory; -import org.slf4j.ILoggerFactory; -import org.slf4j.spi.LoggerFactoryBinder; - -/** - * The binding of org.slf4j.LoggerFactory class with an actual instance of - * org.slf4j.ILoggerFactory is performed using information returned by this - * class. - * - * @author colezlaw - */ -//CSOFF: FinalClass -public class StaticLoggerBinder implements LoggerFactoryBinder { -//CSON: FinalClass - - /** - * The unique instance of this class - */ - private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder(); - - /** - * Return the singleton of this class. - * - * @return the StaticLoggerBinder singleton - */ - public static final StaticLoggerBinder getSingleton() { - return SINGLETON; - } - - /** - * Maven mojos have their own logger, so we'll use one of those. - */ - private Log log = null; - - /** - * Set the Task which will this is to log through. - * - * @param log the task through which to log - */ - public void setLog(Log log) { - this.log = log; - loggerFactory = new MavenLoggerFactory(log); - } - - /** - * Declare the version of the SLF4J API this implementation is compiled - * against. 
The value of this filed is usually modified with each release. - */ - // to avoid constant folding by the compiler, this field must *not* be final - //CSOFF: StaticVariableName - //CSOFF: VisibilityModifier - public static String REQUESTED_API_VERSION = "1.7.12"; // final - //CSON: VisibilityModifier - //CSON: StaticVariableName - - /** - * The logger factory class string. - */ - private static final String LOGGER_FACTORY_CLASS = MavenLoggerFactory.class.getName(); - - /** - * The ILoggerFactory instance returned by the {@link #getLoggerFactory} - * method should always be the same object - */ - private ILoggerFactory loggerFactory; - - /** - * Constructs the static logger factory. - */ - private StaticLoggerBinder() { - loggerFactory = new MavenLoggerFactory(log); - } - - /** - * Returns the logger factory. - * - * @return the logger factory - */ - @Override - public ILoggerFactory getLoggerFactory() { - return loggerFactory; - } - - /** - * Returns the logger factory class string. - * - * @return the logger factory class string - */ - @Override - public String getLoggerFactoryClassStr() { - return LOGGER_FACTORY_CLASS; - } -} diff --git a/dependency-check-maven/src/main/java/org/slf4j/impl/package-info.java b/dependency-check-maven/src/main/java/org/slf4j/impl/package-info.java deleted file mode 100644 index cf998d0da..000000000 --- a/dependency-check-maven/src/main/java/org/slf4j/impl/package-info.java +++ /dev/null @@ -1,4 +0,0 @@ -/** - * This package contains the static binder for the slf4j-maven logger. - */ -package org.slf4j.impl; diff --git a/pom.xml b/pom.xml index c44d75cd0..ccdc75fc9 100644 --- a/pom.xml +++ b/pom.xml @@ -149,7 +149,7 @@ Copyright (c) 2012 - Jeremy Long - 3.0 + 3.1