Lots of updates, incorporated nvd cve data.

Former-commit-id: d54b2964cf11776521ee7114f536c8c3d9e14028
jeremylong
2012-10-23 14:57:50 -04:00
parent 65700a5a08
commit 2f9b1f6314
156 changed files with 12925 additions and 194795 deletions


@@ -1,3 +1,4 @@
org.codesecure.dependencycheck.analyzer.JarAnalyzer
org.codesecure.dependencycheck.analyzer.FileNameAnalyzer
org.codesecure.dependencycheck.data.cpe.CPEAnalyzer
org.codesecure.dependencycheck.data.cpe.CPEAnalyzer
org.codesecure.dependencycheck.data.nvdcve.NvdCveAnalyzer


@@ -0,0 +1,2 @@
org.codesecure.dependencycheck.data.nvdcve.Index
org.codesecure.dependencycheck.data.cpe.Index


@@ -1,7 +1,34 @@
application.name=${pom.name}
application.version=${pom.version}
# the path to the lucene index to store the cpe data
cpe=data/cpe
# the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
# the path to the cpe meta data file.
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
# the path to the lucene index to store the nvd cve data
cve=data/cve
# the path to the nvd cve "meta" page where the timestamps for the last update files can be found.
cve.url.meta=http://nvd.nist.gov/download.cfm
# the path to the modified nvd cve xml file.
cve.url.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
# the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe.
cve.url.modified.validfordays=7
# the number of cve.urls
cve.url.count=11
# the paths to the various nvd cve files.
cve.url.1=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml
cve.url.2=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2003.xml
cve.url.3=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2004.xml
cve.url.4=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2005.xml
cve.url.5=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2006.xml
cve.url.6=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2007.xml
cve.url.7=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2008.xml
cve.url.8=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2009.xml
cve.url.9=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2010.xml
cve.url.10=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2011.xml
cve.url.11=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2012.xml
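Review bot: Every feed location added here (`cpe.url`, `cpe.meta.url`, `cve.url.meta`, `cve.url.modified` and `cve.url.1` to `cve.url.11`) uses plain `http://`, so the data that decides which dependencies get flagged is downloaded with no transport integrity, and anyone on the network path could alter or drop entries unnoticed. If the NVD hosts serve these paths over TLS, switch the scheme, for example `cve.url.modified=https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml`. Otherwise the downloader should verify each file against a digest obtained through a separate trusted channel before indexing it. Separately, `cve.url.count=11` with one hard-coded entry per year stops at 2012, so a comment such as `# add a cve.url.N entry and bump cve.url.count when NVD publishes a new yearly feed` would keep later years from being silently left out of the index.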


@@ -0,0 +1,156 @@
<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema targetNamespace="http://cpe.mitre.org/dictionary/2.0" xmlns:cpe_dict="http://cpe.mitre.org/dictionary/2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xml="http://www.w3.org/XML/1998/namespace" elementFormDefault="qualified" attributeFormDefault="unqualified">
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<xsd:annotation>
<xsd:documentation xml:lang="en">This is an XML Schema for the CPE Dictionary. It is used to transfer a collection of official CPE Names along with any necessary supporting information (title, references, automated check, etc.). For more information, consult the CPE Specification document.</xsd:documentation>
<xsd:appinfo>
<schema>CPE Dictionary</schema>
<author>Neal Ziring, Andrew Buttner</author>
<version>2.2</version>
<date>03/11/2009 09:00:00 AM</date>
</xsd:appinfo>
</xsd:annotation>
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<xsd:element name="cpe-list" type="cpe_dict:ListType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The cpe-list element acts as a top-level container for CPE Name items. Each individual item must be unique. Please refer to the description of ListType for additional information about the sturcture of this element.</xsd:documentation>
</xsd:annotation>
<xsd:key name="itemURIKey">
<xsd:selector xpath="./cpe_dict:cpe-item"/>
<xsd:field xpath="@name"/>
</xsd:key>
</xsd:element>
<xsd:element name="cpe-item" type="cpe_dict:ItemType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The cpe-item element denotes a single CPE Name. Please refer to the description of ItemType for additional information about the sturcture of this element.</xsd:documentation>
</xsd:annotation>
<xsd:unique name="titleLangKey">
<xsd:selector xpath="./cpe_dict:title"/>
<xsd:field xpath="@xml:lang"/>
</xsd:unique>
<xsd:unique name="notesLangKey">
<xsd:selector xpath="./cpe_dict:notes"/>
<xsd:field xpath="@xml:lang"/>
</xsd:unique>
<xsd:unique name="checkSystemKey">
<xsd:selector xpath="./cpe_dict:check"/>
<xsd:field xpath="@system"/>
</xsd:unique>
</xsd:element>
<!-- =============================================================================== -->
<!-- ============================= SUPPORTING TYPES ============================== -->
<!-- =============================================================================== -->
<xsd:complexType name="GeneratorType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The GeneratorType complex type defines an element that is used to hold information about when a particular document was compiled, what version of the schema was used, what tool compiled the document, and what version of that tools was used. Additional generator information is also allowed although it is not part of the official schema. Individual organizations can place generator information that they feel are important and these will be skipped during the validation. All that this schema really cares about is that the stated generator information is there.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="product_name" type="xsd:string" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation xml:lang="en">The optional product_name element specifies the name of the application used to generate the file.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="product_version" type="xsd:string" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation xml:lang="en">The optional product_version element specifies the version of the application used to generate the file.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="schema_version" type="xsd:decimal" minOccurs="1" maxOccurs="1">
<xsd:annotation>
<xsd:documentation xml:lang="en">The required schema_version element specifies the version of the schema that the document has been written against and that should be used for validation.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="timestamp" type="xsd:dateTime" minOccurs="1" maxOccurs="1">
<xsd:annotation>
<xsd:documentation xml:lang="en">The required timestamp element specifies when the particular document was compiled. The format for the timestamp is yyyy-mm-ddThh:mm:ss. Note that the timestamp element does not specify item in the document was created or modified but rather when the actual XML document that contains the items was created. For example, a document might pull a bunch of existing items together, each of which having been created at some point in the past. The timestamp in this case would be when this combined document was created.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="ItemType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The ItemType complex type defines an element that represents a single CPE Name. The required name attribute is a URI which must be a unique key and should follow the URI structure outlined in the CPE Specification. The optional title element is used to provide a human-readable title for the platform. To support uses intended for multiple languages, this element supports the xml:lang attribute. At most one title element can appear for each language. The notes element holds optional descriptive material. Multiple notes elements are allowed, but only one per language should be used. Note that the language associated with the notes element applies to all child note elements. The optional references element holds external info references. The optional check element is used to call out an OVAL Definition that can confirm or reject an IT system as an instance of the named platform. Additional elements not part of the CPE namespace are allowed and are just skipped by validation. In essence, a dictionary file can contain additional information the a user can choose to use or not, but this information is not required to be used or understood.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="title" type="cpe_dict:TextType" minOccurs="1" maxOccurs="unbounded"/>
<xsd:element name="notes" type="cpe_dict:NotesType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="references" type="cpe_dict:ReferencesType" minOccurs="0" maxOccurs="1"/>
<xsd:element name="check" type="cpe_dict:CheckType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
</xsd:sequence>
<xsd:attribute name="name" type="cpe_dict:namePattern" use="required"/>
<xsd:attribute name="deprecated" type="xsd:boolean" use="optional" default="false"/>
<xsd:attribute name="deprecated_by" type="cpe_dict:namePattern" use="optional"/>
<xsd:attribute name="deprecation_date" type="xsd:dateTime" use="optional"/>
</xsd:complexType>
<xsd:complexType name="ListType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The ListType complex type defines an element that is used to hold a collection of individual items. The required generator section provides information about when the definition file was compiled and under what version. Additional elements not part of the CPE namespace are allowed and are just skipped by validation. In essence, a dictionary file can contain additional information the a user can choose to use or not, but this information is not required to be used or understood.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="generator" type="cpe_dict:GeneratorType" minOccurs="0" maxOccurs="1"/>
<xsd:element ref="cpe_dict:cpe-item" minOccurs="1" maxOccurs="unbounded"/>
<xsd:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="TextType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The TextType complex type allows the xml:lang attribute to associate a specific language with an element's string content.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute ref="xml:lang"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="NotesType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The notesType complex type defines an element that consists of one or more child note elements. It is assumed that each of these note elements are representative of the same language as defined by their parent.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="note" type="xsd:string" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute ref="xml:lang"/>
</xsd:complexType>
<xsd:complexType name="ReferencesType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The ReferencesType complex type defines an element used to hold a collection of individual references. Each reference consists of a piece of text (intended to be human-readable) and a URI (intended to be a URL, and point to a real resource) and is used to point to extra descriptive material, for example a supplier's web site or platform documentation.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="reference" minOccurs="1" maxOccurs="unbounded">
<xsd:complexType>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute name="href" type="xsd:anyURI"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="CheckType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The CheckType complex type is used to define an element for hold information about an individual check. It includes a checking system specification URI, string content, and an optional external file reference. The checking system specification should be the URI for a particular version of OVAL or a related system testing language, and the content will be an identifier of a test written in that language. The external file reference could be used to point to the file in which the content test identifier is defined.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute name="system" type="xsd:anyURI" use="required"/>
<xsd:attribute name="href" type="xsd:anyURI" use="optional"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- ================================ ID PATTERNS ================================ -->
<!-- =============================================================================== -->
<xsd:simpleType name="namePattern">
<xsd:annotation>
<xsd:documentation xml:lang="en">Define the format for acceptable CPE Names. A URN format is used with the id starting with the word cpe followed by :/ and then some number of individual components separated by colons.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:anyURI">
<xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:schema>


@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<jxb:bindings version="2.1"
xmlns:jxb="http://java.sun.com/xml/ns/jaxb"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
jxb:extensionBindingPrefixes="xjc">
<jxb:globalBindings>
<xjc:simple/>
</jxb:globalBindings>
<jxb:bindings schemaLocation="cpe-language_2.1.xsd">
<jxb:bindings node="//xs:complexType[@name='TextType']">
<jxb:class name="TextType1"/>
</jxb:bindings>
</jxb:bindings>
<jxb:bindings schemaLocation="scap-core_0.1.xsd">
<jxb:bindings node="//xs:complexType[@name='textType']">
<jxb:class name="TextType2"/>
</jxb:bindings>
</jxb:bindings>
</jxb:bindings>
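Review bot: Compiling `cpe-language_2.1.xsd` through the first `schemaLocation` binding will presumably make xjc fetch `http://www.w3.org/2001/xml.xsd` on every build, because the CPE Language schema added in this commit imports it by remote location. That ties code generation to network availability and lets whatever answers that plain-HTTP request influence the generated classes. Shipping a local copy of `xml.xsd` and resolving it through an XML catalog passed to xjc avoids both; whether the build already does this is not visible on this page. A short comment above the two `jxb:class` entries saying why `TextType` and `textType` are renamed to `TextType1` and `TextType2` (presumably a clash between generated class names) would also help the next maintainer.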


@@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: Version 0-3 NetD
== Package: cce
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/cce/0.1"
xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1"
targetNamespace="http://scap.nist.gov/schema/cce/0.1"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.1">
<xsd:annotation>
<xsd:documentation>CCE is at an early phase of adoption. This schema is a work in progress and is far from
final. Additional work with using CCEs in a practical setting is required.</xsd:documentation>
</xsd:annotation>
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<xsd:simpleType name="cceNamePatternType">
<xsd:annotation>
<xsd:documentation>The format for a CCE name is CCE-NNNNNNNNNNN, where NNNNNNNNNNN is a sequence number.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:pattern value="CCE-[1-9]\d{0,10}"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CCE -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cceType">
<xsd:sequence>
<xsd:element name="definition" type="xsd:string" minOccurs="0"/>
<xsd:element name="parameter" type="cceParameterType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="technical-mechanisms" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="references" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="id" type="cceNamePatternType" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CCE_Parameter -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cceParameterType">
<xsd:sequence>
<xsd:element name="value" type="xsd:string" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="identifier" type="xsd:token">
<xsd:annotation>
<xsd:documentation>TODO: What does this identify?</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="operator" type="xsd:token">
<xsd:annotation>
<xsd:documentation>TODO: should this be an enumeration?</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
</xsd:schema>


@@ -0,0 +1,101 @@
<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema targetNamespace="http://cpe.mitre.org/language/2.0" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xml="http://www.w3.org/XML/1998/namespace" elementFormDefault="qualified" attributeFormDefault="unqualified">
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<xsd:annotation>
<xsd:documentation xml:lang="en">This XML Schema defines the CPE Language. An individual CPE Name addresses a single part of an actual system. To identify more complex platform types, there needs to be a way to combine different CPE Names using logical operators. For example, there may be a need to identify a platform with a particular operating system AND a certain application. The CPE Language exists to satisfy this need, enabling the CPE Name for the operating system to be combined with the CPE Name for the application. For more information, consult the CPE Specification document.</xsd:documentation>
<xsd:appinfo>
<schema>CPE Language</schema>
<author>Neal Ziring, Andrew Buttner</author>
<version>2.1</version>
<date>01/31/2008 09:00:00 AM</date>
</xsd:appinfo>
</xsd:annotation>
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<xsd:element name="platform-specification">
<xsd:annotation>
<xsd:documentation xml:lang="en">This element is the root element of a CPE Language XML documents and therefore acts as a container for child platform definitions.</xsd:documentation>
</xsd:annotation>
<xsd:complexType>
<xsd:sequence>
<xsd:element name="platform" type="cpe:PlatformType" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
<xsd:key name="platformKey">
<xsd:selector xpath="cpe:platform"/>
<xsd:field xpath="@id"/>
</xsd:key>
</xsd:element>
<xsd:element name="logical-test" type="cpe:LogicalTestType"/>
<!-- =============================================================================== -->
<!-- ================================== PLATFORM ================================= -->
<!-- =============================================================================== -->
<xsd:complexType name="PlatformType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The platform element represents the description or qualifications of a particular IT platform type. The platform is defined by the logical-test child element. The id attribute holds a locally unique name for the platform. There is no defined format for this id, it just has to be unique to the containing language document.</xsd:documentation>
<xsd:documentation xml:lang="en">The optional title element may appear as a child to a platform element. It provides a human-readable title for it. To support uses intended for multiple languages, this element supports the xml:lang attribute. At most one title element can appear for each language.</xsd:documentation>
<xsd:documentation xml:lang="en">The optional remark element may appear as a child of a platform element. It provides some additional description. Zero or more remark elements may appear. To support uses intended for multiple languages, this element supports the xml:lang attribute. There can be multiple remarks for a single language.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="title" type="cpe:TextType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="remark" type="cpe:TextType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="logical-test" type="cpe:LogicalTestType" minOccurs="1" maxOccurs="1"/>
</xsd:sequence>
<xsd:attribute name="id" type="xsd:anyURI" use="required"/>
</xsd:complexType>
<xsd:complexType name="LogicalTestType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The logical-test element appears as a child of a platform element, and may also be nested to create more complex logical tests. The content consists of one or more elements: fact-ref, and logical-test children are permitted. The operator to be applied, and optional negation of the test, are given as attributes.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="logical-test" type="cpe:LogicalTestType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="fact-ref" type="cpe:FactRefType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="operator" type="cpe:operatorEnumeration" use="required"/>
<xsd:attribute name="negate" type="xsd:boolean" use="required"/>
</xsd:complexType>
<xsd:complexType name="FactRefType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The fact-ref element appears as a child of a logical-test element. It is simply a reference to a CPE Name that always evaluates to a Boolean result.</xsd:documentation>
</xsd:annotation>
<xsd:attribute name="name" type="cpe:namePattern" use="required"/>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- =============================== ENUMERATIONS ================================ -->
<!-- =============================================================================== -->
<xsd:simpleType name="operatorEnumeration">
<xsd:annotation>
<xsd:documentation xml:lang="en">The OperatorEnumeration simple type defines acceptable operators. Each operator defines how to evaluate multiple arguments.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:string">
<xsd:enumeration value="AND"/>
<xsd:enumeration value="OR"/>
</xsd:restriction>
</xsd:simpleType>
<!-- =============================================================================== -->
<!-- ============================== SUPPORTING TYPES ============================== -->
<!-- =============================================================================== -->
<xsd:complexType name="TextType">
<xsd:annotation>
<xsd:documentation xml:lang="en">This type allows the xml:lang attribute to associate a specific language with an element's string content.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute ref="xml:lang"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- ================================ ID PATTERNS ================================ -->
<!-- =============================================================================== -->
<xsd:simpleType name="namePattern">
<xsd:annotation>
<xsd:documentation xml:lang="en">Define the format for acceptable CPE Names. A URN format is used with the id starting with the word cpe followed by :/ and then some number of individual components separated by colons.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:anyURI">
<xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:schema>


@@ -0,0 +1,70 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: Version 0-3 NetD
== Package: cve
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/cve/0.1"
xmlns:scap_core="http://scap.nist.gov/schema/scap-core/0.1"
targetNamespace="http://scap.nist.gov/schema/cve/0.1"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.1">
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CVE_Name_Type <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="cveNamePatternType">
<xsd:annotation>
<xsd:documentation>Format for CVE Names is CVE-YYYY-NNNN, where YYYY is the year of publication and NNNN is a sequence number.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:pattern value="CVE-([1,2])\d{3}-\d{4}"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CVE_Status <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="cveStatus">
<xsd:annotation>
<xsd:documentation>Enumeration containing valid values for CVE status: Candidate, Entry, and Deprecated</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:enumeration value="CANDIDATE"/>
<xsd:enumeration value="ENTRY"/>
<xsd:enumeration value="DEPRECATED"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CVE -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cveType">
<xsd:sequence>
<xsd:element name="status" type="cveStatus" minOccurs="0">
<xsd:annotation>
<xsd:documentation>Status of Vulnerability -- Candidate, Entry, Deprecated</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="description" type="xsd:string" minOccurs="0">
<xsd:annotation>
<xsd:documentation>Free text field to describe the vulnerability</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="references" type="scap_core:referenceType" maxOccurs="unbounded" minOccurs="0">
<xsd:annotation>
<xsd:documentation>Discretionary information and links relevant to a given vulnerability referenced by the CVE</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="id" type="cveNamePatternType" use="required">
<xsd:annotation>
<xsd:documentation>CVE name in the CVE-YYYY-NNNN format</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
</xsd:schema>


@@ -0,0 +1,386 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Package: cvss-v2
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/cvss-v2/0.2"
targetNamespace="http://scap.nist.gov/schema/cvss-v2/0.2"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.2">
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Zero_To_Ten <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>Value restriction to single decimal values from 0.0 to 10.0, as used in CVSS scores</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:decimal">
<xsd:minInclusive value="0"/>
<xsd:maxInclusive value="10"/>
<xsd:fractionDigits value="1"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ================================================== -->
<!-- ===== Group Definitions -->
<!-- ================================================== -->
<xsd:group name="baseVectorsGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="access-vector" type="accessVectorType"/>
<xsd:element minOccurs="0" name="access-complexity" type="accessComplexityType"/>
<xsd:element minOccurs="0" name="authentication" type="authenticationType"/>
<xsd:element minOccurs="0" name="confidentiality-impact" type="ciaType"/>
<xsd:element minOccurs="0" name="integrity-impact" type="ciaType"/>
<xsd:element minOccurs="0" name="availability-impact" type="ciaType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="environmentalVectorsGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="collateral-damage-potential" type="collateralDamagePotentialType"/>
<xsd:element minOccurs="0" name="target-distribution" type="targetDistributionType"/>
<xsd:element minOccurs="0" name="confidentiality-requirement" type="ciaRequirementType"/>
<xsd:element minOccurs="0" name="integrity-requirement" type="ciaRequirementType"/>
<xsd:element minOccurs="0" name="availability-requirement" type="ciaRequirementType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="temporalVectorsGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="exploitability" type="exploitabilityType"/>
<xsd:element minOccurs="0" name="remediation-level" type="remediationLevelType"/>
<xsd:element minOccurs="0" name="report-confidence" type="confidenceType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="baseVectorsCriteriaGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="access-vector" type="accessVectorEnumType"/>
<xsd:element minOccurs="0" name="access-complexity" type="accessComplexityEnumType"/>
<xsd:element minOccurs="0" name="authentication" type="authenticationEnumType"/>
<xsd:element minOccurs="0" name="confidentiality-impact" type="ciaEnumType"/>
<xsd:element minOccurs="0" name="integrity-impact" type="ciaEnumType"/>
<xsd:element minOccurs="0" name="availability-impact" type="ciaEnumType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="environmentalVectorsCriteriaGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="collateral-damage-potential" type="collateralDamagePotentialEnumType"/>
<xsd:element minOccurs="0" name="target-distribution" type="targetDistributionEnumType"/>
<xsd:element minOccurs="0" name="confidentiality-requirement" type="ciaRequirementEnumType"/>
<xsd:element minOccurs="0" name="integrity-requirement" type="ciaRequirementEnumType"/>
<xsd:element minOccurs="0" name="availability-requirement" type="ciaRequirementEnumType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="temporalVectorsCriteriaGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="exploitability" type="exploitabilityEnumType"/>
<xsd:element minOccurs="0" name="remediation-level" type="remediationLevelEnumType"/>
<xsd:element minOccurs="0" name="report-confidence" type="confidenceEnumType"/>
</xsd:sequence>
</xsd:group>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<xsd:attributeGroup name="vectorAttributeGroup">
<xsd:attribute name="approximated" type="xsd:boolean" default="false">
<xsd:annotation>
<xsd:documentation>Indicates if the vector has been approximated as the result of an upgrade from a previous CVSS version</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:attributeGroup>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- HML_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="accessComplexityEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="MEDIUM"/>
<xsd:enumeration value="LOW"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="accessComplexityType">
<xsd:simpleContent>
<xsd:extension base="accessComplexityEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- LAN_Enumerations <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="accessVectorEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="LOCAL"/>
<xsd:enumeration value="ADJACENT_NETWORK"/>
<xsd:enumeration value="NETWORK"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="accessVectorType">
<xsd:simpleContent>
<xsd:extension base="accessVectorEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- LMHN_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="ciaRequirementEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="LOW"/>
<xsd:enumeration value="MEDIUM"/>
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="ciaRequirementType">
<xsd:simpleContent>
<xsd:extension base="ciaRequirementEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- NLLMMHHN_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="collateralDamagePotentialEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="NONE"/>
<xsd:enumeration value="LOW"/>
<xsd:enumeration value="LOW_MEDIUM"/>
<xsd:enumeration value="MEDIUM_HIGH"/>
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="collateralDamagePotentialType">
<xsd:simpleContent>
<xsd:extension base="collateralDamagePotentialEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- NLMHN_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="targetDistributionEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="NONE"/>
<xsd:enumeration value="LOW"/>
<xsd:enumeration value="MEDIUM"/>
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="targetDistributionType">
<xsd:simpleContent>
<xsd:extension base="targetDistributionEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- NPC_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="ciaEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="NONE"/>
<xsd:enumeration value="PARTIAL"/>
<xsd:enumeration value="COMPLETE"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="ciaType">
<xsd:simpleContent>
<xsd:extension base="ciaEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- NSM_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="authenticationEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="MULTIPLE_INSTANCES"/>
<xsd:enumeration value="SINGLE_INSTANCE"/>
<xsd:enumeration value="NONE"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="authenticationType">
<xsd:simpleContent>
<xsd:extension base="authenticationEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- OTWU_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="remediationLevelEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="OFFICIAL_FIX"/>
<xsd:enumeration value="TEMPORARY_FIX"/>
<xsd:enumeration value="WORKAROUND"/>
<xsd:enumeration value="UNAVAILABLE"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="remediationLevelType">
<xsd:simpleContent>
<xsd:extension base="remediationLevelEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- UUCN_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="confidenceEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="UNCONFIRMED"/>
<xsd:enumeration value="UNCORROBORATED"/>
<xsd:enumeration value="CONFIRMED"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="confidenceType">
<xsd:simpleContent>
<xsd:extension base="confidenceEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- UPFH_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="exploitabilityEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="UNPROVEN"/>
<xsd:enumeration value="PROOF_OF_CONCEPT"/>
<xsd:enumeration value="FUNCTIONAL"/>
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="exploitabilityType">
<xsd:simpleContent>
<xsd:extension base="exploitabilityEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="metricsType" abstract="true">
<xsd:annotation>
<xsd:documentation>Base type for metrics that defines common attributes of all metrics.</xsd:documentation>
</xsd:annotation>
<xsd:attribute name="upgraded-from-version" type="xsd:decimal">
<xsd:annotation>
<xsd:documentation>Indicates if the metrics have been upgraded from a previous version of CVSS. If fields that were approximated will have an approximated attribute set to 'true'.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CVSS_V2 -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cvssType">
<xsd:annotation>
<xsd:documentation>"This schema was intentionally designed to avoid mixing classes and attributes between CVSS version 1, CVSS version 2, and future versions. Scores in the CVSS system are interdependent. The temporal score is a multiplier of the base score. The environmental score, in turn, is a multiplier of the temporal score. The ability to transfer these scores independently is provided on the assumption that the user understands the business logic. For any given metric, it is preferred that the score, as a minimum is provided, however the score can be re-created from the metrics or the multiplier and any scores they are dependent on."</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element minOccurs="0" maxOccurs="unbounded" name="base_metrics" type="baseMetricsType"/>
<xsd:element minOccurs="0" maxOccurs="unbounded" name="environmental_metrics" type="environmentalMetricsType"/>
<xsd:element minOccurs="0" maxOccurs="unbounded" name="temporal_metrics" type="temporalMetricsType"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="cvssImpactType">
<xsd:complexContent>
<xsd:restriction base="cvssType">
<xsd:sequence>
<xsd:element minOccurs="1" maxOccurs="1" name="base_metrics" type="baseMetricsType"/>
<xsd:element minOccurs="0" maxOccurs="1" name="environmental_metrics" type="environmentalMetricsType"/>
<xsd:element minOccurs="0" maxOccurs="1" name="temporal_metrics" type="temporalMetricsType"/>
</xsd:sequence>
</xsd:restriction>
</xsd:complexContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Base_Metrics -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="baseMetricsType">
<xsd:complexContent mixed="false">
<xsd:extension base="metricsType">
<xsd:sequence>
<xsd:element minOccurs="0" name="score" type="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>Base severity score assigned to a vulnerability by a source</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="exploit-subscore" type="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>Base exploit sub-score assigned to a vulnerability by a source</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="impact-subscore" type="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>Base impact sub-score assigned to a vulnerability by a source</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:group ref="baseVectorsGroup"/>
<xsd:element name="source" type="xsd:anyURI">
<xsd:annotation>
<xsd:documentation>Data source the vector was obtained from. Example: http://nvd.nist.gov or com.symantec.deepsight</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="generated-on-datetime" type="xsd:dateTime"/>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Environmental_Metrics -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="environmentalMetricsType">
<xsd:complexContent mixed="false">
<xsd:extension base="metricsType">
<xsd:sequence>
<xsd:element minOccurs="0" name="score" type="zeroToTenDecimalType"/>
<xsd:group ref="environmentalVectorsGroup"/>
<xsd:element name="source" type="xsd:anyURI">
<xsd:annotation>
<xsd:documentation>Data source the vector was obtained from. Example: gov.nist.nvd or com.symantec.deepsight</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="generated-on-datetime" type="xsd:dateTime"/>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Temporal_Metrics -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="temporalMetricsType">
<xsd:complexContent mixed="false">
<xsd:extension base="metricsType">
<xsd:sequence>
<xsd:element minOccurs="0" name="score" type="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>The temporal score is the temporal multiplier times the base score.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="temporal-multiplier" type="xsd:decimal">
<xsd:annotation>
<xsd:documentation>The temporal multiplier is a number between zero and one. Reference the CVSS standard for computation.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:group ref="temporalVectorsGroup"/>
<xsd:element name="source" type="xsd:anyURI"/>
<xsd:element name="generated-on-datetime" type="xsd:dateTime"/>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:schema>


@@ -0,0 +1,18 @@
if not "%JAVA_HOME%" == "" goto JAVA_HOME_DEFINED
:NO_JAVA_HOME
set XJC=xjc.exe
goto LAUNCH
:JAVA_HOME_DEFINED
set XJC="%JAVA_HOME%\bin\xjc.exe"
goto LAUNCH
:LAUNCH
%XJC% -extension -d ..\..\..\java -b "bindings.xml" -p "org.codesecure.dependencycheck.data.nvdcve.generated" -mark-generated "nvd-cve-feed_2.0.xsd"
echo --------------------------------------------------------------
echo IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
echo You must add the following annotation to the VulnerabilityType
echo @XmlRootElement(name = "vulnerabilityType", namespace = "http://scap.nist.gov/schema/vulnerability/0.4")
echo --------------------------------------------------------------
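Review bot: The reminder banner is printed even when xjc fails or is not found, because nothing checks the exit status after the `%XJC%` line, so a failed generation looks like one that only needs the manual annotation. Adding `if errorlevel 1 exit /b 1` directly after the `%XJC%` call would stop before the banner. The hand-added `@XmlRootElement` is presumably lost whenever the classes are regenerated, so a comment in the script would help: `rem Generated sources are overwritten; re-apply the VulnerabilityType annotation after every run.`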


@@ -0,0 +1,16 @@
#!/bin/sh
if [ -n "$JAVA_HOME" ]
then
XJC="$JAVA_HOME/bin/xjc.exe"
else
XJC=xjc.exe
fi
exec "$XJC" -extension -d ../../../java -b "bindings.xml" -p "org.codesecure.dependencycheck.data.nvdcve.generated" -mark-generated "nvd-cve-feed_2.0.xsd"
echo '--------------------------------------------------------------'
echo 'IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'
echo 'You must add the following annotation to the VulnerabilityType'
echo '@XmlRootElement(name = "vulnerabilityType", namespace = "http://scap.nist.gov/schema/vulnerability/0.4")'
echo '--------------------------------------------------------------'
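Review bot: The `exec` on the xjc line replaces the shell process with xjc, so the five `echo` lines after it never run and the reminder about adding `@XmlRootElement` to VulnerabilityType is never shown. Dropping `exec` and running `"$XJC" -extension -d ../../../java -b "bindings.xml" -p "org.codesecure.dependencycheck.data.nvdcve.generated" -mark-generated "nvd-cve-feed_2.0.xsd" || exit 1` keeps the reminder and still stops on a failed generation. Both branches also name `xjc.exe`, which looks carried over from the batch script; a JDK on a Unix host normally ships the tool as `xjc`, so this is worth confirming.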


@@ -0,0 +1,57 @@
<?xml version="1.0"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
targetNamespace="http://scap.nist.gov/schema/feed/vulnerability/2.0"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="2.0">
<xsd:import namespace="http://scap.nist.gov/schema/vulnerability/0.4" schemaLocation="vulnerability_0.4.xsd"/>
<xsd:annotation>
<xsd:documentation>TODO: address distributed with for APP->OS resolution</xsd:documentation>
<xsd:documentation>This schema defines the structure of the National
Vulnerability Database XML feed files version: 1.2. The elements and
attribute in this document are described by xsd:annotation tags. This
file is kept at http://nvd.nist.gov/schema/nvdcve.xsd. The NVD XML
feeds are available at http://nvd.nist.gov/download.cfm.
Release Notes:
Version 2.0:
* Redesign of the feed to integrate with the new vulnerability data
model schema.
Version 1.2:
* CVSS version 2 scores and vectors have been added. Please see
http://nvd.nist.gov/cvss.cfm?vectorinfo and
http://www.first.org/cvss/cvss-guide.html for more information on
how to interpret this data. </xsd:documentation>
</xsd:annotation>
<xsd:element name="nvd">
<xsd:annotation>
<xsd:documentation>The root element of the NVD CVE feed. Multiple "entry" child elements describe specific NVD CVE entries.</xsd:documentation>
</xsd:annotation>
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="entry" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>A CVE entry.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="nvd_xml_version" type="xsd:decimal" use="required">
<xsd:annotation>
<xsd:documentation>The schema version number supported by the feed.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="pub_date" type="xsd:dateTime" use="required">
<xsd:annotation>
<xsd:documentation>The date the feed was generated.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
</xsd:element>
<xsd:element name="entry" type="vuln:vulnerabilityType">
<xsd:annotation>
<xsd:documentation>A CVE entry.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:schema>


@@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Generated by hyperModel (www.XMLmodeling.com) Mon Jan 07 09:36:55 EST 2008
== Model: MITRE CPE 2.1
== Package: patch_2.1
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/patch/0.1"
xmlns:scap_core="http://scap.nist.gov/schema/scap-core/0.1"
targetNamespace="http://scap.nist.gov/schema/patch/0.1"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.1">
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<!-- ================================================== -->
<!-- ===== Element Declarations -->
<!-- ================================================== -->
<xsd:element name="patch" type="patchType"/>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- patch -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="patchType">
<xsd:sequence>
<xsd:element name="title" type="scap_core:textType" minOccurs="0">
<xsd:annotation>
<xsd:documentation>Human-formatted title for the patch. If none given, then duplicate of the name.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="references" minOccurs="0">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="reference" type="scap_core:referenceType" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="notes" type="scap_core:notesType" maxOccurs="unbounded" minOccurs="0"/>
<xsd:element name="check" type="scap_core:checkReferenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="supersedes" type="patchType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Patches that superceded by the referenced patch.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="superseded-by" type="patchType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Patches that supersede the patch comprising the current XML document.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="identifier" type="xsd:double" use="required">
<xsd:annotation>
<xsd:documentation>Identifier unique within the XML document for the given patch.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="name" type="xsd:string" use="required">
<xsd:annotation>
<xsd:documentation>Vendor supplied name for the patch. Will use lower case and underscores for spaces, consistent with CPE naming conventions.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="superseded" type="xsd:boolean" use="required">
<xsd:annotation>
<xsd:documentation>Boolean value. True of patch is superseded. False if not.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="deprecated" type="xsd:boolean">
<xsd:annotation>
<xsd:documentation>Indicates that a patch should not be used -- regardless of supersession.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
</xsd:schema>


@@ -0,0 +1,139 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: MITRE CPE 2.1
== Package: scap-core_0.1
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/scap-core/0.1"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
targetNamespace="http://scap.nist.gov/schema/scap-core/0.1"
elementFormDefault="qualified"
attributeFormDefault="unqualified"
version="0.1">
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- check <<complexType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="checkReferenceType">
<xsd:annotation>
<xsd:documentation xml:lang="en">Data type for the check element, a checking system specification URI, string content, and an optional external file reference. The checking system specification should be the URI for a particular version of OVAL or a related system testing language, and the content will be an identifier of a test written in that language. The external file reference could be used to point to the file in which the content test identifier is defined.</xsd:documentation>
</xsd:annotation>
<xsd:attribute name="system" type="xsd:anyURI" use="required"/>
<xsd:attribute name="href" type="xsd:anyURI" use="required"/>
<xsd:attribute name="name" type="xsd:token" use="optional"/>
</xsd:complexType>
<xsd:complexType name="checkSearchType">
<xsd:attribute name="system" type="xsd:anyURI" use="required"/>
<xsd:attribute name="name" type="xsd:token" use="optional"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- notes -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="notesType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The notesType defines an element that consists of one or more child note elements. It is assumed that each of these note elements are representative of the same language as defined by their parent.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element maxOccurs="unbounded" name="note" type="textType"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- reference <<complexType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="referenceType">
<xsd:annotation>
<xsd:documentation xml:lang="en">Type for a reference in the description of a CPE item. This would normally be used to point to extra descriptive material, or the supplier's web site, or the platform documentation. It consists of a piece of text (intended to be human-readable) and a URI (intended to be a URL, and point to a real resource).</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="textType">
<xsd:attribute name="href" type="xsd:anyURI"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- tag -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="tagType">
<xsd:attribute name="name" type="xsd:token" use="required"/>
<xsd:attribute name="value" type="xsd:token" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- text <<complexType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="textType">
<xsd:annotation>
<xsd:documentation xml:lang="en">This type allows the xml:lang attribute to associate a specific language with an element's string content.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute ref="xml:lang"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<xsd:group name="cpeReferenceGroup">
<xsd:choice>
<xsd:element name="cpe-name" type="cpeNamePatternType"/>
<xsd:element name="cpe-searchable-name" type="cpeSearchableNamePatternType"/>
</xsd:choice>
</xsd:group>
<xsd:complexType name="searchableCpeReferencesType">
<xsd:sequence>
<xsd:group ref="cpeReferenceGroup" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- ================================ ID PATTERNS ================================ -->
<!-- =============================================================================== -->
<xsd:simpleType name="cpeNamePatternType">
<xsd:annotation>
<xsd:documentation xml:lang="en">Define the format for acceptable CPE Names. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'def', and ending with an integer.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:anyURI">
<xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~]*){0,6}"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="cpeSearchableNamePatternType">
<xsd:annotation>
<xsd:documentation xml:lang="en">Define the format for acceptable
searchableCPE Names. The URI escaped code '%25' may be used
to represent the character '%' which will be interpreted as a
wildcard.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:anyURI">
<xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~*]*){0,6}"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="cpeComponentPatternType">
<xsd:annotation>
<xsd:documentation>The name pattern of a CPE component.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:pattern value="[A-Za-z0-9\._\-~]*"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="cpePartComponentPatternType">
<xsd:annotation>
<xsd:documentation>The name pattern of the CPE part component.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="cpeComponentPatternType">
<xsd:pattern value="[hoaHOA]"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="cweNamePatternType">
<xsd:restriction base="xsd:token">
<xsd:pattern value="CWE-[1-9]\d{0,5}"></xsd:pattern>
</xsd:restriction>
</xsd:simpleType>
</xsd:schema>
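Review bot: The `xsd:import` for the XML namespace near the top of this schema uses `schemaLocation="http://www.w3.org/2001/xml.xsd"`, so any tool that resolves the hint fetches a schema over plain HTTP; that presumably includes the xjc scripts added in this commit, which reach this file through the import chain. Code generation then depends on network access and on unauthenticated content from outside the repository. Bundling a reviewed copy next to the other schemas and pointing at it, `<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>`, or resolving it through an XML catalog, keeps the build offline and reproducible. The same import appears in the header of the vulnerability schema that follows.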


@@ -0,0 +1,260 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: Version 0-4 NetD
== Package: vulnerability
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/vulnerability/0.4"
xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1"
xmlns:cve="http://scap.nist.gov/schema/cve/0.1"
xmlns:cce="http://scap.nist.gov/schema/cce/0.1"
xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/0.2"
xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
xmlns:patch="http://scap.nist.gov/schema/patch/0.1"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
targetNamespace="http://scap.nist.gov/schema/vulnerability/0.4"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.4">
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cve/0.1" schemaLocation="cve_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cce/0.1" schemaLocation="cce_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cvss-v2/0.2" schemaLocation="cvss-v2_0.2.xsd"/>
<xsd:import namespace="http://cpe.mitre.org/language/2.0" schemaLocation="cpe-language_2.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/patch/0.1" schemaLocation="patch_0.1.xsd"/>
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<!-- ================================================== -->
<!-- ===== Element Declarations -->
<!-- ================================================== -->
<xsd:element name="vulnerability" type="vulnerabilityType"/>
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action_Description_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="fixActionDescriptionEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PATCH"/>
<xsd:enumeration value="SOFTWARE_UPDATE"/>
<xsd:enumeration value="CONFIGURATION_CHANGE"/>
<xsd:enumeration value="POLICY_CHANGE"/>
<xsd:enumeration value="EXTERNAL_MITIGATION"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action_Type_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="fixActionTypeEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="MITIGATION"/>
<xsd:enumeration value="REMEDIATION"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Effectiveness_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="fixEffectivenessEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PARTIAL"/>
<xsd:enumeration value="COMPLETE"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability_Reference_Category_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="vulnerabilityReferenceCategoryEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PATCH"/>
<xsd:enumeration value="VENDOR_ADVISORY"/>
<xsd:enumeration value="THIRD_PARTY_ADVISORY"/>
<xsd:enumeration value="SIGNATURE_SOURCE"/>
<xsd:enumeration value="MITIGATION_PROCEDURE"/>
<xsd:enumeration value="TOOL_CONFIGURATION_DESCRIPTION"/>
<xsd:enumeration value="UNKNOWN"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Security_Protection -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="securityProtectionType">
<xsd:annotation>
<xsd:documentation>The security protection type</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:enumeration value="ALLOWS_ADMIN_ACCESS">
<xsd:annotation>
<xsd:documentation>gain administrative access</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="ALLOWS_USER_ACCESS">
<xsd:annotation>
<xsd:documentation>gain user access</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="ALLOWS_OTHER_ACCESS"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Associated_Exploit_Location -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="associatedExploitLocationType">
<xsd:sequence>
<xsd:element name="physical-access" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="voluntarily-interact" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="dialup" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="unknown" type="xsd:boolean" minOccurs="0" default="false"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="fixActionType">
<xsd:annotation>
<xsd:documentation>A single fix action should only cover a single patch application, software update, configuration change, or external fix. Dependencies should be documented by using the "next_fix_action" element to point to a recursive list of fix actions.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element ref="patch:patch" minOccurs="0"/>
<xsd:element name="configuration-remediation" type="vulnerabilityReferenceType" minOccurs="0"/>
<xsd:element name="software-update" type="scap-core:cpeNamePatternType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>CPE name of the software update package.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="notes" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="deprecated-by" type="scap-core:cpeNamePatternType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="next-fix-action" type="fixActionType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="fix-action-tool-configuration" type="toolConfigurationType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="applicable-configuration" type="cpe-lang:PlatformType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="effectiveness" type="fixEffectivenessEnumType" minOccurs="0">
<xsd:annotation>
<xsd:documentation>States whether the fix action fully avoids the risk associated with the vulnerability or reduces risk to some extent.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="applicable-check" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Describes or points to the check/test (either OVAL or other) that this particular fix action addresses. E.G. applying this fix will change the value of this test result.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="fix_action_description" type="fixActionDescriptionEnumType" use="required"/>
<xsd:attribute name="fix_action_type" type="fixActionTypeEnumType" use="required"/>
<xsd:attribute name="id" type="xsd:token" use="required">
<xsd:annotation>
<xsd:documentation>Unique value within the source. Will be used with the source element to serve as a global unique identifier.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="source" type="xsd:anyURI" use="required">
<xsd:annotation>
<xsd:documentation>Should be a URI-like -- e.g. inverted DNS address e.g mil.jtf-gno</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- OSVDB_Extension -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="osvdbExtensionType">
<xsd:sequence>
<xsd:element name="exploit-location" type="associatedExploitLocationType"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Tool_Configuration -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="toolConfigurationType">
<xsd:sequence>
<xsd:element name="name" type="scap-core:cpeNamePatternType" minOccurs="0">
<xsd:annotation>
<xsd:documentation>The CPE name of the scanning tool. A value must be supplied for this element. The CPE name can be used for a CPE from the NVD. The CPE title attribute can be used for internal naming conventions. (or both, if possible)</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="definition" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Defines required signature or policy definition that must be installed on the tool.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CWE Reference -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cweReferenceType">
<xsd:attribute name="id" type="scap-core:cweNamePatternType" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerable Software -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="vulnerableSoftwareType">
<xsd:sequence>
<xsd:element name="product" type="cpe-lang:namePattern" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="vulnerabilityType">
<xsd:annotation>
<xsd:documentation>TODO: Low priority: Add reference to notes type to allow analysts, vendor and other comments. Add source attribute. Maybe categorization?</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="osvdb-ext" type="osvdbExtensionType" minOccurs="0"/>
<xsd:element name="vulnerable-configuration" type="cpe-lang:PlatformType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="vulnerable-software-list" type="vulnerableSoftwareType" minOccurs="0"/>
<xsd:choice minOccurs="0">
<xsd:element name="cve-id" type="cve:cveNamePatternType"/>
<xsd:element name="cce-id" type="cce:cceNamePatternType"/>
</xsd:choice>
<xsd:element name="discovered-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="disclosure-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="exploit-publish-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="published-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="last-modified-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="cvss" type="cvssv2:cvssImpactType" minOccurs="0"/>
<xsd:element name="security-protection" type="securityProtectionType" minOccurs="0"/>
<xsd:element name="assessment_check" type="scap-core:checkReferenceType" maxOccurs="unbounded" minOccurs="0"/>
<xsd:element name="cwe" type="cweReferenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="references" type="vulnerabilityReferenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="fix_action" type="fixActionType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="scanner" type="toolConfigurationType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Denotes a scanner and required configuration that is capable of detecting the referenced vulnerability. May also be an OVAL definition and omit scanner name.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="summary" type="xsd:string" minOccurs="0"/>
<xsd:element name="technical_description" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="attack_scenario" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>This element should ultimately be held in a threat model.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="id" type="vulnerabilityIdType" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability_Reference -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="vulnerabilityReferenceType">
<xsd:annotation>
<xsd:documentation>TODO: revisit referenceType and textType</xsd:documentation>
<xsd:documentation>Extends the base "reference" class by adding the ability to specify which kind (within the vulnerability model) of reference it is. See "Vulnerability_Reference_Category_List" enumeration.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="source" type="xsd:string" minOccurs="0">
<xsd:annotation>
<xsd:documentation>TODO: determine purpose</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="reference" type="scap-core:referenceType"/>
<xsd:element minOccurs="0" name="notes" type="scap-core:notesType"/>
</xsd:sequence>
<xsd:attribute ref="xml:lang" use="optional" default="en"/>
<xsd:attribute name="reference_type" type="vulnerabilityReferenceCategoryEnumType" use="required"/>
<xsd:attribute name="deprecated" type="xsd:boolean"/>
</xsd:complexType>
<xsd:simpleType name="vulnerabilityIdType">
<xsd:restriction base="xsd:token"/>
</xsd:simpleType>
</xsd:schema>


@@ -374,7 +374,25 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#end
</ul>
#end
</div>
</div>
#if($dependency.getVulnerabilities().size()>0)
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader white">Published Vulnerabilities</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getVulnerabilities())
<p><b><a target="blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b></p>
<p>$esc.html($vuln.description)
#if ($vuln.getReferences().size()>0)
<ul>
#foreach($ref in $vuln.getReferences())
<li>$esc.html($ref.source) - <a target="blank" href="$esc.html($ref.url)">$ref.name</a></li>
#end
</ul>
#end
</p>
#end
</div>
#end
</div>
#end
</div>
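Review bot: `$ref.name` in the reference list item is written into the report unescaped, while every other vulnerability field in this hunk goes through `$esc.html(...)` or `$esc.url(...)`. The reference data presumably comes from the downloaded NVD CVE feed, so any markup in a reference name would be rendered as HTML in the generated report. The line should read `<li>$esc.html($ref.source) - <a target="_blank" rel="noopener noreferrer" href="$esc.html($ref.url)">$esc.html($ref.name)</a></li>`. That also corrects `target="blank"`, which names a window called "blank" rather than opening a new one; the same attribute on the `vulnId` link has the same problem. `$esc.html($ref.url)` stops attribute break-out but does not restrict the URL scheme, so the link should be rendered only when the URL starts with `http://` or `https://`. The enclosing `#if`/`#foreach` blocks start outside this hunk.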