merge owasp 1.4.1

dependency-check-core/src/main/resources/dependencycheck-base-hint.xml

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.0.xsd">
+	<hint>
+		<given>
+			<evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
+			<evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
+			<evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>
+		</given>
+		<add>
+			<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
+		</add>
+	</hint>
+	<hint>
+		<given>
+			<evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
+			<fileName contains="spring"/>	
+		</given>
+		<add>
+			<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
+		</add>
+	</hint>
+	<hint>
+		<given>
+			<evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
+		</given>
+		<add>
+			<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
+		</add>
+	</hint>
+	<hint>
+		<given>
+			<evidence type="product" source="Manifest" name="Bundle-Name" value="Spring Security Core" confidence="MEDIUM"/>
+			<evidence type="product" source="pom" name="artifactid" value="spring-security-core" confidence="HIGH"/>	
+		</given>
+		<add>
+			<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
+		</add>
+	</hint>
+	<hint>
+		<given>
+			<evidence type="vendor" source="composer.lock" name="vendor" value="symfony" confidence="HIGHEST"/>
+		</given>
+		<add>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="sensiolabs" confidence="HIGHEST"/>
+		</add>
+	</hint>		
+	<hint>
+		<given>
+			<evidence type="vendor" source="composer.lock" name="vendor" value="zendframework" confidence="HIGHEST"/>
+		</given>
+		<add>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="zend" confidence="HIGHEST"/>
+		</add>
+	</hint>	
+	<hint>
+		<given>
+			<evidence type="product" source="composer.lock" name="product" value="zendframework" confidence="HIGHEST"/>
+		</given>
+		<add>
+			<evidence type="vendor" source="hint analyzer" name="vendor" value="zend_framework" confidence="HIGHEST"/>
+		</add>
+	</hint>	
+	<vendorDuplicatingHint value="sun" duplicate="oracle"/>	
+	<vendorDuplicatingHint value="oracle" duplicate="sun"/>	
+</hints>

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -56,6 +56,13 @@
         <cpe>cpe:/a:oracle:glassfish</cpe>
         <cpe>cpe:/a:oracle:oracle_client</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Supresses false positives on jersey-apache-client4
+        ]]></notes>
+        <gav regex="true">com\.sun\.jersey\.contribs:jersey-apache-client.*</gav>
+        <cpe>cpe:/a:apache:httpclient</cpe>
+    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         Suppresses false positives on glassfish

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -59,6 +59,7 @@ cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cve.cpe.startswith.filter=cpe:/a:
 
 cpe.validfordays=30
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz

dependency-check-core/src/main/resources/schema/dependency-hint.1.0.xsd

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema id="hints"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           elementFormDefault="qualified"
+           targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.0.xsd"
+           xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.0.xsd">
+	   
+    <xs:simpleType name="type">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="vendor"/>
+            <xs:enumeration value="product"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="confidence">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="HIGHEST"/>
+            <xs:enumeration value="HIGH"/>
+            <xs:enumeration value="MEDIUM"/>
+            <xs:enumeration value="LOW"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:complexType name="evidence">
+        <xs:attribute name="type" use="required" type="dc:type"/>
+        <xs:attribute name="source" use="required" type="xs:string"/>
+        <xs:attribute name="name" use="required" type="xs:string"/>
+        <xs:attribute name="value" use="required" type="xs:string"/>
+        <xs:attribute name="confidence" use="required" type="dc:confidence"/>
+    </xs:complexType>
+    <xs:complexType name="fileName">
+        <xs:attribute name="contains" use="required" type="xs:string"/>
+        <xs:attribute name="regex" use="optional" type="xs:boolean" default="false"/>
+        <xs:attribute name="caseSensitive" use="optional" type="xs:boolean" default="false"/>
+    </xs:complexType>
+    <xs:complexType name="given">
+        <xs:choice minOccurs="1" maxOccurs="unbounded">
+            <xs:element name="evidence" type="dc:evidence"/>
+            <xs:element name="fileName" type="dc:fileName"/>
+        </xs:choice>
+    </xs:complexType>
+    <xs:complexType name="add">
+        <xs:sequence minOccurs="1" maxOccurs="unbounded">
+            <xs:element name="evidence" type="dc:evidence"/>
+        </xs:sequence>
+    </xs:complexType>	
+    <xs:complexType name="hint">
+        <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:element name="given" type="dc:given"/>
+            <xs:element name="add" type="dc:add"/>
+        </xs:sequence>
+    </xs:complexType>
+    <xs:complexType name="duplicatingHint">
+        <xs:attribute name="value" use="required" type="xs:string"/>
+        <xs:attribute name="duplicate" use="required" type="xs:string"/>
+    </xs:complexType>
+	
+    <xs:element name="hints">
+        <xs:complexType>
+            <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                    <xs:element name="hint" type="dc:hint"/>
+                </xs:sequence>
+                <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                    <xs:element name="vendorDuplicatingHint" type="dc:duplicatingHint"/>
+                </xs:sequence>
+            </xs:sequence>
+        </xs:complexType>
+    </xs:element>
+</xs:schema>

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -541,7 +541,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                     <ul class="indent">
                         <li><i>dependency-check version</i>: $version</li>
                         <li><i>Report Generated On</i>: $scanDate</li>
-                        <li><i>Dependencies Scanned</i>:&nbsp;$depCount</li>
+                        <li><i>Dependencies Scanned</i>:&nbsp;$depCount ($dependencies.size() unique)</li>
                         <li><i>Vulnerable Dependencies</i>:&nbsp;$vulnDepCount</li>
                         <li><i>Vulnerabilities Found</i>:&nbsp;$vulnCount</li>
                         <li><i>Vulnerabilities Suppressed</i>:&nbsp;$vulnSuppressedCount</li>
@@ -660,13 +660,13 @@ arising out of or in connection with the use of this tool, the analysis performe
                             <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
                             <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
                             #if ($dependency.projectReferences.size()==1)
-                                <br/><b>Referenced In Project:</b>
+                                <br/><b>Referenced In Project/Scope:</b>
                                 #foreach($ref in $dependency.projectReferences)
                                     $enc.html($ref)
                                 #end
                             #end
                             #if ($dependency.projectReferences.size()>1)
-                                <br/><b>Referenced In Projects:</b><ul>
+                                <br/><b>Referenced In Projects/Scopes:</b><ul>
                                 #foreach($ref in $dependency.projectReferences)
                                     <li>$enc.html($ref)</li>
                                 #end