github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #722 from jeremylong/falsepositives

Browse Source 
Fix False Positives
This commit is contained in:
Jeremy Long
2017-05-07 10:40:56 -04:00
committed by GitHub
parent c9a6bb4b16 fd0abd9066
commit 3677b5f429
4 changed files with 91 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -561,4 +561,36 @@
<gav regex="true">^org\.springframework\.boot:spring-boot-starter-data-jpa:.*$</gav>
<cve>CVE-2016-6652</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #699
]]></notes>
<gav regex="true">^com\.splunk:splunk:.*$</gav>
<cpe>cpe:/a:splunk:splunk</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #713
]]></notes>
<gav regex="true">^org\.openid4java:openid4java:.*$</gav>
<cpe>cpe:/a:openid:openid</cpe>
<cpe>cpe:/a:openid:openid4java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #700
]]></notes>
<gav regex="true">^org\.springframework\.cloud:spring-cloud-netflix-core:.*$</gav>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positive per issue #700
]]></notes>
<gav regex="true">^org\.springframework\.cloud:spring-cloud-.*$</gav>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:context_project:context</cpe>
</suppress>
</suppressions>

28
dependency-check-core/src/main/resources/templates/JsonReport.vsl
View File

@@ -156,20 +156,20 @@
#foreach($vuln in $dependency.getSuppressedVulnerabilities())#if($foreach.count > 1),#end {
"name": "$enc.json($vuln.name)",
"cvssScore": "$vuln.cvssScore",
"cvssAccessVector": "$enc.json"($vuln.cvssAccessVector),
"cvssAccessComplexity": "$enc.json"($vuln.cvssAccessComplexity),
"cvssAuthenticationr": "$enc.json"($vuln.cvssAuthentication),
"cvssConfidentialImpact": "$enc.json"($vuln.cvssConfidentialityImpact),
"cvssIntegrityImpact": "$enc.json"($vuln.cvssIntegrityImpact),
"cvssAvailabilityImpact": "$enc.json"($vuln.cvssAvailabilityImpact),
#if ($vuln.cvssScore<4.0) "severity": "Low",
#elseif ($vuln.cvssScore>=7.0) "severity": "High",
#else "severity": "Medium",
#end
#if ($vuln.cwe)"cwe": "$enc.json($vuln.cwe)",#end
"cvssAccessVector": "$enc.json($vuln.cvssAccessVector)",
"cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)",
"cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)",
"cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)",
"cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)",
"cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)",
#if ($vuln.cvssScore<4.0) "severity": "Low",
#elseif ($vuln.cvssScore>=7.0) "severity": "High",
#else "severity": "Medium",
#end
#if ($vuln.cwe)"cwe": "$enc.json($vuln.cwe)",#end
"description": "$enc.json($vuln.description)"
#if ($vuln.notes),"notes": "$enc.json($vuln.notes)"#end
,"references" [
,"references": [
#foreach($ref in $vuln.getReferences())
#if($foreach.count > 1),#end {
"source": "$enc.json($ref.source)",
@@ -181,14 +181,14 @@
"vulnerableSoftware": [
#foreach($vs in $vuln.getVulnerableSoftware())
#if($foreach.count > 1),#end {
#if($vs.hasPreviousVersion()) "allPreviousVersion": "true"#end,
#if($vs.hasPreviousVersion()) "allPreviousVersion": "true",#end
"name": "$enc.json($vs.name)"
}
#end
]
}
#end
}
]
#end
}

46
dependency-check-maven/src/it/false-positives/pom.xml
View File

@@ -22,6 +22,19 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
<artifactId>test-dataformat-jackson</artifactId>
<version>1.0.0-SNAPSHOT</version>
<packaging>jar</packaging>
<repositories>
<repository>
<id>redhat</id>
<name>redhat</name>
<url>https://maven.repository.redhat.com/ga/</url>
</repository>
<repository>
<id>spring</id>
<name>spring</name>
<url>http://repo.spring.io/plugins-release/</url>
</repository>
</repositories>
<dependencies>
<!-- False Positives from issue #642 -->
<dependency>
@@ -29,6 +42,37 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
<artifactId>spring-boot</artifactId>
<version>1.4.3.RELEASE</version>
</dependency>
<!-- end issue #642 -->
<!-- End Issue #642 -->
<!-- False Positives from issue #699 -->
<dependency>
<groupId>com.splunk</groupId>
<artifactId>splunk</artifactId>
<version>1.6.2.0</version>
</dependency>
<!-- End Issue #699 -->
<!-- False Positives from issue #700 -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-netflix-core</artifactId>
<version>1.2.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-commons</artifactId>
<version>1.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-context</artifactId>
<version>1.1.7.RELEASE</version>
</dependency>
<!-- End Issue #700 -->
<!-- False Positives from issue #713 -->
<dependency>
<groupId>org.openid4java</groupId>
<artifactId>openid4java</artifactId>
<version>0.9.7</version>
</dependency>
<!-- End Issue #713 -->
</dependencies>
</project>

10
dependency-check-maven/src/it/false-positives/postbuild.groovy
View File

@@ -20,16 +20,6 @@ import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import java.nio.charset.Charset;
// Save NVD-CVE for next IT (if not already done)
File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
if (datasDwl.exists() && !datasSave.exists()){
System.out.println("Save NVD-CVE into backup");
FileUtils.copyFile(datasDwl, datasSave);
}
// Check to see if jackson-dataformat-xml-2.4.5.jar was identified.
//TODO change this to xpath and check for CVE-2016-3720