@@ -144,7 +148,7 @@ public class CveDB {
*/
private CallableStatement insertSoftware = null;
/**
- * insert vulnerability - parameters (cveid, description)
+ * insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
*/
private CallableStatement insertVulnerability = null;
/**
@@ -269,6 +273,15 @@ public class CveDB {
vuln = new Vulnerability();
vuln.setName(cve);
vuln.setDescription(rsV.getString(2));
+ vuln.setCwe(rsV.getString(3));
+ vuln.setCvssScore(rsV.getFloat(4));
+ vuln.setCvssAccessVector(rsV.getString(5));
+ vuln.setCvssAccessComplexity(rsV.getString(6));
+ vuln.setCvssAuthentication(rsV.getString(7));
+ vuln.setCvssConfidentialityImpact(rsV.getString(8));
+ vuln.setCvssIntegrityImpact(rsV.getString(9));
+ vuln.setCvssAvailabilityImpact(rsV.getString(10));
+
selectReferences.setString(1, cve);
rsR = selectReferences.executeQuery();
while (rsR.next()) {
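Review bot: `rsV.getFloat(4)` returns 0.0f when the stored score column is SQL NULL, so a vulnerability saved without a CVSS score comes back indistinguishable from one scored 0.0, and because `Vulnerability.cvssScore` is a primitive float the caller cannot tell the two apart. At minimum check `rsV.wasNull()` after the read, e.g. `final float score = rsV.getFloat(4);` followed by `if (!rsV.wasNull()) { vuln.setCvssScore(score); }`, so the unset case is at least explicit at the read site. The write side in the next hunk (`insertVulnerability.setFloat(4, vuln.getCvssScore())`) has the same ambiguity, persisting 0.0 for a vulnerability whose score was never parsed. The enclosing method starts and ends outside this hunk.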
@@ -333,6 +346,14 @@ public class CveDB {
insertVulnerability.setString(1, vuln.getName());
insertVulnerability.setString(2, vuln.getDescription());
+ insertVulnerability.setString(3, vuln.getCwe());
+ insertVulnerability.setFloat(4, vuln.getCvssScore());
+ insertVulnerability.setString(5, vuln.getCvssAccessVector());
+ insertVulnerability.setString(6, vuln.getCvssAccessComplexity());
+ insertVulnerability.setString(7, vuln.getCvssAuthentication());
+ insertVulnerability.setString(8, vuln.getCvssConfidentialityImpact());
+ insertVulnerability.setString(9, vuln.getCvssIntegrityImpact());
+ insertVulnerability.setString(10, vuln.getCvssAvailabilityImpact());
insertVulnerability.execute();
insertReference.setString(1, vuln.getName());
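Review bot: The parameter positions 3–10 are now spelled out three times on this page — in the `insertVulnerability` Javadoc, in the read after `rsV.getString(2)`, and here — with nothing tying them together, so a reordering of the stored procedure's parameters would only show up at runtime. A small set of named index constants used by both the read and the write (e.g. `private static final int COL_CWE = 3;`), or one comment on the field giving the ordinal-to-column mapping, would make the coupling visible. Whether the driver in use accepts `setString(3, null)` for a missing CWE is not visible here; `setNull(3, Types.VARCHAR)` is the portable form if that matters. The enclosing method starts and ends outside this hunk.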
diff --git a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
index ea4282fd4..500de60de 100644
--- a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
@@ -77,7 +77,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
/**
* The current version of the database
*/
- public static final String DATABASE_VERSION = "2.0";
+ public static final String DATABASE_VERSION = "2.1";
/**
* Downloads the latest NVD CVE XML file from the web and imports it into
diff --git a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
index 21b327bb1..11fe26204 100644
--- a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
@@ -21,6 +21,8 @@ package org.codesecure.dependencycheck.data.nvdcve.xml;
import java.io.IOException;
import java.util.List;
import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
import org.apache.lucene.index.CorruptIndexException;
import org.codesecure.dependencycheck.data.cpe.Index;
import org.codesecure.dependencycheck.data.nvdcve.CveDB;
@@ -75,6 +77,22 @@ public class NvdCve20Handler extends DefaultHandler {
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
+ } else if (current.isVulnCWENode()) {
+ vulnerability.setCwe(attributes.getValue("id"));
+ } else if (current.isCVSSScoreNode()) {
+ nodeText = new StringBuilder(5);
+ } else if (current.isCVSSAccessVectorNode()) {
+ nodeText = new StringBuilder(20);
+ } else if (current.isCVSSAccessComplexityNode()) {
+ nodeText = new StringBuilder(20);
+ } else if (current.isCVSSAuthenticationNode()) {
+ nodeText = new StringBuilder(20);
+ } else if (current.isCVSSAvailabilityImpactNode()) {
+ nodeText = new StringBuilder(20);
+ } else if (current.isCVSSConfidentialityImpactNode()) {
+ nodeText = new StringBuilder(20);
+ } else if (current.isCVSSIntegrityImpactNode()) {
+ nodeText = new StringBuilder(20);
}
}
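Review bot: Seven of the new branches after the schema-version check do the same thing (`nodeText = new StringBuilder(20);`) and differ only in the predicate, which makes the chain longer than it needs to be and easy to get wrong when the next CVSS element is added. Collapsing them into one branch, `} else if (current.isCVSSAccessVectorNode() || current.isCVSSAccessComplexityNode() || current.isCVSSAuthenticationNode() || current.isCVSSAvailabilityImpactNode() || current.isCVSSConfidentialityImpactNode() || current.isCVSSIntegrityImpactNode()) { nodeText = new StringBuilder(20); }`, keeps the per-element distinction in `endElement` only, where it is actually needed. `attributes.getValue("id")` yields null when the `vuln:cwe` element carries no `id`, and that null flows straight into `setCwe`; a comment such as `// null when the feed element has no id attribute` on that line would record that this is intended. The enclosing method starts and ends outside this hunk.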
@@ -101,6 +119,32 @@ public class NvdCve20Handler extends DefaultHandler {
}
}
vulnerability = null;
+ } else if (current.isCVSSScoreNode()) {
+ try {
+ float score = Float.parseFloat(nodeText.toString());
+ vulnerability.setCvssScore(score);
+ } catch (NumberFormatException ex) {
+ Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
+ }
+ nodeText = null;
+ } else if (current.isCVSSAccessVectorNode()) {
+ vulnerability.setCvssAccessVector(nodeText.toString());
+ nodeText = null;
+ } else if (current.isCVSSAccessComplexityNode()) {
+ vulnerability.setCvssAccessComplexity(nodeText.toString());
+ nodeText = null;
+ } else if (current.isCVSSAuthenticationNode()) {
+ vulnerability.setCvssAuthentication(nodeText.toString());
+ nodeText = null;
+ } else if (current.isCVSSAvailabilityImpactNode()) {
+ vulnerability.setCvssAvailabilityImpact(nodeText.toString());
+ nodeText = null;
+ } else if (current.isCVSSConfidentialityImpactNode()) {
+ vulnerability.setCvssConfidentialityImpact(nodeText.toString());
+ nodeText = null;
+ } else if (current.isCVSSIntegrityImpactNode()) {
+ vulnerability.setCvssIntegrityImpact(nodeText.toString());
+ nodeText = null;
} else if (current.isVulnProductNode()) {
String cpe = nodeText.toString();
if (cpe.startsWith("cpe:/a:")) {
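Review bot: When `Float.parseFloat` throws in the `isCVSSScoreNode` branch, the failure is logged with a null message and processing continues with `cvssScore` left at its default 0.0f, so a feed entry whose score text was unparseable is persisted and reported as if it scored 0.0, and the log line gives a maintainer nothing to locate the entry with. Include the offending text and the CVE in the message, e.g. `Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.WARNING, "Unable to parse CVSS score ''{0}'' for {1}", new Object[]{nodeText, vulnerability.getName()});`. Consider whether an unparseable score should leave the vulnerability unscored rather than scored 0.0; with a primitive `float` field that cannot be expressed, which is worth a comment on the catch block. The hunk ends inside the `else if` chain, whose enclosing method starts and ends outside this hunk.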
@@ -217,6 +261,40 @@ public class NvdCve20Handler extends DefaultHandler {
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_SUMMARY = "vuln:summary";
+
+ /**
+ * A node type in the NVD CVE Schema 2.0
+ */
+ public static final String VULN_CWE = "vuln:cwe";
+ /**
+ * A node type in the NVD CVE Schema 2.0
+ */
+ public static final String CVSS_SCORE = "cvss:score";
+ /**
+ * A node type in the NVD CVE Schema 2.0
+ */
+ public static final String CVSS_ACCESS_VECTOR = "cvss:access-vector";
+ /**
+ * A node type in the NVD CVE Schema 2.0
+ */
+ public static final String CVSS_ACCESS_COMPLEXITY = "cvss:access-complexity";
+ /**
+ * A node type in the NVD CVE Schema 2.0
+ */
+ public static final String CVSS_AUTHENTICATION = "cvss:authentication";
+ /**
+ * A node type in the NVD CVE Schema 2.0
+ */
+ public static final String CVSS_CONFIDENTIALITY_IMPACT = "cvss:confidentiality-impact";
+ /**
+ * A node type in the NVD CVE Schema 2.0
+ */
+ public static final String CVSS_INTEGRITY_IMPACT = "cvss:integrity-impact";
+ /**
+ * A node type in the NVD CVE Schema 2.0
+ */
+ public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
+
private String node = null;
/**
@@ -299,6 +377,72 @@ public class NvdCve20Handler extends DefaultHandler {
public boolean isVulnSummaryNode() {
return VULN_SUMMARY.equals(node);
}
+
+ /**
+ * Checks if the handler is at the VULN_CWE node
+ *
+ * @return true or false
+ */
+ public boolean isVulnCWENode() {
+ return VULN_CWE.equals(node);
+ }
+ /**
+ * Checks if the handler is at the CVSS_SCORE node
+ *
+ * @return true or false
+ */
+ public boolean isCVSSScoreNode() {
+ return CVSS_SCORE.equals(node);
+ }
+ /**
+ * Checks if the handler is at the CVSS_ACCESS_VECTOR node
+ *
+ * @return true or false
+ */
+ public boolean isCVSSAccessVectorNode() {
+ return CVSS_ACCESS_VECTOR.equals(node);
+ }
+ /**
+ * Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
+ *
+ * @return true or false
+ */
+ public boolean isCVSSAccessComplexityNode() {
+ return CVSS_ACCESS_COMPLEXITY.equals(node);
+ }
+ /**
+ * Checks if the handler is at the CVSS_AUTHENTICATION node
+ *
+ * @return true or false
+ */
+ public boolean isCVSSAuthenticationNode() {
+ return CVSS_AUTHENTICATION.equals(node);
+ }
+ /**
+ * Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
+ *
+ * @return true or false
+ */
+ public boolean isCVSSConfidentialityImpactNode() {
+ return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
+ }
+ /**
+ * Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
+ *
+ * @return true or false
+ */
+ public boolean isCVSSIntegrityImpactNode() {
+ return CVSS_INTEGRITY_IMPACT.equals(node);
+ }
+ /**
+ * Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
+ *
+ * @return true or false
+ */
+ public boolean isCVSSAvailabilityImpactNode() {
+ return CVSS_AVAILABILITY_IMPACT.equals(node);
+ }
+
}
//
}
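Review bot: The Javadoc `@return true or false` on each of the eight new `is…Node` predicates says nothing the signature does not; state the condition instead, e.g. for `isCVSSScoreNode`: `@return {@code true} if the current node is {@code cvss:score}, otherwise {@code false}`, and likewise for the others. The `CVSS`/`CWE` acronyms are upper-cased inside these method names (`isCVSSScoreNode`, `isVulnCWENode`) while the accessors added to `Vulnerability` in the same commit treat them as words (`setCvssScore`, `setCwe`); renaming to `isCvssScoreNode`/`isVulnCweNode` would make the commit consistent with itself, though it touches the call sites in `startElement` and `endElement`. The hunk closes the nested class and then the outer class.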
diff --git a/src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java b/src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java
index 918b6c3f7..18a8c5cbe 100644
--- a/src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java
+++ b/src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java
@@ -142,7 +142,6 @@ public class Vulnerability implements Serializable {
this.vulnerableSoftware = vulnerableSoftware;
}
-
/**
* Adds an entry for vulnerable software
* @param cpe string representation of a CPE entry
@@ -178,6 +177,182 @@ public class Vulnerability implements Serializable {
}
return vulnerableSoftware.add(vulnSoftware);
}
+ /**
+ * The CWE for the vulnerability
+ */
+ protected String cwe;
+
+ /**
+ * Get the value of cwe
+ *
+ * @return the value of cwe
+ */
+ public String getCwe() {
+ return cwe;
+ }
+
+ /**
+ * Set the value of cwe
+ *
+ * @param cwe new value of cwe
+ */
+ public void setCwe(String cwe) {
+ this.cwe = cwe;
+ }
+ /**
+ * CVSS Score
+ */
+ protected float cvssScore;
+
+ /**
+ * Get the value of cvssScore
+ *
+ * @return the value of cvssScore
+ */
+ public float getCvssScore() {
+ return cvssScore;
+ }
+
+ /**
+ * Set the value of cvssScore
+ *
+ * @param cvssScore new value of cvssScore
+ */
+ public void setCvssScore(float cvssScore) {
+ this.cvssScore = cvssScore;
+ }
+ /**
+ * CVSS Access Vector
+ */
+ protected String cvssAccessVector;
+
+ /**
+ * Get the value of cvssAccessVector
+ *
+ * @return the value of cvssAccessVector
+ */
+ public String getCvssAccessVector() {
+ return cvssAccessVector;
+ }
+
+ /**
+ * Set the value of cvssAccessVector
+ *
+ * @param cvssAccessVector new value of cvssAccessVector
+ */
+ public void setCvssAccessVector(String cvssAccessVector) {
+ this.cvssAccessVector = cvssAccessVector;
+ }
+ /**
+ * CVSS Access Complexity
+ */
+ protected String cvssAccessComplexity;
+
+ /**
+ * Get the value of cvssAccessComplexity
+ *
+ * @return the value of cvssAccessComplexity
+ */
+ public String getCvssAccessComplexity() {
+ return cvssAccessComplexity;
+ }
+
+ /**
+ * Set the value of cvssAccessComplexity
+ *
+ * @param cvssAccessComplexity new value of cvssAccessComplexity
+ */
+ public void setCvssAccessComplexity(String cvssAccessComplexity) {
+ this.cvssAccessComplexity = cvssAccessComplexity;
+ }
+ /**
+ * CVSS Authentication
+ */
+ protected String cvssAuthentication;
+
+ /**
+ * Get the value of cvssAuthentication
+ *
+ * @return the value of cvssAuthentication
+ */
+ public String getCvssAuthentication() {
+ return cvssAuthentication;
+ }
+
+ /**
+ * Set the value of cvssAuthentication
+ *
+ * @param cvssAuthentication new value of cvssAuthentication
+ */
+ public void setCvssAuthentication(String cvssAuthentication) {
+ this.cvssAuthentication = cvssAuthentication;
+ }
+ /**
+ * CVSS Confidentiality Impact
+ */
+ protected String cvssConfidentialityImpact;
+
+ /**
+ * Get the value of cvssConfidentialityImpact
+ *
+ * @return the value of cvssConfidentialityImpact
+ */
+ public String getCvssConfidentialityImpact() {
+ return cvssConfidentialityImpact;
+ }
+
+ /**
+ * Set the value of cvssConfidentialityImpact
+ *
+ * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
+ */
+ public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
+ this.cvssConfidentialityImpact = cvssConfidentialityImpact;
+ }
+ /**
+ * CVSS Integrity Impact
+ */
+ protected String cvssIntegrityImpact;
+
+ /**
+ * Get the value of cvssIntegrityImpact
+ *
+ * @return the value of cvssIntegrityImpact
+ */
+ public String getCvssIntegrityImpact() {
+ return cvssIntegrityImpact;
+ }
+
+ /**
+ * Set the value of cvssIntegrityImpact
+ *
+ * @param cvssIntegrityImpact new value of cvssIntegrityImpact
+ */
+ public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
+ this.cvssIntegrityImpact = cvssIntegrityImpact;
+ }
+ /**
+ * CVSS Availability Impact
+ */
+ protected String cvssAvailabilityImpact;
+
+ /**
+ * Get the value of cvssAvailabilityImpact
+ *
+ * @return the value of cvssAvailabilityImpact
+ */
+ public String getCvssAvailabilityImpact() {
+ return cvssAvailabilityImpact;
+ }
+
+ /**
+ * Set the value of cvssAvailabilityImpact
+ *
+ * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
+ */
+ public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
+ this.cvssAvailabilityImpact = cvssAvailabilityImpact;
+ }
@Override
public boolean equals(Object obj) {
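Review bot: The Javadoc on the new accessors is boilerplate (`Get the value of cwe`) and leaves the meaning of the values undocumented; from the handler in this commit, `cwe` is the `id` attribute of the feed's `vuln:cwe` element and `cvssScore` the parsed `cvss:score`, and that is what a reader of `Vulnerability` needs to know. `cvssScore` is a primitive `float`, so an entry that never received a score reads as 0.0; the field comment should say so, e.g. `/** CVSS base score as parsed from the feed; 0.0 when no score was parsed for this entry */`, because a consumer of the report could otherwise take it for a genuinely low score. The eight fields are declared `protected` and interleaved with their accessors rather than grouped with the class's other fields; `private`, with the fields together, would match the minimal-accessibility convention. `equals` begins on the line after the hunk and is not shown, so whether it should account for the new fields cannot be judged here.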
diff --git a/src/main/resources/templates/HtmlReport.vsl b/src/main/resources/templates/HtmlReport.vsl
index a727f7a7d..c36d88673 100644
--- a/src/main/resources/templates/HtmlReport.vsl
+++ b/src/main/resources/templates/HtmlReport.vsl
@@ -48,12 +48,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
$(header).addClass("expandablesubsection");
$(header).removeClass("collaspablesubsection");
}
-
+
});
});