Merge remote-tracking branch 'origin/master'
Former-commit-id: d3c49db24c64c2869257d1b3f9a8493e7925e7a7
@@ -628,6 +628,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<scope>provided</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.glassfish.jersey.core</groupId>
|
||||
<artifactId>jersey-client</artifactId>
|
||||
<version>2.12</version>
|
||||
<scope>provided</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<profiles>
|
||||
<profile>
|
||||
|
||||
@@ -114,7 +114,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|
||||
&& i.getValue() != null
|
||||
&& i.getValue().startsWith("cpe:/a:springsource:")
|
||||
&& !i.getValue().toLowerCase().contains(mustContain)) {
|
||||
dependency.getIdentifiers().remove(i);
|
||||
itr.remove();
|
||||
//dependency.getIdentifiers().remove(i);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
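Review bot: The commented-out line `//dependency.getIdentifiers().remove(i);` kept directly under the new `itr.remove();` should be deleted rather than left as dead code; the switch to removing through the iterator is presumably there to avoid modifying the identifier collection while it is being iterated, and a stale copy of the old call will only confuse the next reader. If the reason is worth recording, a why-comment on the live line does it: `itr.remove(); // remove via the iterator; the collection is being iterated`. The enclosing loop and method of FalsePositiveAnalyzer start and end outside the hunk.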
@@ -103,6 +103,12 @@ public class SuppressionHandler extends DefaultHandler {
|
||||
currentText = new StringBuffer();
|
||||
if (SUPPRESS.equals(qName)) {
|
||||
rule = new SuppressionRule();
|
||||
final String base = currentAttributes.getValue("base");
|
||||
if (base != null) {
|
||||
rule.setBase(Boolean.parseBoolean(base));
|
||||
} else {
|
||||
rule.setBase(false);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
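Review bot: The null check around `rule.setBase(Boolean.parseBoolean(base));` is redundant, since `Boolean.parseBoolean(null)` already returns false; the six lines collapse to `rule.setBase(Boolean.parseBoolean(currentAttributes.getValue("base")));`. More importantly, the schema hunk declares `base` as `xs:boolean`, which also admits `"1"` and `"0"`, whereas `Boolean.parseBoolean` treats anything other than a case-insensitive `"true"` as false, so a schema-valid `base="1"` is silently read as a non-base rule; either accept `"1"` explicitly or document the restriction with a comment such as `// only "true" (any case) is honoured; xs:boolean "1" is read as false`. The enclosing startElement method continues outside the hunk.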
@@ -266,6 +266,26 @@ public class SuppressionRule {
|
||||
return gav != null;
|
||||
}
|
||||
|
||||
private boolean base;
|
||||
|
||||
/**
|
||||
* Get the value of base
|
||||
*
|
||||
* @return the value of base
|
||||
*/
|
||||
public boolean isBase() {
|
||||
return base;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of base
|
||||
*
|
||||
* @param base new value of base
|
||||
*/
|
||||
public void setBase(boolean base) {
|
||||
this.base = base;
|
||||
}
|
||||
|
||||
/**
|
||||
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
|
||||
* should be, they are removed from the dependency.
|
||||
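Review bot: The Javadoc on `isBase()`/`setBase()` ("Get the value of base") does not say what a base rule is, which is the one thing a reader of SuppressionRule needs here. From the later hunks at @@ -300 and @@ -339, a rule with `base` set still removes the matched identifier or vulnerability from the dependency but skips `addSuppressedIdentifier`/`addSuppressedVulnerability`, so the suppression is not recorded on the dependency; I would put that on the field: `/** True for built-in (base) rules: matches are removed but not recorded as suppressed on the dependency, so they do not surface in the report as suppressions. */`, and have the getter/setter Javadoc refer to it. Also, `private boolean base;` is declared between two methods; grouping it with the class's other fields keeps the layout consistent with the rest of the file. The class continues outside the hunk.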
@@ -300,7 +320,9 @@ public class SuppressionRule {
|
||||
final Identifier i = itr.next();
|
||||
for (PropertyType c : this.cpe) {
|
||||
if (identifierMatches("cpe", c, i)) {
|
||||
dependency.addSuppressedIdentifier(i);
|
||||
if (!isBase()) {
|
||||
dependency.addSuppressedIdentifier(i);
|
||||
}
|
||||
itr.remove();
|
||||
break;
|
||||
}
|
||||
@@ -339,7 +361,9 @@ public class SuppressionRule {
|
||||
}
|
||||
}
|
||||
if (remove) {
|
||||
dependency.addSuppressedVulnerability(v);
|
||||
if (!isBase()) {
|
||||
dependency.addSuppressedVulnerability(v);
|
||||
}
|
||||
itr.remove();
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
|
||||
<suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
This suppresses false positives identified on spring security.
|
||||
]]></notes>
|
||||
@@ -9,7 +9,7 @@
|
||||
<cpe>cpe:/a:springsource:spring_framework</cpe>
|
||||
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
This suppreses additional false positives for the xstream library that occur because spring has a copy of this library.
|
||||
com.springsource.com.thoughtworks.xstream-1.3.1.jar
|
||||
@@ -17,18 +17,25 @@
|
||||
<gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav>
|
||||
<cpe>cpe:/a:springsource:spring_framework</cpe>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
Suppresses false positives on velocity tools.
|
||||
]]></notes>
|
||||
<gav regex="true">org.apache.velocity:velocity-tools:.*</gav>
|
||||
<gav regex="true">org\.apache\.velocity:velocity-tools:.*</gav>
|
||||
<cpe>cpe:/a:apache:struts</cpe>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
Sandbox is a php blog platform and should not be flagged as a CPE for java or .net dependencies.
|
||||
]]></notes>
|
||||
<filePath regex="true">.*\.(jar|dll|exe|ear|war|pom)</filePath>
|
||||
<cpe>cpe:/a:sandbox:sandbox</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
Suppresses false positives on Jersey core client.
|
||||
]]></notes>
|
||||
<gav regex="true">org\.glassfish\.jersey\.core:jersey-(client|common):.*</gav>
|
||||
<cpe>cpe:/a:oracle:glassfish</cpe>
|
||||
</suppress>
|
||||
</suppressions>
|
||||
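Review bot: The notes for the new Jersey rule say "Jersey core client" while the gav regex `org\.glassfish\.jersey\.core:jersey-(client|common):.*` also matches jersey-common, so the human-readable rationale undersells what the rule suppresses; `Suppresses false positives (cpe:/a:oracle:glassfish) on the Jersey core client and common artifacts.` would match the pattern. Worth keeping in mind for every rule in this file that, with `base="true"`, these matches are removed without being recorded as suppressed on the dependency, so the notes are the only trace of why a CPE was dropped.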
@@ -50,6 +50,7 @@
|
||||
<xs:element name="cvssBelow" type="dc:cvssScoreType"/>
|
||||
</xs:choice>
|
||||
</xs:sequence>
|
||||
<xs:attribute name="base" use="optional" type="xs:boolean" default="false"/>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
</xs:sequence>
|
||||
|
||||
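Review bot: The new `base` attribute on the suppress element has no `xs:annotation`, so anyone reading the schema cannot tell what setting it does; the sibling elements it sits next to give no hint either. Add a short `<xs:annotation><xs:documentation>…</xs:documentation></xs:annotation>` child explaining that a base rule's matches are removed from the dependency but not reported as suppressed, which is how the Java side treats it. The enclosing complexType starts outside the hunk.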
@@ -88,7 +88,15 @@ public class SuppressionHandlerTest {
|
||||
|
||||
xmlReader.parse(in);
|
||||
|
||||
List result = handler.getSuppressionRules();
|
||||
List<SuppressionRule> result = handler.getSuppressionRules();
|
||||
assertTrue(result.size() > 3);
|
||||
int baseCount = 0;
|
||||
for (SuppressionRule r : result) {
|
||||
if (r.isBase()) {
|
||||
baseCount++;
|
||||
}
|
||||
}
|
||||
assertTrue(baseCount > 0);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -146,6 +146,17 @@ public class SuppressionRuleTest {
|
||||
List<String> result = instance.getCve();
|
||||
assertEquals(cve, result);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of base property, of class SuppressionRule.
|
||||
*/
|
||||
@Test
|
||||
public void testBase() {
|
||||
SuppressionRule instance = new SuppressionRule();
|
||||
assertFalse(instance.isBase());
|
||||
instance.setBase(true);
|
||||
assertTrue(instance.isBase());
|
||||
}
|
||||
//</editor-fold>
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Ignored duplicate tests, left in, as empty tests, so IDE doesn't re-generate them">
|
||||
@@ -424,33 +435,33 @@ public class SuppressionRuleTest {
|
||||
instance.setSha1(sha1);
|
||||
instance.addCwe("287");
|
||||
instance.process(dependency);
|
||||
assertTrue(dependency.getVulnerabilities().size() == 1);
|
||||
assertEquals(1, dependency.getVulnerabilities().size());
|
||||
dependency.setSha1sum(sha1);
|
||||
instance.process(dependency);
|
||||
assertTrue(dependency.getVulnerabilities().isEmpty());
|
||||
assertTrue(dependency.getSuppressedVulnerabilities().size() == 1);
|
||||
assertEquals(1, dependency.getSuppressedVulnerabilities().size());
|
||||
|
||||
//cvss
|
||||
dependency.addVulnerability(v);
|
||||
instance = new SuppressionRule();
|
||||
instance.addCvssBelow(5f);
|
||||
instance.process(dependency);
|
||||
assertTrue(dependency.getVulnerabilities().size() == 1);
|
||||
assertEquals(1, dependency.getVulnerabilities().size());
|
||||
instance.addCvssBelow(8f);
|
||||
instance.process(dependency);
|
||||
assertTrue(dependency.getVulnerabilities().isEmpty());
|
||||
assertTrue(dependency.getSuppressedVulnerabilities().size() == 1);
|
||||
assertEquals(1, dependency.getSuppressedVulnerabilities().size());
|
||||
|
||||
//cve
|
||||
dependency.addVulnerability(v);
|
||||
instance = new SuppressionRule();
|
||||
instance.addCve("CVE-2012-1337");
|
||||
instance.process(dependency);
|
||||
assertTrue(dependency.getVulnerabilities().size() == 1);
|
||||
assertEquals(1, dependency.getVulnerabilities().size());
|
||||
instance.addCve("CVE-2013-1337");
|
||||
instance.process(dependency);
|
||||
assertTrue(dependency.getVulnerabilities().isEmpty());
|
||||
assertTrue(dependency.getSuppressedVulnerabilities().size() == 1);
|
||||
assertEquals(1, dependency.getSuppressedVulnerabilities().size());
|
||||
|
||||
//cpe
|
||||
instance = new SuppressionRule();
|
||||
@@ -468,18 +479,21 @@ public class SuppressionRuleTest {
|
||||
instance.setFilePath(pt);
|
||||
instance.process(dependency);
|
||||
assertTrue(dependency.getIdentifiers().isEmpty());
|
||||
assertTrue(dependency.getSuppressedIdentifiers().size() == 1);
|
||||
assertEquals(1, dependency.getSuppressedIdentifiers().size());
|
||||
|
||||
instance = new SuppressionRule();
|
||||
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.0", "some url not needed for this test");
|
||||
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
|
||||
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:5.0", "some url not needed for this test");
|
||||
pt = new PropertyType();
|
||||
pt.setValue("cpe:/a:microsoft:.net_framework");
|
||||
instance.addCpe(pt);
|
||||
assertTrue(dependency.getIdentifiers().size() == 3);
|
||||
instance.setBase(true);
|
||||
assertEquals(3, dependency.getIdentifiers().size());
|
||||
assertEquals(1, dependency.getSuppressedIdentifiers().size());
|
||||
instance.process(dependency);
|
||||
assertTrue(dependency.getIdentifiers().isEmpty());
|
||||
assertTrue(dependency.getSuppressedIdentifiers().size() == 3);
|
||||
assertEquals(1, dependency.getSuppressedIdentifiers().size());
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
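Review bot: The three-identifier case is now only exercised with `instance.setBase(true);`, so the assertion `assertEquals(1, dependency.getSuppressedIdentifiers().size());` after `process` proves that a base rule records nothing, but nothing proves that the same rule with base left false would record all three; the earlier single-identifier check at the top of the hunk covers only the one-match path. Re-adding the three identifiers, processing with `instance.setBase(false)` and asserting `assertEquals(4, dependency.getSuppressedIdentifiers().size());` (1 from before plus 3) would pin both branches. The test method starts outside the hunk.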
@@ -10,7 +10,7 @@
|
||||
<filePath>c:\path\to\some.jar</filePath>
|
||||
<cpe>cpe:/a:csv:csv:1.0</cpe>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
This suppresses any jboss:jboss cpe for any test.jar in any directory.
|
||||
]]></notes>
|
||||
|
||||