github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-26 19:11:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master'

Browse Source 
Former-commit-id: d3c49db24c64c2869257d1b3f9a8493e7925e7a7
This commit is contained in:
Steve Springett
2014-09-15 01:11:34 -05:00
parent bc9458101c 29595324c4
commit 58807d9021
9 changed files with 87 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
dependency-check-core/pom.xml
View File

@@ -628,6 +628,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>provided</scope> <scope>provided</scope>
<optional>true</optional> <optional>true</optional>
</dependency> </dependency>
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-client</artifactId>
<version>2.12</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
</dependencies> </dependencies>
<profiles> <profiles>
<profile> <profile>

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -114,7 +114,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
&& i.getValue() != null && i.getValue() != null
&& i.getValue().startsWith("cpe:/a:springsource:") && i.getValue().startsWith("cpe:/a:springsource:")
&& !i.getValue().toLowerCase().contains(mustContain)) { && !i.getValue().toLowerCase().contains(mustContain)) {
dependency.getIdentifiers().remove(i); itr.remove();
//dependency.getIdentifiers().remove(i);
} }
} }

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
View File

@@ -103,6 +103,12 @@ public class SuppressionHandler extends DefaultHandler {
currentText = new StringBuffer(); currentText = new StringBuffer();
if (SUPPRESS.equals(qName)) { if (SUPPRESS.equals(qName)) {
rule = new SuppressionRule(); rule = new SuppressionRule();
final String base = currentAttributes.getValue("base");
if (base != null) {
rule.setBase(Boolean.parseBoolean(base));
} else {
rule.setBase(false);
}
} }
} }

24
dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
View File

@@ -266,6 +266,26 @@ public class SuppressionRule {
return gav != null; return gav != null;
} }
private boolean base;
/**
* Get the value of base
*
* @return the value of base
*/
public boolean isBase() {
return base;
}
/**
* Set the value of base
*
* @param base new value of base
*/
public void setBase(boolean base) {
this.base = base;
}
/** /**
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
* should be, they are removed from the dependency. * should be, they are removed from the dependency.
@@ -300,7 +320,9 @@ public class SuppressionRule {
final Identifier i = itr.next(); final Identifier i = itr.next();
for (PropertyType c : this.cpe) { for (PropertyType c : this.cpe) {
if (identifierMatches("cpe", c, i)) { if (identifierMatches("cpe", c, i)) {
if (!isBase()) {
dependency.addSuppressedIdentifier(i); dependency.addSuppressedIdentifier(i);
}
itr.remove(); itr.remove();
break; break;
} }
@@ -339,7 +361,9 @@ public class SuppressionRule {
} }
} }
if (remove) { if (remove) {
if (!isBase()) {
dependency.addSuppressedVulnerability(v); dependency.addSuppressedVulnerability(v);
}
itr.remove(); itr.remove();
} }
} }

17
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression"> <suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
<suppress> <suppress base="true">
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives identified on spring security. This suppresses false positives identified on spring security.
]]></notes> ]]></notes>
@@ -9,7 +9,7 @@
<cpe>cpe:/a:springsource:spring_framework</cpe> <cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe> <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
</suppress> </suppress>
<suppress> <suppress base="true">
<notes><![CDATA[ <notes><![CDATA[
This suppreses additional false positives for the xstream library that occur because spring has a copy of this library. This suppreses additional false positives for the xstream library that occur because spring has a copy of this library.
com.springsource.com.thoughtworks.xstream-1.3.1.jar com.springsource.com.thoughtworks.xstream-1.3.1.jar
@@ -17,18 +17,25 @@
<gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav> <gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav>
<cpe>cpe:/a:springsource:spring_framework</cpe> <cpe>cpe:/a:springsource:spring_framework</cpe>
</suppress> </suppress>
<suppress> <suppress base="true">
<notes><![CDATA[ <notes><![CDATA[
Suppresses false positives on velocity tools. Suppresses false positives on velocity tools.
]]></notes> ]]></notes>
<gav regex="true">org.apache.velocity:velocity-tools:.*</gav> <gav regex="true">org\.apache\.velocity:velocity-tools:.*</gav>
<cpe>cpe:/a:apache:struts</cpe> <cpe>cpe:/a:apache:struts</cpe>
</suppress> </suppress>
<suppress> <suppress base="true">
<notes><![CDATA[ <notes><![CDATA[
Sandbox is a php blog platform and should not be flagged as a CPE for java or .net dependencies. Sandbox is a php blog platform and should not be flagged as a CPE for java or .net dependencies.
]]></notes> ]]></notes>
<filePath regex="true">.*\.(jar|dll|exe|ear|war|pom)</filePath> <filePath regex="true">.*\.(jar|dll|exe|ear|war|pom)</filePath>
<cpe>cpe:/a:sandbox:sandbox</cpe> <cpe>cpe:/a:sandbox:sandbox</cpe>
</suppress> </suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on Jersey core client.
]]></notes>
<gav regex="true">org\.glassfish\.jersey\.core:jersey-(client|common):.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
</suppressions> </suppressions>

1
dependency-check-core/src/main/resources/schema/suppression.xsd
View File

@@ -50,6 +50,7 @@
<xs:element name="cvssBelow" type="dc:cvssScoreType"/> <xs:element name="cvssBelow" type="dc:cvssScoreType"/>
</xs:choice> </xs:choice>
</xs:sequence> </xs:sequence>
<xs:attribute name="base" use="optional" type="xs:boolean" default="false"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
</xs:sequence> </xs:sequence>

10
dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionHandlerTest.java
View File

@@ -88,7 +88,15 @@ public class SuppressionHandlerTest {
xmlReader.parse(in); xmlReader.parse(in);
List result = handler.getSuppressionRules(); List<SuppressionRule> result = handler.getSuppressionRules();
assertTrue(result.size() > 3); assertTrue(result.size() > 3);
int baseCount = 0;
for (SuppressionRule r : result) {
if (r.isBase()) {
baseCount++;
}
}
assertTrue(baseCount > 0);
} }
} }

32
dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java
View File

@@ -146,6 +146,17 @@ public class SuppressionRuleTest {
List<String> result = instance.getCve(); List<String> result = instance.getCve();
assertEquals(cve, result); assertEquals(cve, result);
} }
/**
* Test of base property, of class SuppressionRule.
*/
@Test
public void testBase() {
SuppressionRule instance = new SuppressionRule();
assertFalse(instance.isBase());
instance.setBase(true);
assertTrue(instance.isBase());
}
//</editor-fold> //</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Ignored duplicate tests, left in, as empty tests, so IDE doesn't re-generate them"> //<editor-fold defaultstate="collapsed" desc="Ignored duplicate tests, left in, as empty tests, so IDE doesn't re-generate them">
@@ -424,33 +435,33 @@ public class SuppressionRuleTest {
instance.setSha1(sha1); instance.setSha1(sha1);
instance.addCwe("287"); instance.addCwe("287");
instance.process(dependency); instance.process(dependency);
assertTrue(dependency.getVulnerabilities().size() == 1); assertEquals(1, dependency.getVulnerabilities().size());
dependency.setSha1sum(sha1); dependency.setSha1sum(sha1);
instance.process(dependency); instance.process(dependency);
assertTrue(dependency.getVulnerabilities().isEmpty()); assertTrue(dependency.getVulnerabilities().isEmpty());
assertTrue(dependency.getSuppressedVulnerabilities().size() == 1); assertEquals(1, dependency.getSuppressedVulnerabilities().size());
//cvss //cvss
dependency.addVulnerability(v); dependency.addVulnerability(v);
instance = new SuppressionRule(); instance = new SuppressionRule();
instance.addCvssBelow(5f); instance.addCvssBelow(5f);
instance.process(dependency); instance.process(dependency);
assertTrue(dependency.getVulnerabilities().size() == 1); assertEquals(1, dependency.getVulnerabilities().size());
instance.addCvssBelow(8f); instance.addCvssBelow(8f);
instance.process(dependency); instance.process(dependency);
assertTrue(dependency.getVulnerabilities().isEmpty()); assertTrue(dependency.getVulnerabilities().isEmpty());
assertTrue(dependency.getSuppressedVulnerabilities().size() == 1); assertEquals(1, dependency.getSuppressedVulnerabilities().size());
//cve //cve
dependency.addVulnerability(v); dependency.addVulnerability(v);
instance = new SuppressionRule(); instance = new SuppressionRule();
instance.addCve("CVE-2012-1337"); instance.addCve("CVE-2012-1337");
instance.process(dependency); instance.process(dependency);
assertTrue(dependency.getVulnerabilities().size() == 1); assertEquals(1, dependency.getVulnerabilities().size());
instance.addCve("CVE-2013-1337"); instance.addCve("CVE-2013-1337");
instance.process(dependency); instance.process(dependency);
assertTrue(dependency.getVulnerabilities().isEmpty()); assertTrue(dependency.getVulnerabilities().isEmpty());
assertTrue(dependency.getSuppressedVulnerabilities().size() == 1); assertEquals(1, dependency.getSuppressedVulnerabilities().size());
//cpe //cpe
instance = new SuppressionRule(); instance = new SuppressionRule();
@@ -468,18 +479,21 @@ public class SuppressionRuleTest {
instance.setFilePath(pt); instance.setFilePath(pt);
instance.process(dependency); instance.process(dependency);
assertTrue(dependency.getIdentifiers().isEmpty()); assertTrue(dependency.getIdentifiers().isEmpty());
assertTrue(dependency.getSuppressedIdentifiers().size() == 1); assertEquals(1, dependency.getSuppressedIdentifiers().size());
instance = new SuppressionRule();
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.0", "some url not needed for this test"); dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.0", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test"); dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:5.0", "some url not needed for this test"); dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:5.0", "some url not needed for this test");
pt = new PropertyType(); pt = new PropertyType();
pt.setValue("cpe:/a:microsoft:.net_framework"); pt.setValue("cpe:/a:microsoft:.net_framework");
instance.addCpe(pt); instance.addCpe(pt);
assertTrue(dependency.getIdentifiers().size() == 3); instance.setBase(true);
assertEquals(3, dependency.getIdentifiers().size());
assertEquals(1, dependency.getSuppressedIdentifiers().size());
instance.process(dependency); instance.process(dependency);
assertTrue(dependency.getIdentifiers().isEmpty()); assertTrue(dependency.getIdentifiers().isEmpty());
assertTrue(dependency.getSuppressedIdentifiers().size() == 3); assertEquals(1, dependency.getSuppressedIdentifiers().size());
} }
/** /**

2
dependency-check-core/src/test/resources/suppressions.xml
View File

@@ -10,7 +10,7 @@
<filePath>c:\path\to\some.jar</filePath> <filePath>c:\path\to\some.jar</filePath>
<cpe>cpe:/a:csv:csv:1.0</cpe> <cpe>cpe:/a:csv:csv:1.0</cpe>
</suppress> </suppress>
<suppress> <suppress base="true">
<notes><![CDATA[ <notes><![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory. This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]></notes> ]]></notes>