Merge branch 'notes' into Prakhash-reportmodifier1

Jeremy Long
2017-02-25 16:09:21 -05:00
5 changed files with 466 additions and 151 deletions


@@ -20,21 +20,161 @@ package org.owasp.dependencycheck.dependency;
import java.io.Serializable;
/**
* In identifier such as a CPE or dependency coordinates (i.e. GAV).
*
* @author Jeremy Long
*/
public class Identifier implements Serializable, Comparable<Identifier> {
//<editor-fold defaultstate="collapsed" desc="fields">
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* The confidence that this is the correct identifier.
*/
private Confidence confidence;
/**
* The value of the identifier
*/
private String value;
/**
* The url for the identifier.
*/
private String url;
/**
* The type of the identifier.
*/
private String type;
/**
* A description of the identifier.
*/
private String description;
/**
* Notes about the vulnerability. Generally used for suppression
* information.
*/
private String notes;
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="getters/setters">
/**
* Get the value of confidence.
*
* @return the value of confidence
*/
public Confidence getConfidence() {
return confidence;
}
/**
* Default constructor. Should only be used for automatic class
* creation as is the case with many XML parsers (for the parsing
* of the Dependency-Check XML report). For all other use-cases,
* please use the non-default constructors.
* Set the value of confidence.
*
* @param confidence new value of confidence
*/
public void setConfidence(Confidence confidence) {
this.confidence = confidence;
}
/**
* Get the value of value.
*
* @return the value of value
*/
public String getValue() {
return value;
}
/**
* Set the value of value.
*
* @param value new value of value
*/
public void setValue(String value) {
this.value = value;
}
/**
* Get the value of url.
*
* @return the value of url
*/
public String getUrl() {
return url;
}
/**
* Set the value of url.
*
* @param url new value of url
*/
public void setUrl(String url) {
this.url = url;
}
/**
* Get the value of type.
*
* @return the value of type
*/
public String getType() {
return type;
}
/**
* <p>
* Set the value of type.</p><p>
* Example would be "CPE".</p>
*
* @param type new value of type
*/
public void setType(String type) {
this.type = type;
}
/**
* Get the value of description.
*
* @return the value of description
*/
public String getDescription() {
return description;
}
/**
* Set the value of description.
*
* @param description new value of description
*/
public void setDescription(String description) {
this.description = description;
}
/**
* Get the value of notes from suppression notes.
*
* @return the value of notes
*/
public String getNotes() {
return notes;
}
/**
* Set the value of notes.
*
* @param notes new value of notes
*/
public void setNotes(String notes) {
this.notes = notes;
}
//</editor-fold>
/**
* Default constructor. Should only be used for automatic class creation as
* is the case with many XML parsers (for the parsing of the
* Dependency-Check XML report). For all other use-cases, please use the
* non-default constructors.
*/
public Identifier() {
}
@@ -65,120 +205,6 @@ public class Identifier implements Serializable, Comparable<Identifier> {
this.description = description;
}
/**
* The confidence that this is the correct identifier.
*/
private Confidence confidence;
/**
* Get the value of confidence.
*
* @return the value of confidence
*/
public Confidence getConfidence() {
return confidence;
}
/**
* Set the value of confidence.
*
* @param confidence new value of confidence
*/
public void setConfidence(Confidence confidence) {
this.confidence = confidence;
}
/**
* The value of the identifier
*/
private String value;
/**
* Get the value of value.
*
* @return the value of value
*/
public String getValue() {
return value;
}
/**
* Set the value of value.
*
* @param value new value of value
*/
public void setValue(String value) {
this.value = value;
}
/**
* The url for the identifier.
*/
private String url;
/**
* Get the value of url.
*
* @return the value of url
*/
public String getUrl() {
return url;
}
/**
* Set the value of url.
*
* @param url new value of url
*/
public void setUrl(String url) {
this.url = url;
}
/**
* The type of the identifier.
*/
private String type;
/**
* Get the value of type.
*
* @return the value of type
*/
public String getType() {
return type;
}
/**
* <p>
* Set the value of type.</p><p>
* Example would be "CPE".</p>
*
* @param type new value of type
*/
public void setType(String type) {
this.type = type;
}
/**
* A description of the identifier.
*/
private String description;
/**
* Get the value of description.
*
* @return the value of description
*/
public String getDescription() {
return description;
}
/**
* Set the value of description.
*
* @param description new value of description
*/
public void setDescription(String description) {
this.description = description;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
@@ -213,7 +239,8 @@ public class Identifier implements Serializable, Comparable<Identifier> {
}
/**
* Implementation of the comparator interface. This compares the value of the identifier only.
* Implementation of the comparator interface. This compares the value of
* the identifier only.
*
* @param o the object being compared
* @return an integer indicating the ordering


@@ -94,6 +94,11 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
* Whether or not all previous versions were affected.
*/
private String matchedAllPreviousCPE;
/**
* Notes about the vulnerability. Generally used for suppression
* information.
*/
private String notes;
/**
* Get the value of name.
@@ -405,6 +410,24 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cvssAvailabilityImpact = cvssAvailabilityImpact;
}
/**
* Get the value of notes from suppression notes.
*
* @return the value of notes
*/
public String getNotes() {
return notes;
}
/**
* Set the value of notes.
*
* @param notes new value of cwe
*/
public void setNotes(String notes) {
this.notes = notes;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
@@ -456,7 +479,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
return new CompareToBuilder()
.append(this.name, v.name)
.toComparison();
//return v.getName().compareTo(this.getName());
}
/**
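Review bot: The `@param` tag on the new `setNotes` is wrong: `@param notes new value of cwe` should be `@param notes new value of notes`. The same copy-pasted tag appears on `SuppressionRule.setNotes` in this commit, so both should be corrected together. The `getNotes` summary "Get the value of notes from suppression notes." could simply be `Get the value of notes.` to match the surrounding accessors; the `compareTo` body in the last hunk starts outside the hunk.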


@@ -46,6 +46,12 @@ public class SuppressionHandler extends DefaultHandler {
* The CVE element name.
*/
public static final String CVE = "cve";
/**
* The CVE element name.
*/
public static final String NOTES = "notes";
/**
* The CPE element name.
*/
@@ -65,7 +71,16 @@ public class SuppressionHandler extends DefaultHandler {
/**
* A list of suppression rules.
*/
private final List<SuppressionRule> suppressionRules = new ArrayList<>();
private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
/**
* Get the value of suppressionRules.
*
* @return the value of suppressionRules
*/
public List<SuppressionRule> getSuppressionRules() {
return suppressionRules;
}
/**
* The current rule being read.
*/
@@ -79,15 +94,6 @@ public class SuppressionHandler extends DefaultHandler {
*/
private StringBuilder currentText;
/**
* Get the value of suppressionRules.
*
* @return the value of suppressionRules
*/
public List<SuppressionRule> getSuppressionRules() {
return suppressionRules;
}
/**
* Handles the start element event.
*
@@ -122,27 +128,40 @@ public class SuppressionHandler extends DefaultHandler {
*/
@Override
public void endElement(String uri, String localName, String qName) throws SAXException {
if (SUPPRESS.equals(qName)) {
suppressionRules.add(rule);
rule = null;
} else if (FILE_PATH.equals(qName)) {
final PropertyType pt = processPropertyType();
rule.setFilePath(pt);
} else if (SHA1.equals(qName)) {
rule.setSha1(currentText.toString());
} else if (GAV.equals(qName)) {
final PropertyType pt = processPropertyType();
rule.setGav(pt);
} else if (CPE.equals(qName)) {
final PropertyType pt = processPropertyType();
rule.addCpe(pt);
} else if (CWE.equals(qName)) {
rule.addCwe(currentText.toString());
} else if (CVE.equals(qName)) {
rule.addCve(currentText.toString());
} else if (CVSS_BELOW.equals(qName)) {
final float cvss = Float.parseFloat(currentText.toString());
rule.addCvssBelow(cvss);
if (null != qName) {
switch (qName) {
case SUPPRESS:
suppressionRules.add(rule);
rule = null;
break;
case FILE_PATH:
rule.setFilePath(processPropertyType());
break;
case SHA1:
rule.setSha1(currentText.toString());
break;
case GAV:
rule.setGav(processPropertyType());
break;
case CPE:
rule.addCpe(processPropertyType());
break;
case CWE:
rule.addCwe(currentText.toString());
break;
case CVE:
rule.addCve(currentText.toString());
break;
case NOTES:
rule.addNotes(currentText.toString());
break;
case CVSS_BELOW:
final float cvss = Float.parseFloat(currentText.toString());
rule.addCvssBelow(cvss);
break;
default:
break;
}
}
}
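Review bot: The Javadoc on the new `NOTES` constant repeats "The CVE element name."; it should read `The notes element name.`. If the second of the two `suppressionRules` declarations is the new side, the change from `new ArrayList<>()` to `new ArrayList<SuppressionRule>()` reintroduces an explicit type argument the file had already dropped, so the diamond form should be kept. The `switch` in `endElement` is otherwise a direct translation of the previous `if`/`else if` chain, and the new `case NOTES` behaves like the other rule-mutating cases in relying on `rule` having been created by the enclosing `suppress` element, which is not checked here but was not checked before either.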


@@ -59,6 +59,11 @@ public class SuppressionRule {
* A Maven GAV to suppression.
*/
private PropertyType gav = null;
/**
* The notes added in suppression file
*/
private String notes;
/**
* A flag indicating whether or not the suppression rule is a core/base rule
@@ -175,6 +180,42 @@ public class SuppressionRule {
return !cvssBelow.isEmpty();
}
/**
* Get the value of notes.
*
* @return the value of notes
*/
public String getNotes() {
return notes;
}
/**
* Set the value of notes.
*
* @param notes new value of cve
*/
public void setNotes(String notes) {
this.notes = notes;
}
/**
* Adds the notes to the cve list.
*
* @param notes the cve to add
*/
public void addNotes(String notes) {
this.notes = notes;
}
/**
* Returns whether this suppression rule has notes entries.
*
* @return whether this suppression rule has notes entries
*/
public boolean hasNotes() {
return !cve.isEmpty();
}
/**
* Get the value of CWE.
*
@@ -328,6 +369,9 @@ public class SuppressionRule {
for (PropertyType c : this.cpe) {
if (identifierMatches("cpe", c, i)) {
if (!isBase()) {
if (this.notes != null) {
i.setNotes(this.notes);
}
dependency.addSuppressedIdentifier(i);
}
itr.remove();
@@ -369,6 +413,9 @@ public class SuppressionRule {
}
if (remove) {
if (!isBase()) {
if (this.notes != null) {
v.setNotes(this.notes);
}
dependency.addSuppressedVulnerability(v);
}
itr.remove();
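Review bot: `hasNotes` tests the wrong field: `return !cve.isEmpty();` looks at the CVE list, so a rule with notes but no CVE entries reports no notes and a rule with CVEs but no notes reports true; it should test the string it documents, e.g. `return notes != null && !notes.isEmpty();`. The Javadoc on `addNotes` ("Adds the notes to the cve list", "@param notes the cve to add") and on `setNotes` ("new value of cve") are copy-paste leftovers and should refer to notes; `addNotes` also simply overwrites the field rather than appending, which the comment should state so callers do not expect accumulation. The last two hunks copy the suppression-file text onto the report's Identifier and Vulnerability objects; both loops start and end outside the hunks, and whether the report writers escape that text when rendering it is not visible in this diff and is worth confirming.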


@@ -0,0 +1,200 @@
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="analysis"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-check.1.4.xsd"
xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-check.1.4.xsd">
<xs:complexType name="scanInfo">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="engineVersion" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="dataSource">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="timestamp" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:sequence>
</xs:complexType>
<xs:complexType name="projectInfo">
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="reportDate" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="credits" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="identifier">
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="optional" />
</xs:complexType>
<xs:complexType name="relatedDependency">
<xs:sequence>
<xs:element name="filePath" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="sha1" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="md5" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="identifier" type="dc:identifier" />
</xs:sequence>
</xs:sequence>
</xs:complexType>
<xs:complexType name="exception">
<xs:sequence>
<xs:element name="message" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="stackTrace" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="trace" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="innerException" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="message" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="stackTrace" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="trace" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="evidence">
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="value" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="required" />
</xs:complexType>
<xs:complexType name="reference">
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="software">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="allPreviousVersion" type="xs:boolean" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="vulnerability">
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssScore" type="xs:decimal" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssAccessVector" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssAccessComplexity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssAuthenticationr" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssConfidentialImpact" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssIntegrityImpact" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssAvailabilityImpact" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="reference" type="dc:reference" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="software" type="dc:software" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="dependency">
<xs:sequence>
<xs:element name="fileName" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="filePath" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="md5" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="sha1" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="license" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="relatedDependencies" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="relatedDependency" type="dc:relatedDependency" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="analysisExceptions" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="exception" type="dc:exception"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="evidenceCollected" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="evidence" type="dc:evidence"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="identifiers" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="identifier" type="dc:identifier" />
</xs:sequence>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="suppressedIdentifier" type="dc:identifier"/>
</xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="vulnerability" type="dc:vulnerability"/>
</xs:sequence>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="suppressedVulnerability" type="dc:vulnerability"/>
</xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:element name="analysis">
<xs:complexType>
<xs:sequence>
<xs:element name="scanInfo" type="dc:scanInfo"/>
<xs:element name="projectInfo" type="dc:projectInfo"/>
<xs:element name="dependencies">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="dependency" type="dc:dependency"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
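Review bot: The element name `cvssAuthenticationr` in the `vulnerability` type looks like a typo for `cvssAuthentication`; if it is carried over from the earlier schema deliberately so existing consumers keep working, a comment beside it saying so (e.g. `<!-- name kept for compatibility with earlier schema versions -->`) would stop the next reader from changing it, otherwise it should be corrected before this 1.4 namespace is relied on. `reportDate` and the dataSource `timestamp` are declared `xs:string` rather than `xs:dateTime`, so consumers get no validation of those values; acceptable if the writer does not emit ISO-8601, but the choice deserves a comment.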