diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
index e376c03dd..a9ff9ca41 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
@@ -20,21 +20,161 @@ package org.owasp.dependencycheck.dependency; import java.io.Serializable; /** + * In identifier such as a CPE or dependency coordinates (i.e. GAV). * * @author Jeremy Long */ public class Identifier implements Serializable, Comparable { + // /** * The serial version UID for serialization. */ private static final long serialVersionUID = 1L; + /** + * The confidence that this is the correct identifier. + */ + private Confidence confidence; + /** + * The value of the identifier + */ + private String value; + /** + * The url for the identifier. + */ + private String url; + /** + * The type of the identifier. + */ + private String type; + /** + * A description of the identifier. + */ + private String description; + /** + * Notes about the vulnerability. Generally used for suppression + * information. + */ + private String notes; + // + + // + /** + * Get the value of confidence. + * + * @return the value of confidence + */ + public Confidence getConfidence() { + return confidence; + } /** - * Default constructor. Should only be used for automatic class - * creation as is the case with many XML parsers (for the parsing - * of the Dependency-Check XML report). For all other use-cases, - * please use the non-default constructors. + * Set the value of confidence. + * + * @param confidence new value of confidence + */ + public void setConfidence(Confidence confidence) { + this.confidence = confidence; + } + + /** + * Get the value of value. + * + * @return the value of value + */ + public String getValue() { + return value; + } + + /** + * Set the value of value. + * + * @param value new value of value + */ + public void setValue(String value) { + this.value = value; + } + + /** + * Get the value of url. + * + * @return the value of url + */ + public String getUrl() { + return url; + } + + /** + * Set the value of url. + * + * @param url new value of url + */ + public void setUrl(String url) { + this.url = url; + } + + /** + * Get the value of type. 
+ * + * @return the value of type + */ + public String getType() { + return type; + } + + /** + *

+ * Set the value of type.

+ * Example would be "CPE".

+ * + * @param type new value of type + */ + public void setType(String type) { + this.type = type; + } + + /** + * Get the value of description. + * + * @return the value of description + */ + public String getDescription() { + return description; + } + + /** + * Set the value of description. + * + * @param description new value of description + */ + public void setDescription(String description) { + this.description = description; + } + + /** + * Get the value of notes from suppression notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of notes + */ + public void setNotes(String notes) { + this.notes = notes; + } + //
+ + /** + * Default constructor. Should only be used for automatic class creation as + * is the case with many XML parsers (for the parsing of the + * Dependency-Check XML report). For all other use-cases, please use the + * non-default constructors. */ public Identifier() { } @@ -65,120 +205,6 @@ public class Identifier implements Serializable, Comparable { this.description = description; } - /** - * The confidence that this is the correct identifier. - */ - private Confidence confidence; - - /** - * Get the value of confidence. - * - * @return the value of confidence - */ - public Confidence getConfidence() { - return confidence; - } - - /** - * Set the value of confidence. - * - * @param confidence new value of confidence - */ - public void setConfidence(Confidence confidence) { - this.confidence = confidence; - } - - /** - * The value of the identifier - */ - private String value; - - /** - * Get the value of value. - * - * @return the value of value - */ - public String getValue() { - return value; - } - - /** - * Set the value of value. - * - * @param value new value of value - */ - public void setValue(String value) { - this.value = value; - } - /** - * The url for the identifier. - */ - private String url; - - /** - * Get the value of url. - * - * @return the value of url - */ - public String getUrl() { - return url; - } - - /** - * Set the value of url. - * - * @param url new value of url - */ - public void setUrl(String url) { - this.url = url; - } - /** - * The type of the identifier. - */ - private String type; - - /** - * Get the value of type. - * - * @return the value of type - */ - public String getType() { - return type; - } - - /** - *
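Review bot: The new class Javadoc reads `In identifier such as a CPE or dependency coordinates (i.e. GAV).`, which has a typo in its first word and uses "i.e." where an example is meant; it should read `An identifier such as a CPE or dependency coordinates (e.g. GAV).`. The new `notes` field holds free text copied from the suppression file into an object that is later written to the report; this diff does not show the report templates, so confirm that wherever `notes` is emitted it receives the same escaping as `description` and `url`. Several `//` marker comments in this hunk appear empty on the page, which looks like a rendering artifact rather than a change to flag.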

- * Set the value of type.

- * Example would be "CPE".

- * - * @param type new value of type - */ - public void setType(String type) { - this.type = type; - } - /** - * A description of the identifier. - */ - private String description; - - /** - * Get the value of description. - * - * @return the value of description - */ - public String getDescription() { - return description; - } - - /** - * Set the value of description. - * - * @param description new value of description - */ - public void setDescription(String description) { - this.description = description; - } - @Override public boolean equals(Object obj) { if (obj == null) { @@ -213,7 +239,8 @@ public class Identifier implements Serializable, Comparable { } /** - * Implementation of the comparator interface. This compares the value of the identifier only. + * Implementation of the comparator interface. This compares the value of + * the identifier only. * * @param o the object being compared * @return an integer indicating the ordering diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index 01ea8c8f6..013c8db79 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -94,6 +94,11 @@ public class Vulnerability implements Serializable, Comparable { * Whether or not all previous versions were affected. */ private String matchedAllPreviousCPE; + /** + * Notes about the vulnerability. Generally used for suppression + * information. + */ + private String notes; /** * Get the value of name. 
@@ -405,6 +410,24 @@ public class Vulnerability implements Serializable, Comparable { this.cvssAvailabilityImpact = cvssAvailabilityImpact; } + /** + * Get the value of notes from suppression notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of cwe + */ + public void setNotes(String notes) { + this.notes = notes; + } + @Override public boolean equals(Object obj) { if (obj == null) { @@ -456,7 +479,6 @@ public class Vulnerability implements Serializable, Comparable { return new CompareToBuilder() .append(this.name, v.name) .toComparison(); - //return v.getName().compareTo(this.getName()); } /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java index 590f55199..62c11ffc3 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java @@ -46,6 +46,12 @@ public class SuppressionHandler extends DefaultHandler { * The CVE element name. */ public static final String CVE = "cve"; + + /** + * The CVE element name. + */ + public static final String NOTES = "notes"; + /** * The CPE element name. */ @@ -65,7 +71,16 @@ public class SuppressionHandler extends DefaultHandler { /** * A list of suppression rules. */ - private final List suppressionRules = new ArrayList<>(); + private final List suppressionRules = new ArrayList(); + + /** + * Get the value of suppressionRules. + * + * @return the value of suppressionRules + */ + public List getSuppressionRules() { + return suppressionRules; + } /** * The current rule being read. */ 
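Review bot: `setNotes` documents its parameter as `@param notes new value of cwe`, a copy-paste remnant from the CWE accessor; it should read `@param notes new value of notes`. The `getNotes` summary ("from suppression notes") does match how this same change populates the field from SuppressionRule, so only the `@param` tag needs fixing.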
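Review bot: The Javadoc on the new `NOTES` constant repeats the preceding constant's text (`The CVE element name.`), so two constants now claim to be the CVE element; it should read `The notes element name.`, matching the `"notes"` literal it holds.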
@@ -79,15 +94,6 @@ public class SuppressionHandler extends DefaultHandler { */ private StringBuilder currentText; - /** - * Get the value of suppressionRules. - * - * @return the value of suppressionRules - */ - public List getSuppressionRules() { - return suppressionRules; - } - /** * Handles the start element event. * @@ -122,27 +128,40 @@ public class SuppressionHandler extends DefaultHandler { */ @Override public void endElement(String uri, String localName, String qName) throws SAXException { - if (SUPPRESS.equals(qName)) { - suppressionRules.add(rule); - rule = null; - } else if (FILE_PATH.equals(qName)) { - final PropertyType pt = processPropertyType(); - rule.setFilePath(pt); - } else if (SHA1.equals(qName)) { - rule.setSha1(currentText.toString()); - } else if (GAV.equals(qName)) { - final PropertyType pt = processPropertyType(); - rule.setGav(pt); - } else if (CPE.equals(qName)) { - final PropertyType pt = processPropertyType(); - rule.addCpe(pt); - } else if (CWE.equals(qName)) { - rule.addCwe(currentText.toString()); - } else if (CVE.equals(qName)) { - rule.addCve(currentText.toString()); - } else if (CVSS_BELOW.equals(qName)) { - final float cvss = Float.parseFloat(currentText.toString()); - rule.addCvssBelow(cvss); + if (null != qName) { + switch (qName) { + case SUPPRESS: + suppressionRules.add(rule); + rule = null; + break; + case FILE_PATH: + rule.setFilePath(processPropertyType()); + break; + case SHA1: + rule.setSha1(currentText.toString()); + break; + case GAV: + rule.setGav(processPropertyType()); + break; + case CPE: + rule.addCpe(processPropertyType()); + break; + case CWE: + rule.addCwe(currentText.toString()); + break; + case CVE: + rule.addCve(currentText.toString()); + break; + case NOTES: + rule.addNotes(currentText.toString()); + break; + case CVSS_BELOW: + final float cvss = Float.parseFloat(currentText.toString()); + rule.addCvssBelow(cvss); + break; + default: + break; + } } } 
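Review bot: In the new switch, `case CVSS_BELOW:` declares `final float cvss` directly under the case label, so the local is scoped to the entire switch block rather than to that case, and it is the only case in this rewrite that was not inlined the way `rule.setFilePath(processPropertyType());` was. Either inline it as `rule.addCvssBelow(Float.parseFloat(currentText.toString()));` or wrap the case body in braces. The added `null != qName` guard is appropriate for a `switch` on a String, which would otherwise throw NullPointerException on a null selector where the old `equals` chain did not.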
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index 9ba1a6239..30313be71 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -59,6 +59,11 @@ public class SuppressionRule { * A Maven GAV to suppression. */ private PropertyType gav = null; + /** + * The notes added in suppression file + */ + + private String notes; /** * A flag indicating whether or not the suppression rule is a core/base rule @@ -175,6 +180,42 @@ public class SuppressionRule { return !cvssBelow.isEmpty(); } + /** + * Get the value of notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of cve + */ + public void setNotes(String notes) { + this.notes = notes; + } + + /** + * Adds the notes to the cve list. + * + * @param notes the cve to add + */ + public void addNotes(String notes) { + this.notes = notes; + } + + /** + * Returns whether this suppression rule has notes entries. + * + * @return whether this suppression rule has notes entries + */ + public boolean hasNotes() { + return !cve.isEmpty(); + } + /** * Get the value of CWE. * @@ -328,6 +369,9 @@ public class SuppressionRule { for (PropertyType c : this.cpe) { if (identifierMatches("cpe", c, i)) { if (!isBase()) { + if (this.notes != null) { + i.setNotes(this.notes); + } dependency.addSuppressedIdentifier(i); } itr.remove(); @@ -369,6 +413,9 @@ public class SuppressionRule { } if (remove) { if (!isBase()) { + if (this.notes != null) { + v.setNotes(this.notes); + } dependency.addSuppressedVulnerability(v); } itr.remove(); 
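Review bot: The new `notes` field declaration is separated from its Javadoc by an added blank line (`+ */`, `+`, `+ private String notes;`), unlike every other field in this class where the comment sits directly above the declaration; drop the blank line so the comment reads as attached. The comment text `The notes added in suppression file` is also missing its terminating period, which the rest of the file's field comments have.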
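Review bot: `hasNotes()` returns `!cve.isEmpty()`, testing the CVE list instead of the new field, so it answers true for any rule that suppresses a CVE and false for a rule that carries only notes; it should be `return notes != null && !notes.isEmpty();`. `addNotes` assigns (`this.notes = notes;`) rather than accumulates, so a `<suppress>` element with more than one `<notes>` child keeps only the last one when SuppressionHandler calls it; either document that single-value behaviour or concatenate. The Javadoc on `setNotes` (`@param notes new value of cve`) and `addNotes` (`Adds the notes to the cve list.`, `@param notes the cve to add`) is copied from the CVE accessors and should describe notes instead.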
diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.4.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.4.xsd new file mode 100644 index 000000000..01178fa7e --- /dev/null +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.4.xsd @@ -0,0 +1,200 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file