Merge branch 'threadsafe' into dependency-updates
@@ -661,6 +661,16 @@ public class Dependency extends EvidenceCollection implements Serializable, Comp
|
||||
this.availableVersions.add(version);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether or not this dependency is virtual or not. Virtual
|
||||
* dependencies are specified during object constructor. No setter.
|
||||
*
|
||||
* @return true if Dependency is virtual, false if not
|
||||
*/
|
||||
public boolean isVirtual() {
|
||||
return isVirtual;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of the Comparable<Dependency> interface. The
|
||||
* comparison is solely based on the file path.
|
||||
|
||||
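Review bot: The Javadoc on the new `isVirtual()` getter is redundant ("whether or not ... or not") and its second sentence reads awkwardly; suggest `Returns whether this dependency is virtual. Virtual dependencies are flagged at construction time; there is no setter.` Since `Dependency` implements `Serializable` (hunk header), a backing `isVirtual` field changes the serialized form — if that field was introduced by this commit (its declaration is outside the hunk), check whether an explicit serialVersionUID needs updating so previously serialized or cached dependencies are handled deliberately rather than failing on read. If the field really is assigned only in the constructor, declaring it `final` would enforce the no-setter contract the Javadoc promises.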
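--- /dev/null
+++ b/schema/dependency-check.1.6.xsd
@@ -0,0 +1,205 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema id="analysis"
+xmlns:xs="http://www.w3.org/2001/XMLSchema"
+elementFormDefault="qualified"
+targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-check.1.6.xsd"
+xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-check.1.6.xsd">
+
+<xs:complexType name="scanInfo">
+<xs:sequence minOccurs="1" maxOccurs="1">
+<xs:element name="engineVersion" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="dataSource">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="timestamp" type="xs:string" minOccurs="1" maxOccurs="1" />
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="projectInfo">
+<xs:sequence>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="groupID" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="artifactID" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="version" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="reportDate" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="credits" type="xs:string" minOccurs="1" maxOccurs="1" />
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="identifier">
+<xs:sequence>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1" />
+</xs:sequence>
+<xs:attribute name="type" type="xs:string" use="required" />
+<xs:attribute name="confidence" type="xs:string" use="optional" />
+</xs:complexType>
+<xs:complexType name="relatedDependency">
+<xs:sequence>
+<xs:element name="filePath" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="sha1" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="md5" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="identifier" type="dc:identifier" />
+</xs:sequence>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="exception">
+<xs:sequence>
+<xs:element name="message" minOccurs="0" maxOccurs="unbounded" />
+<xs:element name="stackTrace" minOccurs="0" maxOccurs="unbounded">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="trace" minOccurs="0" maxOccurs="unbounded" />
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="innerException" minOccurs="0" maxOccurs="unbounded">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="message" minOccurs="0" maxOccurs="unbounded" />
+<xs:element name="stackTrace" minOccurs="0" maxOccurs="unbounded">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="trace" minOccurs="0" maxOccurs="unbounded" />
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="evidence">
+<xs:sequence>
+<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="value" type="xs:string" minOccurs="1" maxOccurs="1" />
+</xs:sequence>
+<xs:attribute name="type" type="xs:string" use="required" />
+<xs:attribute name="confidence" type="xs:string" use="required" />
+</xs:complexType>
+<xs:complexType name="reference">
+<xs:sequence>
+<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="software">
+<xs:simpleContent>
+<xs:extension base="xs:string">
+<xs:attribute name="allPreviousVersion" type="xs:boolean" />
+</xs:extension>
+</xs:simpleContent>
+</xs:complexType>
+<xs:complexType name="vulnerability">
+<xs:sequence>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="cvssScore" type="xs:decimal" minOccurs="1" maxOccurs="1" />
+<xs:element name="cvssAccessVector" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="cvssAccessComplexity" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="cvssAuthenticationr" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="cvssConfidentialImpact" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="cvssIntegrityImpact" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="cvssAvailabilityImpact" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="references" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="reference" type="dc:reference" />
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="software" type="dc:software" />
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+<xs:attribute name="source" type="xs:string" use="required" />
+</xs:complexType>
+<xs:complexType name="dependency">
+<xs:sequence>
+<xs:element name="fileName" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="filePath" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="md5" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="sha1" type="xs:string" minOccurs="1" maxOccurs="1" />
+<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="license" type="xs:string" minOccurs="0" maxOccurs="1" />
+<xs:element name="relatedDependencies" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="relatedDependency" type="dc:relatedDependency" />
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="analysisExceptions" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="exception" type="dc:exception"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="evidenceCollected" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="evidence" type="dc:evidence"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="identifiers" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="identifier" type="dc:identifier" />
+</xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="suppressedIdentifier" type="dc:identifier"/>
+</xs:sequence>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="vulnerability" type="dc:vulnerability"/>
+</xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="suppressedVulnerability" type="dc:vulnerability"/>
+</xs:sequence>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+<xs:attribute name="isVirtual" type="xs:boolean" use="required" />
+</xs:complexType>
+
+<xs:element name="analysis">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="scanInfo" type="dc:scanInfo"/>
+<xs:element name="projectInfo" type="dc:projectInfo"/>
+<xs:element name="dependencies">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="dependency" type="dc:dependency"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:schema>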
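Review bot: The `relatedDependency` complex type (filePath/sha1/md5/identifier) declares no `isVirtual` attribute, yet the XML report template in this same commit emits `<relatedDependency isVirtual="...">` (the `@@ -59,7 +59,7 @@` hunk further down); unless that attribute is declared somewhere outside this view, any report containing related dependencies will fail validation against the 1.6 schema, including in ReportGeneratorIT's schema check. Add `<xs:attribute name="isVirtual" type="xs:boolean" use="required" />` after the closing `</xs:sequence>` of `relatedDependency`, mirroring the `dependency` type. Separately, `cvssAuthenticationr` looks like a typo for `cvssAuthentication`; the JSON template carries the same key, so it is presumably kept for compatibility, but a new namespace is the natural point to rename it or to annotate it as intentional. The `message` and `trace` elements under `exception` carry no `type`, so they accept arbitrary child content; `type="xs:string"` would match their sibling elements.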
@@ -17,11 +17,11 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
|
||||
|
||||
@author Jeremy Long <jeremy.long@owasp.org>
|
||||
@version 1 *###
|
||||
"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Severity","CVSSv2"
|
||||
"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","Severity","CVSSv2"
|
||||
#macro(writeSev $score)#if($score<4.0)"Low"#elseif($score>=7.0)"High"#else"Medium"#end#end
|
||||
#foreach($dependency in $dependencies)#if($dependency.getVulnerabilities().size()>0)
|
||||
#foreach($vuln in $dependency.getVulnerabilities())
|
||||
$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),#if($dependency.FilePath)$enc.csv($dependency.FilePath)#end,#if($dependency.description)$enc.csv($dependency.description)#end,#if($dependency.license)$enc.csv($dependency.license)#end,#if($dependency.Md5sum)$enc.csv($dependency.Md5sum)#end,#if($dependency.Sha1sum)$enc.csv($dependency.Sha1sum)#end,#if($dependency.identifiers)$enc.csvIdentifiers($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpe($dependency.identifiers)#end,#if($vuln.name)$enc.csv($vuln.name)#end,#if($dependency.cwe)$enc.csv($vuln.cwe)#end,#if($vuln.description)$enc.csv($vuln.description)#end,#writeSev($vuln.cvssScore),$vuln.cvssScore
|
||||
$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),#if($dependency.FilePath)$enc.csv($dependency.FilePath)#end,#if($dependency.description)$enc.csv($dependency.description)#end,#if($dependency.license)$enc.csv($dependency.license)#end,#if($dependency.Md5sum)$enc.csv($dependency.Md5sum)#end,#if($dependency.Sha1sum)$enc.csv($dependency.Sha1sum)#end,#if($dependency.identifiers)$enc.csvIdentifiers($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpe($dependency.identifiers)#end,#if($vuln.name)$enc.csv($vuln.name)#end,#if($dependency.cwe)$enc.csv($vuln.cwe)#end,#if($vuln.description)$enc.csv($vuln.description)#end,#if($vuln.getSource().name())$enc.csv($vuln.getSource().name())#end,#writeSev($vuln.cvssScore),$vuln.cvssScore
|
||||
#end
|
||||
#end
|
||||
#end
|
||||
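Review bot: The rewritten row still guards the CWE cell on the wrong object: `#if($dependency.cwe)$enc.csv($vuln.cwe)#end` tests `$dependency.cwe` but emits `$vuln.cwe`, so unless `Dependency` exposes a `cwe` property (not shown here) the column is always empty; change it to `#if($vuln.cwe)$enc.csv($vuln.cwe)#end`. The new Source cell lines up with the header change, but `#if($vuln.getSource().name())$enc.csv($vuln.getSource().name())#end` walks the same call chain twice; a `#set($src = $vuln.getSource().name())` before the row would evaluate it once and read more clearly.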
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"reportSchema": "1.0",
|
||||
"reportSchema": "1.1",
|
||||
"scanInfo": {
|
||||
"engineVersion": "$version",
|
||||
"dataSource": [
|
||||
@@ -24,6 +24,7 @@
|
||||
},
|
||||
"dependencies": [
|
||||
#foreach($dependency in $dependencies)#if($foreach.count > 1),#end{
|
||||
"isVirtual": #if($dependency.isVirtual)true#{else}false#end,
|
||||
"fileName": "$enc.json($dependency.DisplayFileName)",
|
||||
"filePath": "$enc.json($dependency.FilePath)",
|
||||
"md5": "$enc.json($dependency.Md5sum)",
|
||||
@@ -33,6 +34,7 @@
|
||||
#if ($dependency.getRelatedDependencies().size()>0)
|
||||
,"relatedDependencies": [
|
||||
#foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end {
|
||||
"isVirtual": #if($dependency.isVirtual)true#{else}false#end,
|
||||
"filePath": "$enc.json($related.FilePath)",
|
||||
"sha1": "#if($related.Sha1sum)$enc.json($related.Sha1sum)#end",
|
||||
"md5": "#if($related.Md5sum)$enc.json($related.Md5sum)#end"#if($related.getIdentifiers()),
|
||||
@@ -132,6 +134,7 @@
|
||||
#if($dependency.getVulnerabilities().size()>0)
|
||||
,"vulnerabilities": [
|
||||
#foreach($vuln in $dependency.getVulnerabilities())#if($foreach.count > 1),#end {
|
||||
"source": "$enc.json($vuln.getSource().name())",
|
||||
"name": "$enc.json($vuln.name)",
|
||||
"cvssScore": "$vuln.cvssScore",
|
||||
#if ($vuln.getSource().name().equals("NVD"))
|
||||
@@ -169,14 +172,17 @@
|
||||
#if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
|
||||
,"suppressedVulnerabilities": [
|
||||
#foreach($vuln in $dependency.getSuppressedVulnerabilities())#if($foreach.count > 1),#end {
|
||||
"source": "$enc.json($vuln.getSource().name())",
|
||||
"name": "$enc.json($vuln.name)",
|
||||
"cvssScore": "$vuln.cvssScore",
|
||||
"cvssAccessVector": "$enc.json($vuln.cvssAccessVector)",
|
||||
"cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)",
|
||||
"cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)",
|
||||
"cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)",
|
||||
"cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)",
|
||||
"cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)",
|
||||
#if ($vuln.getSource().name().equals("NVD"))
|
||||
"cvssAccessVector": "$enc.json($vuln.cvssAccessVector)",
|
||||
"cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)",
|
||||
"cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)",
|
||||
"cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)",
|
||||
"cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)",
|
||||
"cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)",
|
||||
#end
|
||||
#if ($vuln.cvssScore<4.0) "severity": "Low",
|
||||
#elseif ($vuln.cvssScore>=7.0) "severity": "High",
|
||||
#else "severity": "Medium",
|
||||
|
||||
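Review bot: In the `@@ -33,6 +34,7 @@` hunk the related-dependency entry reports the parent's flag: `"isVirtual": #if($dependency.isVirtual)true#{else}false#end,` sits inside `#foreach($related in ...)` and should read `"isVirtual": #if($related.isVirtual)true#{else}false#end,`, as the XML template does in this same commit. The `@@ -169,14 +172,17 @@` hunk opens with the pre-existing condition `#if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)`, which repeats the same operand; one copy is redundant, or one of them was meant to be a different getter. The new `"source": "$enc.json($vuln.getSource().name())"` lines assume `getSource()` never returns null; if it can, Velocity would leave the unresolved reference inside the quotes and corrupt the JSON, so either a guard or a documented non-null contract on the getter is worth confirming.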
@@ -19,7 +19,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
@version 1.2
|
||||
|
||||
*#<?xml version="1.0"?>
|
||||
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.5.xsd">
|
||||
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.6.xsd">
|
||||
<scanInfo>
|
||||
<engineVersion>$version</engineVersion>
|
||||
#foreach($prop in $properties.getMetaData().entrySet())
|
||||
@@ -45,7 +45,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
</projectInfo>
|
||||
<dependencies>
|
||||
#foreach($dependency in $dependencies)
|
||||
<dependency>
|
||||
<dependency isVirtual="#if($dependency.isVirtual)true#{else}false#end">
|
||||
<fileName>$enc.xml($dependency.DisplayFileName)</fileName>
|
||||
<filePath>$enc.xml($dependency.FilePath)</filePath>
|
||||
<md5>$enc.xml($dependency.Md5sum)</md5>
|
||||
@@ -59,7 +59,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
#if ($dependency.getRelatedDependencies().size()>0)
|
||||
<relatedDependencies>
|
||||
#foreach($related in $dependency.getRelatedDependencies())
|
||||
<relatedDependency>
|
||||
<relatedDependency isVirtual="#if($related.isVirtual)true#{else}false#end">
|
||||
<filePath>$enc.xml($related.FilePath)</filePath>
|
||||
<sha1>#if($related.Sha1sum)$enc.xml($related.Sha1sum)#end</sha1>
|
||||
<md5>#if($related.Md5sum)$enc.xml($related.Md5sum)#end</md5>
|
||||
@@ -141,8 +141,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
#if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
|
||||
<vulnerabilities>
|
||||
#foreach($vuln in $dependency.getVulnerabilities())
|
||||
<vulnerability>
|
||||
<name>#if($vuln.getSource().name().equals("NSP"))NSP-#end$enc.xml($vuln.name)</name>
|
||||
<vulnerability source="$enc.xml($vuln.getSource().name())">
|
||||
<name>$enc.xml($vuln.name)</name>
|
||||
<cvssScore>$vuln.cvssScore</cvssScore>
|
||||
<cvssAccessVector>#if($vuln.cvssAccessVector)$enc.xml($vuln.cvssAccessVector)#end</cvssAccessVector>
|
||||
<cvssAccessComplexity>#if($vuln.cvssAccessComplexity)$enc.xml($vuln.cvssAccessComplexity)#end</cvssAccessComplexity>
|
||||
@@ -181,7 +181,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
</vulnerability>
|
||||
#end
|
||||
#foreach($vuln in $dependency.getSuppressedVulnerabilities())
|
||||
<suppressedVulnerability>
|
||||
<suppressedVulnerability source="$enc.xml($vuln.getSource().name())">
|
||||
<name>$enc.xml($vuln.name)</name>
|
||||
<cvssScore>$vuln.cvssScore</cvssScore>
|
||||
<cvssAccessVector>$enc.xml($vuln.cvssAccessVector)</cvssAccessVector>
|
||||
|
||||
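Review bot: Dropping the `NSP-` prefix from `<name>` (old `#if($vuln.getSource().name().equals("NSP"))NSP-#end` → plain `$enc.xml($vuln.name)`) moves the origin into the new `source` attribute, so consumers that matched on the prefix silently stop distinguishing NSP advisories; that is defensible under the 1.6 namespace bump but deserves an explicit changelog mention. In the `@@ -181,7 +181,7 @@` hunk the context line `<cvssAccessVector>$enc.xml($vuln.cvssAccessVector)</cvssAccessVector>` is not null-guarded like its `#if(...)` counterpart in the vulnerability block; now that non-NVD sources are first-class, a suppressed entry without a vector may render the unresolved reference, so the same guard should be applied. Both enclosing `#foreach` loops start and end outside these hunks.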
@@ -78,7 +78,7 @@ public class ReportGeneratorIT extends BaseDBTestCase {
|
||||
|
||||
engine.close();
|
||||
|
||||
InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.5.xsd");
|
||||
InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.6.xsd");
|
||||
StreamSource xsdSource = new StreamSource(xsdStream);
|
||||
StreamSource xmlSource = new StreamSource(writeTo);
|
||||
SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
||||
|
||||
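Review bot: `xsdStream` obtained from `getResourceAsStream("schema/dependency-check.1.6.xsd")` is never closed, and if the resource is missing the null only surfaces later as an opaque parser error; wrap it in try-with-resources and fail early, e.g. `try (InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.6.xsd")) {` followed by `assertNotNull(xsdStream);` (assuming BaseDBTestCase is JUnit-based) before building the `StreamSource`. The enclosing test method starts and ends outside the hunk. The `SchemaFactory` built from `XMLConstants.W3C_XML_SCHEMA_NS_URI` resolves external references by default; the report is locally generated so this is a test-only concern, but setting `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` to `""` on the factory keeps validation offline and deterministic.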