diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index e38b9c458..ab89d76d3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -661,6 +661,16 @@ public class Dependency extends EvidenceCollection implements Serializable, Comp
this.availableVersions.add(version);
}
+ /**
+ * Returns whether or not this dependency is virtual or not. Virtual
+ * dependencies are specified during object constructor. No setter.
+ *
+ * @return true if Dependency is virtual, false if not
+ */
+ public boolean isVirtual() {
+ return isVirtual;
+ }
+
/**
* Implementation of the Comparable<Dependency> interface. The
* comparison is solely based on the file path.
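Review bot: The Javadoc on `isVirtual()` never says what makes a dependency virtual, and its summary sentence is hard to read ("whether or not ... or not", "during object constructor"). Suggested wording: `Returns whether this dependency is virtual. The flag is set in the constructor and cannot be changed afterwards.`, followed by one sentence defining "virtual" for readers of the reports that now expose the flag. The `isVirtual` field is declared outside this hunk, so its initialisation cannot be checked from here.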
diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd
new file mode 100644
index 000000000..97f5af692
--- /dev/null
+++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd
@@ -0,0 +1,205 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/dependency-check-core/src/main/resources/templates/csvReport.vsl b/dependency-check-core/src/main/resources/templates/csvReport.vsl
index 99c2758a1..6348b5606 100644
--- a/dependency-check-core/src/main/resources/templates/csvReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/csvReport.vsl
@@ -17,11 +17,11 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
@author Jeremy Long
@version 1 *###
-"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Severity","CVSSv2"
+"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","Severity","CVSSv2"
#macro(writeSev $score)#if($score<4.0)"Low"#elseif($score>=7.0)"High"#else"Medium"#end#end
#foreach($dependency in $dependencies)#if($dependency.getVulnerabilities().size()>0)
#foreach($vuln in $dependency.getVulnerabilities())
-$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),#if($dependency.FilePath)$enc.csv($dependency.FilePath)#end,#if($dependency.description)$enc.csv($dependency.description)#end,#if($dependency.license)$enc.csv($dependency.license)#end,#if($dependency.Md5sum)$enc.csv($dependency.Md5sum)#end,#if($dependency.Sha1sum)$enc.csv($dependency.Sha1sum)#end,#if($dependency.identifiers)$enc.csvIdentifiers($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpe($dependency.identifiers)#end,#if($vuln.name)$enc.csv($vuln.name)#end,#if($dependency.cwe)$enc.csv($vuln.cwe)#end,#if($vuln.description)$enc.csv($vuln.description)#end,#writeSev($vuln.cvssScore),$vuln.cvssScore
+$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),#if($dependency.FilePath)$enc.csv($dependency.FilePath)#end,#if($dependency.description)$enc.csv($dependency.description)#end,#if($dependency.license)$enc.csv($dependency.license)#end,#if($dependency.Md5sum)$enc.csv($dependency.Md5sum)#end,#if($dependency.Sha1sum)$enc.csv($dependency.Sha1sum)#end,#if($dependency.identifiers)$enc.csvIdentifiers($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpe($dependency.identifiers)#end,#if($vuln.name)$enc.csv($vuln.name)#end,#if($dependency.cwe)$enc.csv($vuln.cwe)#end,#if($vuln.description)$enc.csv($vuln.description)#end,#if($vuln.getSource().name())$enc.csv($vuln.getSource().name())#end,#writeSev($vuln.cvssScore),$vuln.cvssScore
#end
#end
#end
\ No newline at end of file
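Review bot: Inserting `"Source"` between `"Vulnerability"` and `"Severity"` shifts the last two columns, so a consumer that reads this report by column position would take the source name as the severity. Appending the new column after `"CVSSv2"`, in both the header and the row, keeps the existing positions stable. On the same rewritten row the CWE cell is still guarded by `#if($dependency.cwe)` while it prints `$vuln.cwe`; the guard probably should read `#if($vuln.cwe)$enc.csv($vuln.cwe)#end`.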
diff --git a/dependency-check-core/src/main/resources/templates/jsonReport.vsl b/dependency-check-core/src/main/resources/templates/jsonReport.vsl
index 513c52ab9..ef69987dc 100644
--- a/dependency-check-core/src/main/resources/templates/jsonReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/jsonReport.vsl
@@ -1,5 +1,5 @@
{
- "reportSchema": "1.0",
+ "reportSchema": "1.1",
"scanInfo": {
"engineVersion": "$version",
"dataSource": [
@@ -24,6 +24,7 @@
},
"dependencies": [
#foreach($dependency in $dependencies)#if($foreach.count > 1),#end{
+ "isVirtual": #if($dependency.isVirtual)true#{else}false#end,
"fileName": "$enc.json($dependency.DisplayFileName)",
"filePath": "$enc.json($dependency.FilePath)",
"md5": "$enc.json($dependency.Md5sum)",
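Review bot: The property shorthand `$dependency.isVirtual` is unlikely to reach the `isVirtual()` getter this commit adds, because Velocity normally resolves it to `getIsVirtual()` or `isIsVirtual()`. Unless the field is exposed some other way, the condition is probably always false and every dependency is reported as `"isVirtual": false`. Calling the method explicitly avoids the ambiguity: `"isVirtual": #if($dependency.isVirtual())true#{else}false#end,`. The same expression is used in the `relatedDependencies` hunk below.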
@@ -33,6 +34,7 @@
#if ($dependency.getRelatedDependencies().size()>0)
,"relatedDependencies": [
#foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end {
+ "isVirtual": #if($dependency.isVirtual)true#{else}false#end,
"filePath": "$enc.json($related.FilePath)",
"sha1": "#if($related.Sha1sum)$enc.json($related.Sha1sum)#end",
"md5": "#if($related.Md5sum)$enc.json($related.Md5sum)#end"#if($related.getIdentifiers()),
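Review bot: The added `isVirtual` line inside `#foreach($related in ...)` tests `$dependency`, so each related entry reports the parent's flag rather than its own. Every other field in this object reads from `$related`, so the line should presumably be `"isVirtual": #if($related.isVirtual())true#{else}false#end,`. The loop body continues outside the hunk.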
@@ -132,6 +134,7 @@
#if($dependency.getVulnerabilities().size()>0)
,"vulnerabilities": [
#foreach($vuln in $dependency.getVulnerabilities())#if($foreach.count > 1),#end {
+ "source": "$enc.json($vuln.getSource().name())",
"name": "$enc.json($vuln.name)",
"cvssScore": "$vuln.cvssScore",
#if ($vuln.getSource().name().equals("NVD"))
@@ -169,14 +172,17 @@
#if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
,"suppressedVulnerabilities": [
#foreach($vuln in $dependency.getSuppressedVulnerabilities())#if($foreach.count > 1),#end {
+ "source": "$enc.json($vuln.getSource().name())",
"name": "$enc.json($vuln.name)",
"cvssScore": "$vuln.cvssScore",
- "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)",
- "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)",
- "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)",
- "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)",
- "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)",
- "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)",
+ #if ($vuln.getSource().name().equals("NVD"))
+ "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)",
+ "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)",
+ "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)",
+ "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)",
+ "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)",
+ "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)",
+ #end
#if ($vuln.cvssScore<4.0) "severity": "Low",
#elseif ($vuln.cvssScore>=7.0) "severity": "High",
#else "severity": "Medium",
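Review bot: The re-added CVSS lines keep the misspelled key `"cvssAuthenticationr"`, so consumers of the suppressed-vulnerability block still have to match the typo. Since this commit already bumps `reportSchema` to 1.1, it is a natural point to emit `"cvssAuthentication": "$enc.json($vuln.cvssAuthentication)",` instead. The matching block for non-suppressed vulnerabilities is outside this hunk, so confirm that both sections use the same key. Consumers should also expect the six CVSS vector fields to be absent for non-NVD entries now that they sit behind the `#if`.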
diff --git a/dependency-check-core/src/main/resources/templates/xmlReport.vsl b/dependency-check-core/src/main/resources/templates/xmlReport.vsl
index 63943e721..e7068b110 100644
--- a/dependency-check-core/src/main/resources/templates/xmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/xmlReport.vsl
@@ -19,7 +19,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@version 1.2
*#
-
+
$version
#foreach($prop in $properties.getMetaData().entrySet())
@@ -45,7 +45,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#foreach($dependency in $dependencies)
-
+
$enc.xml($dependency.DisplayFileName)
$enc.xml($dependency.FilePath)
$enc.xml($dependency.Md5sum)
@@ -59,7 +59,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#if ($dependency.getRelatedDependencies().size()>0)
#foreach($related in $dependency.getRelatedDependencies())
-
+
$enc.xml($related.FilePath)
#if($related.Sha1sum)$enc.xml($related.Sha1sum)#end
#if($related.Md5sum)$enc.xml($related.Md5sum)#end
@@ -141,8 +141,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
#foreach($vuln in $dependency.getVulnerabilities())
-
- #if($vuln.getSource().name().equals("NSP"))NSP-#end$enc.xml($vuln.name)
+
+ $enc.xml($vuln.name)
$vuln.cvssScore
#if($vuln.cvssAccessVector)$enc.xml($vuln.cvssAccessVector)#end
#if($vuln.cvssAccessComplexity)$enc.xml($vuln.cvssAccessComplexity)#end
@@ -181,7 +181,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#end
#foreach($vuln in $dependency.getSuppressedVulnerabilities())
-
+
$enc.xml($vuln.name)
$vuln.cvssScore
$enc.xml($vuln.cvssAccessVector)
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
index c95212b36..289691262 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
@@ -78,7 +78,7 @@ public class ReportGeneratorIT extends BaseDBTestCase {
engine.close();
- InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.5.xsd");
+ InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.6.xsd");
StreamSource xsdSource = new StreamSource(xsdStream);
StreamSource xmlSource = new StreamSource(writeTo);
SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);