From 1b1debdb30f6b570f0361a5846980afde58e8e48 Mon Sep 17 00:00:00 2001
From: stevespringett
Date: Fri, 8 Sep 2017 00:58:27 -0500
Subject: [PATCH 1/2] Minor modifications to CSV, JSON, and XML reports to include Dependency.isVirtual and Vulnerability.Source
---
 .../dependency/Dependency.java | 10 +
 .../resources/schema/dependency-check.1.6.xsd | 205 ++++++++++++++++++
 .../main/resources/templates/csvReport.vsl | 4 +-
 .../main/resources/templates/jsonReport.vsl | 20 +-
 .../main/resources/templates/xmlReport.vsl | 12 +-
 5 files changed, 236 insertions(+), 15 deletions(-)
 create mode 100644 dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index 08705b62d..6beb4a9c1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -738,6 +738,16 @@ public class Dependency implements Serializable, Comparable {
 this.availableVersions.add(version);
 }

+ /**
+ * Returns whether or not this dependency is virtual or not. Virtual
+ * dependencies are specified during object constructor. No setter.
+ *
+ * @return true if Dependency is virtual, false if not
+ */
+ public boolean isVirtual() {
+ return isVirtual;
+ }
+
 /**
 * Implementation of the Comparable<Dependency> interface. The
 * comparison is solely based on the file path.
diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd
new file mode 100644
index 000000000..39064a3f8
--- /dev/null
+++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd
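Review bot: The Javadoc on the new isVirtual() getter says "whether or not ... or not" and "specified during object constructor", which reads awkwardly and does not say what a virtual dependency is; suggest `Returns whether this dependency is virtual. The flag can only be set through the constructor; there is no setter.` The `isVirtual` field the getter returns is declared outside this hunk, so its type and initialization are not visible here; if it is not `private final`, a `final` would make the "no setter" promise hold at the language level rather than by convention. Consider also adding a one-line statement of what "virtual" means for report consumers, since the CSV/JSON/XML templates in this same patch now expose the value.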
@@ -0,0 +1,205 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/dependency-check-core/src/main/resources/templates/csvReport.vsl b/dependency-check-core/src/main/resources/templates/csvReport.vsl index 99c2758a1..6348b5606 100644 --- a/dependency-check-core/src/main/resources/templates/csvReport.vsl +++ b/dependency-check-core/src/main/resources/templates/csvReport.vsl 
@@ -17,11 +17,11 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. @author Jeremy Long @version 1 *### -"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Severity","CVSSv2" +"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","Severity","CVSSv2" #macro(writeSev $score)#if($score<4.0)"Low"#elseif($score>=7.0)"High"#else"Medium"#end#end #foreach($dependency in $dependencies)#if($dependency.getVulnerabilities().size()>0) #foreach($vuln in $dependency.getVulnerabilities()) -$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),#if($dependency.FilePath)$enc.csv($dependency.FilePath)#end,#if($dependency.description)$enc.csv($dependency.description)#end,#if($dependency.license)$enc.csv($dependency.license)#end,#if($dependency.Md5sum)$enc.csv($dependency.Md5sum)#end,#if($dependency.Sha1sum)$enc.csv($dependency.Sha1sum)#end,#if($dependency.identifiers)$enc.csvIdentifiers($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpe($dependency.identifiers)#end,#if($vuln.name)$enc.csv($vuln.name)#end,#if($dependency.cwe)$enc.csv($vuln.cwe)#end,#if($vuln.description)$enc.csv($vuln.description)#end,#writeSev($vuln.cvssScore),$vuln.cvssScore 
+$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),#if($dependency.FilePath)$enc.csv($dependency.FilePath)#end,#if($dependency.description)$enc.csv($dependency.description)#end,#if($dependency.license)$enc.csv($dependency.license)#end,#if($dependency.Md5sum)$enc.csv($dependency.Md5sum)#end,#if($dependency.Sha1sum)$enc.csv($dependency.Sha1sum)#end,#if($dependency.identifiers)$enc.csvIdentifiers($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpe($dependency.identifiers)#end,#if($vuln.name)$enc.csv($vuln.name)#end,#if($dependency.cwe)$enc.csv($vuln.cwe)#end,#if($vuln.description)$enc.csv($vuln.description)#end,#if($vuln.getSource().name())$enc.csv($vuln.getSource().name())#end,#writeSev($vuln.cvssScore),$vuln.cvssScore #end #end #end \ No newline at end of file diff --git a/dependency-check-core/src/main/resources/templates/jsonReport.vsl b/dependency-check-core/src/main/resources/templates/jsonReport.vsl index 513c52ab9..ef69987dc 100644 --- a/dependency-check-core/src/main/resources/templates/jsonReport.vsl +++ b/dependency-check-core/src/main/resources/templates/jsonReport.vsl @@ -1,5 +1,5 @@ { - "reportSchema": "1.0", + "reportSchema": "1.1", "scanInfo": { "engineVersion": "$version", "dataSource": [ @@ -24,6 +24,7 @@ }, "dependencies": [ #foreach($dependency in $dependencies)#if($foreach.count > 1),#end{ + "isVirtual": #if($dependency.isVirtual)true#{else}false#end, "fileName": "$enc.json($dependency.DisplayFileName)", "filePath": "$enc.json($dependency.FilePath)", "md5": "$enc.json($dependency.Md5sum)", 
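Review bot: The rewritten CSV row line still emits the CWE column as `#if($dependency.cwe)$enc.csv($vuln.cwe)#end`, guarding on `$dependency` while the value comes from `$vuln`; if Dependency has no `cwe` property the guard is always false and the column is silently empty, so it should be `#if($vuln.cwe)$enc.csv($vuln.cwe)#end`. This was already wrong on the removed line, but since the whole row is rewritten here to add the Source column it is the natural place to correct it. The new Source cell guards `$vuln.getSource().name()` with `#if`, whereas the JSON report hunks in this patch write the same value unguarded; it would be worth settling on one behavior for a null source across the three templates. The `#foreach`/`#if` nesting that this row sits in opens in the hunk and is closed by the trailing `#end #end #end`, so the column count of header and row can be checked in place: both now have sixteen fields.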
@@ -33,6 +34,7 @@ #if ($dependency.getRelatedDependencies().size()>0) ,"relatedDependencies": [ #foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end { + "isVirtual": #if($dependency.isVirtual)true#{else}false#end, "filePath": "$enc.json($related.FilePath)", "sha1": "#if($related.Sha1sum)$enc.json($related.Sha1sum)#end", "md5": "#if($related.Md5sum)$enc.json($related.Md5sum)#end"#if($related.getIdentifiers()), @@ -132,6 +134,7 @@ #if($dependency.getVulnerabilities().size()>0) ,"vulnerabilities": [ #foreach($vuln in $dependency.getVulnerabilities())#if($foreach.count > 1),#end { + "source": "$enc.json($vuln.getSource().name())", "name": "$enc.json($vuln.name)", "cvssScore": "$vuln.cvssScore", #if ($vuln.getSource().name().equals("NVD")) 
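Review bot: Inside `#foreach($related in $dependency.getRelatedDependencies())` the added line reads `"isVirtual": #if($dependency.isVirtual)true#{else}false#end,`, so every related dependency reports the parent's flag instead of its own; it should be `"isVirtual": #if($related.isVirtual)true#{else}false#end,`, matching the `$related.FilePath`/`$related.Sha1sum` references on the neighboring lines. The xmlReport.vsl related-dependencies hunk (@@ -59,7) appears to add the same attribute, but its markup is not legible on this page, so please check it for the same copy-paste. The hunk at @@ -132,6 adds `"source": "$enc.json($vuln.getSource().name())"` without the `#if` guard the CSV template uses; if a Vulnerability can have a null source, Velocity will render the literal reference text into the JSON string rather than an empty value.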
@@ -169,14 +172,17 @@ #if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) ,"suppressedVulnerabilities": [ #foreach($vuln in $dependency.getSuppressedVulnerabilities())#if($foreach.count > 1),#end { + "source": "$enc.json($vuln.getSource().name())", "name": "$enc.json($vuln.name)", "cvssScore": "$vuln.cvssScore", - "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", - "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", - "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", - "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", - "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", - "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", + #if ($vuln.getSource().name().equals("NVD")) + "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", + "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", + "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", + "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", + "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", + "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", + #end #if ($vuln.cvssScore<4.0) "severity": "Low", #elseif ($vuln.cvssScore>=7.0) "severity": "High", #else "severity": "Medium", diff --git a/dependency-check-core/src/main/resources/templates/xmlReport.vsl b/dependency-check-core/src/main/resources/templates/xmlReport.vsl index 63943e721..e7068b110 100644 --- a/dependency-check-core/src/main/resources/templates/xmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/xmlReport.vsl @@ -19,7 +19,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. @version 1.2 *# - + $version #foreach($prop in $properties.getMetaData().entrySet()) 
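Review bot: The rewritten CVSS lines in the suppressedVulnerabilities block carry over the key `"cvssAuthenticationr"` (trailing `r`), which looks like a typo for `"cvssAuthentication"`; since this patch already bumps `reportSchema` to 1.1 it is the cheapest moment to rename it, but the vulnerabilities block outside this hunk would have to change in step and any consumer of the JSON report checked first. The enclosing condition shown in the hunk header, `#if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)`, repeats the same operand twice; it is harmless as written but probably meant `getVulnerabilities()` on one side, and it lies outside the hunk so I cannot confirm the intent. The new `#if ($vuln.getSource().name().equals("NVD"))` wrapper is fine for JSON validity because every line inside it ends with a comma and the `severity` line that follows does too.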
@@ -45,7 +45,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #foreach($dependency in $dependencies) - + $enc.xml($dependency.DisplayFileName) $enc.xml($dependency.FilePath) $enc.xml($dependency.Md5sum) @@ -59,7 +59,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #if ($dependency.getRelatedDependencies().size()>0) #foreach($related in $dependency.getRelatedDependencies()) - + $enc.xml($related.FilePath) #if($related.Sha1sum)$enc.xml($related.Sha1sum)#end #if($related.Md5sum)$enc.xml($related.Md5sum)#end @@ -141,8 +141,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) #foreach($vuln in $dependency.getVulnerabilities()) - - #if($vuln.getSource().name().equals("NSP"))NSP-#end$enc.xml($vuln.name) + + $enc.xml($vuln.name) $vuln.cvssScore #if($vuln.cvssAccessVector)$enc.xml($vuln.cvssAccessVector)#end #if($vuln.cvssAccessComplexity)$enc.xml($vuln.cvssAccessComplexity)#end @@ -181,7 +181,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end #foreach($vuln in $dependency.getSuppressedVulnerabilities()) - + $enc.xml($vuln.name) $vuln.cvssScore $enc.xml($vuln.cvssAccessVector) From bbd59be1d6da1484d80e00ffe13564d08b122ce1 Mon Sep 17 00:00:00 2001 From: stevespringett Date: Fri, 8 Sep 2017 10:06:32 -0500 Subject: [PATCH 2/2] Minor modification to XML schema and unit test. --- .../src/main/resources/schema/dependency-check.1.6.xsd | 4 ++-- .../owasp/dependencycheck/reporting/ReportGeneratorIT.java | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd index 39064a3f8..97f5af692 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd 
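Review bot: In the @@ -141,8 hunk the vulnerability name line changes from `#if($vuln.getSource().name().equals("NSP"))NSP-#end$enc.xml($vuln.name)` to `$enc.xml($vuln.name)`, which changes the value XML consumers see for NSP findings; the element markup was stripped from this page, so I assume the source moved into an attribute, but that should be stated in the commit message or changelog alongside the 1.6 schema bump so anyone matching on the `NSP-` prefix knows why it disappeared. The other xmlReport.vsl hunks in this file section (@@ -19, @@ -45, @@ -59, @@ -181) only show removed and added element tags whose text is not legible here, so they could not be reviewed.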
@@ -2,8 +2,8 @@ + targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-check.1.6.xsd" + xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-check.1.6.xsd"> diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java index 719ba17b6..68620672b 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java @@ -78,7 +78,7 @@ public class ReportGeneratorIT extends BaseDBTestCase { engine.cleanup(); - InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.5.xsd"); + InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.6.xsd"); StreamSource xsdSource = new StreamSource(xsdStream); StreamSource xmlSource = new StreamSource(writeTo); SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
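Review bot: The changed line `InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.6.xsd");` yields null when the new schema is not on the test classpath, and `new StreamSource(null)` only fails later during validation with an opaque error; add `assertNotNull("schema/dependency-check.1.6.xsd not found on classpath", xsdStream);` right after it, assuming the JUnit assertion is already in scope in this test class. The stream is also never closed; if the rest of the test method, which continues outside the hunk, allows it, a try-with-resources around the stream and the validation call would be cleaner. Nothing on the new side hardens the `SchemaFactory` on the following context line against external entity or DTD resolution, but since it validates a bundled schema and a report the test itself generated, that is acceptable here.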