simplified velocity report generation

Former-commit-id: 7c0f5bd492bce8a37c1633715d989970ee5b0d61
Jeremy Long
2014-04-02 06:52:26 -04:00
parent 987ed1cefc
commit 931f7d47ea
4 changed files with 230 additions and 74 deletions


@@ -26,15 +26,17 @@ import java.io.InputStream;
import java.io.InputStreamReader; import java.io.InputStreamReader;
import java.io.OutputStream; import java.io.OutputStream;
import java.io.OutputStreamWriter; import java.io.OutputStreamWriter;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List; import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context; import org.apache.velocity.context.Context;
import org.apache.velocity.runtime.RuntimeConstants; import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader; import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader;
import org.apache.velocity.tools.ToolManager;
import org.apache.velocity.tools.config.EasyFactoryConfiguration;
import org.owasp.dependencycheck.analyzer.Analyzer; import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
@@ -93,10 +95,20 @@ public class ReportGenerator {
engine.init(); engine.init();
DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
Date d = new Date();
String scanDate = dateFormat.format(d);
String scanDateXML = dateFormatXML.format(d);
EscapeTool enc = new EscapeTool();
context.put("applicationName", applicationName); context.put("applicationName", applicationName);
context.put("dependencies", dependencies); context.put("dependencies", dependencies);
context.put("analyzers", analyzers); context.put("analyzers", analyzers);
context.put("properties", properties); context.put("properties", properties);
context.put("scanDate", scanDate);
context.put("scanDateXML", scanDateXML);
context.put("enc", enc);
context.put("version", Settings.getString("application.version", "Unknown")); context.put("version", Settings.getString("application.version", "Unknown"));
} }
@@ -118,15 +130,15 @@ public class ReportGenerator {
* *
* @return a Velocity Context. * @return a Velocity Context.
*/ */
@edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "RV_RETURN_VALUE_IGNORED_INFERRED",
justification = "No plan to fix this style issue")
private Context createContext() { private Context createContext() {
final ToolManager manager = new ToolManager(); //REMOVED all of the velocity tools to simplify the engine trying to resolve issues running this in Jenkins
final Context c = manager.createContext(); // final ToolManager manager = new ToolManager();
final EasyFactoryConfiguration config = new EasyFactoryConfiguration(); // final Context c = manager.createContext();
config.addDefaultTools(); // final EasyFactoryConfiguration config = new EasyFactoryConfiguration();
config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool"); // config.addDefaultTools();
manager.configure(config); // config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
// manager.configure(config);
VelocityContext c = new VelocityContext();
return c; return c;
} }
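Review bot: The new `dateFormatXML` pattern `yyyy-MM-dd'T'HH:mm:ss.SSSZ` renders the zone as `-0400`, which is not a valid `xs:dateTime` offset (XML Schema wants `-04:00` or `Z`), so the `<reportDate>` written from `scanDateXML` will fail schema validation; if the build targets Java 7 or later, `yyyy-MM-dd'T'HH:mm:ss.SSSXXX` gives the ISO 8601 form, otherwise the offset needs a colon inserted after formatting. Both `SimpleDateFormat` instances are also created without a `Locale`, so `MMM`/`z` in the human-readable date follow the JVM default locale — `Locale.ENGLISH` would make the report stable across build agents. The method containing these lines starts and ends outside the hunk. In `createContext()`, the six commented-out `ToolManager` lines and the Jenkins note should be deleted rather than left in place (history keeps the old wiring), and the `RV_RETURN_VALUE_IGNORED_INFERRED` suppression added just above the method appears to have been for the removed `config.toolbox(...)` chain, so it is probably no longer needed — worth re-running the analyzer to confirm.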


@@ -471,26 +471,38 @@ implied or otherwise, with regard to the analysis or its use. Any use of the too
is at the users risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever is at the users risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p> arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
]]# ]]#
<h2 class="">Project:&nbsp;$esc.html($applicationName)</h2> <h2 class="">Project:&nbsp;$enc.html($applicationName)</h2>
<div class=""> <div class="">
#set($depCount=$dependencies.size()) #set($depCount=$dependencies.size())
#set($vulnDepCount=0)
#set($vulnCount=0) #set($vulnCount=0)
#set($vulnSuppressedCount=0)
#set($cpeSuppressedCount=0)
#foreach($dependency in $dependencies) #foreach($dependency in $dependencies)
#set($depCount=$depCount+$dependency.getRelatedDependencies().size()) #set($depCount=$depCount+$dependency.getRelatedDependencies().size())
#if($dependency.getVulnerabilities().size()>0) #if($dependency.getVulnerabilities().size()>0)
#set($vulnCount=$vulnCount+1) #set($vulnDepCount=$vulnDepCount+1)
#set($vulnCount=$vulnCount+$dependency.getVulnerabilities().size())
#end
#if($dependency.getSuppressedIdentifiers().size()>0)
#set($cpeSuppressedCount=$cpeSuppressedCount+1)
#end
#if($dependency.getSuppressedVulnerabilities().size()>0)
#set($vulnSuppressedCount=$vulnSuppressedCount+$dependency.getSuppressedVulnerabilities().size())
#end #end
#end #end
Scan Information (<a href="#" onclick="toggleDisplay(this, '.scaninfo'); return false;">show all</a>):<br/> Scan Information (<a href="#" onclick="toggleDisplay(this, '.scaninfo'); return false;">show all</a>):<br/>
<ul class="indent"> <ul class="indent">
<li><i>dependency-check version</i>: $version</li> <li><i>dependency-check version</i>: $version</li>
<li><i>Report Generated On</i>: $date</li> <li><i>Report Generated On</i>: $scanDate</li>
<li><i>Dependencies Scanned</i>:&nbsp;$depCount</li> <li><i>Dependencies Scanned</i>:&nbsp;$depCount</li>
<li><i>Vulnerable Dependencies</i>:&nbsp;$vulnCount</li> <li><i>Vulnerable Dependencies</i>:&nbsp;$vulnDepCount</li>
<li><i>Vulnerabilities Found</i>:&nbsp;$vulnCount</li>
<li><i>Vulnerabilities Suppressed</i>:&nbsp;$vulnSuppressedCount</li>
<li class="scaninfo">...</li> <li class="scaninfo">...</li>
#foreach($prop in $properties.getMetaData().entrySet()) #foreach($prop in $properties.getMetaData().entrySet())
<li class="scaninfo hidden"><i>$esc.html($prop.key)</i>: $esc.html($prop.value)</li> <li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
#end #end
</ul><br/> </ul><br/>
Dependency Display:&nbsp;<a href="#" onclick="toggleDisplay(this,'.notvulnerable'); return false;">show all</a><br/><br/> Dependency Display:&nbsp;<a href="#" onclick="toggleDisplay(this,'.notvulnerable'); return false;">show all</a><br/><br/>
@@ -499,11 +511,11 @@ arising out of or in connection with the use of this tool, the analysis performe
#foreach($dependency in $dependencies) #foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1) #set($lnkcnt=$lnkcnt+1)
<li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end"> <li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
<a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a> <a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.FileName)</a>
#if($dependency.getRelatedDependencies().size()>0) #if($dependency.getRelatedDependencies().size()>0)
<ul> <ul>
#foreach($related in $dependency.getRelatedDependencies()) #foreach($related in $dependency.getRelatedDependencies())
<li>$esc.html($related.FileName)</li> <li>$enc.html($related.FileName)</li>
#end #end
</ul> </ul>
#end #end
@@ -516,22 +528,22 @@ arising out of or in connection with the use of this tool, the analysis performe
#set($vsctr=0) ##counter to create unique groups for vulnerable software #set($vsctr=0) ##counter to create unique groups for vulnerable software
#foreach($dependency in $dependencies) #foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1) #set($lnkcnt=$lnkcnt+1)
<h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$esc.html($dependency.Sha1sum)"></a>$esc.html($dependency.FileName)</h3> <h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$enc.html($dependency.Sha1sum)"></a>$enc.html($dependency.FileName)</h3>
<div class="subsectioncontent#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"> <div class="subsectioncontent#if($dependency.getVulnerabilities().size()==0) notvulnerable#end">
#if ($dependency.description) #if ($dependency.description)
<p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p> <p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
#end #end
<p> <p>
#if ($dependency.license) #if ($dependency.license)
#if ($dependency.license.startsWith("http://")) #if ($dependency.license.startsWith("http://"))
<b>License:</b><pre class="indent"><a href="$esc.html($dependency.license)">$esc.html($dependency.license)</a></pre> <b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
#else #else
<b>License:</b><pre class="indent">$esc.html($dependency.license)</pre> <b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
#end #end
#end #end
<b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/> <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/> <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$esc.html($dependency.Sha1sum) <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
</p> </p>
#set($cnt=$cnt+1) #set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4> <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
@@ -539,7 +551,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<table class="lined fullwidth" border="0"> <table class="lined fullwidth" border="0">
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr> <tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
#foreach($evidence in $dependency.getEvidenceUsed()) #foreach($evidence in $dependency.getEvidenceUsed())
<tr><td>$esc.html($evidence.getSource())</td><td>$esc.html($evidence.getName())</td><td>$esc.html($evidence.getValue())</td></tr> <tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
#end #end
</table> </table>
</div> </div>
@@ -549,18 +561,18 @@ arising out of or in connection with the use of this tool, the analysis performe
<div id="content$cnt" class="subsectioncontent standardsubsection hidden"> <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<ul> <ul>
#foreach($related in $dependency.getRelatedDependencies()) #foreach($related in $dependency.getRelatedDependencies())
<li>$esc.html($related.FileName) <li>$enc.html($related.FileName)
<ul> <ul>
<li>File Path:&nbsp;$esc.html($related.FilePath)</li> <li>File Path:&nbsp;$enc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$esc.html($related.Sha1sum)</li> <li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$esc.html($related.Md5sum)</li> <li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
#foreach($id in $related.getIdentifiers()) #foreach($id in $related.getIdentifiers())
#if ($id.type=="maven") #if ($id.type=="maven")
#if( $id.url ) #if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here... ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li>$esc.html($id.type):&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a> <li>$enc.html($id.type):&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
#else #else
<li>$esc.html($id.type):&nbsp;$esc.html($id.value) <li>$enc.html($id.type):&nbsp;$enc.html($id.value)
#end #end
</li> </li>
#end #end
@@ -579,7 +591,7 @@ arising out of or in connection with the use of this tool, the analysis performe
#end #end
#end #end
<h4 id="header$cnt" class="subsectionheader white">Identifiers</h4> <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($cpevalue)" target="_blank">$esc.html($cpevalue)</a></h4> ##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
<div id="content$cnt" class="subsectioncontent standardsubsection"> <div id="content$cnt" class="subsectioncontent standardsubsection">
#if ($dependency.getIdentifiers().size()==0) #if ($dependency.getIdentifiers().size()==0)
<ul><li><b>None</b></li></ul> <ul><li><b>None</b></li></ul>
@@ -588,19 +600,19 @@ arising out of or in connection with the use of this tool, the analysis performe
#foreach($id in $dependency.getIdentifiers()) #foreach($id in $dependency.getIdentifiers())
#if( $id.url ) #if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here... ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li><b>$esc.html($id.type):</b>&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a> <li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
#else #else
<li><b>$esc.html($id.type):</b>&nbsp;$esc.html($id.value) <li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)
#end #end
#if ($id.confidence) #if ($id.confidence)
&nbsp;&nbsp;<i>Confidence</i>:$id.confidence &nbsp;&nbsp;<i>Confidence</i>:$id.confidence
#end #end
#if ($id.type=="cpe") #if ($id.type=="cpe")
##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet ##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileNameForJavaScript)', '$esc.html($dependency.Sha1sum)', 'cpe', '$esc.html($id.value)')">suppress</button> &nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
#end #end
#if ($id.description) #if ($id.description)
<br/>$esc.html($id.description) <br/>$enc.html($id.description)
#end #end
</li> </li>
#end #end
@@ -613,7 +625,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<div id="content$cnt" class="subsectioncontent standardsubsection"> <div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getVulnerabilities()) #foreach($vuln in $dependency.getVulnerabilities())
#set($vsctr=$vsctr+1) #set($vsctr=$vsctr+1)
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileNameForJavaScript)', '$esc.html($dependency.Sha1sum)', 'cve', '$esc.html($vuln.name)')">suppress</button></p> <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
<p>Severity: <p>Severity:
#if ($vuln.cvssScore<4.0) #if ($vuln.cvssScore<4.0)
Low Low
@@ -626,20 +638,20 @@ arising out of or in connection with the use of this tool, the analysis performe
#if ($vuln.cwe) #if ($vuln.cwe)
<br/>CWE: $vuln.cwe <br/>CWE: $vuln.cwe
#end</p> #end</p>
<p>$esc.html($vuln.description) <p>$enc.html($vuln.description)
#if ($vuln.getReferences().size()>0) #if ($vuln.getReferences().size()>0)
<ul> <ul>
#foreach($ref in $vuln.getReferences()) #foreach($ref in $vuln.getReferences())
<li>$esc.html($ref.source) - <a target="_blank" href="$esc.html($ref.url)">$ref.name</a></li> <li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
#end #end
</ul> </ul>
#end #end
</p> </p>
<p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul> <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
<li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vuln.matchedCPE)">$esc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li> <li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
<li class="vs$vsctr">...</li> <li class="vs$vsctr">...</li>
#foreach($vs in $vuln.getVulnerableSoftware()) #foreach($vs in $vuln.getVulnerableSoftware())
<li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vs.name)">$esc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li> <li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
#end #end
</ul></p> </ul></p>
#end #end
@@ -647,6 +659,138 @@ arising out of or in connection with the use of this tool, the analysis performe
#end #end
</div> </div>
#end #end
## BEGIN SUPPRESSED VULNERABILITIES
#if ($vulnSuppressedCount>0 || $cpeSuppressedCount>0)
#set($cnt=$cnt+1)
<h3 id="header$cnt" class="sectionheader expandable expandablesubsection white">Suppressed Vulnerabilities</h3>
<div id="content$cnt" class="sectioncontent standardsubsection hidden">
#foreach($dependency in $dependencies)
#if ($dependency.getSuppressedIdentifiers().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
#set($lnkcnt=$lnkcnt+1)
<h3 class="subsectionheader standardsubsection">$enc.html($dependency.FileName)</h3>
<div class="subsectioncontent">
#if ($dependency.description)
<p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
#end
<p>
#if ($dependency.license)
#if ($dependency.license.startsWith("http://"))
<b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
#else
<b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
#end
#end
<b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
</p>
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<table class="lined fullwidth" border="0">
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
#foreach($evidence in $dependency.getEvidenceUsed())
<tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
#end
</table>
</div>
#if($dependency.getRelatedDependencies().size()>0)
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Related Dependencies</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<ul>
#foreach($related in $dependency.getRelatedDependencies())
<li>$enc.html($related.FileName)
<ul>
<li>File Path:&nbsp;$enc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
</ul>
</li>
#end
</ul>
</div>
#end
#set($cnt=$cnt+1)
#set($cpeCount=0)
#foreach($id in $dependency.getSuppressedIdentifiers())
#if($id.type.equals("cpe"))
#set($cpeCount=$cpeCount+1)
#end
#end
<h4 id="header$cnt" class="subsectionheader white">Suppressed Identifiers</h4>
##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#if ($dependency.getSuppressedIdentifiers().size()==0)
<ul><li><b>None</b></li></ul>
#else ## ($dependency.getSuppressedIdentifiers().size()>0)
<ul>
#foreach($id in $dependency.getSuppressedIdentifiers())
#if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
#else
<li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)
#end
#if ($id.confidence)
&nbsp;&nbsp;<i>Confidence</i>:$id.confidence
#end
#if ($id.description)
<br/>$enc.html($id.description)
#end
</li>
#end
</ul>
#end
</div>
#if($dependency.getSuppressedVulnerabilities().size()>0)
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable collaspablesubsection white">Suppressed Vulnerabilities</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getSuppressedVulnerabilities())
#set($vsctr=$vsctr+1)
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
<p>Severity:
#if ($vuln.cvssScore<4.0)
Low
#elseif ($vuln.cvssScore>=7.0)
High
#else
Medium
#end
<br/>CVSS Score: $vuln.cvssScore
#if ($vuln.cwe)
<br/>CWE: $vuln.cwe
#end</p>
<p>$enc.html($vuln.description)
#if ($vuln.getReferences().size()>0)
<ul>
#foreach($ref in $vuln.getReferences())
<li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
#end
</ul>
#end
</p>
<p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
<li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
<li class="vs$vsctr">...</li>
#foreach($vs in $vuln.getVulnerableSoftware())
<li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
#end
</ul></p>
#end
</div>
#end
</div>
#end
#end
</div>
#end
## END SUPPRESSED VULNERABILITIES
</div> </div>
</div> </div>
<div><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</div> <div><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</div>
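Review bot: In the new Suppressed Vulnerabilities block the reference list emits `$ref.name` raw inside the anchor while every neighbouring value goes through `$enc.html(...)`, and `$vuln.cwe` a few lines above is emitted raw as well; both come from the NVD feed and the XML template already escapes `cwe`, so these should be `$enc.html($ref.name)` and `CWE: $enc.html($vuln.cwe)` (the same unescaped `$ref.name` exists in the main vulnerability loop earlier in the hunk and should be fixed there too). The `suppress` button is also rendered for each already-suppressed vulnerability, which looks copied from the active list rather than intended. `$cpeCount` is computed over the suppressed identifiers but never read in the visible lines, and the `collaspablesubsection` class on the Suppressed Vulnerabilities header appears to be a typo for a class the stylesheet actually defines — worth checking, since the sibling div is not marked `hidden`. Since a missed `$esc.` reference renders as literal text in Velocity rather than failing, a test asserting that no `$esc.` remains in the generated report would guard this rename. Finally, the roughly 110 lines of the suppressed block repeat the per-dependency markup almost verbatim; a `#macro` for the dependency header, evidence and related-dependency sections would let both halves share one copy.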


@@ -178,8 +178,8 @@ implied or otherwise, with regard to the analysis or its use. Any use of the too
is at the users risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever is at the users risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p> arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
]]# ]]#
<h2 class="sectionheader white">Project:&nbsp;$esc.html($applicationName)</h2> <h2 class="sectionheader white">Project:&nbsp;$enc.html($applicationName)</h2>
<div class="sectioncontent">Report Generated On: $date<br/><br/> <div class="sectioncontent">Report Generated On: $scanDate<br/><br/>
#set($depCount=$dependencies.size()) #set($depCount=$dependencies.size())
#set($vulnCount=0) #set($vulnCount=0)
@@ -205,7 +205,7 @@ arising out of or in connection with the use of this tool, the analysis performe
#if($dependency.getVulnerabilities().size()>0) #if($dependency.getVulnerabilities().size()>0)
#foreach($vuln in $dependency.getVulnerabilities()) #foreach($vuln in $dependency.getVulnerabilities())
<tr> <tr>
<td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></td> <td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></td>
<td> <td>
#if ($vuln.cwe) #if ($vuln.cwe)
$vuln.cwe $vuln.cwe
@@ -222,10 +222,10 @@ arising out of or in connection with the use of this tool, the analysis performe
($vuln.cvssScore) ($vuln.cvssScore)
<td>#set($cnt=$cnt+1) <td>#set($cnt=$cnt+1)
#if($dependency.getRelatedDependencies().size()>0)<span id="header$cnt" class="expandable collapsedList">#end #if($dependency.getRelatedDependencies().size()>0)<span id="header$cnt" class="expandable collapsedList">#end
$esc.html($dependency.FileName) $enc.html($dependency.FileName)
#if($dependency.getRelatedDependencies().size()>0)&nbsp;&nbsp;&nbsp;</span><div id="content$cnt" class="hidden">#end #if($dependency.getRelatedDependencies().size()>0)&nbsp;&nbsp;&nbsp;</span><div id="content$cnt" class="hidden">#end
#foreach($related in $dependency.getRelatedDependencies()) #foreach($related in $dependency.getRelatedDependencies())
$esc.html($related.FileName)<br/> $enc.html($related.FileName)<br/>
#end #end
#if($dependency.getRelatedDependencies().size()>0)</div#end #if($dependency.getRelatedDependencies().size()>0)</div#end
</td> </td>
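Review bot: The line `#if($dependency.getRelatedDependencies().size()>0)</div#end` near the end of the hunk appears to be missing the `>` of the closing tag, so the related-dependency list is emitted as `</div` immediately followed by `</td>`; it should read `#if($dependency.getRelatedDependencies().size()>0)</div>#end`. This is pre-existing context rather than part of the rename, but the hunk is already being touched. `$vuln.cwe` in the same table is also emitted without `$enc.html(...)`, while the XML template escapes that field — `$enc.html($vuln.cwe)` would make the two reports consistent.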


@@ -23,42 +23,42 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<engineVersion>$version</engineVersion> <engineVersion>$version</engineVersion>
#foreach($prop in $properties.getMetaData().entrySet()) #foreach($prop in $properties.getMetaData().entrySet())
<dataSource> <dataSource>
<name>$esc.xml($prop.key)</name> <name>$enc.xml($prop.key)</name>
<timestamp>$esc.xml($prop.value)</timestamp> <timestamp>$enc.xml($prop.value)</timestamp>
</dataSource> </dataSource>
#end #end
</scanInfo> </scanInfo>
<projectInfo> <projectInfo>
<name>$esc.xml($applicationName)</name> <name>$enc.xml($applicationName)</name>
<reportDate>$date</reportDate> <reportDate>$scanDateXML</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits> <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo> </projectInfo>
<dependencies> <dependencies>
#foreach($dependency in $dependencies) #foreach($dependency in $dependencies)
<dependency> <dependency>
<fileName>$esc.xml($dependency.FileName)</fileName> <fileName>$enc.xml($dependency.FileName)</fileName>
<filePath>$esc.xml($dependency.FilePath)</filePath> <filePath>$enc.xml($dependency.FilePath)</filePath>
<md5>$esc.xml($dependency.Md5sum)</md5> <md5>$enc.xml($dependency.Md5sum)</md5>
<sha1>$esc.xml($dependency.Sha1sum)</sha1> <sha1>$enc.xml($dependency.Sha1sum)</sha1>
#if ($dependency.description) #if ($dependency.description)
<description>$esc.xml($dependency.description)</description> <description>$enc.xml($dependency.description)</description>
#end #end
#if ($dependency.license) #if ($dependency.license)
<license>$esc.xml($dependency.license)</license> <license>$enc.xml($dependency.license)</license>
#end #end
#if ($dependency.getRelatedDependencies().size()>0) #if ($dependency.getRelatedDependencies().size()>0)
<relatedDependencies> <relatedDependencies>
#foreach($related in $dependency.getRelatedDependencies()) #foreach($related in $dependency.getRelatedDependencies())
<relatedDependency> <relatedDependency>
<filePath>$esc.xml($related.FilePath)</filePath> <filePath>$enc.xml($related.FilePath)</filePath>
<sha1>$esc.xml($related.Sha1sum)</sha1> <sha1>$enc.xml($related.Sha1sum)</sha1>
<md5>$esc.xml($related.Md5sum)</md5> <md5>$enc.xml($related.Md5sum)</md5>
#foreach($id in $related.getIdentifiers()) #foreach($id in $related.getIdentifiers())
#if ($id.type=="maven") #if ($id.type=="maven")
<identifier type="$esc.xml($id.type)"> <identifier type="$enc.xml($id.type)">
<name>($id.value)</name> <name>($id.value)</name>
#if( $id.url ) #if( $id.url )
<url>$esc.xml($id.url)</url> <url>$enc.xml($id.url)</url>
#end #end
</identifier> </identifier>
#end #end
@@ -70,22 +70,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<evidenceCollected> <evidenceCollected>
#foreach($evidence in $dependency.getEvidenceUsed()) #foreach($evidence in $dependency.getEvidenceUsed())
<evidence> <evidence>
<source>$esc.xml($evidence.getSource())</source> <source>$enc.xml($evidence.getSource())</source>
<name>$esc.xml($evidence.getName())</name> <name>$enc.xml($evidence.getName())</name>
<value>$esc.xml($evidence.getValue().trim())</value> <value>$enc.xml($evidence.getValue().trim())</value>
</evidence> </evidence>
#end #end
</evidenceCollected> </evidenceCollected>
#if($dependency.getIdentifiers().size()>0) #if($dependency.getIdentifiers().size()>0)
<identifiers> <identifiers>
#foreach($id in $dependency.getIdentifiers()) #foreach($id in $dependency.getIdentifiers())
<identifier type="$esc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end> <identifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
<name>($id.value)</name> <name>($id.value)</name>
#if( $id.url ) #if( $id.url )
<url>$esc.xml($id.url)</url> <url>$enc.xml($id.url)</url>
#end #end
#if( $id.description ) #if( $id.description )
<description>$esc.xml($id.description)</description> <description>$enc.xml($id.description)</description>
#end #end
</identifier> </identifier>
#end #end
@@ -95,7 +95,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<vulnerabilities> <vulnerabilities>
#foreach($vuln in $dependency.getVulnerabilities()) #foreach($vuln in $dependency.getVulnerabilities())
<vulnerability> <vulnerability>
<name>$esc.xml($vuln.name)</name> <name>$enc.xml($vuln.name)</name>
<cvssScore>$vuln.cvssScore</cvssScore> <cvssScore>$vuln.cvssScore</cvssScore>
#if ($vuln.cvssScore<4.0) #if ($vuln.cvssScore<4.0)
<severity>Low</severity> <severity>Low</severity>
@@ -105,21 +105,21 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<severity>Medium</severity> <severity>Medium</severity>
#end #end
#if ($vuln.cwe) #if ($vuln.cwe)
<cwe>$esc.xml($vuln.cwe)</cwe> <cwe>$enc.xml($vuln.cwe)</cwe>
#end #end
<description>$esc.xml($vuln.description)</description> <description>$enc.xml($vuln.description)</description>
<references> <references>
#foreach($ref in $vuln.getReferences()) #foreach($ref in $vuln.getReferences())
<reference> <reference>
<source>$esc.xml($ref.source)</source> <source>$enc.xml($ref.source)</source>
<url>$esc.xml($ref.url)</url> <url>$enc.xml($ref.url)</url>
<name>$esc.xml($ref.name)</name> <name>$enc.xml($ref.name)</name>
</reference> </reference>
#end #end
</references> </references>
<vulnerableSoftware> <vulnerableSoftware>
#foreach($vs in $vuln.getVulnerableSoftware()) #foreach($vs in $vuln.getVulnerableSoftware())
<software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$esc.xml($vs.name)</software> <software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
#end #end
</vulnerableSoftware> </vulnerableSoftware>
</vulnerability> </vulnerability>
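Review bot: `<name>($id.value)</name>`, which appears both in the related-dependency identifiers and in the main identifier list, is the only element in this template whose text content bypasses `$enc.xml(...)`, and the literal parentheses around the value look unintentional; an identifier value containing `&` or `<` would produce malformed XML. Suggest `<name>$enc.xml($id.value)</name>` in both places, and `confidence="$enc.xml($id.confidence)"` on the identifier element for consistency with the escaped `type` attribute next to it. `<reportDate>$scanDateXML</reportDate>` depends on the Java-side pattern producing an `xs:dateTime`-compatible offset, so the generated value should be validated against the report schema — the `Z` pattern letter yields `-0400`-style offsets, which that type does not accept.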