github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-15 00:03:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added CVSS Scores

Browse Source 
Former-commit-id: 2feda15c4f42461b87a2a4e5941a32eb98a918de
This commit is contained in:
Jeremy Long
2013-01-13 16:48:27 -05:00
parent 0080b916ce
commit 9ee5ef39a7
7 changed files with 372 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.txt
View File

@@ -7,8 +7,8 @@ If found, it will generate a report linking to the associated CVE entries.
Usage:
$ mvn package
$ cd target
$ java -jar DependencyCheck-0.2.5.1.jar -h
$ java -jar DependencyCheck-0.2.5.1.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
$ java -jar DependencyCheck-0.2.5.2.jar -h
$ java -jar DependencyCheck-0.2.5.2.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.

2
pom.xml
View File

@@ -23,7 +23,7 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
<groupId>org.codesecure</groupId>
<artifactId>DependencyCheck</artifactId>
<version>0.2.5.1</version>
<version>0.2.5.2</version>
<packaging>jar</packaging>
<name>DependencyCheck</name>

31
src/main/java/org/codesecure/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -76,8 +76,10 @@ public class CveDB {
/**
* SQL Statement to create the vulnerability table
*/
public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability "
+ "(cveid CHAR(13) PRIMARY KEY, description varchar(8000))";
public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
+ "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
+ "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
+ "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
/**
* SQL Statement to delete references by CVEID
*/
@@ -102,7 +104,9 @@ public class CveDB {
/**
* SQL Statement to insert a new vulnerability
*/
public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description) VALUES (?, ?)";
public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
+ "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
/**
* SQL Statement to find CVE entries based on CPE data
*/
@@ -119,7 +123,7 @@ public class CveDB {
/**
* SQL Statement to select a vulnerability by CVEID
*/
public static final String SELECT_VULNERABILITY = "SELECT cveid, description FROM vulnerability WHERE cveid = ?";
public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
@@ -144,7 +148,7 @@ public class CveDB {
*/
private CallableStatement insertSoftware = null;
/**
* insert vulnerability - parameters (cveid, description)
* insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
*/
private CallableStatement insertVulnerability = null;
/**
@@ -269,6 +273,15 @@ public class CveDB {
vuln = new Vulnerability();
vuln.setName(cve);
vuln.setDescription(rsV.getString(2));
vuln.setCwe(rsV.getString(3));
vuln.setCvssScore(rsV.getFloat(4));
vuln.setCvssAccessVector(rsV.getString(5));
vuln.setCvssAccessComplexity(rsV.getString(6));
vuln.setCvssAuthentication(rsV.getString(7));
vuln.setCvssConfidentialityImpact(rsV.getString(8));
vuln.setCvssIntegrityImpact(rsV.getString(9));
vuln.setCvssAvailabilityImpact(rsV.getString(10));
selectReferences.setString(1, cve);
rsR = selectReferences.executeQuery();
while (rsR.next()) {
@@ -333,6 +346,14 @@ public class CveDB {
insertVulnerability.setString(1, vuln.getName());
insertVulnerability.setString(2, vuln.getDescription());
insertVulnerability.setString(3, vuln.getCwe());
insertVulnerability.setFloat(4, vuln.getCvssScore());
insertVulnerability.setString(5, vuln.getCvssAccessVector());
insertVulnerability.setString(6, vuln.getCvssAccessComplexity());
insertVulnerability.setString(7, vuln.getCvssAuthentication());
insertVulnerability.setString(8, vuln.getCvssConfidentialityImpact());
insertVulnerability.setString(9, vuln.getCvssIntegrityImpact());
insertVulnerability.setString(10, vuln.getCvssAvailabilityImpact());
insertVulnerability.execute();
insertReference.setString(1, vuln.getName());

2
src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
View File

@@ -77,7 +77,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
/**
* The current version of the database
*/
public static final String DATABASE_VERSION = "2.0";
public static final String DATABASE_VERSION = "2.1";
/**
* <p>Downloads the latest NVD CVE XML file from the web and imports it into

144
src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
View File

@@ -21,6 +21,8 @@ package org.codesecure.dependencycheck.data.nvdcve.xml;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.lucene.index.CorruptIndexException;
import org.codesecure.dependencycheck.data.cpe.Index;
import org.codesecure.dependencycheck.data.nvdcve.CveDB;
@@ -75,6 +77,22 @@ public class NvdCve20Handler extends DefaultHandler {
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
} else if (current.isVulnCWENode()) {
vulnerability.setCwe(attributes.getValue("id"));
} else if (current.isCVSSScoreNode()) {
nodeText = new StringBuilder(5);
} else if (current.isCVSSAccessVectorNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSAccessComplexityNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSAuthenticationNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSAvailabilityImpactNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSConfidentialityImpactNode()) {
nodeText = new StringBuilder(20);
} else if (current.isCVSSIntegrityImpactNode()) {
nodeText = new StringBuilder(20);
}
}
@@ -101,6 +119,32 @@ public class NvdCve20Handler extends DefaultHandler {
}
}
vulnerability = null;
} else if (current.isCVSSScoreNode()) {
try {
float score = Float.parseFloat(nodeText.toString());
vulnerability.setCvssScore(score);
} catch (NumberFormatException ex) {
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
}
nodeText = null;
} else if (current.isCVSSAccessVectorNode()) {
vulnerability.setCvssAccessVector(nodeText.toString());
nodeText = null;
} else if (current.isCVSSAccessComplexityNode()) {
vulnerability.setCvssAccessComplexity(nodeText.toString());
nodeText = null;
} else if (current.isCVSSAuthenticationNode()) {
vulnerability.setCvssAuthentication(nodeText.toString());
nodeText = null;
} else if (current.isCVSSAvailabilityImpactNode()) {
vulnerability.setCvssAvailabilityImpact(nodeText.toString());
nodeText = null;
} else if (current.isCVSSConfidentialityImpactNode()) {
vulnerability.setCvssConfidentialityImpact(nodeText.toString());
nodeText = null;
} else if (current.isCVSSIntegrityImpactNode()) {
vulnerability.setCvssIntegrityImpact(nodeText.toString());
nodeText = null;
} else if (current.isVulnProductNode()) {
String cpe = nodeText.toString();
if (cpe.startsWith("cpe:/a:")) {
@@ -217,6 +261,40 @@ public class NvdCve20Handler extends DefaultHandler {
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_SUMMARY = "vuln:summary";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_CWE = "vuln:cwe";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_SCORE = "cvss:score";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_ACCESS_VECTOR = "cvss:access-vector";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_ACCESS_COMPLEXITY = "cvss:access-complexity";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_AUTHENTICATION = "cvss:authentication";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_CONFIDENTIALITY_IMPACT = "cvss:confidentiality-impact";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_INTEGRITY_IMPACT = "cvss:integrity-impact";
/**
* A node type in the NVD CVE Schema 2.0
*/
public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
private String node = null;
/**
@@ -299,6 +377,72 @@ public class NvdCve20Handler extends DefaultHandler {
public boolean isVulnSummaryNode() {
return VULN_SUMMARY.equals(node);
}
/**
* Checks if the handler is at the VULN_CWE node
*
* @return true or false
*/
public boolean isVulnCWENode() {
return VULN_CWE.equals(node);
}
/**
* Checks if the handler is at the CVSS_SCORE node
*
* @return true or false
*/
public boolean isCVSSScoreNode() {
return CVSS_SCORE.equals(node);
}
/**
* Checks if the handler is at the CVSS_ACCESS_VECTOR node
*
* @return true or false
*/
public boolean isCVSSAccessVectorNode() {
return CVSS_ACCESS_VECTOR.equals(node);
}
/**
* Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
*
* @return true or false
*/
public boolean isCVSSAccessComplexityNode() {
return CVSS_ACCESS_COMPLEXITY.equals(node);
}
/**
* Checks if the handler is at the CVSS_AUTHENTICATION node
*
* @return true or false
*/
public boolean isCVSSAuthenticationNode() {
return CVSS_AUTHENTICATION.equals(node);
}
/**
* Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
*
* @return true or false
*/
public boolean isCVSSConfidentialityImpactNode() {
return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
}
/**
* Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
*
* @return true or false
*/
public boolean isCVSSIntegrityImpactNode() {
return CVSS_INTEGRITY_IMPACT.equals(node);
}
/**
* Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
*
* @return true or false
*/
public boolean isCVSSAvailabilityImpactNode() {
return CVSS_AVAILABILITY_IMPACT.equals(node);
}
}
// </editor-fold>
}

177
src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java
View File

@@ -142,7 +142,6 @@ public class Vulnerability implements Serializable {
this.vulnerableSoftware = vulnerableSoftware;
}
/**
* Adds an entry for vulnerable software
* @param cpe string representation of a CPE entry
@@ -178,6 +177,182 @@ public class Vulnerability implements Serializable {
}
return vulnerableSoftware.add(vulnSoftware);
}
/**
* The CWE for the vulnerability
*/
protected String cwe;
/**
* Get the value of cwe
*
* @return the value of cwe
*/
public String getCwe() {
return cwe;
}
/**
* Set the value of cwe
*
* @param cwe new value of cwe
*/
public void setCwe(String cwe) {
this.cwe = cwe;
}
/**
* CVSS Score
*/
protected float cvssScore;
/**
* Get the value of cvssScore
*
* @return the value of cvssScore
*/
public float getCvssScore() {
return cvssScore;
}
/**
* Set the value of cvssScore
*
* @param cvssScore new value of cvssScore
*/
public void setCvssScore(float cvssScore) {
this.cvssScore = cvssScore;
}
/**
* CVSS Access Vector
*/
protected String cvssAccessVector;
/**
* Get the value of cvssAccessVector
*
* @return the value of cvssAccessVector
*/
public String getCvssAccessVector() {
return cvssAccessVector;
}
/**
* Set the value of cvssAccessVector
*
* @param cvssAccessVector new value of cvssAccessVector
*/
public void setCvssAccessVector(String cvssAccessVector) {
this.cvssAccessVector = cvssAccessVector;
}
/**
* CVSS Access Complexity
*/
protected String cvssAccessComplexity;
/**
* Get the value of cvssAccessComplexity
*
* @return the value of cvssAccessComplexity
*/
public String getCvssAccessComplexity() {
return cvssAccessComplexity;
}
/**
* Set the value of cvssAccessComplexity
*
* @param cvssAccessComplexity new value of cvssAccessComplexity
*/
public void setCvssAccessComplexity(String cvssAccessComplexity) {
this.cvssAccessComplexity = cvssAccessComplexity;
}
/**
* CVSS Authentication
*/
protected String cvssAuthentication;
/**
* Get the value of cvssAuthentication
*
* @return the value of cvssAuthentication
*/
public String getCvssAuthentication() {
return cvssAuthentication;
}
/**
* Set the value of cvssAuthentication
*
* @param cvssAuthentication new value of cvssAuthentication
*/
public void setCvssAuthentication(String cvssAuthentication) {
this.cvssAuthentication = cvssAuthentication;
}
/**
* CVSS Confidentiality Impact
*/
protected String cvssConfidentialityImpact;
/**
* Get the value of cvssConfidentialityImpact
*
* @return the value of cvssConfidentialityImpact
*/
public String getCvssConfidentialityImpact() {
return cvssConfidentialityImpact;
}
/**
* Set the value of cvssConfidentialityImpact
*
* @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
*/
public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
this.cvssConfidentialityImpact = cvssConfidentialityImpact;
}
/**
* CVSS Integrity Impact
*/
protected String cvssIntegrityImpact;
/**
* Get the value of cvssIntegrityImpact
*
* @return the value of cvssIntegrityImpact
*/
public String getCvssIntegrityImpact() {
return cvssIntegrityImpact;
}
/**
* Set the value of cvssIntegrityImpact
*
* @param cvssIntegrityImpact new value of cvssIntegrityImpact
*/
public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
this.cvssIntegrityImpact = cvssIntegrityImpact;
}
/**
* CVSS Availability Impact
*/
protected String cvssAvailabilityImpact;
/**
* Get the value of cvssAvailabilityImpact
*
* @return the value of cvssAvailabilityImpact
*/
public String getCvssAvailabilityImpact() {
return cvssAvailabilityImpact;
}
/**
* Set the value of cvssAvailabilityImpact
*
* @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
*/
public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
this.cvssAvailabilityImpact = cvssAvailabilityImpact;
}
@Override
public boolean equals(Object obj) {

33
src/main/resources/templates/HtmlReport.vsl
View File

@@ -48,12 +48,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
$(header).addClass("expandablesubsection");
$(header).removeClass("collaspablesubsection");
}
});
});
</script>
<style type="text/css">
.rounded-corners {
-moz-border-radius: 20px;
-webkit-border-radius: 20px;
@@ -81,7 +81,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
/*background-image: url(img/minus.gif);*/
background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
background-repeat: no-repeat;
background-position: 98% 50%;
background-position: 98% 50%;
-moz-border-radius-bottomleft:0px; /* bottom left corner */
-webkit-border-bottom-left-radius:0px; /* bottom left corner */
border-bottom-left-radius: 0px;
@@ -93,7 +93,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
border-bottom-left-radius: 0px;
border-bottom: 0px solid #ffffff;
}
.content {
margin-top:0px;
margin-left:20px;
@@ -102,7 +102,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
background: #ffffff;
padding: 20px;
}
.sectionheader {
background-color: #cccccc;
margin-top: 20px;
@@ -148,12 +148,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
margin-right:20px;
margin-bottom:10px;
background: #ffffff;
padding-top: 10px;
padding-bottom: 20px;
padding-left:20px;
padding-right:20px;
border-top: 0px;
border-right: 1px solid #ccc;
border-left: 1px solid #ccc;
@@ -175,7 +175,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
border-bottom-right-radius: 15px;
border-bottom-left-radius: 15px;
}
.subsectionheader {
background-color: #cccccc;
margin-top: 20px;
@@ -295,10 +295,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</div>
<h2>Dependencies</h2>
#set($cnt=0)
#foreach($dependency in $dependencies)
#foreach($dependency in $dependencies)
<h3 class="subsectionheader standardsubsection"><a name="$esc.html($dependency.FilePath)"></a>$esc.html($dependency.FileName)</h3>
<div class="subsectioncontent">
#if ($dependency.description)
#if ($dependency.description)
<p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
#end
<p>
@@ -385,6 +385,17 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getVulnerabilities())
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b></p>
<p>Severity:
#if ($vuln.cvssScore<4.0)
Low
#else
#if ($vuln.cvssScore>=7.0)
High
#else
Medium
#end
#end
<br/>CVSS Score: $vuln.cvssScore</p>
<p>$esc.html($vuln.description)
#if ($vuln.getReferences().size()>0)
<ul>
@@ -400,6 +411,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</div>
#end
</div>
</div>
</div>
</body>
</html>