From a5990ea6f39b0c4d5dec9ccfb06815ebc145285c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 21 Feb 2017 06:38:31 -0500 Subject: [PATCH] update to #657 to allow sorted vulnerable software in repots; also, sorting an array list is faster then building a treeset --- .../dependency/Vulnerability.java | 42 ++++++++++++++++--- .../main/resources/templates/HtmlReport.vsl | 8 ++-- .../main/resources/templates/XmlReport.vsl | 8 ++-- 3 files changed, 44 insertions(+), 14 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index aac408a02..1720edda8 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -18,10 +18,11 @@ package org.owasp.dependencycheck.dependency; import java.io.Serializable; +import java.util.ArrayList; +import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Set; -import java.util.SortedSet; -import java.util.TreeSet; import org.apache.commons.lang3.builder.CompareToBuilder; /** @@ -139,6 +140,21 @@ public class Vulnerability implements Serializable, Comparable { return references; } + /** + * Returns the list of references. This is primarily used within the + * generated reports. + * + * @param sorted whether the returned list should be sorted + * @return the list of references + */ + public List getReferences(boolean sorted) { + List sortedRefs = new ArrayList<>(this.references); + if (sorted) { + Collections.sort(sortedRefs); + } + return sortedRefs; + } + /** * Set the value of references. * 
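Review bot: `getReferences(boolean)` allocates and fills a fresh `ArrayList` from the reference set on every call, and the HTML template in this patch appears to call the no-arg `getReferences()` for its `size()>0` check and then the sorted variant for iteration, so each vulnerability is copied twice per report; acceptable for report generation, but the Javadoc should make the copy semantics explicit so callers know the list is detached from the vulnerability: `@return a new list of the references; changes to it do not affect this vulnerability`. `Collections.sort` relies on the natural ordering of `Reference`, the same contract the removed `TreeSet` in `toString()` depended on, so `Reference` must stay `Comparable` for this to hold. The generic type arguments are not visible in this rendering; if the declaration really is a raw `List`, it should be `List<Reference>` so the sort is type-checked rather than an unchecked call. The enclosing class continues outside the hunk.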
@@ -181,6 +197,21 @@ public class Vulnerability implements Serializable, Comparable { return vulnerableSoftware; } + /** + * Returns a sorted list of vulnerable software. This is primarily used for + * display within reports. + * + * @param sorted whether or not the list should be sorted + * @return the list of vulnerable software + */ + public List getVulnerableSoftware(boolean sorted) { + List sortedVulnerableSoftware = new ArrayList<>(this.vulnerableSoftware); + if (sorted) { + Collections.sort(sortedVulnerableSoftware); + } + return sortedVulnerableSoftware; + } + /** * Set the value of vulnerableSoftware. * @@ -398,15 +429,14 @@ public class Vulnerability implements Serializable, Comparable { final StringBuilder sb = new StringBuilder("Vulnerability "); sb.append(this.name); sb.append("\nReferences:\n"); - SortedSet sortedReferences = new TreeSet(this.references); - for (Reference reference : sortedReferences) { + for (Reference reference : getReferences(true)) { sb.append("=> "); sb.append(reference); sb.append("\n"); } sb.append("\nSoftware:\n"); - SortedSet sortedVulnerableSoftware = new TreeSet(this.vulnerableSoftware); - for (VulnerableSoftware software : sortedVulnerableSoftware) { + + for (VulnerableSoftware software : getVulnerableSoftware(true)) { sb.append("=> "); sb.append(software); sb.append("\n"); diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index 7da1e3c15..02035e96e 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl @@ -842,7 +842,7 @@ Getting Help: $enc.html($vuln.description) #if ($vuln.getReferences().size()>0) @@ -857,7 +857,7 @@ Getting Help: Vulnerable Software & Versions: (show all)
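Review bot: The Javadoc on `getVulnerableSoftware(boolean)` says "Returns a sorted list of vulnerable software", but sorting only happens when `sorted` is true, so the summary contradicts the parameter it documents; the sibling `getReferences(boolean)` in this patch gets it right. Suggest `Returns the vulnerable software as a new list, sorted by natural order when {@code sorted} is true.` with `@return a new list of the vulnerable software; changes to it do not affect this vulnerability`, which also documents that the copy protects the internal set from callers. The enclosing class continues outside the hunk.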
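Review bot: Replacing the `TreeSet` views with sorted copies of the `HashSet`s can change what `toString()` prints: a `TreeSet` collapses elements whose `compareTo` returns 0, while the list keeps every element the `HashSet` considers distinct by `equals`/`hashCode`, so if `compareTo` and `equals` disagree for `Reference` or `VulnerableSoftware` the output may now contain entries the old view merged; worth confirming those two contracts are consistent, or noting in the Javadoc that duplicates by ordering are no longer suppressed. The blank line added after `sb.append("\nSoftware:\n");` is an unrelated whitespace change and should be dropped. `toString()` begins and ends outside this hunk.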
  • $enc.html($vuln.matchedCPE) #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end
  • ...
  • - #foreach($vs in $vuln.getVulnerableSoftware()) + #foreach($vs in $vuln.getVulnerableSoftware(true)) #end

@@ -977,7 +977,7 @@ Getting Help: $enc.html($vuln.description) #if ($vuln.getReferences().size()>0) @@ -991,7 +991,7 @@ Getting Help: Vulnerable Software & Versions: (show all)
  • $enc.html($vuln.matchedCPE) #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end
  • ...
  • - #foreach($vs in $vuln.getVulnerableSoftware()) + #foreach($vs in $vuln.getVulnerableSoftware(true)) #end

diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index 8e71e1dc7..0bfd8c49c 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -141,7 +141,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end $enc.xml($vuln.description) -#foreach($ref in $vuln.getReferences()) +#foreach($ref in $vuln.getReferences(true)) $enc.xml($ref.source) $enc.xml($ref.url) @@ -150,7 +150,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end -#foreach($vs in $vuln.getVulnerableSoftware()) +#foreach($vs in $vuln.getVulnerableSoftware(true)) $enc.xml($vs.name) #end @@ -172,7 +172,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end $enc.xml($vuln.description) -#foreach($ref in $vuln.getReferences()) +#foreach($ref in $vuln.getReferences(true)) $enc.xml($ref.source) $enc.xml($ref.url) @@ -181,7 +181,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end -#foreach($vs in $vuln.getVulnerableSoftware()) +#foreach($vs in $vuln.getVulnerableSoftware(true)) $enc.xml($vs.name) #end