report is modified with the notes element

2026-01-14 07:43:40 +01:00 · 2017-02-24 11:03:10 +05:30
parent d267e14b73
commit aa0314c840
6 changed files with 149 additions and 20 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
@@ -279,6 +279,33 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
        this.cwe = cwe;
    }

+    /**
+     * The notes for the vulnerability.
+     */
+    private String notes;
+
+    /**
+     * Get the value of notes from suppression notes.
+     *
+     * @return the value of notes
+     */
+    public String getNotes() {
+        return notes;
+    }
+
+    /**
+     * Set the value of notes.
+     *
+     * @param notes new value of cwe
+     */
+    public void setNotes(String notes) {
+        this.notes = notes;
+    }
+
+    /**
+     * CVSS Score.
+     */
+
    /**
     * Get the value of cvssScore.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
@@ -28,6 +28,8 @@ import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.UnsupportedEncodingException;
 import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.context.Context;
@@ -38,8 +40,12 @@ import org.joda.time.format.DateTimeFormatter;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@@ -116,15 +122,57 @@ public class ReportGenerator {
        final String scanDateXML = dateFormatXML.print(dt);

        context.put("applicationName", applicationName);
-        context.put("dependencies", dependencies);
        context.put("analyzers", analyzers);
        context.put("properties", properties);
        context.put("scanDate", scanDate);
        context.put("scanDateXML", scanDateXML);
        context.put("enc", enc);
+        context.put("dependencies", addNotesToReport(dependencies));
        context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
    }

+    /**
+     * creates a suppression note adder to dependency
+     *
+     * @param dependencies the list of dependencies
+     * @return dependencies with notes added suppressed vulnerabilities
+     */
+
+    public List<Dependency> addNotesToReport(List<Dependency> dependencies){
+        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
+
+        LOGGER.info("Settings.KEYS.SUPPRESSION_FILE"+Settings.KEYS.SUPPRESSION_FILE);
+
+        if(StringUtils.isBlank(suppressionFilePath)){
+            return dependencies;
+        }
+
+        final SuppressionParser parser1 = new SuppressionParser();
+        List<SuppressionRule> suppressionRule=null;
+
+        if(!suppressionFilePath.isEmpty()){
+            try {
+                suppressionRule=parser1.parseSuppressionRules(new File(suppressionFilePath));
+            } catch (SuppressionParseException e) {
+                e.printStackTrace();
+            }
+        }
+
+        for(Dependency dependency:dependencies){
+            for(Vulnerability suppressedVulnerability: dependency.getSuppressedVulnerabilities()){
+                for(SuppressionRule suppressionRule1:suppressionRule){
+                    for(String cve: suppressionRule1.getCve()){
+                        if(suppressedVulnerability.getName().equals(cve)){
+                            suppressedVulnerability.setNotes(suppressionRule1.getNotes());
+                        }
+
+                    }
+                }
+            }
+        }
+        return dependencies;
+    }
+
    /**
     * Creates a new Velocity Engine.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
@@ -46,6 +46,12 @@ public class SuppressionHandler extends DefaultHandler {
     * The CVE element name.
     */
    public static final String CVE = "cve";
+
+    /**
+     * The CVE element name.
+     */
+    public static final String NOTES = "notes";
+
    /**
     * The CPE element name.
     */
@@ -65,7 +71,16 @@ public class SuppressionHandler extends DefaultHandler {
    /**
     * A list of suppression rules.
     */
-    private final List<SuppressionRule> suppressionRules = new ArrayList<>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+
+    /**
+     * Get the value of suppressionRules.
+     *
+     * @return the value of suppressionRules
+     */
+    public List<SuppressionRule> getSuppressionRules() {
+        return suppressionRules;
+    }
    /**
     * The current rule being read.
     */
@@ -79,15 +94,6 @@ public class SuppressionHandler extends DefaultHandler {
     */
    private StringBuilder currentText;

-    /**
-     * Get the value of suppressionRules.
-     *
-     * @return the value of suppressionRules
-     */
-    public List<SuppressionRule> getSuppressionRules() {
-        return suppressionRules;
-    }
-
    /**
     * Handles the start element event.
     *
@@ -140,7 +146,11 @@ public class SuppressionHandler extends DefaultHandler {
            rule.addCwe(currentText.toString());
        } else if (CVE.equals(qName)) {
            rule.addCve(currentText.toString());
-        } else if (CVSS_BELOW.equals(qName)) {
+        }
+        else if (NOTES.equals(qName)) {
+            rule.addNotes(currentText.toString());
+        }
+        else if (CVSS_BELOW.equals(qName)) {
            final float cvss = Float.parseFloat(currentText.toString());
            rule.addCvssBelow(cvss);
        }
@@ -160,8 +170,8 @@ public class SuppressionHandler extends DefaultHandler {
    }

    /**
-     * Processes field members that have been collected during the characters
-     * and startElement method to construct a PropertyType object.
+     * Processes field members that have been collected during the characters and startElement method to construct a
+     * PropertyType object.
     *
     * @return a PropertyType object
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
@@ -175,6 +175,49 @@ public class SuppressionRule {
        return !cvssBelow.isEmpty();
    }

+
+    /**
+     * The notes added in suppression file
+     */
+
+    private String notes = new String();
+
+    /**
+     * Get the value of notes.
+     *
+     * @return the value of notes
+     */
+    public String getNotes() {
+        return notes;
+    }
+
+    /**
+     * Set the value of notes.
+     *
+     * @param notes new value of cve
+     */
+    public void setNotes(String notes) {
+        this.notes = notes;
+    }
+
+    /**
+     * Adds the notes to the cve list.
+     *
+     * @param notes the cve to add
+     */
+    public void addNotes(String notes) {
+        this.notes=notes;
+    }
+
+    /**
+     * Returns whether this suppression rule has notes entries.
+     *
+     * @return whether this suppression rule has notes entries
+     */
+    public boolean hasNotes() {
+        return !cve.isEmpty();
+    }
+
    /**
     * Get the value of CWE.
     *
--- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd
+++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
+<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
    <xs:element name="analysis">
        <xs:complexType>
            <xs:sequence minOccurs="0" maxOccurs="unbounded">
--- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl
@@ -19,7 +19,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@version 1.2

 *#<?xml version="1.0"?>
-<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
+<analysis xmlns="https://github.com/Prakhash/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd">
    <scanInfo>
        <engineVersion>$version</engineVersion>
 #foreach($prop in $properties.getMetaData().entrySet())
@@ -141,7 +141,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 #end
                    <description>$enc.xml($vuln.description)</description>
                    <references>
-#foreach($ref in $vuln.getReferences(true))
+#foreach($ref in $vuln.getReferences())
                        <reference>
                            <source>$enc.xml($ref.source)</source>
                            <url>$enc.xml($ref.url)</url>
@@ -150,7 +150,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 #end
                    </references>
                    <vulnerableSoftware>
-#foreach($vs in $vuln.getVulnerableSoftware(true))
+#foreach($vs in $vuln.getVulnerableSoftware())
                        <software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
 #end
                    </vulnerableSoftware>
@@ -171,8 +171,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <cwe>$enc.xml($vuln.cwe)</cwe>
 #end
                    <description>$enc.xml($vuln.description)</description>
+                    <notes>$enc.xml($vuln.notes)</notes>
                    <references>
-#foreach($ref in $vuln.getReferences(true))
+#foreach($ref in $vuln.getReferences())
                        <reference>
                            <source>$enc.xml($ref.source)</source>
                            <url>$enc.xml($ref.url)</url>
@@ -181,7 +182,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 #end
                    </references>
                    <vulnerableSoftware>
-#foreach($vs in $vuln.getVulnerableSoftware(true))
+#foreach($vs in $vuln.getVulnerableSoftware())
                        <software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
 #end
                    </vulnerableSoftware>