From b05bb8a1ee78af42618624452ed1702072f579c4 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 10 Sep 2017 08:40:01 -0400
Subject: [PATCH] updated to support changes for threadsafety

---
 .../dependencycheck/reporting/EscapeTool.java | 14 +++++++
 .../reporting/ReportGenerator.java            |  6 +++
 .../main/resources/templates/htmlReport.vsl   | 42 ++++++++++++-------
 .../main/resources/templates/jsonReport.vsl   |  6 +--
 4 files changed, 49 insertions(+), 19 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
index adf89bfcb..c5fd7ce06 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
@@ -99,6 +99,20 @@ public class EscapeTool {
         return StringEscapeUtils.escapeJson(text);
     }
 
+    /**
+     * JavaScript encodes the provided text.
+     *
+     * @param text the text to encode
+     * @return the JavaScript encoded text
+     */
+    public String javascript(String text) {
+        if (text == null || text.isEmpty()) {
+            return text;
+        }
+        //until lang3 has escapeJavaScript we use this... 
+        return org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(text);
+    }
+
     /**
      * Formats text for CSV format. This includes trimming whitespace, replace
      * line breaks with spaces, and if necessary quotes the text and/or escapes
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
index 70208794e..ee99e6f12 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
@@ -35,6 +35,7 @@ import java.io.UnsupportedEncodingException;
 import java.math.BigDecimal;
 import java.nio.charset.StandardCharsets;
 import javax.annotation.concurrent.NotThreadSafe;
+import org.apache.commons.lang3.text.WordUtils;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.context.Context;
@@ -45,6 +46,7 @@ import org.joda.time.format.DateTimeFormatter;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
@@ -195,6 +197,10 @@ public class ReportGenerator {
         ctxt.put("scanDate", scanDate);
         ctxt.put("scanDateXML", scanDateXML);
         ctxt.put("enc", new EscapeTool());
+        ctxt.put("WordUtils", new WordUtils());
+        ctxt.put("VENDOR", EvidenceType.VENDOR);
+        ctxt.put("PRODUCT", EvidenceType.PRODUCT);
+        ctxt.put("VERSION", EvidenceType.VERSION);
         ctxt.put("version", settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
         return ctxt;
     }
diff --git a/dependency-check-core/src/main/resources/templates/htmlReport.vsl b/dependency-check-core/src/main/resources/templates/htmlReport.vsl
index 025211943..ceb7922d9 100644
--- a/dependency-check-core/src/main/resources/templates/htmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/htmlReport.vsl
@@ -699,8 +699,8 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                         #end
                         </td>
                         <td>$dependency.getVulnerabilities().size()</td>
-                        <td data-sort-value="$cpeSort">$cpeIdConf</td>
-                        <td>$dependency.getEvidenceForDisplay().size()</td>
+                        <td data-sort-value="$cpeSort">$WordUtils.capitalizeFully($cpeIdConf.toString())</td>
+                        <td>$dependency.size()</td>
                     </tr>
                     #end
                 </table>
@@ -744,9 +744,15 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                         <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
                         <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
                             <table class="lined fullwidth" border="0">
-                                <tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
-                                #foreach($evidence in $dependency.getEvidenceForDisplay())
-                                    <tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
+                                <tr><th class="left" style="width:10%;">Type</th><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:50%;">Value</th><th class="left" style="width:10%;">Confidence</th></tr>
+                                #foreach($evidence in $dependency.getEvidence($VENDOR))
+                                    <tr><td>Vendor</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
+                                #end
+                                #foreach($evidence in $dependency.getEvidence($PRODUCT))
+                                    <tr><td>Product</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
+                                #end
+                                #foreach($evidence in $dependency.getEvidence($VERSION))
+                                    <tr><td>Version</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
                                 #end
                             </table>
                         </div>
@@ -813,11 +819,10 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                     <li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)
                                 #end
                                 #if ($id.confidence)
-                                    &nbsp;&nbsp;<i>Confidence</i>:$id.confidence
+                                    &nbsp;&nbsp;<i>Confidence</i>:$WordUtils.capitalizeFully($id.confidence.toString())
                                 #end
                                 #if ($id.type=="cpe")
-                                    ##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
-                                    &nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CPE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', '$enc.html($suppressGav)', 'cpe', '$enc.html($id.value)')">suppress</button>
+                                    &nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CPE for this file" onclick="copyText('$enc.javascript($dependency.DisplayFileName)', '$enc.javascript($dependency.Sha1sum)', '$enc.javascript($suppressGav)', 'cpe', '$enc.javascript($id.value)')">suppress</button>
                                 #end
                                 #if ($id.description || $id.notes)
                                     <ul>
@@ -841,7 +846,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                         #foreach($vuln in $dependency.getVulnerabilities())
                             #set($vsctr=$vsctr+1)
                             #if($vuln.getSource().name().equals("NVD"))
-                                <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CCE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', '$enc.html($suppressGav)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
+                                <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CCE for this file" onclick="copyText('$enc.javascript($dependency.DisplayFileName)', '$enc.javascript($dependency.Sha1sum)', '$enc.javascript($suppressGav)', 'cve', '$enc.javascript($vuln.name)')">suppress</button></p>
                             #elseif($vuln.getSource().name().equals("NSP"))
                                 <p><b><a target="_blank" href="https://nodesecurity.io/advisories/$enc.url($vuln.name)">NSP-$enc.html($vuln.name)</a></b></p>
                             #end
@@ -862,7 +867,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                 <br/>CWE: $vuln.cwe
                             #end
                             #if ($vuln.notes)
-                                <br/>Notes: $enc.xml($vuln.notes)
+                                <br/>Notes: $enc.html($vuln.notes)
                             #end</p>
                             <p>$enc.html($vuln.description)
                             #if ($vuln.getReferences().size()>0)
@@ -935,9 +940,15 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                 <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
                                 <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
                                     <table class="lined fullwidth" border="0">
-                                        <tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
-                                        #foreach($evidence in $dependency.getEvidenceForDisplay())
-                                            <tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
+                                        <tr><th class="left" style="width:10%;">Type</th><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:50%;">Value</th><th class="left" style="width:10%;">Confidence</th></tr>
+                                        #foreach($evidence in $dependency.getEvidence($VENDOR))
+                                            <tr><td>Vendor</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
+                                        #end
+                                        #foreach($evidence in $dependency.getEvidence($PRODUCT))
+                                            <tr><td>Product</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
+                                        #end
+                                        #foreach($evidence in $dependency.getEvidence($VERSION))
+                                            <tr><td>Version</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
                                         #end
                                     </table>
                                 </div>
@@ -975,7 +986,6 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                     #foreach($id in $dependency.getSuppressedIdentifiers())
                                         #if( $id.url )
                                             #if($id.type=="maven")
-                                            ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
                                             <li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>&nbsp;<span title="verified from repo" style="color:green">&#x2713;</span>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
                                             #else
                                             <li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
@@ -984,7 +994,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                             <li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
                                         #end
                                         #if ($id.confidence)
-                                            &nbsp;&nbsp;<i>Confidence</i>:$id.confidence
+                                            &nbsp;&nbsp;<i>Confidence</i>:$WordUtils.capitalizeFully($id.confidence.toString())
                                         #end
                                         #if ($id.description || $id.notes)
                                             <ul>
@@ -992,7 +1002,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                                 <li>Description: $enc.html($id.description)</li>
                                             #end
                                             #if ($id.notes)
-                                                <li>Notes: $enc.xml($id.notes)</li>
+                                                <li>Notes: $enc.html($id.notes)</li>
                                             #end
                                             </ul>
                                         #end
diff --git a/dependency-check-core/src/main/resources/templates/jsonReport.vsl b/dependency-check-core/src/main/resources/templates/jsonReport.vsl
index ef69987dc..df072f15c 100644
--- a/dependency-check-core/src/main/resources/templates/jsonReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/jsonReport.vsl
@@ -67,7 +67,7 @@
             #end
             ,"evidenceCollected": {
                 "vendorEvidence": [
-                    #foreach($evidence in $dependency.getVendorEvidence())
+                    #foreach($evidence in $dependency.getEvidence($VENDOR))
                         #if($foreach.count > 1),#end{
                             "type": "vendor",
                             "confidence": "$enc.json($evidence.getConfidence().toString())",
@@ -78,7 +78,7 @@
                     #end
                 ],
                 "productEvidence": [
-                    #foreach($evidence in $dependency.getProductEvidence())
+                    #foreach($evidence in $dependency.getEvidence($PRODUCT))
                         #if($foreach.count > 1),#end{
                             "type": "product",
                             "confidence": "$enc.json($evidence.getConfidence().toString())",
@@ -89,7 +89,7 @@
                     #end
                 ],
                 "versionEvidence": [
-                    #foreach($evidence in $dependency.getVersionEvidence())
+                    #foreach($evidence in $dependency.getEvidence($VERSION))
                     #if($foreach.count > 1),#end
                     {
                         "type": "version",