updated to support changes for threadsafety
@@ -99,6 +99,20 @@ public class EscapeTool {
|
|||||||
return StringEscapeUtils.escapeJson(text);
|
return StringEscapeUtils.escapeJson(text);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* JavaScript encodes the provided text.
|
||||||
|
*
|
||||||
|
* @param text the text to encode
|
||||||
|
* @return the JavaScript encoded text
|
||||||
|
*/
|
||||||
|
public String javascript(String text) {
|
||||||
|
if (text == null || text.isEmpty()) {
|
||||||
|
return text;
|
||||||
|
}
|
||||||
|
//until lang3 has escapeJavaScript we use this...
|
||||||
|
return org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(text);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Formats text for CSV format. This includes trimming whitespace, replace
|
* Formats text for CSV format. This includes trimming whitespace, replace
|
||||||
* line breaks with spaces, and if necessary quotes the text and/or escapes
|
* line breaks with spaces, and if necessary quotes the text and/or escapes
|
||||||
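Review bot: The new `javascript(String)` method (its whole body is in this hunk) only escapes for a JavaScript string literal, yet its call sites in this commit place the result inside an HTML `onclick` attribute; commons-lang 2's `escapeJavaScript` emits `"` as `\"` and leaves `&` and `<` untouched, so a `"` in a display filename or identifier can still terminate the attribute before any script runs. Document that contract so callers compose encoders in the order the contexts nest: `* Note: the result is only safe inside a JavaScript string literal; when that literal is embedded in an HTML attribute, wrap the call with {@link #html(String)} as well.` The `html` encoder is already exposed by this class (the templates call `$enc.html`), so `$enc.html($enc.javascript(x))` is the defensive form for attribute placement. The `//until lang3 has escapeJavaScript` comment is also stale: lang3 ships `StringEscapeUtils.escapeEcmaScript`, which would let the fully-qualified commons-lang 2 reference go, although its handling of `"` is the same and the attribute-context caveat still applies.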
|
|||||||
@@ -35,6 +35,7 @@ import java.io.UnsupportedEncodingException;
|
|||||||
import java.math.BigDecimal;
|
import java.math.BigDecimal;
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import javax.annotation.concurrent.NotThreadSafe;
|
import javax.annotation.concurrent.NotThreadSafe;
|
||||||
|
import org.apache.commons.lang3.text.WordUtils;
|
||||||
import org.apache.velocity.VelocityContext;
|
import org.apache.velocity.VelocityContext;
|
||||||
import org.apache.velocity.app.VelocityEngine;
|
import org.apache.velocity.app.VelocityEngine;
|
||||||
import org.apache.velocity.context.Context;
|
import org.apache.velocity.context.Context;
|
||||||
@@ -45,6 +46,7 @@ import org.joda.time.format.DateTimeFormatter;
|
|||||||
import org.owasp.dependencycheck.analyzer.Analyzer;
|
import org.owasp.dependencycheck.analyzer.Analyzer;
|
||||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
||||||
import org.owasp.dependencycheck.dependency.Dependency;
|
import org.owasp.dependencycheck.dependency.Dependency;
|
||||||
|
import org.owasp.dependencycheck.dependency.EvidenceType;
|
||||||
import org.owasp.dependencycheck.exception.ReportException;
|
import org.owasp.dependencycheck.exception.ReportException;
|
||||||
import org.owasp.dependencycheck.utils.FileUtils;
|
import org.owasp.dependencycheck.utils.FileUtils;
|
||||||
import org.owasp.dependencycheck.utils.Settings;
|
import org.owasp.dependencycheck.utils.Settings;
|
||||||
@@ -195,6 +197,10 @@ public class ReportGenerator {
|
|||||||
ctxt.put("scanDate", scanDate);
|
ctxt.put("scanDate", scanDate);
|
||||||
ctxt.put("scanDateXML", scanDateXML);
|
ctxt.put("scanDateXML", scanDateXML);
|
||||||
ctxt.put("enc", new EscapeTool());
|
ctxt.put("enc", new EscapeTool());
|
||||||
|
ctxt.put("WordUtils", new WordUtils());
|
||||||
|
ctxt.put("VENDOR", EvidenceType.VENDOR);
|
||||||
|
ctxt.put("PRODUCT", EvidenceType.PRODUCT);
|
||||||
|
ctxt.put("VERSION", EvidenceType.VERSION);
|
||||||
ctxt.put("version", settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
|
ctxt.put("version", settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
|
||||||
return ctxt;
|
return ctxt;
|
||||||
}
|
}
|
||||||
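Review bot: `ctxt.put("WordUtils", new WordUtils());` at the end of the context-building hunk (the enclosing method starts outside the hunk) creates an instance of a static utility class solely so the template can dispatch `capitalizeFully` on it; that is a Velocity idiom, but nothing says so, and a future reader may drop the seemingly pointless object. A short comment keeps the intent: `// Velocity can only call static helpers through an instance; WordUtils is stateless, so one shared instance is fine.` The three `EvidenceType` entries would also benefit from a one-liner such as `// expose the enum constants so templates can call $dependency.getEvidence($VENDOR) etc.`, since their upper-case keys differ from every other key in this context.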
|
|||||||
@@ -699,8 +699,8 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
#end
|
#end
|
||||||
</td>
|
</td>
|
||||||
<td>$dependency.getVulnerabilities().size()</td>
|
<td>$dependency.getVulnerabilities().size()</td>
|
||||||
<td data-sort-value="$cpeSort">$cpeIdConf</td>
|
<td data-sort-value="$cpeSort">$WordUtils.capitalizeFully($cpeIdConf.toString())</td>
|
||||||
<td>$dependency.getEvidenceForDisplay().size()</td>
|
<td>$dependency.size()</td>
|
||||||
</tr>
|
</tr>
|
||||||
#end
|
#end
|
||||||
</table>
|
</table>
|
||||||
@@ -744,9 +744,15 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
|
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
|
||||||
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
|
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
|
||||||
<table class="lined fullwidth" border="0">
|
<table class="lined fullwidth" border="0">
|
||||||
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
|
<tr><th class="left" style="width:10%;">Type</th><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:50%;">Value</th><th class="left" style="width:10%;">Confidence</th></tr>
|
||||||
#foreach($evidence in $dependency.getEvidenceForDisplay())
|
#foreach($evidence in $dependency.getEvidence($VENDOR))
|
||||||
<tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
|
<tr><td>Vendor</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
|
||||||
|
#end
|
||||||
|
#foreach($evidence in $dependency.getEvidence($PRODUCT))
|
||||||
|
<tr><td>Product</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
|
||||||
|
#end
|
||||||
|
#foreach($evidence in $dependency.getEvidence($VERSION))
|
||||||
|
<tr><td>Version</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
|
||||||
#end
|
#end
|
||||||
</table>
|
</table>
|
||||||
</div>
|
</div>
|
||||||
@@ -813,11 +819,10 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
<li><b>$enc.html($id.type):</b> $enc.html($id.value)
|
<li><b>$enc.html($id.type):</b> $enc.html($id.value)
|
||||||
#end
|
#end
|
||||||
#if ($id.confidence)
|
#if ($id.confidence)
|
||||||
<i>Confidence</i>:$id.confidence
|
<i>Confidence</i>:$WordUtils.capitalizeFully($id.confidence.toString())
|
||||||
#end
|
#end
|
||||||
#if ($id.type=="cpe")
|
#if ($id.type=="cpe")
|
||||||
##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
|
<button class="copybutton" title="Generate Suppression XML for this CPE for this file" onclick="copyText('$enc.javascript($dependency.DisplayFileName)', '$enc.javascript($dependency.Sha1sum)', '$enc.javascript($suppressGav)', 'cpe', '$enc.javascript($id.value)')">suppress</button>
|
||||||
<button class="copybutton" title="Generate Suppression XML for this CPE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', '$enc.html($suppressGav)', 'cpe', '$enc.html($id.value)')">suppress</button>
|
|
||||||
#end
|
#end
|
||||||
#if ($id.description || $id.notes)
|
#if ($id.description || $id.notes)
|
||||||
<ul>
|
<ul>
|
||||||
@@ -841,7 +846,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
#foreach($vuln in $dependency.getVulnerabilities())
|
#foreach($vuln in $dependency.getVulnerabilities())
|
||||||
#set($vsctr=$vsctr+1)
|
#set($vsctr=$vsctr+1)
|
||||||
#if($vuln.getSource().name().equals("NVD"))
|
#if($vuln.getSource().name().equals("NVD"))
|
||||||
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b> <button class="copybutton" title="Generate Suppression XML for this CCE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', '$enc.html($suppressGav)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
|
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b> <button class="copybutton" title="Generate Suppression XML for this CCE for this file" onclick="copyText('$enc.javascript($dependency.DisplayFileName)', '$enc.javascript($dependency.Sha1sum)', '$enc.javascript($suppressGav)', 'cve', '$enc.javascript($vuln.name)')">suppress</button></p>
|
||||||
#elseif($vuln.getSource().name().equals("NSP"))
|
#elseif($vuln.getSource().name().equals("NSP"))
|
||||||
<p><b><a target="_blank" href="https://nodesecurity.io/advisories/$enc.url($vuln.name)">NSP-$enc.html($vuln.name)</a></b></p>
|
<p><b><a target="_blank" href="https://nodesecurity.io/advisories/$enc.url($vuln.name)">NSP-$enc.html($vuln.name)</a></b></p>
|
||||||
#end
|
#end
|
||||||
@@ -862,7 +867,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
<br/>CWE: $vuln.cwe
|
<br/>CWE: $vuln.cwe
|
||||||
#end
|
#end
|
||||||
#if ($vuln.notes)
|
#if ($vuln.notes)
|
||||||
<br/>Notes: $enc.xml($vuln.notes)
|
<br/>Notes: $enc.html($vuln.notes)
|
||||||
#end</p>
|
#end</p>
|
||||||
<p>$enc.html($vuln.description)
|
<p>$enc.html($vuln.description)
|
||||||
#if ($vuln.getReferences().size()>0)
|
#if ($vuln.getReferences().size()>0)
|
||||||
@@ -935,9 +940,15 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
|
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
|
||||||
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
|
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
|
||||||
<table class="lined fullwidth" border="0">
|
<table class="lined fullwidth" border="0">
|
||||||
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
|
<tr><th class="left" style="width:10%;">Type</th><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:50%;">Value</th><th class="left" style="width:10%;">Confidence</th></tr>
|
||||||
#foreach($evidence in $dependency.getEvidenceForDisplay())
|
#foreach($evidence in $dependency.getEvidence($VENDOR))
|
||||||
<tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
|
<tr><td>Vendor</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
|
||||||
|
#end
|
||||||
|
#foreach($evidence in $dependency.getEvidence($PRODUCT))
|
||||||
|
<tr><td>Product</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
|
||||||
|
#end
|
||||||
|
#foreach($evidence in $dependency.getEvidence($VERSION))
|
||||||
|
<tr><td>Version</td><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td><td>$WordUtils.capitalizeFully($evidence.getConfidence().toString())</td></tr>
|
||||||
#end
|
#end
|
||||||
</table>
|
</table>
|
||||||
</div>
|
</div>
|
||||||
@@ -975,7 +986,6 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
#foreach($id in $dependency.getSuppressedIdentifiers())
|
#foreach($id in $dependency.getSuppressedIdentifiers())
|
||||||
#if( $id.url )
|
#if( $id.url )
|
||||||
#if($id.type=="maven")
|
#if($id.type=="maven")
|
||||||
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
|
|
||||||
<li><b>$enc.html($id.type):</b> <a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a> <span title="verified from repo" style="color:green">✓</span> <span class="suppressedLabel" >suppressed</span>
|
<li><b>$enc.html($id.type):</b> <a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a> <span title="verified from repo" style="color:green">✓</span> <span class="suppressedLabel" >suppressed</span>
|
||||||
#else
|
#else
|
||||||
<li><b>$enc.html($id.type):</b> <a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a> <span class="suppressedLabel" >suppressed</span>
|
<li><b>$enc.html($id.type):</b> <a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a> <span class="suppressedLabel" >suppressed</span>
|
||||||
@@ -984,7 +994,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
<li><b>$enc.html($id.type):</b> $enc.html($id.value) <span class="suppressedLabel" >suppressed</span>
|
<li><b>$enc.html($id.type):</b> $enc.html($id.value) <span class="suppressedLabel" >suppressed</span>
|
||||||
#end
|
#end
|
||||||
#if ($id.confidence)
|
#if ($id.confidence)
|
||||||
<i>Confidence</i>:$id.confidence
|
<i>Confidence</i>:$WordUtils.capitalizeFully($id.confidence.toString())
|
||||||
#end
|
#end
|
||||||
#if ($id.description || $id.notes)
|
#if ($id.description || $id.notes)
|
||||||
<ul>
|
<ul>
|
||||||
@@ -992,7 +1002,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
|
|||||||
<li>Description: $enc.html($id.description)</li>
|
<li>Description: $enc.html($id.description)</li>
|
||||||
#end
|
#end
|
||||||
#if ($id.notes)
|
#if ($id.notes)
|
||||||
<li>Notes: $enc.xml($id.notes)</li>
|
<li>Notes: $enc.html($id.notes)</li>
|
||||||
#end
|
#end
|
||||||
</ul>
|
</ul>
|
||||||
#end
|
#end
|
||||||
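Review bot: The suppress buttons in hunks @@ -813 and @@ -841 replace `$enc.html(...)` with `$enc.javascript(...)` for values embedded in an `onclick="copyText('...')"` attribute, but that attribute is parsed by the HTML parser before the script ever runs; a `"` in a filename, GAV, CPE or vulnerability name becomes `\"` and closes the attribute, and `&`-sequences are decoded before the JavaScript sees them. Keep both encoders, inner-context first, for every argument of both buttons: `onclick="copyText('$enc.html($enc.javascript($dependency.DisplayFileName))', '$enc.html($enc.javascript($dependency.Sha1sum))', '$enc.html($enc.javascript($suppressGav))', 'cpe', '$enc.html($enc.javascript($id.value))')"`. The hunk also deletes the only comment explaining the encoding choice; a replacement such as `## JS-escape for the string literal, then HTML-encode for the attribute that contains it` would prevent the next contributor from "simplifying" it again. Whether `$enc.html` encodes `"` and `&` depends on EscapeTool.html, which is outside this diff.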
|
|||||||
@@ -67,7 +67,7 @@
|
|||||||
#end
|
#end
|
||||||
,"evidenceCollected": {
|
,"evidenceCollected": {
|
||||||
"vendorEvidence": [
|
"vendorEvidence": [
|
||||||
#foreach($evidence in $dependency.getVendorEvidence())
|
#foreach($evidence in $dependency.getEvidence($VENDOR))
|
||||||
#if($foreach.count > 1),#end{
|
#if($foreach.count > 1),#end{
|
||||||
"type": "vendor",
|
"type": "vendor",
|
||||||
"confidence": "$enc.json($evidence.getConfidence().toString())",
|
"confidence": "$enc.json($evidence.getConfidence().toString())",
|
||||||
@@ -78,7 +78,7 @@
|
|||||||
#end
|
#end
|
||||||
],
|
],
|
||||||
"productEvidence": [
|
"productEvidence": [
|
||||||
#foreach($evidence in $dependency.getProductEvidence())
|
#foreach($evidence in $dependency.getEvidence($PRODUCT))
|
||||||
#if($foreach.count > 1),#end{
|
#if($foreach.count > 1),#end{
|
||||||
"type": "product",
|
"type": "product",
|
||||||
"confidence": "$enc.json($evidence.getConfidence().toString())",
|
"confidence": "$enc.json($evidence.getConfidence().toString())",
|
||||||
@@ -89,7 +89,7 @@
|
|||||||
#end
|
#end
|
||||||
],
|
],
|
||||||
"versionEvidence": [
|
"versionEvidence": [
|
||||||
#foreach($evidence in $dependency.getVersionEvidence())
|
#foreach($evidence in $dependency.getEvidence($VERSION))
|
||||||
#if($foreach.count > 1),#end
|
#if($foreach.count > 1),#end
|
||||||
{
|
{
|
||||||
"type": "version",
|
"type": "version",
|
||||||
|
|||||||