From 60c2e31ceafeb7ab4e852229ea1e671689b3cf80 Mon Sep 17 00:00:00 2001
From: Erik Lenoir
Date: Thu, 14 Sep 2017 12:46:10 +0200
Subject: [PATCH 1/2] Enhance CSV report, cf #809

---
 .../dependencycheck/reporting/EscapeTool.java | 53 +++++++++++++++++++
 .../main/resources/templates/csvReport.vsl | 4 +-
 2 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
index 4eb456176..73d33aa1f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
@@ -163,4 +163,57 @@ public class EscapeTool {
 }
 return StringEscapeUtils.escapeCsv(sb.toString());
 }
+
+ /**
+ * Takes a set of Identifiers, filters them to just CPEs, and formats them
+ * for confidence display in a CSV.
+ *
+ * @param ids the set of identifiers
+ * @return the formated list of confidence
+ */
+ public String csvCpeConfidence(Set ids) {
+ if (ids == null || ids.isEmpty()) {
+ return "";
+ }
+ boolean addComma = false;
+ final StringBuilder sb = new StringBuilder();
+ for (Identifier id : ids) {
+ if ("cpe".equals(id.getType())) {
+ if (addComma) {
+ sb.append(", ");
+ } else {
+ addComma = true;
+ }
+ sb.append(id.getConfidence());
+ }
+ }
+ return StringEscapeUtils.escapeCsv(sb.toString());
+ }
+
+ /**
+ * Takes a set of Identifiers, filters them to just GAVs, and formats them
+ * for display in a CSV.
+ *
+ * @param ids the set of identifiers
+ * @return the formated list of GAV identifiers
+ */
+ public String csvGav(Set ids) {
+ if (ids == null || ids.isEmpty()) {
+ return "";
+ }
+ boolean addComma = false;
+ final StringBuilder sb = new StringBuilder();
+ for (Identifier id : ids) {
+ if ("maven".equals(id.getType())) {
+ if (addComma) {
+ sb.append(", ");
+ } else {
+ addComma = true;
+ }
+ sb.append(id.getValue());
+ }
+ }
+ return StringEscapeUtils.escapeCsv(sb.toString());
+ }
+
 }
diff --git a/dependency-check-core/src/main/resources/templates/csvReport.vsl b/dependency-check-core/src/main/resources/templates/csvReport.vsl
index 6348b5606..eb850368f 100644
--- a/dependency-check-core/src/main/resources/templates/csvReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/csvReport.vsl
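Review bot: `sb.append(id.getConfidence())` in csvCpeConfidence writes the literal text `null` into the CPE Confidence column for any CPE identifier whose confidence was never set, assuming `getConfidence()` can return null (the added tests always call `setConfidence` first, so that path is unexercised); consider `final Object c = id.getConfidence(); sb.append(c == null ? "" : c.toString());` or skipping such identifiers. The same loop shape — filter on `getType()`, comma-join, `escapeCsv` — now exists three times (the existing csvCpe in context, csvCpeConfidence, csvGav), so a private helper taking the type string and a flag for value-versus-confidence would remove the duplication. Also note that `StringEscapeUtils.escapeCsv` only quotes CSV metacharacters; it does not neutralise a field beginning with `=`, `+`, `-` or `@`, which spreadsheet applications treat as a formula, so if identifier values ultimately come from scanned artifact metadata the Javadoc should carry that caveat (or the value should get a defensive prefix). The parameter appears here as a raw `Set`, which may be an artifact of how the page was captured, since `for (Identifier id : ids)` would not compile over a raw set without a cast.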
@@ -17,11 +17,11 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
 @author Jeremy Long
 @version 1
 *###
-"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","Severity","CVSSv2"
+"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","Severity","CVSSv2","GAV","CPE Confidence","Evidence Count"
 #macro(writeSev $score)#if($score<4.0)"Low"#elseif($score>=7.0)"High"#else"Medium"#end#end
 #foreach($dependency in $dependencies)#if($dependency.getVulnerabilities().size()>0)
 #foreach($vuln in $dependency.getVulnerabilities())
-$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),#if($dependency.FilePath)$enc.csv($dependency.FilePath)#end,#if($dependency.description)$enc.csv($dependency.description)#end,#if($dependency.license)$enc.csv($dependency.license)#end,#if($dependency.Md5sum)$enc.csv($dependency.Md5sum)#end,#if($dependency.Sha1sum)$enc.csv($dependency.Sha1sum)#end,#if($dependency.identifiers)$enc.csvIdentifiers($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpe($dependency.identifiers)#end,#if($vuln.name)$enc.csv($vuln.name)#end,#if($dependency.cwe)$enc.csv($vuln.cwe)#end,#if($vuln.description)$enc.csv($vuln.description)#end,#if($vuln.getSource().name())$enc.csv($vuln.getSource().name())#end,#writeSev($vuln.cvssScore),$vuln.cvssScore
+$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),#if($dependency.FilePath)$enc.csv($dependency.FilePath)#end,#if($dependency.description)$enc.csv($dependency.description)#end,#if($dependency.license)$enc.csv($dependency.license)#end,#if($dependency.Md5sum)$enc.csv($dependency.Md5sum)#end,#if($dependency.Sha1sum)$enc.csv($dependency.Sha1sum)#end,#if($dependency.identifiers)$enc.csvIdentifiers($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpe($dependency.identifiers)#end,#if($vuln.name)$enc.csv($vuln.name)#end,#if($dependency.cwe)$enc.csv($vuln.cwe)#end,#if($vuln.description)$enc.csv($vuln.description)#end,#if($vuln.getSource().name())$enc.csv($vuln.getSource().name())#end,#writeSev($vuln.cvssScore),$vuln.cvssScore,#if($dependency.identifiers)$enc.csvGav($dependency.identifiers)#end,#if($dependency.identifiers)$enc.csvCpeConfidence($dependency.identifiers)#end,$dependency.getEvidenceForDisplay().size()
 #end
 #end
 #end
\ No newline at end of file

From 9a9cf826ab59bfbef8a7aba00993a1e552127271 Mon Sep 17 00:00:00 2001
From: Erik Lenoir
Date: Thu, 14 Sep 2017 14:01:41 +0200
Subject: [PATCH 2/2] Add TU

---
 .../reporting/EscapeToolTest.java | 95 +++++++++++++++++++
 1 file changed, 95 insertions(+)

diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/EscapeToolTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/EscapeToolTest.java
index 04eda668c..6890d2469 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/EscapeToolTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/EscapeToolTest.java
@@ -21,6 +21,8 @@ import java.util.HashSet;
 import java.util.Set;
 import org.junit.Test;
 import static org.junit.Assert.*;
+
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Identifier;
 
 /**
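Review bot: The rewritten row line still contains `#if($dependency.cwe)$enc.csv($vuln.cwe)#end`, which guards on a property of `$dependency` but emits `$vuln.cwe`; this predates the change, but since the whole line is replaced here it should read `#if($vuln.cwe)$enc.csv($vuln.cwe)#end`. The three new columns are appended consistently to both the header and the row (nineteen fields each), so the shape stays aligned. The `#if($dependency.identifiers)` guards around `$enc.csvGav` and `$enc.csvCpeConfidence` are redundant given both methods return `""` for null or empty input, whereas the unguarded `$dependency.getEvidenceForDisplay().size()` presumably renders as the literal reference text if that call ever yields null, so if a guard is wanted anywhere it is on the last field rather than the two before it.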
@@ -228,4 +230,97 @@ public class EscapeToolTest {
 result = instance.csvCpe(ids);
 assertTrue(expResult.equals(result) || expResult2.equals(result));
 }
+
+ /**
+ * Test of csvCpeConfidence method, of class EscapeTool.
+ */
+ @Test
+ public void testCsvCpeConfidence() {
+ EscapeTool instance = new EscapeTool();
+ Set ids = null;
+ String expResult = "";
+ String result = instance.csvCpeConfidence(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ expResult = "";
+ result = instance.csvCpeConfidence(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ ids.add(new Identifier("gav", "somegroup:something:1.0", ""));
+ expResult = "";
+ result = instance.csvCpeConfidence(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ Identifier i1 = new Identifier("cpe", "cpe:/a:somegroup:something:1.0", "");
+ i1.setConfidence(Confidence.HIGH);
+ ids.add(i1);
+ expResult = "HIGH";
+ result = instance.csvCpeConfidence(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ i1 = new Identifier("cpe", "cpe:/a:somegroup:something:1.0", "");
+ i1.setConfidence(Confidence.HIGH);
+ ids.add(i1);
+ Identifier i2 = new Identifier("cpe", "cpe:/a:somegroup:something2:1.0", "");
+ i2.setConfidence(Confidence.MEDIUM);
+ ids.add(i2);
+ Identifier i3 = new Identifier("gav", "somegroup:something:1.0", "");
+ i3.setConfidence(Confidence.LOW);
+ ids.add(i3);
+
+ expResult = "\"HIGH, MEDIUM\"";
+ String expResult2 = "\"MEDIUM, HIGH\"";
+ result = instance.csvCpeConfidence(ids);
+ assertTrue(expResult.equals(result) || expResult2.equals(result));
+ }
+
+ /**
+ * Test of csvGav method, of class EscapeTool.
+ */
+ @Test
+ public void testCsvGav() {
+ EscapeTool instance = new EscapeTool();
+ Set ids = null;
+ String expResult = "";
+ String result = instance.csvGav(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ expResult = "";
+ result = instance.csvGav(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ ids.add(new Identifier("cpe", "somegroup:something:1.0", ""));
+ expResult = "";
+ result = instance.csvGav(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ ids.add(new Identifier("maven", "somegroup:something:1.0", ""));
+ expResult = "somegroup:something:1.0";
+ result = instance.csvGav(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ ids.add(new Identifier("cpe", "cpe:/a:somegroup:something:1.0", ""));
+ ids.add(new Identifier("maven", "somegroup:something:1.0", ""));
+ expResult = "somegroup:something:1.0";
+ result = instance.csvGav(ids);
+ assertEquals(expResult, result);
+
+ ids = new HashSet<>();
+ ids.add(new Identifier("maven", "somegroup:something:1.0", ""));
+ ids.add(new Identifier("cpe", "cpe:/a:somegroup:something:1.0", ""));
+ ids.add(new Identifier("maven", "somegroup:something2:1.0", ""));
+ expResult = "\"somegroup:something:1.0, somegroup:something2:1.0\"";
+ String expResult2 = "\"somegroup:something2:1.0, somegroup:something:1.0\"";
+ result = instance.csvGav(ids);
+ assertTrue(expResult.equals(result) || expResult2.equals(result));
+ }
+
 }
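Review bot: The multi-identifier cases in testCsvCpeConfidence and testCsvGav accept either ordering via `assertTrue(expResult.equals(result) || expResult2.equals(result))` because `HashSet` iteration order is unspecified; building `ids` as a `LinkedHashSet` would pin one expected string and would also make a wrong separator or a dropped element fail distinctly instead of being conflated with ordering. Neither test covers a CPE identifier whose confidence was never set, which is the one input where csvCpeConfidence's `sb.append(id.getConfidence())` output is not obvious; a case such as `ids.add(new Identifier("cpe", "cpe:/a:somegroup:something:1.0", ""));` followed by an assertion on the result would document the intended behaviour. In testCsvGav the filtering case uses `new Identifier("cpe", "somegroup:something:1.0", "")`, a GAV-shaped value typed `cpe`, which exercises the filter but reads oddly next to the real CPE strings used later in the same method. The enclosing class EscapeToolTest starts outside the hunk.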