github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-18 23:34:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

releasing updates from private repo

Browse Source 
Former-commit-id: 064139c68ad185358d6c74a77511d9ca36229633
This commit is contained in:
Jeremy Long
2013-07-31 10:21:31 -04:00
parent a036b9fc27
commit c3f9f16ce3
264 changed files with 13532 additions and 3394 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
dependency-check-core/src/main/resources/META-INF/licenses/StupidTablePlugin/LICENSE.txt Normal file
View File

@@ -0,0 +1,19 @@
Copyright (c) 2012 Joseph McCullough
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

202
dependency-check-core/src/main/resources/META-INF/licenses/commons-io/LICENSE.txt Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

5
dependency-check-core/src/main/resources/META-INF/licenses/cve/license.txt Normal file
View File

@@ -0,0 +1,5 @@
LICENSE
The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Common Vulnerabilities and Exposures (CVE®) for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITREs copyright designation and this license in any such copy.
DISCLAIMERS
ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

7
dependency-check-core/src/main/resources/META-INF/licenses/cwe/license.txt Normal file
View File

@@ -0,0 +1,7 @@
LICENSE
The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Common Weakness Enumeration (CWE™) for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITREs copyright designation and this license in any such copy.
DISCLAIMERS
ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
CWE is free to use by any organization or individual for any research, development, and/or commercial purposes, per these CWE Terms of Use. MITRE has copyrighted the CWE List, Top 25, CWSS, and CWRAF for the benefit of the community in order to ensure each remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. MITRE has trademarked ™ the CWE and related acronyms and the CWE and related logos to protect their sole and ongoing use by the CWE effort within the information security arena. Please contact cwe@mitre.org if you require further clarification on this issue.

253
dependency-check-core/src/main/resources/META-INF/licenses/h2database/license.txt Normal file
View File

@@ -0,0 +1,253 @@
H2 License - Version 1.0
1. Definitions
1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a third party.
1.1. "Contributor" means each entity that creates or contributes to the creation of Modifications.
1.2. "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that particular Contributor.
1.3. "Covered Code" means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof.
1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.
1.5. "Executable" means Covered Code in any form other than Source Code.
1.6. "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A.
1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License.
1.8. "License" means this document.
1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein.
1.9. "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When Covered Code is released as a series of files, a Modification is:
1.9.a. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications.
1.9.b. Any new file that contains any part of the Original Code or previous Modifications.
1.10. "Original Code" means Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and which, at the time of its release under this License is not already Covered Code governed by this License.
1.10.1. "Patent Claims" means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in any patent Licensable by grantor.
1.11. "Source Code" means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or de-archiving software is widely available for no charge.
1.12. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of this License issued under Section 6.1. For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
2. Source Code License
2.1. The Initial Developer Grant
The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims:
2.1.a. under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and
2.1.b. under Patents Claims infringed by the making, using or selling of Original Code, to make, have made, use, practice, sell, and offer for sale, and/or otherwise dispose of the Original Code (or portions thereof).
2.1.c. the licenses granted in this Section 2.1 (a) and (b) are effective on the date Initial Developer first distributes Original Code under the terms of this License.
2.1.d. Notwithstanding Section 2.1 (b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code; or 3) for infringements caused by: i) the modification of the Original Code or ii) the combination of the Original Code with other software or devices.
2.2. Contributor Grant
Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license
2.2.a. under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code and/or as part of a Larger Work; and
2.2.b. under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: 1) Modifications made by that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such combination).
2.2.c. the licenses granted in Sections 2.2 (a) and 2.2 (b) are effective on the date Contributor first makes Commercial Use of the Covered Code.
2.2.c. Notwithstanding Section 2.2 (b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2) separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor.
3. Distribution Obligations
3.1. Application of License
The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source Code version of Covered Code may be distributed only under the terms of this License or a future version of this License released under Section 6.1, and You must include a copy of this License with every copy of the Source Code You distribute. You may not offer or impose any terms on any Source Code version that alters or restricts the applicable version of this License or the recipients' rights hereunder. However, You may include an additional document offering the additional rights described in Section 3.5.
3.2. Availability of Source Code
Any Modification which You create or to which You contribute must be made available in Source Code form under the terms of this License either on the same media as an Executable version or via an accepted Electronic Distribution Mechanism to anyone to whom you made an Executable version available; and if made available via Electronic Distribution Mechanism, must remain available for at least twelve (12) months after the date it initially became available, or at least six (6) months after a subsequent version of that particular Modification has been made available to such recipients. You are responsible for ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party.
3.3. Description of Modifications
You must cause all Covered Code to which You contribute to contain a file documenting the changes You made to create that Covered Code and the date of any change. You must include a prominent statement that the Modification is derived, directly or indirectly, from Original Code provided by the Initial Developer and including the name of the Initial Developer in (a) the Source Code, and (b) in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code.
3.4. Intellectual Property Matters
3.4.a. Third Party Claims: If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained.
3.4.b. Contributor APIs: If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file.
3.4.c. Representations: Contributor represents that, except as disclosed pursuant to Section 3.4 (a) above, Contributor believes that Contributor's Modifications are Contributor's original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License.
3.5. Required Notices
You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A. You must also duplicate this License in any documentation for the Source Code where You describe recipients' rights or ownership rights relating to Covered Code. You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear than any such warranty, support, indemnity or liability obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer.
3.6. Distribution of Executable Versions
You may distribute Covered Code in Executable form only if the requirements of Sections 3.1, 3.2, 3.3, 3.4 and 3.5 have been met for that Covered Code, and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You have fulfilled the obligations of Section 3.2. The notice must be conspicuously included in any notice in an Executable version, related documentation or collateral in which You describe recipients' rights relating to the Covered Code. You may distribute the Executable version of Covered Code or ownership rights under a license of Your choice, which may contain terms different from this License, provided that You are in compliance with the terms of this License and that the license for the Executable version does not attempt to limit or alter the recipient's rights in the Source Code version from the rights set forth in this License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are offered by You alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer.
3.7. Larger Works
You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a single product. In such a case, You must make sure the requirements of this License are fulfilled for the Covered Code.
4. Inability to Comply Due to Statute or Regulation.
If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Code due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be included in the legal file described in Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.
5. Application of this License.
This License applies to code to which the Initial Developer has attached the notice in Exhibit A and to related Covered Code.
6. Versions of the License.
6.1. New Versions
The H2 Group may publish revised and/or new versions of the License from time to time. Each version will be given a distinguishing version number.
6.2. Effect of New Versions
Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. You may also choose to use such Covered Code under the terms of any subsequent version of the License published by the H2 Group. No one other than the H2 Group has the right to modify the terms applicable to Covered Code created under this License.
6.3. Derivative Works
If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "H2 Group", "H2" or any confusingly similar phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version of the license contains terms which differ from the H2 License. (Filling in the name of the Initial Developer, Original Code or Contributor in the notice described in Exhibit A shall not of themselves be deemed to be modifications of this License.)
7. Disclaimer of Warranty
Covered code is provided under this license on an "as is" basis, without warranty of any kind, either expressed or implied, including, without limitation, warranties that the covered code is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the covered code is with you. Should any covered code prove defective in any respect, you (not the initial developer or any other contributor) assume the cost of any necessary servicing, repair or correction. This disclaimer of warranty constitutes an essential part of this license. No use of any covered code is authorized hereunder except under this disclaimer.
8. Termination
8.1. This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30 days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License. Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive.
8.2. If You initiate litigation by asserting a patent infringement claim (excluding declaratory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that:
8.2.a. such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above.
8.2.b. any software, hardware, or device, other than such Participant's Contributor Version, directly or indirectly infringes any patent, then any rights granted to You by such Participant under Sections 2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had made, Modifications made by that Participant.
8.3. If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent where such claim is resolved (such as by license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value of the licenses granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in determining the amount or value of any payment or license.
8.4. In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or any distributor hereunder prior to termination shall survive termination.
9. Limitation of Liability
Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall you, the initial developer, any other contributor, or any distributor of covered code, or any supplier of any of such parties, be liable to any person for any indirect, special, incidental, or consequential damages of any character including, without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to you.
10. United States Government End Users
The Covered Code is a "commercial item", as that term is defined in 48 C.F.R. 2.101 (October 1995), consisting of "commercial computer software" and "commercial computer software documentation", as such terms are used in 48 C.F.R. 12.212 (September 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein.
11. Miscellaneous
This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an entity chartered or registered to do business in United States of America, any litigation relating to this License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable attorneys' fees and expenses. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not apply to this License.
12. Responsibility for Claims
As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing herein is intended or shall be deemed to constitute any admission of liability.
13. Multiple-Licensed Code
Initial Developer may designate portions of the Covered Code as "Multiple-Licensed". "Multiple-Licensed" means that the Initial Developer permits you to utilize portions of the Covered Code under Your choice of this or the alternative licenses, if any, specified by the Initial Developer in the file described in Exhibit A.
Exhibit A
Multiple-Licensed under the H2 License, Version 1.0,
and under the Eclipse Public License, Version 1.0
(http://h2database.com/html/license.html).
Initial Developer: H2 Group
Eclipse Public License - Version 1.0
THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
1. DEFINITIONS
"Contribution" means:
a) in the case of the initial Contributor, the initial code and documentation distributed under this Agreement, and
b) in the case of each subsequent Contributor:
i) changes to the Program, and
ii) additions to the Program;
where such changes and/or additions to the Program originate from and are distributed by that particular Contributor. A Contribution 'originates' from a Contributor if it was added to the Program by such Contributor itself or anyone acting on such Contributor's behalf. Contributions do not include additions to the Program which: (i) are separate modules of software distributed in conjunction with the Program under their own license agreement, and (ii) are not derivative works of the Program.
"Contributor" means any person or entity that distributes the Program.
"Licensed Patents " mean patent claims licensable by a Contributor which are necessarily infringed by the use or sale of its Contribution alone or when combined with the Program.
"Program" means the Contributions distributed in accordance with this Agreement.
"Recipient" means anyone who receives the Program under this Agreement, including all Contributors.
2. GRANT OF RIGHTS
a) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, distribute and sublicense the Contribution of such Contributor, if any, and such derivative works, in source code and object code form.
b) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed Patents to make, use, sell, offer to sell, import and otherwise transfer the Contribution of such Contributor, if any, in source code and object code form. This patent license shall apply to the combination of the Contribution and the Program if, at the time the Contribution is added by the Contributor, such addition of the Contribution causes such combination to be covered by the Licensed Patents. The patent license shall not apply to any other combinations which include the Contribution. No hardware per se is licensed hereunder.
c) Recipient understands that although each Contributor grants the licenses to its Contributions set forth herein, no assurances are provided by any Contributor that the Program does not infringe the patent or other intellectual property rights of any other entity. Each Contributor disclaims any liability to Recipient for claims brought by any other entity based on infringement of intellectual property rights or otherwise. As a condition to exercising the rights and licenses granted hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if any. For example, if a third party patent license is required to allow Recipient to distribute the Program, it is Recipient's responsibility to acquire that license before distributing the Program.
d) Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the copyright license set forth in this Agreement.
3. REQUIREMENTS
A Contributor may choose to distribute the Program in object code form under its own license agreement, provided that:
a) it complies with the terms and conditions of this Agreement; and
b) its license agreement:
i) effectively disclaims on behalf of all Contributors all warranties and conditions, express and implied, including warranties or conditions of title and non-infringement, and implied warranties or conditions of merchantability and fitness for a particular purpose;
ii) effectively excludes on behalf of all Contributors all liability for damages, including direct, indirect, special, incidental and consequential damages, such as lost profits;
iii) states that any provisions which differ from this Agreement are offered by that Contributor alone and not by any other party; and
iv) states that source code for the Program is available from such Contributor, and informs licensees how to obtain it in a reasonable manner on or through a medium customarily used for software exchange.
When the Program is made available in source code form:
a) it must be made available under this Agreement; and
b) a copy of this Agreement must be included with each copy of the Program.
Contributors may not remove or alter any copyright notices contained within the Program.
Each Contributor must identify itself as the originator of its Contribution, if any, in a manner that reasonably allows subsequent Recipients to identify the originator of the Contribution.
4. COMMERCIAL DISTRIBUTION
Commercial distributors of software may accept certain responsibilities with respect to end users, business partners and the like. While this license is intended to facilitate the commercial use of the Program, the Contributor who includes the Program in a commercial product offering should do so in a manner which does not create potential liability for other Contributors. Therefore, if a Contributor includes the Program in a commercial product offering, such Contributor ("Commercial Contributor") hereby agrees to defend and indemnify every other Contributor ("Indemnified Contributor") against any losses, damages and costs (collectively "Losses") arising from claims, lawsuits and other legal actions brought by a third party against the Indemnified Contributor to the extent caused by the acts or omissions of such Commercial Contributor in connection with its distribution of the Program in a commercial product offering. The obligations in this section do not apply to any claims or Losses relating to any actual or alleged intellectual property infringement. In order to qualify, an Indemnified Contributor must: a) promptly notify the Commercial Contributor in writing of such claim, and b) allow the Commercial Contributor to control, and cooperate with the Commercial Contributor in, the defense and any related settlement negotiations. The Indemnified Contributor may participate in any such claim at its own expense.
For example, a Contributor might include the Program in a commercial product offering, Product X. That Contributor is then a Commercial Contributor. If that Commercial Contributor then makes performance claims, or offers warranties related to Product X, those performance claims and warranties are such Commercial Contributor's responsibility alone. Under this section, the Commercial Contributor would have to defend claims against the other Contributors related to those performance claims and warranties, and if a court requires any other Contributor to pay any damages as a result, the Commercial Contributor must pay those damages.
5. NO WARRANTY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the appropriateness of using and distributing the Program and assumes all risks associated with its exercise of rights under this Agreement, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and unavailability or interruption of operations.
6. DISCLAIMER OF LIABILITY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. GENERAL
If any provision of this Agreement is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this Agreement, and without further action by the parties hereto, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
If Recipient institutes patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Program itself (excluding combinations of the Program with other software or hardware) infringes such Recipient's patent(s), then such Recipient's rights granted under Section 2(b) shall terminate as of the date such litigation is filed.
All Recipient's rights under this Agreement shall terminate if it fails to comply with any of the material terms or conditions of this Agreement and does not cure such failure in a reasonable period of time after becoming aware of such noncompliance. If all Recipient's rights under this Agreement terminate, Recipient agrees to cease use and distribution of the Program as soon as reasonably practicable. However, Recipient's obligations under this Agreement and any licenses granted by Recipient relating to the Program shall continue and survive.
Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new versions (including revisions) of this Agreement from time to time. No one other than the Agreement Steward has the right to modify this Agreement. The Eclipse Foundation is the initial Agreement Steward. The Eclipse Foundation may assign the responsibility to serve as the Agreement Steward to a suitable separate entity. Each new version of the Agreement will be given a distinguishing version number. The Program (including Contributions) may always be distributed subject to the version of the Agreement under which it was received. In addition, after a new version of the Agreement is published, Contributor may elect to distribute the Program (including its Contributions) under the new version. Except as expressly stated in Sections 2(a) and 2(b) above, Recipient receives no rights or licenses to the intellectual property of any Contributor under this Agreement, whether expressly, by implication, estoppel or otherwise. All rights in the Program not expressly granted under this Agreement are reserved.
This Agreement is governed by the laws of the State of New York and the intellectual property laws of the United States of America. No party to this Agreement will bring a legal action under this Agreement more than one year after the cause of action arose. Each party waives its rights to a jury trial in any resulting litigation.
Export Control Classification Number (ECCN)
As far as we know, the U.S. Export Control Classification Number (ECCN) for this software is 5D002. However, for legal reasons, we can make no warranty that this information is correct. For details, see also the Apache Software Foundation Export Classifications page.

2
dependency-check-core/src/main/resources/META-INF/licenses/h2database/readme.txt Normal file
View File

@@ -0,0 +1,2 @@
The H2 database engine (http://www.h2database.com/) is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html

1026
dependency-check-core/src/main/resources/META-INF/licenses/jquery/MIT-LICENSE.txt Normal file
View File

File diff suppressed because it is too large Load Diff

21
dependency-check-core/src/main/resources/META-INF/licenses/jsoup/LICENSE.txt Normal file
View File

@@ -0,0 +1,21 @@
The MIT License
Copyright (c) 2009, 2010, 2011, 2012, 2013 Jonathan Hedley <jonathan@hedley.net>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

202
dependency-check-core/src/main/resources/META-INF/licenses/lucene/LICENSE.txt Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

202
dependency-check-core/src/main/resources/META-INF/licenses/velocity/LICENSE.txt Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

8
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer Normal file
View File

@@ -0,0 +1,8 @@
org.owasp.dependencycheck.analyzer.ArchiveAnalyzer
org.owasp.dependencycheck.analyzer.JarAnalyzer
org.owasp.dependencycheck.analyzer.FileNameAnalyzer
org.owasp.dependencycheck.analyzer.HintAnalyzer
org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer
org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer
org.owasp.dependencycheck.data.cpe.CPEAnalyzer
org.owasp.dependencycheck.data.nvdcve.NvdCveAnalyzer

1
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.data.CachedWebDataSource Normal file
View File

@@ -0,0 +1 @@
org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdater

BIN
dependency-check-core/src/main/resources/data/cwe.hashmap.serialized Normal file
View File

Binary file not shown.

33
dependency-check-core/src/main/resources/data/initialize.sql Normal file
View File

@@ -0,0 +1,33 @@
DROP INDEX IF EXISTS idxVulnerability;
DROP INDEX IF EXISTS idxReference;
DROP INDEX IF EXISTS idxCpe;
DROP INDEX IF EXISTS idxCpeEntry;
DROP INDEX IF EXISTS idxSoftwareCve;
DROP INDEX IF EXISTS idxSoftwareCpe;
DROP TABLE IF EXISTS vulnerability;
DROP TABLE IF EXISTS reference;
DROP TABLE IF EXISTS cpeEntry;
DROP TABLE IF EXISTS software;
CREATE TABLE settings (id varchar(50) PRIMARY KEY, value varchar(200));
CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) UNIQUE,
description VARCHAR(8000), cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, cpe VARCHAR(500), vendor VARCHAR(255), product VARCHAR(255));
CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
, CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
, CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
CREATE INDEX idxVulnerability ON vulnerability(cve);
CREATE INDEX idxReference ON reference(cveid);
CREATE INDEX idxCpe ON cpeEntry(cpe);
CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
CREATE INDEX idxSoftwareCve ON software(cveid);
CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);

31
dependency-check-core/src/main/resources/dependencycheck.properties Normal file
View File

@@ -0,0 +1,31 @@
application.name=${pom.name}
application.version=${pom.version}
autoupdate=true
#temp.directory defaults to System.getProperty("java.io.tmpdir")
#temp.directory=[path to temp directory]
# the path to the data directory
data.directory=data
# the path to the lucene index to store the cpe data
data.cpe=cpe
# the path to the h2 database to store the nvd cve data
data.cve=cve
# the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
# the path to the cpe meta data file.
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
# the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe.
cve.url.modified.validfordays=7
# the path to the modified nvd cve xml file.
cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.startyear=2002
cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml

163
dependency-check-core/src/main/resources/schema/DependencyCheck.xsd Normal file
View File

@@ -0,0 +1,163 @@
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="analysis" xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="analysis">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="projectInfo">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="reportDate" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="credits" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="dependencies">
<xs:complexType>
<xs:sequence>
<xs:element name="dependency" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="fileName" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="filePath" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="md5" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="sha1" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="license" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="relatedDependencies" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="relatedDependency" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="filePath" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="sha1" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="md5" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="analysisExceptions" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="exception" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="message" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="stackTrace" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="trace" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="innerException" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="message" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="stackTrace" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="trace" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="evidenceCollected" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="evidence" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="value" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="identifiers" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" />
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="software" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="allPreviousVersion" type="xs:boolean" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

156
dependency-check-core/src/main/resources/schema/cpe/cpe-dictionary_2.2.xsd Normal file
View File

@@ -0,0 +1,156 @@
<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema targetNamespace="http://cpe.mitre.org/dictionary/2.0" xmlns:cpe_dict="http://cpe.mitre.org/dictionary/2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xml="http://www.w3.org/XML/1998/namespace" elementFormDefault="qualified" attributeFormDefault="unqualified">
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<xsd:annotation>
<xsd:documentation xml:lang="en">This is an XML Schema for the CPE Dictionary. It is used to transfer a collection of official CPE Names along with any necessary supporting information (title, references, automated check, etc.). For more information, consult the CPE Specification document.</xsd:documentation>
<xsd:appinfo>
<schema>CPE Dictionary</schema>
<author>Neal Ziring, Andrew Buttner</author>
<version>2.2</version>
<date>03/11/2009 09:00:00 AM</date>
</xsd:appinfo>
</xsd:annotation>
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<xsd:element name="cpe-list" type="cpe_dict:ListType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The cpe-list element acts as a top-level container for CPE Name items. Each individual item must be unique. Please refer to the description of ListType for additional information about the sturcture of this element.</xsd:documentation>
</xsd:annotation>
<xsd:key name="itemURIKey">
<xsd:selector xpath="./cpe_dict:cpe-item"/>
<xsd:field xpath="@name"/>
</xsd:key>
</xsd:element>
<xsd:element name="cpe-item" type="cpe_dict:ItemType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The cpe-item element denotes a single CPE Name. Please refer to the description of ItemType for additional information about the sturcture of this element.</xsd:documentation>
</xsd:annotation>
<xsd:unique name="titleLangKey">
<xsd:selector xpath="./cpe_dict:title"/>
<xsd:field xpath="@xml:lang"/>
</xsd:unique>
<xsd:unique name="notesLangKey">
<xsd:selector xpath="./cpe_dict:notes"/>
<xsd:field xpath="@xml:lang"/>
</xsd:unique>
<xsd:unique name="checkSystemKey">
<xsd:selector xpath="./cpe_dict:check"/>
<xsd:field xpath="@system"/>
</xsd:unique>
</xsd:element>
<!-- =============================================================================== -->
<!-- ============================= SUPPORTING TYPES ============================== -->
<!-- =============================================================================== -->
<xsd:complexType name="GeneratorType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The GeneratorType complex type defines an element that is used to hold information about when a particular document was compiled, what version of the schema was used, what tool compiled the document, and what version of that tools was used. Additional generator information is also allowed although it is not part of the official schema. Individual organizations can place generator information that they feel are important and these will be skipped during the validation. All that this schema really cares about is that the stated generator information is there.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="product_name" type="xsd:string" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation xml:lang="en">The optional product_name element specifies the name of the application used to generate the file.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="product_version" type="xsd:string" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation xml:lang="en">The optional product_version element specifies the version of the application used to generate the file.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="schema_version" type="xsd:decimal" minOccurs="1" maxOccurs="1">
<xsd:annotation>
<xsd:documentation xml:lang="en">The required schema_version element specifies the version of the schema that the document has been written against and that should be used for validation.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="timestamp" type="xsd:dateTime" minOccurs="1" maxOccurs="1">
<xsd:annotation>
<xsd:documentation xml:lang="en">The required timestamp element specifies when the particular document was compiled. The format for the timestamp is yyyy-mm-ddThh:mm:ss. Note that the timestamp element does not specify item in the document was created or modified but rather when the actual XML document that contains the items was created. For example, a document might pull a bunch of existing items together, each of which having been created at some point in the past. The timestamp in this case would be when this combined document was created.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="ItemType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The ItemType complex type defines an element that represents a single CPE Name. The required name attribute is a URI which must be a unique key and should follow the URI structure outlined in the CPE Specification. The optional title element is used to provide a human-readable title for the platform. To support uses intended for multiple languages, this element supports the xml:lang attribute. At most one title element can appear for each language. The notes element holds optional descriptive material. Multiple notes elements are allowed, but only one per language should be used. Note that the language associated with the notes element applies to all child note elements. The optional references element holds external info references. The optional check element is used to call out an OVAL Definition that can confirm or reject an IT system as an instance of the named platform. Additional elements not part of the CPE namespace are allowed and are just skipped by validation. In essence, a dictionary file can contain additional information the a user can choose to use or not, but this information is not required to be used or understood.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="title" type="cpe_dict:TextType" minOccurs="1" maxOccurs="unbounded"/>
<xsd:element name="notes" type="cpe_dict:NotesType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="references" type="cpe_dict:ReferencesType" minOccurs="0" maxOccurs="1"/>
<xsd:element name="check" type="cpe_dict:CheckType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
</xsd:sequence>
<xsd:attribute name="name" type="cpe_dict:namePattern" use="required"/>
<xsd:attribute name="deprecated" type="xsd:boolean" use="optional" default="false"/>
<xsd:attribute name="deprecated_by" type="cpe_dict:namePattern" use="optional"/>
<xsd:attribute name="deprecation_date" type="xsd:dateTime" use="optional"/>
</xsd:complexType>
<xsd:complexType name="ListType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The ListType complex type defines an element that is used to hold a collection of individual items. The required generator section provides information about when the definition file was compiled and under what version. Additional elements not part of the CPE namespace are allowed and are just skipped by validation. In essence, a dictionary file can contain additional information the a user can choose to use or not, but this information is not required to be used or understood.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="generator" type="cpe_dict:GeneratorType" minOccurs="0" maxOccurs="1"/>
<xsd:element ref="cpe_dict:cpe-item" minOccurs="1" maxOccurs="unbounded"/>
<xsd:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="TextType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The TextType complex type allows the xml:lang attribute to associate a specific language with an element's string content.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute ref="xml:lang"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="NotesType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The notesType complex type defines an element that consists of one or more child note elements. It is assumed that each of these note elements are representative of the same language as defined by their parent.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="note" type="xsd:string" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute ref="xml:lang"/>
</xsd:complexType>
<xsd:complexType name="ReferencesType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The ReferencesType complex type defines an element used to hold a collection of individual references. Each reference consists of a piece of text (intended to be human-readable) and a URI (intended to be a URL, and point to a real resource) and is used to point to extra descriptive material, for example a supplier's web site or platform documentation.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="reference" minOccurs="1" maxOccurs="unbounded">
<xsd:complexType>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute name="href" type="xsd:anyURI"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="CheckType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The CheckType complex type is used to define an element for hold information about an individual check. It includes a checking system specification URI, string content, and an optional external file reference. The checking system specification should be the URI for a particular version of OVAL or a related system testing language, and the content will be an identifier of a test written in that language. The external file reference could be used to point to the file in which the content test identifier is defined.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute name="system" type="xsd:anyURI" use="required"/>
<xsd:attribute name="href" type="xsd:anyURI" use="optional"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- ================================ ID PATTERNS ================================ -->
<!-- =============================================================================== -->
<xsd:simpleType name="namePattern">
<xsd:annotation>
<xsd:documentation xml:lang="en">Define the format for acceptable CPE Names. A URN format is used with the id starting with the word cpe followed by :/ and then some number of individual components separated by colons.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:anyURI">
<xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:schema>

498
dependency-check-core/src/main/resources/schema/nvdcve/1_2/nvdcve.xsd Normal file
View File

@@ -0,0 +1,498 @@
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://nvd.nist.gov/feeds/cve/1.2"
xmlns:cve="http://nvd.nist.gov/feeds/cve/1.2"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="1.2">
<xs:annotation>
<xs:documentation>This schema defines the structure of the National
Vulnerability Database XML feed files version: 1.2. The elements and
attribute in this document are described by xs:annotation tags. This
file is kept at http://nvd.nist.gov/schema/nvdcve.xsd. The NVD XML
feeds are available at http://nvd.nist.gov/download.cfm.
Release Notes:
Version 1.2:
* CVSS version 2 scores and vectors have been added. Please see
http://nvd.nist.gov/cvss.cfm?vectorinfo and
http://www.first.org/cvss/cvss-guide.html for more information on
how to interpret this data. </xs:documentation>
</xs:annotation>
<xs:element name="nvd">
<xs:annotation>
<xs:documentation>The root element of the NVD CVE feed. Multiple "entry" child elements describe specific NVD CVE entries.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="cve:entry" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="nvd_xml_version" type="xs:NMTOKEN" use="required">
<xs:annotation>
<xs:documentation>The schema version number supported by the feed.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="pub_date" type="cve:dateType" use="required">
<xs:annotation>
<xs:documentation>The date the feed was generated.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="entry" type="cve:entryType">
<xs:annotation>
<xs:documentation>A CVE entry.</xs:documentation>
</xs:annotation>
</xs:element>
<!-- ******************************************************************* -->
<!-- * Complex Types * -->
<!-- ******************************************************************* -->
<xs:complexType name="entryType">
<xs:annotation>
<xs:documentation> Documents one CVE entry. The child elements should always
appear in the sequence defined below. These elements are compatible with
entry elements from the CVE XML feeds.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="desc">
<xs:annotation>
<xs:documentation>Description wrapper tag, parent to any
documented descriptions of this CVE entry. While the "desc"
tag will always be present, there may be no "descript" child
tags. Only one "descript" tag will exist for each
description source (i.e. CVE, NVD, ...). </xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="descript" type="cve:descriptType" minOccurs="0" maxOccurs="2">
<xs:annotation>
<xs:documentation>A description of a CVE entry
from the source indicated by the "source"
attribute.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="impacts" minOccurs="0">
<xs:annotation>
<xs:documentation> Impact wrapper tag (may or may not be
present). Only one "impact" tag will exist for each impact
explanation source. </xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="impact" type="cve:impactType">
<xs:annotation>
<xs:documentation> Contains a specific impact
explanation of this CVE entry from source
indicated by the "source" attribute.
</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="sols" type="cve:solsType" minOccurs="0">
<xs:annotation>
<xs:documentation> Solution wrapper tag (may or may not be
present). Only one "sol" tag will exist for each solution
explanation source. </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="loss_types" type="cve:lossTypeType" minOccurs="0">
<xs:annotation>
<xs:documentation> Loss type tag (may or may not be present).
Contains one loss type child for each loss type of this CVE
entry. Potential loss types are: "avail" => availability
"conf" => confidentiality "int" => integrity "sec_prot" =>
security protection </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="vuln_types" type="cve:vulnType" minOccurs="0">
<xs:annotation>
<xs:documentation> Vulnerability type tag (may or may not be
present). Contains one vulnerability type child for each
vulnerability type of this CVE entry. Potential
vulnerability types are: "access" => Access validation error
"input" => Input validation error "design" => Design error
"exception" => Exceptional condition error "env" =>
Environmental error "config" => Configuration error "race"
=> Race condition error "other" => other </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="range" type="cve:rangeType" minOccurs="0">
<xs:annotation>
<xs:documentation> Vulnerability range tag (may or may not be
present). Contains one vulnerability range child for each
vulnerability range of this CVE entry. Potential
vulnerability ranges are: "local" => Locally exploitable
"local_network" => Local network exploitable "network" =>
Network exploitable "user_init" => User accesses attacker
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="refs">
<xs:annotation>
<xs:documentation> Reference wrapper tag (always present).
External references to this CVE entry are contained within
this tag. </xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="ref" type="cve:refType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation> Individual reference to this CVE
entry. Text is the name of this vulnerability at
this particular reference. Attributes: "source"
(required) => Name of reference source "url"
(required) => hyperlink to reference "sig" =>
indicates this reference includes a tool
signature "adv" => indicates this reference is a
Security Advisory "patch" => indicates this
reference includes a patch for this
vulnerability </xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vuln_soft" type="cve:vulnSoftType" minOccurs="0">
<xs:annotation>
<xs:documentation> Vulnerable software wrapper tag (may or may
not be present). Software affected by this CVE entry are
listed within this tag. </xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="type" use="required">
<xs:annotation>
<xs:documentation>CVE or CAN</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="CAN"/>
<xs:enumeration value="CVE"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="name" use="required">
<xs:annotation>
<xs:documentation>the full CVE name</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:ID">
<xs:pattern value="(CAN|CVE)\-\d\d\d\d\-\d\d\d\d"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="seq" use="required">
<xs:annotation>
<xs:documentation>the sequence number from CVE name</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:pattern value="\d\d\d\d\-\d\d\d\d"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="nvd_name" type="xs:string">
<xs:annotation>
<xs:documentation>the NVD name (if it exists)</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="discovered" type="cve:dateType">
<xs:annotation>
<xs:documentation>the date this entry was discovered</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="published" type="cve:dateType" use="required">
<xs:annotation>
<xs:documentation>the date this entry was published</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="modified" type="cve:dateType">
<xs:annotation>
<xs:documentation>the date this entry was last modified</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="severity">
<xs:annotation>
<xs:documentation>the entry's severity as determined by the NVD analysts: High, Medium, or Low</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="High"/>
<xs:enumeration value="Medium"/>
<xs:enumeration value="Low"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="reject" type="cve:trueOnlyAttribute">
<xs:annotation>
<xs:documentation>indicates that this CVE entry has been rejected by CVE or NVD</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="CVSS_version" type="xs:string">
<xs:annotation>
<xs:documentation>the CVSS Version Indicator</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="CVSS_score" type="cve:zeroToTen">
<xs:annotation>
<xs:documentation>Same as the CVSS_base_score to provide backwards compatability with the previous CVE XML feed format. This field is deprecated an may be removed at a future date.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="CVSS_base_score" type="cve:zeroToTen">
<xs:annotation>
<xs:documentation>CVSS version 2 Base Score</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="CVSS_impact_subscore" type="cve:zeroToTen">
<xs:annotation>
<xs:documentation>CVSS version 2 Impact Score</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="CVSS_exploit_subscore" type="cve:zeroToTen">
<xs:annotation>
<xs:documentation>CVSS version 2 Exploit Score</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="CVSS_vector" type="cve:CVSSVector">
<xs:annotation>
<xs:documentation>the CVSS version 2 Vector string</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="descriptType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="source" type="cve:descriptSourceType" use="required">
<xs:annotation>
<xs:documentation>The source of the CVE description.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="impactType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="source" type="cve:impactSourceType" use="required">
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="vulnType">
<xs:sequence>
<xs:element name="access" minOccurs="0"/>
<xs:element name="input" minOccurs="0">
<xs:annotation>
<xs:documentation> Input validation error tag with
one attribute for each input validation error
type. Potential input validation error types
are: "bound" => Boundary condition error
"buffer" => Buffer overflow </xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="bound" type="cve:trueOnlyAttribute"/>
<xs:attribute name="buffer" type="cve:trueOnlyAttribute"
/>
</xs:complexType>
</xs:element>
<xs:element name="design" minOccurs="0"/>
<xs:element name="exception" minOccurs="0"/>
<xs:element name="env" minOccurs="0"/>
<xs:element name="config" minOccurs="0"/>
<xs:element name="race" minOccurs="0"/>
<xs:element name="other" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="solsType">
<xs:sequence>
<xs:element name="sol">
<xs:annotation>
<xs:documentation> Contains a specific solution
explanation of this CVE entry from source
indicated by the "source" attribute.
</xs:documentation>
</xs:annotation>
<xs:complexType mixed="true">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="source" type="cve:solsSourceType" use="required">
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="lossTypeType">
<xs:sequence>
<xs:element name="avail" minOccurs="0"/>
<xs:element name="conf" minOccurs="0"/>
<xs:element name="int" minOccurs="0"/>
<xs:element name="sec_prot" minOccurs="0">
<xs:annotation>
<xs:documentation> Security Protection tag with one
attribute for each security protection type.
Potential security protection types are: "admin"
=> gain administrative access "user" => gain
user access "other" => other </xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="admin" type="cve:trueOnlyAttribute"/>
<xs:attribute name="user" type="cve:trueOnlyAttribute"/>
<xs:attribute name="other" type="cve:trueOnlyAttribute"
/>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="rangeType">
<xs:sequence>
<xs:element name="local" minOccurs="0"/>
<xs:element name="local_network" minOccurs="0"/>
<xs:element name="network" minOccurs="0"/>
<xs:element name="user_init" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="refType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="source" type="xs:string" use="required"/>
<xs:attribute name="url" type="cve:urlType" use="required"/>
<xs:attribute name="sig" type="cve:trueOnlyAttribute"/>
<xs:attribute name="adv" type="cve:trueOnlyAttribute"/>
<xs:attribute name="patch" type="cve:trueOnlyAttribute"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="vulnSoftType">
<xs:sequence>
<xs:element name="prod" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation> Product wrapper tag. Versions of
this product that are affected by this
vulnerability are listed within this tag.
Attributes: "name" => Product name "vendor" =>
Vendor of this product </xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="vers" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation> Represents a version
of this product that is affected by
this vulnerability. Attributes:
"num" => This version number "prev"
=> Indicates that versions previous
to this version number are also
affected by this vulnerability
"edition" => Indicates the edition
associated with the version number
</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="num"
type="xs:string" use="required"/>
<xs:attribute name="prev"
type="cve:trueOnlyAttribute"/>
<xs:attribute name="edition"
type="xs:string"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="name" type="xs:string"
use="required"/>
<xs:attribute name="vendor" type="xs:string"
use="required"/>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- ******************************************************************* -->
<!-- * Simple Types * -->
<!-- ******************************************************************* -->
<xs:simpleType name="descriptSourceType">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="cve"/>
<xs:enumeration value="nvd"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="impactSourceType">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nvd"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="solsSourceType">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nvd"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dateType">
<xs:annotation>
<xs:documentation> Defines date format for NVD. Dates follow the mask "yyyy-mm-dd"
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern
value="(19|20)\d\d-((01|03|05|07|08|10|12)-(0[1-9]|[1-2]\d|3[01])|(04|06|09|11)-(0[1-9]|[1-2]\d|30)|02-(0[1-9]|1\d|2\d))"
/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="urlType">
<xs:annotation>
<xs:documentation> Restricts urls in NVD beyond the xs:anyURI restrictions.
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:anyURI">
<xs:whiteSpace value="collapse"/>
<xs:pattern value="(news|(ht|f)tp(s)?)://.+"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="trueOnlyAttribute">
<xs:annotation>
<xs:documentation> simpleType used for attributes that are only present when they are
true. Such attributes appear only in the form attribute_name="1".
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="1"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="zeroToTen">
<xs:annotation>
<xs:documentation> simpleType used when scoring on a scale of 0-10, inclusive
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:decimal">
<xs:minInclusive value="0" fixed="true"/>
<xs:maxInclusive value="10" fixed="true"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="CVSSVector">
<xs:annotation>
<xs:documentation>simpleType to describe the CVSS Base Vector </xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern
value="\(AV:[LAN]/AC:[HML]/Au:[NSM]/C:[NPC]/I:[NPC]/A:[NPC]\)"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>

61
dependency-check-core/src/main/resources/schema/nvdcve/2_0/cce_0.1.xsd Normal file
View File

@@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: Version 0-3 NetD
== Package: cce
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/cce/0.1"
xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1"
targetNamespace="http://scap.nist.gov/schema/cce/0.1"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.1">
<xsd:annotation>
<xsd:documentation>CCE is at an early phase of adoption. This schema is a work in progress and is far from
final. Additional work with using CCEs in a practical setting is required.</xsd:documentation>
</xsd:annotation>
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<xsd:simpleType name="cceNamePatternType">
<xsd:annotation>
<xsd:documentation>The format for a CCE name is CCE-NNNNNNNNNNN, where NNNNNNNNNNN is a sequence number.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:pattern value="CCE-[1-9]\d{0,10}"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CCE -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cceType">
<xsd:sequence>
<xsd:element name="definition" type="xsd:string" minOccurs="0"/>
<xsd:element name="parameter" type="cceParameterType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="technical-mechanisms" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="references" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="id" type="cceNamePatternType" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CCE_Parameter -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cceParameterType">
<xsd:sequence>
<xsd:element name="value" type="xsd:string" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="identifier" type="xsd:token">
<xsd:annotation>
<xsd:documentation>TODO: What does this identify?</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="operator" type="xsd:token">
<xsd:annotation>
<xsd:documentation>TODO: should this be an enumeration?</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
</xsd:schema>

101
dependency-check-core/src/main/resources/schema/nvdcve/2_0/cpe-language_2.1.xsd Normal file
View File

@@ -0,0 +1,101 @@
<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema targetNamespace="http://cpe.mitre.org/language/2.0" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xml="http://www.w3.org/XML/1998/namespace" elementFormDefault="qualified" attributeFormDefault="unqualified">
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<xsd:annotation>
<xsd:documentation xml:lang="en">This XML Schema defines the CPE Language. An individual CPE Name addresses a single part of an actual system. To identify more complex platform types, there needs to be a way to combine different CPE Names using logical operators. For example, there may be a need to identify a platform with a particular operating system AND a certain application. The CPE Language exists to satisfy this need, enabling the CPE Name for the operating system to be combined with the CPE Name for the application. For more information, consult the CPE Specification document.</xsd:documentation>
<xsd:appinfo>
<schema>CPE Language</schema>
<author>Neal Ziring, Andrew Buttner</author>
<version>2.1</version>
<date>01/31/2008 09:00:00 AM</date>
</xsd:appinfo>
</xsd:annotation>
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<xsd:element name="platform-specification">
<xsd:annotation>
<xsd:documentation xml:lang="en">This element is the root element of a CPE Language XML documents and therefore acts as a container for child platform definitions.</xsd:documentation>
</xsd:annotation>
<xsd:complexType>
<xsd:sequence>
<xsd:element name="platform" type="cpe:PlatformType" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
<xsd:key name="platformKey">
<xsd:selector xpath="cpe:platform"/>
<xsd:field xpath="@id"/>
</xsd:key>
</xsd:element>
<xsd:element name="logical-test" type="cpe:LogicalTestType"/>
<!-- =============================================================================== -->
<!-- ================================== PLATFORM ================================= -->
<!-- =============================================================================== -->
<xsd:complexType name="PlatformType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The platform element represents the description or qualifications of a particular IT platform type. The platform is defined by the logical-test child element. The id attribute holds a locally unique name for the platform. There is no defined format for this id, it just has to be unique to the containing language document.</xsd:documentation>
<xsd:documentation xml:lang="en">The optional title element may appear as a child to a platform element. It provides a human-readable title for it. To support uses intended for multiple languages, this element supports the xml:lang attribute. At most one title element can appear for each language.</xsd:documentation>
<xsd:documentation xml:lang="en">The optional remark element may appear as a child of a platform element. It provides some additional description. Zero or more remark elements may appear. To support uses intended for multiple languages, this element supports the xml:lang attribute. There can be multiple remarks for a single language.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="title" type="cpe:TextType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="remark" type="cpe:TextType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="logical-test" type="cpe:LogicalTestType" minOccurs="1" maxOccurs="1"/>
</xsd:sequence>
<xsd:attribute name="id" type="xsd:anyURI" use="required"/>
</xsd:complexType>
<xsd:complexType name="LogicalTestType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The logical-test element appears as a child of a platform element, and may also be nested to create more complex logical tests. The content consists of one or more elements: fact-ref, and logical-test children are permitted. The operator to be applied, and optional negation of the test, are given as attributes.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="logical-test" type="cpe:LogicalTestType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="fact-ref" type="cpe:FactRefType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="operator" type="cpe:operatorEnumeration" use="required"/>
<xsd:attribute name="negate" type="xsd:boolean" use="required"/>
</xsd:complexType>
<xsd:complexType name="FactRefType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The fact-ref element appears as a child of a logical-test element. It is simply a reference to a CPE Name that always evaluates to a Boolean result.</xsd:documentation>
</xsd:annotation>
<xsd:attribute name="name" type="cpe:namePattern" use="required"/>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- =============================== ENUMERATIONS ================================ -->
<!-- =============================================================================== -->
<xsd:simpleType name="operatorEnumeration">
<xsd:annotation>
<xsd:documentation xml:lang="en">The OperatorEnumeration simple type defines acceptable operators. Each operator defines how to evaluate multiple arguments.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:string">
<xsd:enumeration value="AND"/>
<xsd:enumeration value="OR"/>
</xsd:restriction>
</xsd:simpleType>
<!-- =============================================================================== -->
<!-- ============================== SUPPORTING TYPES ============================== -->
<!-- =============================================================================== -->
<xsd:complexType name="TextType">
<xsd:annotation>
<xsd:documentation xml:lang="en">This type allows the xml:lang attribute to associate a specific language with an element's string content.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute ref="xml:lang"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- ================================ ID PATTERNS ================================ -->
<!-- =============================================================================== -->
<xsd:simpleType name="namePattern">
<xsd:annotation>
<xsd:documentation xml:lang="en">Define the format for acceptable CPE Names. A URN format is used with the id starting with the word cpe followed by :/ and then some number of individual components separated by colons.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:anyURI">
<xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:schema>

70
dependency-check-core/src/main/resources/schema/nvdcve/2_0/cve_0.1.xsd Normal file
View File

@@ -0,0 +1,70 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: Version 0-3 NetD
== Package: cve
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/cve/0.1"
xmlns:scap_core="http://scap.nist.gov/schema/scap-core/0.1"
targetNamespace="http://scap.nist.gov/schema/cve/0.1"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.1">
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CVE_Name_Type <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="cveNamePatternType">
<xsd:annotation>
<xsd:documentation>Format for CVE Names is CVE-YYYY-NNNN, where YYYY is the year of publication and NNNN is a sequence number.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:pattern value="CVE-([1,2])\d{3}-\d{4}"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CVE_Status <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="cveStatus">
<xsd:annotation>
<xsd:documentation>Enumeration containing valid values for CVE status: Candidate, Entry, and Deprecated</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:enumeration value="CANDIDATE"/>
<xsd:enumeration value="ENTRY"/>
<xsd:enumeration value="DEPRECATED"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CVE -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cveType">
<xsd:sequence>
<xsd:element name="status" type="cveStatus" minOccurs="0">
<xsd:annotation>
<xsd:documentation>Status of Vulnerability -- Candidate, Entry, Deprecated</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="description" type="xsd:string" minOccurs="0">
<xsd:annotation>
<xsd:documentation>Free text field to describe the vulnerability</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="references" type="scap_core:referenceType" maxOccurs="unbounded" minOccurs="0">
<xsd:annotation>
<xsd:documentation>Discretionary information and links relevant to a given vulnerability referenced by the CVE</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="id" type="cveNamePatternType" use="required">
<xsd:annotation>
<xsd:documentation>CVE name in the CVE-YYYY-NNNN format</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
</xsd:schema>

386
dependency-check-core/src/main/resources/schema/nvdcve/2_0/cvss-v2_0.2.xsd Normal file
View File

@@ -0,0 +1,386 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Package: cvss-v2
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/cvss-v2/0.2"
targetNamespace="http://scap.nist.gov/schema/cvss-v2/0.2"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.2">
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Zero_To_Ten <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>Value restriction to single decimal values from 0.0 to 10.0, as used in CVSS scores</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:decimal">
<xsd:minInclusive value="0"/>
<xsd:maxInclusive value="10"/>
<xsd:fractionDigits value="1"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ================================================== -->
<!-- ===== Group Definitions -->
<!-- ================================================== -->
<xsd:group name="baseVectorsGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="access-vector" type="accessVectorType"/>
<xsd:element minOccurs="0" name="access-complexity" type="accessComplexityType"/>
<xsd:element minOccurs="0" name="authentication" type="authenticationType"/>
<xsd:element minOccurs="0" name="confidentiality-impact" type="ciaType"/>
<xsd:element minOccurs="0" name="integrity-impact" type="ciaType"/>
<xsd:element minOccurs="0" name="availability-impact" type="ciaType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="environmentalVectorsGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="collateral-damage-potential" type="collateralDamagePotentialType"/>
<xsd:element minOccurs="0" name="target-distribution" type="targetDistributionType"/>
<xsd:element minOccurs="0" name="confidentiality-requirement" type="ciaRequirementType"/>
<xsd:element minOccurs="0" name="integrity-requirement" type="ciaRequirementType"/>
<xsd:element minOccurs="0" name="availability-requirement" type="ciaRequirementType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="temporalVectorsGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="exploitability" type="exploitabilityType"/>
<xsd:element minOccurs="0" name="remediation-level" type="remediationLevelType"/>
<xsd:element minOccurs="0" name="report-confidence" type="confidenceType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="baseVectorsCriteriaGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="access-vector" type="accessVectorEnumType"/>
<xsd:element minOccurs="0" name="access-complexity" type="accessComplexityEnumType"/>
<xsd:element minOccurs="0" name="authentication" type="authenticationEnumType"/>
<xsd:element minOccurs="0" name="confidentiality-impact" type="ciaEnumType"/>
<xsd:element minOccurs="0" name="integrity-impact" type="ciaEnumType"/>
<xsd:element minOccurs="0" name="availability-impact" type="ciaEnumType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="environmentalVectorsCriteriaGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="collateral-damage-potential" type="collateralDamagePotentialEnumType"/>
<xsd:element minOccurs="0" name="target-distribution" type="targetDistributionEnumType"/>
<xsd:element minOccurs="0" name="confidentiality-requirement" type="ciaRequirementEnumType"/>
<xsd:element minOccurs="0" name="integrity-requirement" type="ciaRequirementEnumType"/>
<xsd:element minOccurs="0" name="availability-requirement" type="ciaRequirementEnumType"/>
</xsd:sequence>
</xsd:group>
<xsd:group name="temporalVectorsCriteriaGroup">
<xsd:sequence>
<xsd:element minOccurs="0" name="exploitability" type="exploitabilityEnumType"/>
<xsd:element minOccurs="0" name="remediation-level" type="remediationLevelEnumType"/>
<xsd:element minOccurs="0" name="report-confidence" type="confidenceEnumType"/>
</xsd:sequence>
</xsd:group>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<xsd:attributeGroup name="vectorAttributeGroup">
<xsd:attribute name="approximated" type="xsd:boolean" default="false">
<xsd:annotation>
<xsd:documentation>Indicates if the vector has been approximated as the result of an upgrade from a previous CVSS version</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:attributeGroup>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- HML_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="accessComplexityEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="MEDIUM"/>
<xsd:enumeration value="LOW"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="accessComplexityType">
<xsd:simpleContent>
<xsd:extension base="accessComplexityEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- LAN_Enumerations <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="accessVectorEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="LOCAL"/>
<xsd:enumeration value="ADJACENT_NETWORK"/>
<xsd:enumeration value="NETWORK"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="accessVectorType">
<xsd:simpleContent>
<xsd:extension base="accessVectorEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- LMHN_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="ciaRequirementEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="LOW"/>
<xsd:enumeration value="MEDIUM"/>
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="ciaRequirementType">
<xsd:simpleContent>
<xsd:extension base="ciaRequirementEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- NLLMMHHN_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="collateralDamagePotentialEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="NONE"/>
<xsd:enumeration value="LOW"/>
<xsd:enumeration value="LOW_MEDIUM"/>
<xsd:enumeration value="MEDIUM_HIGH"/>
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="collateralDamagePotentialType">
<xsd:simpleContent>
<xsd:extension base="collateralDamagePotentialEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- NLMHN_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="targetDistributionEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="NONE"/>
<xsd:enumeration value="LOW"/>
<xsd:enumeration value="MEDIUM"/>
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="targetDistributionType">
<xsd:simpleContent>
<xsd:extension base="targetDistributionEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- NPC_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="ciaEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="NONE"/>
<xsd:enumeration value="PARTIAL"/>
<xsd:enumeration value="COMPLETE"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="ciaType">
<xsd:simpleContent>
<xsd:extension base="ciaEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- NSM_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="authenticationEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="MULTIPLE_INSTANCES"/>
<xsd:enumeration value="SINGLE_INSTANCE"/>
<xsd:enumeration value="NONE"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="authenticationType">
<xsd:simpleContent>
<xsd:extension base="authenticationEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- OTWU_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="remediationLevelEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="OFFICIAL_FIX"/>
<xsd:enumeration value="TEMPORARY_FIX"/>
<xsd:enumeration value="WORKAROUND"/>
<xsd:enumeration value="UNAVAILABLE"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="remediationLevelType">
<xsd:simpleContent>
<xsd:extension base="remediationLevelEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- UUCN_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="confidenceEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="UNCONFIRMED"/>
<xsd:enumeration value="UNCORROBORATED"/>
<xsd:enumeration value="CONFIRMED"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="confidenceType">
<xsd:simpleContent>
<xsd:extension base="confidenceEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- UPFH_Enumeration <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="exploitabilityEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="UNPROVEN"/>
<xsd:enumeration value="PROOF_OF_CONCEPT"/>
<xsd:enumeration value="FUNCTIONAL"/>
<xsd:enumeration value="HIGH"/>
<xsd:enumeration value="NOT_DEFINED"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="exploitabilityType">
<xsd:simpleContent>
<xsd:extension base="exploitabilityEnumType">
<xsd:attributeGroup ref="vectorAttributeGroup"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="metricsType" abstract="true">
<xsd:annotation>
<xsd:documentation>Base type for metrics that defines common attributes of all metrics.</xsd:documentation>
</xsd:annotation>
<xsd:attribute name="upgraded-from-version" type="xsd:decimal">
<xsd:annotation>
<xsd:documentation>Indicates if the metrics have been upgraded from a previous version of CVSS. If fields that were approximated will have an approximated attribute set to 'true'.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CVSS_V2 -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cvssType">
<xsd:annotation>
<xsd:documentation>"This schema was intentionally designed to avoid mixing classes and attributes between CVSS version 1, CVSS version 2, and future versions. Scores in the CVSS system are interdependent. The temporal score is a multiplier of the base score. The environmental score, in turn, is a multiplier of the temporal score. The ability to transfer these scores independently is provided on the assumption that the user understands the business logic. For any given metric, it is preferred that the score, as a minimum is provided, however the score can be re-created from the metrics or the multiplier and any scores they are dependent on."</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element minOccurs="0" maxOccurs="unbounded" name="base_metrics" type="baseMetricsType"/>
<xsd:element minOccurs="0" maxOccurs="unbounded" name="environmental_metrics" type="environmentalMetricsType"/>
<xsd:element minOccurs="0" maxOccurs="unbounded" name="temporal_metrics" type="temporalMetricsType"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="cvssImpactType">
<xsd:complexContent>
<xsd:restriction base="cvssType">
<xsd:sequence>
<xsd:element minOccurs="1" maxOccurs="1" name="base_metrics" type="baseMetricsType"/>
<xsd:element minOccurs="0" maxOccurs="1" name="environmental_metrics" type="environmentalMetricsType"/>
<xsd:element minOccurs="0" maxOccurs="1" name="temporal_metrics" type="temporalMetricsType"/>
</xsd:sequence>
</xsd:restriction>
</xsd:complexContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Base_Metrics -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="baseMetricsType">
<xsd:complexContent mixed="false">
<xsd:extension base="metricsType">
<xsd:sequence>
<xsd:element minOccurs="0" name="score" type="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>Base severity score assigned to a vulnerability by a source</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="exploit-subscore" type="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>Base exploit sub-score assigned to a vulnerability by a source</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="impact-subscore" type="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>Base impact sub-score assigned to a vulnerability by a source</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:group ref="baseVectorsGroup"/>
<xsd:element name="source" type="xsd:anyURI">
<xsd:annotation>
<xsd:documentation>Data source the vector was obtained from. Example: http://nvd.nist.gov or com.symantec.deepsight</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="generated-on-datetime" type="xsd:dateTime"/>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Environmental_Metrics -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="environmentalMetricsType">
<xsd:complexContent mixed="false">
<xsd:extension base="metricsType">
<xsd:sequence>
<xsd:element minOccurs="0" name="score" type="zeroToTenDecimalType"/>
<xsd:group ref="environmentalVectorsGroup"/>
<xsd:element name="source" type="xsd:anyURI">
<xsd:annotation>
<xsd:documentation>Data source the vector was obtained from. Example: gov.nist.nvd or com.symantec.deepsight</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="generated-on-datetime" type="xsd:dateTime"/>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Temporal_Metrics -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="temporalMetricsType">
<xsd:complexContent mixed="false">
<xsd:extension base="metricsType">
<xsd:sequence>
<xsd:element minOccurs="0" name="score" type="zeroToTenDecimalType">
<xsd:annotation>
<xsd:documentation>The temporal score is the temporal multiplier times the base score.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="temporal-multiplier" type="xsd:decimal">
<xsd:annotation>
<xsd:documentation>The temporal multiplier is a number between zero and one. Reference the CVSS standard for computation.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:group ref="temporalVectorsGroup"/>
<xsd:element name="source" type="xsd:anyURI"/>
<xsd:element name="generated-on-datetime" type="xsd:dateTime"/>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:schema>

57
dependency-check-core/src/main/resources/schema/nvdcve/2_0/nvd-cve-feed_2.0.xsd Normal file
View File

@@ -0,0 +1,57 @@
<?xml version="1.0"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
targetNamespace="http://scap.nist.gov/schema/feed/vulnerability/2.0"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="2.0">
<xsd:import namespace="http://scap.nist.gov/schema/vulnerability/0.4" schemaLocation="vulnerability_0.4.xsd"/>
<xsd:annotation>
<xsd:documentation>TODO: address distributed with for APP->OS resolution</xsd:documentation>
<xsd:documentation>This schema defines the structure of the National
Vulnerability Database XML feed files version: 1.2. The elements and
attribute in this document are described by xsd:annotation tags. This
file is kept at http://nvd.nist.gov/schema/nvdcve.xsd. The NVD XML
feeds are available at http://nvd.nist.gov/download.cfm.
Release Notes:
Version 2.0:
* Redesign of the feed to integrate with the new vulnerability data
model schema.
Version 1.2:
* CVSS version 2 scores and vectors have been added. Please see
http://nvd.nist.gov/cvss.cfm?vectorinfo and
http://www.first.org/cvss/cvss-guide.html for more information on
how to interpret this data. </xsd:documentation>
</xsd:annotation>
<xsd:element name="nvd">
<xsd:annotation>
<xsd:documentation>The root element of the NVD CVE feed. Multiple "entry" child elements describe specific NVD CVE entries.</xsd:documentation>
</xsd:annotation>
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="entry" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>A CVE entry.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="nvd_xml_version" type="xsd:decimal" use="required">
<xsd:annotation>
<xsd:documentation>The schema version number supported by the feed.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="pub_date" type="xsd:dateTime" use="required">
<xsd:annotation>
<xsd:documentation>The date the feed was generated.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
</xsd:element>
<xsd:element name="entry" type="vuln:vulnerabilityType">
<xsd:annotation>
<xsd:documentation>A CVE entry.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:schema>

72
dependency-check-core/src/main/resources/schema/nvdcve/2_0/patch_0.1.xsd Normal file
View File

@@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Generated by hyperModel (www.XMLmodeling.com) Mon Jan 07 09:36:55 EST 2008
== Model: MITRE CPE 2.1
== Package: patch_2.1
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/patch/0.1"
xmlns:scap_core="http://scap.nist.gov/schema/scap-core/0.1"
targetNamespace="http://scap.nist.gov/schema/patch/0.1"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.1">
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<!-- ================================================== -->
<!-- ===== Element Declarations -->
<!-- ================================================== -->
<xsd:element name="patch" type="patchType"/>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- patch -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="patchType">
<xsd:sequence>
<xsd:element name="title" type="scap_core:textType" minOccurs="0">
<xsd:annotation>
<xsd:documentation>Human-formatted title for the patch. If none given, then duplicate of the name.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="references" minOccurs="0">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="reference" type="scap_core:referenceType" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="notes" type="scap_core:notesType" maxOccurs="unbounded" minOccurs="0"/>
<xsd:element name="check" type="scap_core:checkReferenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="supersedes" type="patchType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Patches that superceded by the referenced patch.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="superseded-by" type="patchType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Patches that supersede the patch comprising the current XML document.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="identifier" type="xsd:double" use="required">
<xsd:annotation>
<xsd:documentation>Identifier unique within the XML document for the given patch.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="name" type="xsd:string" use="required">
<xsd:annotation>
<xsd:documentation>Vendor supplied name for the patch. Will use lower case and underscores for spaces, consistent with CPE naming conventions.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="superseded" type="xsd:boolean" use="required">
<xsd:annotation>
<xsd:documentation>Boolean value. True of patch is superseded. False if not.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="deprecated" type="xsd:boolean">
<xsd:annotation>
<xsd:documentation>Indicates that a patch should not be used -- regardless of supersession.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
</xsd:schema>

139
dependency-check-core/src/main/resources/schema/nvdcve/2_0/scap-core_0.1.xsd Normal file
View File

@@ -0,0 +1,139 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: MITRE CPE 2.1
== Package: scap-core_0.1
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/scap-core/0.1"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
targetNamespace="http://scap.nist.gov/schema/scap-core/0.1"
elementFormDefault="qualified"
attributeFormDefault="unqualified"
version="0.1">
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- check <<complexType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="checkReferenceType">
<xsd:annotation>
<xsd:documentation xml:lang="en">Data type for the check element, a checking system specification URI, string content, and an optional external file reference. The checking system specification should be the URI for a particular version of OVAL or a related system testing language, and the content will be an identifier of a test written in that language. The external file reference could be used to point to the file in which the content test identifier is defined.</xsd:documentation>
</xsd:annotation>
<xsd:attribute name="system" type="xsd:anyURI" use="required"/>
<xsd:attribute name="href" type="xsd:anyURI" use="required"/>
<xsd:attribute name="name" type="xsd:token" use="optional"/>
</xsd:complexType>
<xsd:complexType name="checkSearchType">
<xsd:attribute name="system" type="xsd:anyURI" use="required"/>
<xsd:attribute name="name" type="xsd:token" use="optional"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- notes -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="notesType">
<xsd:annotation>
<xsd:documentation xml:lang="en">The notesType defines an element that consists of one or more child note elements. It is assumed that each of these note elements are representative of the same language as defined by their parent.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element maxOccurs="unbounded" name="note" type="textType"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- reference <<complexType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="referenceType">
<xsd:annotation>
<xsd:documentation xml:lang="en">Type for a reference in the description of a CPE item. This would normally be used to point to extra descriptive material, or the supplier's web site, or the platform documentation. It consists of a piece of text (intended to be human-readable) and a URI (intended to be a URL, and point to a real resource).</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="textType">
<xsd:attribute name="href" type="xsd:anyURI"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- tag -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="tagType">
<xsd:attribute name="name" type="xsd:token" use="required"/>
<xsd:attribute name="value" type="xsd:token" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- text <<complexType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="textType">
<xsd:annotation>
<xsd:documentation xml:lang="en">This type allows the xml:lang attribute to associate a specific language with an element's string content.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:extension base="xsd:string">
<xsd:attribute ref="xml:lang"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
<xsd:group name="cpeReferenceGroup">
<xsd:choice>
<xsd:element name="cpe-name" type="cpeNamePatternType"/>
<xsd:element name="cpe-searchable-name" type="cpeSearchableNamePatternType"/>
</xsd:choice>
</xsd:group>
<xsd:complexType name="searchableCpeReferencesType">
<xsd:sequence>
<xsd:group ref="cpeReferenceGroup" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- ================================ ID PATTERNS ================================ -->
<!-- =============================================================================== -->
<xsd:simpleType name="cpeNamePatternType">
<xsd:annotation>
<xsd:documentation xml:lang="en">Define the format for acceptable CPE Names. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'def', and ending with an integer.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:anyURI">
<xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~]*){0,6}"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="cpeSearchableNamePatternType">
<xsd:annotation>
<xsd:documentation xml:lang="en">Define the format for acceptable
searchableCPE Names. The URI escaped code '%25' may be used
to represent the character '%' which will be interpreted as a
wildcard.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:anyURI">
<xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~*]*){0,6}"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="cpeComponentPatternType">
<xsd:annotation>
<xsd:documentation>The name pattern of a CPE component.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:pattern value="[A-Za-z0-9\._\-~]*"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="cpePartComponentPatternType">
<xsd:annotation>
<xsd:documentation>The name pattern of the CPE part component.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="cpeComponentPatternType">
<xsd:pattern value="[hoaHOA]"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="cweNamePatternType">
<xsd:restriction base="xsd:token">
<xsd:pattern value="CWE-[1-9]\d{0,5}"></xsd:pattern>
</xsd:restriction>
</xsd:simpleType>
</xsd:schema>

260
dependency-check-core/src/main/resources/schema/nvdcve/2_0/vulnerability_0.4.xsd Normal file
View File

@@ -0,0 +1,260 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: Version 0-4 NetD
== Package: vulnerability
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/vulnerability/0.4"
xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1"
xmlns:cve="http://scap.nist.gov/schema/cve/0.1"
xmlns:cce="http://scap.nist.gov/schema/cce/0.1"
xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/0.2"
xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
xmlns:patch="http://scap.nist.gov/schema/patch/0.1"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
targetNamespace="http://scap.nist.gov/schema/vulnerability/0.4"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.4">
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cve/0.1" schemaLocation="cve_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cce/0.1" schemaLocation="cce_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cvss-v2/0.2" schemaLocation="cvss-v2_0.2.xsd"/>
<xsd:import namespace="http://cpe.mitre.org/language/2.0" schemaLocation="cpe-language_2.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/patch/0.1" schemaLocation="patch_0.1.xsd"/>
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<!-- ================================================== -->
<!-- ===== Element Declarations -->
<!-- ================================================== -->
<xsd:element name="vulnerability" type="vulnerabilityType"/>
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action_Description_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="fixActionDescriptionEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PATCH"/>
<xsd:enumeration value="SOFTWARE_UPDATE"/>
<xsd:enumeration value="CONFIGURATION_CHANGE"/>
<xsd:enumeration value="POLICY_CHANGE"/>
<xsd:enumeration value="EXTERNAL_MITIGATION"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action_Type_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="fixActionTypeEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="MITIGATION"/>
<xsd:enumeration value="REMEDIATION"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Effectiveness_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="fixEffectivenessEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PARTIAL"/>
<xsd:enumeration value="COMPLETE"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability_Reference_Category_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="vulnerabilityReferenceCategoryEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PATCH"/>
<xsd:enumeration value="VENDOR_ADVISORY"/>
<xsd:enumeration value="THIRD_PARTY_ADVISORY"/>
<xsd:enumeration value="SIGNATURE_SOURCE"/>
<xsd:enumeration value="MITIGATION_PROCEDURE"/>
<xsd:enumeration value="TOOL_CONFIGURATION_DESCRIPTION"/>
<xsd:enumeration value="UNKNOWN"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Security_Protection -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:simpleType name="securityProtectionType">
<xsd:annotation>
<xsd:documentation>The security protection type</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:enumeration value="ALLOWS_ADMIN_ACCESS">
<xsd:annotation>
<xsd:documentation>gain administrative access</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="ALLOWS_USER_ACCESS">
<xsd:annotation>
<xsd:documentation>gain user access</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="ALLOWS_OTHER_ACCESS"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Associated_Exploit_Location -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="associatedExploitLocationType">
<xsd:sequence>
<xsd:element name="physical-access" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="voluntarily-interact" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="dialup" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="unknown" type="xsd:boolean" minOccurs="0" default="false"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="fixActionType">
<xsd:annotation>
<xsd:documentation>A single fix action should only cover a single patch application, software update, configuration change, or external fix. Dependencies should be documented by using the "next_fix_action" element to point to a recursive list of fix actions.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element ref="patch:patch" minOccurs="0"/>
<xsd:element name="configuration-remediation" type="vulnerabilityReferenceType" minOccurs="0"/>
<xsd:element name="software-update" type="scap-core:cpeNamePatternType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>CPE name of the software update package.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="notes" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="deprecated-by" type="scap-core:cpeNamePatternType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="next-fix-action" type="fixActionType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="fix-action-tool-configuration" type="toolConfigurationType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="applicable-configuration" type="cpe-lang:PlatformType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="effectiveness" type="fixEffectivenessEnumType" minOccurs="0">
<xsd:annotation>
<xsd:documentation>States whether the fix action fully avoids the risk associated with the vulnerability or reduces risk to some extent.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="applicable-check" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Describes or points to the check/test (either OVAL or other) that this particular fix action addresses. E.G. applying this fix will change the value of this test result.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="fix_action_description" type="fixActionDescriptionEnumType" use="required"/>
<xsd:attribute name="fix_action_type" type="fixActionTypeEnumType" use="required"/>
<xsd:attribute name="id" type="xsd:token" use="required">
<xsd:annotation>
<xsd:documentation>Unique value within the source. Will be used with the source element to serve as a global unique identifier.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:attribute name="source" type="xsd:anyURI" use="required">
<xsd:annotation>
<xsd:documentation>Should be a URI-like -- e.g. inverted DNS address e.g mil.jtf-gno</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- OSVDB_Extension -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="osvdbExtensionType">
<xsd:sequence>
<xsd:element name="exploit-location" type="associatedExploitLocationType"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Tool_Configuration -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="toolConfigurationType">
<xsd:sequence>
<xsd:element name="name" type="scap-core:cpeNamePatternType" minOccurs="0">
<xsd:annotation>
<xsd:documentation>The CPE name of the scanning tool. A value must be supplied for this element. The CPE name can be used for a CPE from the NVD. The CPE title attribute can be used for internal naming conventions. (or both, if possible)</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="definition" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Defines required signature or policy definition that must be installed on the tool.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CWE Reference -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="cweReferenceType">
<xsd:attribute name="id" type="scap-core:cweNamePatternType" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerable Software -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="vulnerableSoftwareType">
<xsd:sequence>
<xsd:element name="product" type="cpe-lang:namePattern" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="vulnerabilityType">
<xsd:annotation>
<xsd:documentation>TODO: Low priority: Add reference to notes type to allow analysts, vendor and other comments. Add source attribute. Maybe categorization?</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="osvdb-ext" type="osvdbExtensionType" minOccurs="0"/>
<xsd:element name="vulnerable-configuration" type="cpe-lang:PlatformType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="vulnerable-software-list" type="vulnerableSoftwareType" minOccurs="0"/>
<xsd:choice minOccurs="0">
<xsd:element name="cve-id" type="cve:cveNamePatternType"/>
<xsd:element name="cce-id" type="cce:cceNamePatternType"/>
</xsd:choice>
<xsd:element name="discovered-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="disclosure-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="exploit-publish-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="published-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="last-modified-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="cvss" type="cvssv2:cvssImpactType" minOccurs="0"/>
<xsd:element name="security-protection" type="securityProtectionType" minOccurs="0"/>
<xsd:element name="assessment_check" type="scap-core:checkReferenceType" maxOccurs="unbounded" minOccurs="0"/>
<xsd:element name="cwe" type="cweReferenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="references" type="vulnerabilityReferenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="fix_action" type="fixActionType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="scanner" type="toolConfigurationType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Denotes a scanner and required configuration that is capable of detecting the referenced vulnerability. May also be an OVAL definition and omit scanner name.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="summary" type="xsd:string" minOccurs="0"/>
<xsd:element name="technical_description" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="attack_scenario" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>This element should ultimately be held in a threat model.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="id" type="vulnerabilityIdType" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability_Reference -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<xsd:complexType name="vulnerabilityReferenceType">
<xsd:annotation>
<xsd:documentation>TODO: revisit referenceType and textType</xsd:documentation>
<xsd:documentation>Extends the base "reference" class by adding the ability to specify which kind (within the vulnerability model) of reference it is. See "Vulnerability_Reference_Category_List" enumeration.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="source" type="xsd:string" minOccurs="0">
<xsd:annotation>
<xsd:documentation>TODO: determine purpose</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="reference" type="scap-core:referenceType"/>
<xsd:element minOccurs="0" name="notes" type="scap-core:notesType"/>
</xsd:sequence>
<xsd:attribute ref="xml:lang" use="optional" default="en"/>
<xsd:attribute name="reference_type" type="vulnerabilityReferenceCategoryEnumType" use="required"/>
<xsd:attribute name="deprecated" type="xsd:boolean"/>
</xsd:complexType>
<xsd:simpleType name="vulnerabilityIdType">
<xsd:restriction base="xsd:token"/>
</xsd:simpleType>
</xsd:schema>

12
dependency-check-core/src/main/resources/schema/pom/generateBindings.bat Normal file
View File

@@ -0,0 +1,12 @@
if not "%JAVA_HOME%" == "" goto JAVA_HOME_DEFINED
:NO_JAVA_HOME
set XJC=xjc.exe
goto LAUNCH
:JAVA_HOME_DEFINED
set XJC="%JAVA_HOME%\bin\xjc.exe"
goto LAUNCH
:LAUNCH
%XJC% -extension -d ..\..\..\java -p "org.owasp.dependencycheck.jaxb.pom.generated" -mark-generated "maven-v4_0_0.xsd"

10
dependency-check-core/src/main/resources/schema/pom/generateBindings.sh Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/sh
if [ -n "$JAVA_HOME" ]
then
XJC="$JAVA_HOME/bin/xjc.exe"
else
XJC=xjc.exe
fi
exec "$XJC" -extension -d ../../../java -p "org.owasp.dependencycheck.jaxb.pom.generated" -mark-generated "maven-v4_0_0.xsd"

2213
dependency-check-core/src/main/resources/schema/pom/maven-v4_0_0.xsd Normal file
View File

File diff suppressed because it is too large Load Diff

460
dependency-check-core/src/main/resources/templates/HtmlReport.vsl Normal file
View File

File diff suppressed because one or more lines are too long

232
dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl Normal file
View File

File diff suppressed because one or more lines are too long

142
dependency-check-core/src/main/resources/templates/XmlReport.vsl Normal file
View File

@@ -0,0 +1,142 @@
#**
This file is part of Dependency-Check.
Dependency-Check is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Dependency-Check is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long (jeremy.long@owasp.org)
@version 1
*#<?xml version="1.0"?>
<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check">
<projectInfo>
<name>$esc.html($applicationName)</name>
<reportDate>$date</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
#foreach($dependency in $dependencies)
<dependency>
<fileName>$esc.html($dependency.FileName)</fileName>
<filePath>$esc.html($dependency.FilePath)</filePath>
<md5>$esc.html($dependency.Md5sum)</md5>
<sha1>$esc.html($dependency.Sha1sum)</sha1>
#if ($dependency.description)
<description>$esc.html($dependency.description)</description>
#end
#if ($dependency.license)
<license>$esc.html($dependency.license)</license>
#end
#if ($dependency.getRelatedDependencies().size()>0)
<relatedDependencies>
#foreach($related in $dependency.getRelatedDependencies())
<relatedDependency>
<filePath>$esc.html($related.FilePath)</filePath>
<sha1>$esc.html($related.Sha1sum)</sha1>
<md5>$esc.html($related.Md5sum)</md5>
</relatedDependency>
#end
</relatedDependencies>
#end
#if ( $dependency.analysisExceptions.size() != 0 )
<analysisExceptions>
#foreach($ex in $dependency.analysisExceptions)
<exception>
<message>$esc.html($ex.message)</message>
#if ( $ex.stackTrace )
<stackTrace>
#foreach ($st in $ex.stackTrace)
<trace>$esc.html($st)</trace>
#end
</stackTrace>
#end
#if ( $ex.cause )
<innerException>
<message>$esc.html($ex.cause.message)</message>
#if ( $ex.cause.stackTrace )
<stackTrace>
#foreach ($st in $ex.cause.stackTrace)
<trace>$esc.html($st)</trace>
#end
</stackTrace>
#end
</innerException>
#end
</exception>
#end
</analysisExceptions>
#end
<evidenceCollected>
#foreach($evidence in $dependency.getEvidenceUsed())
<evidence>
<source>$esc.html($evidence.getSource())</source>
<name>$esc.html($evidence.getName())</name>
<value>$esc.html($evidence.getValue().trim())</value>
</evidence>
#end
</evidenceCollected>
#if($dependency.getIdentifiers().size()>0)
<identifiers>
#foreach($id in $dependency.getIdentifiers())
<identifier type="$esc.html($id.type)">
<name>$esc.html($id.value)</name>
#if( $id.url )
<url>$esc.html($id.url)</url>
#end
#if( $id.description )
<description>$esc.html($id.description)</description>
#end
</identifier>
#end
</identifiers>
#end
#if($dependency.getVulnerabilities().size()>0)
<vulnerabilities>
#foreach($vuln in $dependency.getVulnerabilities())
<vulnerability>
<name>$esc.html($vuln.name)</name>
<cvssScore>$vuln.cvssScore</cvssScore>
#if ($vuln.cvssScore<4.0)
<severity>Low</severity>
#elseif ($vuln.cvssScore>=7.0)
<severity>High</severity>
#else
<severity>Medium</severity>
#end
#if ($vuln.cwe)
<cwe>$esc.html($vuln.cwe)</cwe>
#end
<description>$esc.html($vuln.description)</description>
<references>
#foreach($ref in $vuln.getReferences())
<reference>
<source>$esc.html($ref.source)</source>
<url>$esc.html($ref.url)</url>
<name>$esc.html($ref.name)</name>
</reference>
#end
</references>
<vulnerableSoftware>
#foreach($vs in $vuln.getVulnerableSoftware())
<software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$esc.html($vs.name)</software>
#end
</vulnerableSoftware>
</vulnerability>
#end
</vulnerabilities>
#end
</dependency>
#end
</dependencies>
</analysis>

BIN
dependency-check-core/src/main/resources/templates/img/minus.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 B

BIN
dependency-check-core/src/main/resources/templates/img/plus.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 B

2
dependency-check-core/src/main/resources/templates/scripts/jquery-1.8.0.min.js vendored Normal file
View File

File diff suppressed because one or more lines are too long