github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

interim

Browse Source
This commit is contained in:
Jeremy Long
2017-02-25 16:08:44 -05:00
parent 0ce1ef596c
commit d180208e34
5 changed files with 18 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
View File

@@ -94,10 +94,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
* Whether or not all previous versions were affected.
*/
private String matchedAllPreviousCPE;
/**
* The notes for the vulnerability.
*/
private String notes;
/**
* Get the value of name.
@@ -122,7 +118,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
*
* @return the value of description
*/
public String getDescription() {
return description;
}
@@ -284,28 +279,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
this.cwe = cwe;
}
/**
* Get the value of notes from suppression notes.
*
* @return the value of notes
*/
public String getNotes() {
return notes;
}
/**
* Set the value of notes.
*
* @param notes new value of cwe
*/
public void setNotes(String notes) {
this.notes = notes;
}
/**
* CVSS Score.
*/
/**
* Get the value of cvssScore.
*
@@ -524,4 +497,4 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public boolean hasMatchedAllPreviousCPE() {
return matchedAllPreviousCPE != null;
}
}
}

50
dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
View File

@@ -28,8 +28,6 @@ import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;
@@ -40,12 +38,8 @@ import org.joda.time.format.DateTimeFormatter;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -122,55 +116,15 @@ public class ReportGenerator {
final String scanDateXML = dateFormatXML.print(dt);
context.put("applicationName", applicationName);
context.put("dependencies", dependencies);
context.put("analyzers", analyzers);
context.put("properties", properties);
context.put("scanDate", scanDate);
context.put("scanDateXML", scanDateXML);
context.put("enc", enc);
context.put("dependencies", addNotesToReport(dependencies));
context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
}
/**
* creates a suppression note adder to dependency
*
* @param dependencies the list of dependencies
* @return dependencies with notes added suppressed vulnerabilities
*/
public List<Dependency> addNotesToReport(List<Dependency> dependencies){
final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
if(StringUtils.isBlank(suppressionFilePath)){
return dependencies;
}
final SuppressionParser parser1 = new SuppressionParser();
List<SuppressionRule> suppressionRule=null;
if(!suppressionFilePath.isEmpty()){
try {
suppressionRule=parser1.parseSuppressionRules(new File(suppressionFilePath));
} catch (SuppressionParseException e) {
e.printStackTrace();
}
}
for(Dependency dependency:dependencies){
for(Vulnerability suppressedVulnerability: dependency.getSuppressedVulnerabilities()){
for(SuppressionRule suppressionRule1:suppressionRule){
for(String cve: suppressionRule1.getCve()){
if(suppressedVulnerability.getName().equals(cve)){
suppressedVulnerability.setNotes(suppressionRule1.getNotes());
}
}
}
}
}
return dependencies;
}
/**
* Creates a new Velocity Engine.
*
@@ -378,4 +332,4 @@ public class ReportGenerator {
}
}
}
}
}

38
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
View File

@@ -46,12 +46,6 @@ public class SuppressionHandler extends DefaultHandler {
* The CVE element name.
*/
public static final String CVE = "cve";
/**
* The CVE element name.
*/
public static final String NOTES = "notes";
/**
* The CPE element name.
*/
@@ -71,16 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
/**
* A list of suppression rules.
*/
private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
/**
* Get the value of suppressionRules.
*
* @return the value of suppressionRules
*/
public List<SuppressionRule> getSuppressionRules() {
return suppressionRules;
}
private final List<SuppressionRule> suppressionRules = new ArrayList<>();
/**
* The current rule being read.
*/
@@ -94,6 +79,15 @@ public class SuppressionHandler extends DefaultHandler {
*/
private StringBuilder currentText;
/**
* Get the value of suppressionRules.
*
* @return the value of suppressionRules
*/
public List<SuppressionRule> getSuppressionRules() {
return suppressionRules;
}
/**
* Handles the start element event.
*
@@ -146,11 +140,7 @@ public class SuppressionHandler extends DefaultHandler {
rule.addCwe(currentText.toString());
} else if (CVE.equals(qName)) {
rule.addCve(currentText.toString());
}
else if (NOTES.equals(qName)) {
rule.addNotes(currentText.toString());
}
else if (CVSS_BELOW.equals(qName)) {
} else if (CVSS_BELOW.equals(qName)) {
final float cvss = Float.parseFloat(currentText.toString());
rule.addCvssBelow(cvss);
}
@@ -170,8 +160,8 @@ public class SuppressionHandler extends DefaultHandler {
}
/**
* Processes field members that have been collected during the characters and startElement method to construct a
* PropertyType object.
* Processes field members that have been collected during the characters
* and startElement method to construct a PropertyType object.
*
* @return a PropertyType object
*/
@@ -190,4 +180,4 @@ public class SuppressionHandler extends DefaultHandler {
}
return pt;
}
}
}

43
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
View File

@@ -59,11 +59,6 @@ public class SuppressionRule {
* A Maven GAV to suppression.
*/
private PropertyType gav = null;
/**
* The notes added in suppression file
*/
private String notes;
/**
* A flag indicating whether or not the suppression rule is a core/base rule
@@ -180,42 +175,6 @@ public class SuppressionRule {
return !cvssBelow.isEmpty();
}
/**
* Get the value of notes.
*
* @return the value of notes
*/
public String getNotes() {
return notes;
}
/**
* Set the value of notes.
*
* @param notes new value of cve
*/
public void setNotes(String notes) {
this.notes = notes;
}
/**
* Adds the notes to the cve list.
*
* @param notes the cve to add
*/
public void addNotes(String notes) {
this.notes=notes;
}
/**
* Returns whether this suppression rule has notes entries.
*
* @return whether this suppression rule has notes entries
*/
public boolean hasNotes() {
return !cve.isEmpty();
}
/**
* Get the value of CWE.
*
@@ -523,4 +482,4 @@ public class SuppressionRule {
sb.append('}');
return sb.toString();
}
}
}

1
dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd
View File

@@ -211,7 +211,6 @@
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="notes" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>