From d180208e3413d398f5da1ccb12036958013ee716 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 25 Feb 2017 16:08:44 -0500 Subject: [PATCH] interim --- .../dependency/Vulnerability.java | 29 +---------- .../reporting/ReportGenerator.java | 50 +------------------ .../xml/suppression/SuppressionHandler.java | 38 ++++++-------- .../xml/suppression/SuppressionRule.java | 43 +--------------- .../resources/schema/dependency-check.1.3.xsd | 1 - 5 files changed, 18 insertions(+), 143 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index f980936ab..01ea8c8f6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -94,10 +94,6 @@ public class Vulnerability implements Serializable, Comparable { * Whether or not all previous versions were affected. */ private String matchedAllPreviousCPE; - /** - * The notes for the vulnerability. - */ - private String notes; /** * Get the value of name. @@ -122,7 +118,6 @@ public class Vulnerability implements Serializable, Comparable { * * @return the value of description */ - public String getDescription() { return description; } @@ -284,28 +279,6 @@ public class Vulnerability implements Serializable, Comparable { this.cwe = cwe; } - /** - * Get the value of notes from suppression notes. - * - * @return the value of notes - */ - public String getNotes() { - return notes; - } - - /** - * Set the value of notes. - * - * @param notes new value of cwe - */ - public void setNotes(String notes) { - this.notes = notes; - } - - /** - * CVSS Score. - */ - /** * Get the value of cvssScore. * 
@@ -524,4 +497,4 @@ public class Vulnerability implements Serializable, Comparable { public boolean hasMatchedAllPreviousCPE() { return matchedAllPreviousCPE != null; } -} +} \ No newline at end of file diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index af10abb51..e56f4fc75 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java @@ -28,8 +28,6 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.UnsupportedEncodingException; import java.util.List; - -import org.apache.commons.lang3.StringUtils; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.context.Context; @@ -40,12 +38,8 @@ import org.joda.time.format.DateTimeFormatter; import org.owasp.dependencycheck.analyzer.Analyzer; import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.ReportException; import org.owasp.dependencycheck.utils.Settings; -import org.owasp.dependencycheck.xml.suppression.SuppressionParseException; -import org.owasp.dependencycheck.xml.suppression.SuppressionParser; -import org.owasp.dependencycheck.xml.suppression.SuppressionRule; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -122,55 +116,15 @@ public class ReportGenerator { final String scanDateXML = dateFormatXML.print(dt); context.put("applicationName", applicationName); + context.put("dependencies", dependencies); context.put("analyzers", analyzers); context.put("properties", properties); context.put("scanDate", scanDate); context.put("scanDateXML", scanDateXML); context.put("enc", enc); - context.put("dependencies", addNotesToReport(dependencies)); context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown")); } - /** - * creates a suppression note adder to dependency - * - * @param dependencies the list of dependencies - * @return dependencies with notes added suppressed vulnerabilities - */ - - public List addNotesToReport(List dependencies){ - final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE); - - if(StringUtils.isBlank(suppressionFilePath)){ - return dependencies; - } - - final SuppressionParser parser1 = new SuppressionParser(); - List suppressionRule=null; - - if(!suppressionFilePath.isEmpty()){ - try { - suppressionRule=parser1.parseSuppressionRules(new File(suppressionFilePath)); - } catch (SuppressionParseException e) { - e.printStackTrace(); - } - } - - for(Dependency dependency:dependencies){ - for(Vulnerability suppressedVulnerability: dependency.getSuppressedVulnerabilities()){ - for(SuppressionRule suppressionRule1:suppressionRule){ - for(String cve: suppressionRule1.getCve()){ - if(suppressedVulnerability.getName().equals(cve)){ - suppressedVulnerability.setNotes(suppressionRule1.getNotes()); - } - - } - } - } - } - return dependencies; - } - /** * Creates a new Velocity Engine. * @@ -378,4 +332,4 @@ public class ReportGenerator { } } } -} +} \ No newline at end of file 
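Review bot: The `java.io.File` import is probably dead once this hunk lands: the removed `addNotesToReport` body's `new File(suppressionFilePath)` is the only use of `File` visible here, and neither import hunk above touches that import line, so check whether `import java.io.File;` should go with it. `addNotesToReport` was also `public`, so any caller outside this class (none is visible here) would stop compiling; worth a word in the commit message for an interim change. The `StringUtils` import removed above is consistent with this deletion. The method that performs the `context.put` calls starts outside the hunk.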
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java index f63e00279..590f55199 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java @@ -46,12 +46,6 @@ public class SuppressionHandler extends DefaultHandler { * The CVE element name. */ public static final String CVE = "cve"; - - /** - * The CVE element name. - */ - public static final String NOTES = "notes"; - /** * The CPE element name. */ @@ -71,16 +65,7 @@ public class SuppressionHandler extends DefaultHandler { /** * A list of suppression rules. */ - private final List suppressionRules = new ArrayList(); - - /** - * Get the value of suppressionRules. - * - * @return the value of suppressionRules - */ - public List getSuppressionRules() { - return suppressionRules; - } + private final List suppressionRules = new ArrayList<>(); /** * The current rule being read. */ @@ -94,6 +79,15 @@ public class SuppressionHandler extends DefaultHandler { */ private StringBuilder currentText; + /** + * Get the value of suppressionRules. + * + * @return the value of suppressionRules + */ + public List getSuppressionRules() { + return suppressionRules; + } + /** * Handles the start element event. * @@ -146,11 +140,7 @@ public class SuppressionHandler extends DefaultHandler { rule.addCwe(currentText.toString()); } else if (CVE.equals(qName)) { rule.addCve(currentText.toString()); - } - else if (NOTES.equals(qName)) { - rule.addNotes(currentText.toString()); - } - else if (CVSS_BELOW.equals(qName)) { + } else if (CVSS_BELOW.equals(qName)) { final float cvss = Float.parseFloat(currentText.toString()); rule.addCvssBelow(cvss); } 
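Review bot: `getSuppressionRules()`, re-added here below the fields, hands out the handler's internal `ArrayList` directly, so a caller can add or drop rules behind the parser's back after the parse completes; `return Collections.unmodifiableList(suppressionRules);` (or a copy) keeps the parsed rule set read-only. That needs `java.util.Collections` in the import block, which is outside this hunk, and assumes no caller relies on mutating the returned list — the parser that consumes this handler is not visible here. Moving the getter after the field declarations is a reasonable declaration-order cleanup and matches the `ArrayList<>()` tidy-up in the hunk above.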
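Review bot: A malformed `<cvssBelow>` value in a suppression file escapes the `Float.parseFloat` on the line after the reformatted `else if` as a bare `NumberFormatException`, naming neither the element nor the offending text, because the parse is not wrapped; assuming `endElement` keeps the `throws SAXException` clause it inherits from `DefaultHandler`, rethrowing as a `SAXException` that carries the value keeps the failure inside the parser's normal error path. `parseFloat` also accepts `NaN` and `Infinity`, which a range check at the same place (CVSS scores are 0–10) would reject before `addCvssBelow` stores them. The enclosing `endElement` method starts and ends outside the hunk.
```java
} else if (CVSS_BELOW.equals(qName)) {
    final float cvss;
    try {
        cvss = Float.parseFloat(currentText.toString());
    } catch (NumberFormatException e) {
        throw new SAXException("Invalid cvssBelow value '" + currentText + "' in suppression file", e);
    }
    rule.addCvssBelow(cvss);
}
```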
@@ -170,8 +160,8 @@ public class SuppressionHandler extends DefaultHandler { } /** - * Processes field members that have been collected during the characters and startElement method to construct a - * PropertyType object. + * Processes field members that have been collected during the characters + * and startElement method to construct a PropertyType object. * * @return a PropertyType object */ @@ -190,4 +180,4 @@ public class SuppressionHandler extends DefaultHandler { } return pt; } -} +} \ No newline at end of file diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index e253094fd..9ba1a6239 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -59,11 +59,6 @@ public class SuppressionRule { * A Maven GAV to suppression. */ private PropertyType gav = null; - /** - * The notes added in suppression file - */ - - private String notes; /** * A flag indicating whether or not the suppression rule is a core/base rule @@ -180,42 +175,6 @@ public class SuppressionRule { return !cvssBelow.isEmpty(); } - /** - * Get the value of notes. - * - * @return the value of notes - */ - public String getNotes() { - return notes; - } - - /** - * Set the value of notes. - * - * @param notes new value of cve - */ - public void setNotes(String notes) { - this.notes = notes; - } - - /** - * Adds the notes to the cve list. - * - * @param notes the cve to add - */ - public void addNotes(String notes) { - this.notes=notes; - } - - /** - * Returns whether this suppression rule has notes entries. - * - * @return whether this suppression rule has notes entries - */ - public boolean hasNotes() { - return !cve.isEmpty(); - } - /** * Get the value of CWE. * 
@@ -523,4 +482,4 @@ public class SuppressionRule { sb.append('}'); return sb.toString(); } -} +} \ No newline at end of file diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index 615844c10..023eb6f15 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -211,7 +211,6 @@ -