interim

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java

@@ -94,10 +94,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      * Whether or not all previous versions were affected.
      */
     private String matchedAllPreviousCPE;
-    /**
-     * The notes for the vulnerability.
-     */
-    private String notes;
 
     /**
      * Get the value of name.
@@ -122,7 +118,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      *
      * @return the value of description
      */
-
     public String getDescription() {
         return description;
     }
@@ -284,28 +279,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
         this.cwe = cwe;
     }
 
-    /**
-     * Get the value of notes from suppression notes.
-     *
-     * @return the value of notes
-     */
-    public String getNotes() {
-        return notes;
-    }
-
-    /**
-     * Set the value of notes.
-     *
-     * @param notes new value of cwe
-     */
-    public void setNotes(String notes) {
-        this.notes = notes;
-    }
-
-    /**
-     * CVSS Score.
-     */
-
     /**
      * Get the value of cvssScore.
      *
@@ -524,4 +497,4 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public boolean hasMatchedAllPreviousCPE() {
         return matchedAllPreviousCPE != null;
     }
-}
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -28,8 +28,6 @@ import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.UnsupportedEncodingException;
 import java.util.List;
-
-import org.apache.commons.lang3.StringUtils;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.context.Context;
@@ -40,12 +38,8 @@ import org.joda.time.format.DateTimeFormatter;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.utils.Settings;
-import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
-import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
-import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -122,55 +116,15 @@ public class ReportGenerator {
         final String scanDateXML = dateFormatXML.print(dt);
 
         context.put("applicationName", applicationName);
+        context.put("dependencies", dependencies);
         context.put("analyzers", analyzers);
         context.put("properties", properties);
         context.put("scanDate", scanDate);
         context.put("scanDateXML", scanDateXML);
         context.put("enc", enc);
-        context.put("dependencies", addNotesToReport(dependencies));
         context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
     }
 
-    /**
-     * creates a suppression note adder to dependency
-     *
-     * @param dependencies the list of dependencies
-     * @return dependencies with notes added suppressed vulnerabilities
-     */
-
-    public List<Dependency> addNotesToReport(List<Dependency> dependencies){
-        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
-
-        if(StringUtils.isBlank(suppressionFilePath)){
-            return dependencies;
-        }
-
-        final SuppressionParser parser1 = new SuppressionParser();
-        List<SuppressionRule> suppressionRule=null;
-
-        if(!suppressionFilePath.isEmpty()){
-            try {
-                suppressionRule=parser1.parseSuppressionRules(new File(suppressionFilePath));
-            } catch (SuppressionParseException e) {
-                e.printStackTrace();
-            }
-        }
-
-        for(Dependency dependency:dependencies){
-            for(Vulnerability suppressedVulnerability: dependency.getSuppressedVulnerabilities()){
-                for(SuppressionRule suppressionRule1:suppressionRule){
-                    for(String cve: suppressionRule1.getCve()){
-                        if(suppressedVulnerability.getName().equals(cve)){
-                            suppressedVulnerability.setNotes(suppressionRule1.getNotes());
-                        }
-
-                    }
-                }
-            }
-        }
-        return dependencies;
-    }
-
     /**
      * Creates a new Velocity Engine.
      *
@@ -378,4 +332,4 @@ public class ReportGenerator {
             }
         }
     }
-}
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java

@@ -46,12 +46,6 @@ public class SuppressionHandler extends DefaultHandler {
      * The CVE element name.
      */
     public static final String CVE = "cve";
-
-    /**
-     * The CVE element name.
-     */
-    public static final String NOTES = "notes";
-
     /**
      * The CPE element name.
      */
@@ -71,16 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
     /**
      * A list of suppression rules.
      */
-    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<>();
-
-    /**
-     * Get the value of suppressionRules.
-     *
-     * @return the value of suppressionRules
-     */
-    public List<SuppressionRule> getSuppressionRules() {
-        return suppressionRules;
-    }
     /**
      * The current rule being read.
      */
@@ -94,6 +79,15 @@ public class SuppressionHandler extends DefaultHandler {
      */
     private StringBuilder currentText;
 
+    /**
+     * Get the value of suppressionRules.
+     *
+     * @return the value of suppressionRules
+     */
+    public List<SuppressionRule> getSuppressionRules() {
+        return suppressionRules;
+    }
+
     /**
      * Handles the start element event.
      *
@@ -146,11 +140,7 @@ public class SuppressionHandler extends DefaultHandler {
             rule.addCwe(currentText.toString());
         } else if (CVE.equals(qName)) {
             rule.addCve(currentText.toString());
-        }
+        } else if (CVSS_BELOW.equals(qName)) {
-        else if (NOTES.equals(qName)) {
-            rule.addNotes(currentText.toString());
-        }
-        else if (CVSS_BELOW.equals(qName)) {
             final float cvss = Float.parseFloat(currentText.toString());
             rule.addCvssBelow(cvss);
         }
@@ -170,8 +160,8 @@ public class SuppressionHandler extends DefaultHandler {
     }
 
     /**
-     * Processes field members that have been collected during the characters and startElement method to construct a
+     * Processes field members that have been collected during the characters
-     * PropertyType object.
+     * and startElement method to construct a PropertyType object.
      *
      * @return a PropertyType object
      */
@@ -190,4 +180,4 @@ public class SuppressionHandler extends DefaultHandler {
         }
         return pt;
     }
-}
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java

@@ -59,11 +59,6 @@ public class SuppressionRule {
      * A Maven GAV to suppression.
      */
     private PropertyType gav = null;
-    /**
-     * The notes added in suppression file
-     */
-
-    private String notes;
 
     /**
      * A flag indicating whether or not the suppression rule is a core/base rule
@@ -180,42 +175,6 @@ public class SuppressionRule {
         return !cvssBelow.isEmpty();
     }
 
-    /**
-     * Get the value of notes.
-     *
-     * @return the value of notes
-     */
-    public String getNotes() {
-        return notes;
-    }
-
-    /**
-     * Set the value of notes.
-     *
-     * @param notes new value of cve
-     */
-    public void setNotes(String notes) {
-        this.notes = notes;
-    }
-
-    /**
-     * Adds the notes to the cve list.
-     *
-     * @param notes the cve to add
-     */
-    public void addNotes(String notes) {
-        this.notes=notes;
-    }
-
-    /**
-     * Returns whether this suppression rule has notes entries.
-     *
-     * @return whether this suppression rule has notes entries
-     */
-    public boolean hasNotes() {
-        return !cve.isEmpty();
-    }
-
     /**
      * Get the value of CWE.
      *
@@ -523,4 +482,4 @@ public class SuppressionRule {
         sb.append('}');
         return sb.toString();
     }
-}
+}

dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd

@@ -211,7 +211,6 @@
                                                                     <xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
                                                                     <xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
                                                                     <xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                    <xs:element name="notes" type="xs:string" minOccurs="1" maxOccurs="1" />
                                                                     <xs:element name="references" minOccurs="0" maxOccurs="1">
                                                                         <xs:complexType>
                                                                             <xs:sequence>