From aa0314c840a8d72b981f15d043fef89eecf802e4 Mon Sep 17 00:00:00 2001 From: Prakhash Date: Fri, 24 Feb 2017 11:03:10 +0530 Subject: [PATCH 01/12] report is modified with the notes element --- .../dependency/Vulnerability.java | 27 ++++++++++ .../reporting/ReportGenerator.java | 50 ++++++++++++++++++- .../xml/suppression/SuppressionHandler.java | 36 ++++++++----- .../xml/suppression/SuppressionRule.java | 43 ++++++++++++++++ .../resources/schema/dependency-check.1.3.xsd | 2 +- .../main/resources/templates/XmlReport.vsl | 11 ++-- 6 files changed, 149 insertions(+), 20 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index 1720edda8..43077cfd1 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -279,6 +279,33 @@ public class Vulnerability implements Serializable, Comparable { this.cwe = cwe; } + /** + * The notes for the vulnerability. + */ + private String notes; + + /** + * Get the value of notes from suppression notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of cwe + */ + public void setNotes(String notes) { + this.notes = notes; + } + + /** + * CVSS Score. + */ + /** * Get the value of cvssScore. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index 4847a43bf..7b70d550f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java 
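Review bot: The Javadoc on the new `setNotes` in Vulnerability.java reads `@param notes new value of cwe`, a copy-paste from the CWE setter; it should read `@param notes new value of notes`. The hunk also adds a detached `/** CVSS Score. */` comment immediately before the existing `Get the value of cvssScore` Javadoc, so two doc comments now precede `getCvssScore` and the first is simply ignored by javadoc — drop it. The `notes` field is declared between `setCwe` and its getter rather than alongside the other fields at the top of the class; keeping fields together makes the serialized form of this `Serializable` class easier to audit.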
@@ -28,6 +28,8 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.UnsupportedEncodingException; import java.util.List; + +import org.apache.commons.lang3.StringUtils; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.context.Context; @@ -38,8 +40,12 @@ import org.joda.time.format.DateTimeFormatter; import org.owasp.dependencycheck.analyzer.Analyzer; import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.ReportException; import org.owasp.dependencycheck.utils.Settings; +import org.owasp.dependencycheck.xml.suppression.SuppressionParseException; +import org.owasp.dependencycheck.xml.suppression.SuppressionParser; +import org.owasp.dependencycheck.xml.suppression.SuppressionRule; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -116,15 +122,57 @@ public class ReportGenerator { final String scanDateXML = dateFormatXML.print(dt); context.put("applicationName", applicationName); - context.put("dependencies", dependencies); context.put("analyzers", analyzers); context.put("properties", properties); context.put("scanDate", scanDate); context.put("scanDateXML", scanDateXML); context.put("enc", enc); + context.put("dependencies", addNotesToReport(dependencies)); context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown")); } + /** + * creates a suppression note adder to dependency + * + * @param dependencies the list of dependencies + * @return dependencies with notes added suppressed vulnerabilities + */ + + public List addNotesToReport(List dependencies){ + final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE); + + LOGGER.info("Settings.KEYS.SUPPRESSION_FILE"+Settings.KEYS.SUPPRESSION_FILE); + + if(StringUtils.isBlank(suppressionFilePath)){ + return dependencies; + } + + final SuppressionParser parser1 = new SuppressionParser(); + List suppressionRule=null; + + if(!suppressionFilePath.isEmpty()){ + try { + suppressionRule=parser1.parseSuppressionRules(new File(suppressionFilePath)); + } catch (SuppressionParseException e) { + e.printStackTrace(); + } + } + + for(Dependency dependency:dependencies){ + for(Vulnerability suppressedVulnerability: dependency.getSuppressedVulnerabilities()){ + for(SuppressionRule suppressionRule1:suppressionRule){ + for(String cve: suppressionRule1.getCve()){ + if(suppressedVulnerability.getName().equals(cve)){ + suppressedVulnerability.setNotes(suppressionRule1.getNotes()); + } + + } + } + } + } + return dependencies; + } + /** * Creates a new Velocity Engine. * 
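Review bot: In `addNotesToReport`, a `SuppressionParseException` is only printed with `e.printStackTrace()` and execution falls through into the `for` loops with `suppressionRule` still `null`, so a malformed suppression file turns into a `NullPointerException` during report generation instead of a clear error. Either propagate it or log and bail out: `} catch (SuppressionParseException e) { LOGGER.warn("Unable to parse suppression file '{}'; suppression notes will be omitted from the report", suppressionFilePath, e); return dependencies; }`. Note also that this re-parses the suppression file the analyzers already parsed, and only rules that matched by `<cve>` get their notes attached — rules that suppressed by CPE, CWE or `cvssBelow` are silently skipped; a later patch in this series removes this method in favour of attaching notes at suppression time in `SuppressionRule`, which avoids both problems. The `if(!suppressionFilePath.isEmpty())` guard is redundant after the `StringUtils.isBlank` check above it, and the method should be `private` unless it is meant as API.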
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java index 6c7f5f314..f63e00279 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java @@ -46,6 +46,12 @@ public class SuppressionHandler extends DefaultHandler { * The CVE element name. */ public static final String CVE = "cve"; + + /** + * The CVE element name. + */ + public static final String NOTES = "notes"; + /** * The CPE element name. */ @@ -65,7 +71,16 @@ public class SuppressionHandler extends DefaultHandler { /** * A list of suppression rules. */ - private final List suppressionRules = new ArrayList<>(); + private final List suppressionRules = new ArrayList(); + + /** + * Get the value of suppressionRules. + * + * @return the value of suppressionRules + */ + public List getSuppressionRules() { + return suppressionRules; + } /** * The current rule being read. */ @@ -79,15 +94,6 @@ public class SuppressionHandler extends DefaultHandler { */ private StringBuilder currentText; - /** - * Get the value of suppressionRules. - * - * @return the value of suppressionRules - */ - public List getSuppressionRules() { - return suppressionRules; - } - /** * Handles the start element event. * @@ -140,7 +146,11 @@ public class SuppressionHandler extends DefaultHandler { rule.addCwe(currentText.toString()); } else if (CVE.equals(qName)) { rule.addCve(currentText.toString()); - } else if (CVSS_BELOW.equals(qName)) { + } + else if (NOTES.equals(qName)) { + rule.addNotes(currentText.toString()); + } + else if (CVSS_BELOW.equals(qName)) { final float cvss = Float.parseFloat(currentText.toString()); rule.addCvssBelow(cvss); } 
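Review bot: The new `NOTES` constant is documented as `The CVE element name.`, copied from the `CVE` constant above it; it should read `/** The notes element name. */`. The same file replaces `new ArrayList<>()` with the raw `new ArrayList()` for `suppressionRules`, which reintroduces an unchecked-conversion warning without changing behaviour — keep the diamond. The reshuffled `endElement` chain now puts `}` and `else if` on separate lines, unlike the surrounding `} else if (...) {` style; a later patch in this series rewrites this as a `switch`, so the formatting is moot there but the constant's Javadoc is carried over unchanged.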
@@ -160,8 +170,8 @@ public class SuppressionHandler extends DefaultHandler { } /** - * Processes field members that have been collected during the characters - * and startElement method to construct a PropertyType object. + * Processes field members that have been collected during the characters and startElement method to construct a + * PropertyType object. * * @return a PropertyType object */ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index 312cfb02b..24a8fa5c6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -175,6 +175,49 @@ public class SuppressionRule { return !cvssBelow.isEmpty(); } + + /** + * The notes added in suppression file + */ + + private String notes = new String(); + + /** + * Get the value of notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of cve + */ + public void setNotes(String notes) { + this.notes = notes; + } + + /** + * Adds the notes to the cve list. + * + * @param notes the cve to add + */ + public void addNotes(String notes) { + this.notes=notes; + } + + /** + * Returns whether this suppression rule has notes entries. + * + * @return whether this suppression rule has notes entries + */ + public boolean hasNotes() { + return !cve.isEmpty(); + } + /** * Get the value of CWE. * diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index 023eb6f15..d20593670 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd 
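Review bot: `hasNotes()` in SuppressionRule returns `!cve.isEmpty()`, i.e. whether the rule lists CVEs, not whether it carries notes; as written it reports `true` for a rule with CVEs and no notes and `false` for a CPE-only rule that does have notes. It should be `return notes != null && !notes.isEmpty();`. `addNotes` simply assigns, so its Javadoc `Adds the notes to the cve list` / `@param notes the cve to add` is wrong too, as is `@param notes new value of cve` on `setNotes`; either drop `addNotes` in favour of `setNotes` or document it as an alias. Initialising the field with `new String()` is unnecessary — a plain `private String notes;` is enough.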
+++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -1,5 +1,5 @@ - + diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index 0bfd8c49c..4ee7c62fb 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -19,7 +19,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. @version 1.2 *# - + $version #foreach($prop in $properties.getMetaData().entrySet()) @@ -141,7 +141,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end $enc.xml($vuln.description) -#foreach($ref in $vuln.getReferences(true)) +#foreach($ref in $vuln.getReferences()) $enc.xml($ref.source) $enc.xml($ref.url) @@ -150,7 +150,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end -#foreach($vs in $vuln.getVulnerableSoftware(true)) +#foreach($vs in $vuln.getVulnerableSoftware()) $enc.xml($vs.name) #end @@ -171,8 +171,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. $enc.xml($vuln.cwe) #end $enc.xml($vuln.description) + $enc.xml($vuln.notes) -#foreach($ref in $vuln.getReferences(true)) +#foreach($ref in $vuln.getReferences()) $enc.xml($ref.source) $enc.xml($ref.url) @@ -181,7 +182,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end -#foreach($vs in $vuln.getVulnerableSoftware(true)) +#foreach($vs in $vuln.getVulnerableSoftware()) $enc.xml($vs.name) #end From 192d1de9447a1ed7f508e022659bfc7506c962e9 Mon Sep 17 00:00:00 2001 From: Prakhash Date: Fri, 24 Feb 2017 12:06:51 +0530 Subject: [PATCH 02/12] name space changes are reverted to the original --- .../src/main/resources/schema/dependency-check.1.3.xsd | 2 +- .../src/main/resources/templates/XmlReport.vsl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
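Review bot: Beyond adding the notes element, this hunk changes `$vuln.getReferences(true)` to `$vuln.getReferences()` and `$vuln.getVulnerableSoftware(true)` to `$vuln.getVulnerableSoftware()` in both vulnerability sections; the `true` argument presumably selected a sorted or filtered view (the `Vulnerability` methods are not in the diff, so I cannot confirm), and dropping it alters report output in a way the commit message does not mention — if unintended, restore the argument. The new `$enc.xml($vuln.notes)` line is emitted for every suppressed vulnerability, but `notes` is only set when a rule matched by CVE, so it will usually be `null`, and Velocity renders a null-valued reference as the literal `$enc.xml($vuln.notes)` text unless it is written `$!enc.xml($vuln.notes)` or guarded with `#if($vuln.notes) … #end`. Emitting the element only when notes are present also keeps the output valid against a schema in which the element is optional.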
diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index d20593670..023eb6f15 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -1,5 +1,5 @@ - + diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index 4ee7c62fb..859b0b974 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -19,7 +19,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. @version 1.2 *# - + $version #foreach($prop in $properties.getMetaData().entrySet()) From c9640fbf04bf53d8e87be5a07e8ea41b3314ef42 Mon Sep 17 00:00:00 2001 From: Prakhash Date: Fri, 24 Feb 2017 12:15:21 +0530 Subject: [PATCH 03/12] schema file is modified with notes attribute' --- .../src/main/resources/schema/dependency-check.1.3.xsd | 1 + 1 file changed, 1 insertion(+) diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index 023eb6f15..d2352b00a 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -168,6 +168,7 @@ + From 583c2d34d376f7bbc47edeba0460d9810f7a2d99 Mon Sep 17 00:00:00 2001 From: Prakhash Date: Fri, 24 Feb 2017 14:23:56 +0530 Subject: [PATCH 04/12] schema changes are added with global schema --- .../org/owasp/dependencycheck/reporting/ReportGenerator.java | 2 -- .../src/main/resources/schema/dependency-check.1.3.xsd | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index 7b70d550f..af10abb51 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java @@ -141,8 +141,6 @@ public class ReportGenerator { public List addNotesToReport(List dependencies){ final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE); - LOGGER.info("Settings.KEYS.SUPPRESSION_FILE"+Settings.KEYS.SUPPRESSION_FILE); - if(StringUtils.isBlank(suppressionFilePath)){ return dependencies; } diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index d2352b00a..615844c10 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -168,7 +168,6 @@ - @@ -212,6 +211,7 @@ + From 3071cfd7be8bbd90170d14404a3468bc415b4378 Mon Sep 17 00:00:00 2001 From: Prakhash Date: Fri, 24 Feb 2017 14:43:46 +0530 Subject: [PATCH 05/12] formatting issues reported by the codacy is done --- .../dependencycheck/dependency/Vulnerability.java | 10 +++++----- .../xml/suppression/SuppressionRule.java | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index 43077cfd1..f980936ab 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java 
@@ -94,6 +94,10 @@ public class Vulnerability implements Serializable, Comparable { * Whether or not all previous versions were affected. */ private String matchedAllPreviousCPE; + /** + * The notes for the vulnerability. + */ + private String notes; /** * Get the value of name. @@ -118,6 +122,7 @@ public class Vulnerability implements Serializable, Comparable { * * @return the value of description */ + public String getDescription() { return description; } @@ -279,11 +284,6 @@ public class Vulnerability implements Serializable, Comparable { this.cwe = cwe; } - /** - * The notes for the vulnerability. - */ - private String notes; - /** * Get the value of notes from suppression notes. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index 24a8fa5c6..f00390351 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -180,7 +180,7 @@ public class SuppressionRule { * The notes added in suppression file */ - private String notes = new String(); + private String notes; /** * Get the value of notes. From a87391e6098f926f0e1d9d9a5d6906d655b2a779 Mon Sep 17 00:00:00 2001 From: Prakhash Date: Fri, 24 Feb 2017 14:54:45 +0530 Subject: [PATCH 06/12] formatting issues reported by the codacy is fixed --- .../xml/suppression/SuppressionRule.java | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index f00390351..e253094fd 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -59,6 +59,11 @@ public class SuppressionRule { * A Maven GAV to suppression. */ private PropertyType gav = null; + /** + * The notes added in suppression file + */ + + private String notes; /** * A flag indicating whether or not the suppression rule is a core/base rule @@ -175,13 +180,6 @@ public class SuppressionRule { return !cvssBelow.isEmpty(); } - - /** - * The notes added in suppression file - */ - - private String notes; - /** * Get the value of notes. * From 5f7486f851f42d3d0242eb1d40cdea63b50924fc Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 25 Feb 2017 15:53:12 -0500 Subject: [PATCH 07/12] updates to 673 --- .../dependency/Identifier.java | 265 ++++++++++-------- .../dependency/Vulnerability.java | 24 +- .../xml/suppression/SuppressionHandler.java | 81 ++++-- .../xml/suppression/SuppressionRule.java | 47 ++++ .../resources/schema/dependency-check.1.4.xsd | 200 +++++++++++++ 5 files changed, 466 insertions(+), 151 deletions(-) create mode 100644 dependency-check-core/src/main/resources/schema/dependency-check.1.4.xsd diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java index e376c03dd..a9ff9ca41 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java 
@@ -20,21 +20,161 @@ package org.owasp.dependencycheck.dependency; import java.io.Serializable; /** + * In identifier such as a CPE or dependency coordinates (i.e. GAV). * * @author Jeremy Long */ public class Identifier implements Serializable, Comparable { + // /** * The serial version UID for serialization. */ private static final long serialVersionUID = 1L; + /** + * The confidence that this is the correct identifier. + */ + private Confidence confidence; + /** + * The value of the identifier + */ + private String value; + /** + * The url for the identifier. + */ + private String url; + /** + * The type of the identifier. + */ + private String type; + /** + * A description of the identifier. + */ + private String description; + /** + * Notes about the vulnerability. Generally used for suppression + * information. + */ + private String notes; + // + + // + /** + * Get the value of confidence. + * + * @return the value of confidence + */ + public Confidence getConfidence() { + return confidence; + } /** - * Default constructor. Should only be used for automatic class - * creation as is the case with many XML parsers (for the parsing - * of the Dependency-Check XML report). For all other use-cases, - * please use the non-default constructors. + * Set the value of confidence. + * + * @param confidence new value of confidence + */ + public void setConfidence(Confidence confidence) { + this.confidence = confidence; + } + + /** + * Get the value of value. + * + * @return the value of value + */ + public String getValue() { + return value; + } + + /** + * Set the value of value. + * + * @param value new value of value + */ + public void setValue(String value) { + this.value = value; + } + + /** + * Get the value of url. + * + * @return the value of url + */ + public String getUrl() { + return url; + } + + /** + * Set the value of url. + * + * @param url new value of url + */ + public void setUrl(String url) { + this.url = url; + } + + /** + * Get the value of type. 
+ * + * @return the value of type + */ + public String getType() { + return type; + } + + /** + *

+ * Set the value of type.

+ * Example would be "CPE".

+ * + * @param type new value of type + */ + public void setType(String type) { + this.type = type; + } + + /** + * Get the value of description. + * + * @return the value of description + */ + public String getDescription() { + return description; + } + + /** + * Set the value of description. + * + * @param description new value of description + */ + public void setDescription(String description) { + this.description = description; + } + + /** + * Get the value of notes from suppression notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of notes + */ + public void setNotes(String notes) { + this.notes = notes; + } + //
+ + /** + * Default constructor. Should only be used for automatic class creation as + * is the case with many XML parsers (for the parsing of the + * Dependency-Check XML report). For all other use-cases, please use the + * non-default constructors. */ public Identifier() { } @@ -65,120 +205,6 @@ public class Identifier implements Serializable, Comparable { this.description = description; } - /** - * The confidence that this is the correct identifier. - */ - private Confidence confidence; - - /** - * Get the value of confidence. - * - * @return the value of confidence - */ - public Confidence getConfidence() { - return confidence; - } - - /** - * Set the value of confidence. - * - * @param confidence new value of confidence - */ - public void setConfidence(Confidence confidence) { - this.confidence = confidence; - } - - /** - * The value of the identifier - */ - private String value; - - /** - * Get the value of value. - * - * @return the value of value - */ - public String getValue() { - return value; - } - - /** - * Set the value of value. - * - * @param value new value of value - */ - public void setValue(String value) { - this.value = value; - } - /** - * The url for the identifier. - */ - private String url; - - /** - * Get the value of url. - * - * @return the value of url - */ - public String getUrl() { - return url; - } - - /** - * Set the value of url. - * - * @param url new value of url - */ - public void setUrl(String url) { - this.url = url; - } - /** - * The type of the identifier. - */ - private String type; - - /** - * Get the value of type. - * - * @return the value of type - */ - public String getType() { - return type; - } - - /** - *
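Review bot: The new class Javadoc reads `In identifier such as a CPE or dependency coordinates (i.e. GAV).`; it should be `An identifier such as a CPE or dependency coordinates (e.g. a Maven GAV).`. The `notes` field's comment says `Notes about the vulnerability`, but this is `Identifier`, not `Vulnerability` — say `Notes about the identifier, generally populated from the suppression rule that matched it.`, and likewise change `Get the value of notes from suppression notes.` on the getter. The bare `//` lines added around the field and accessor groups look like editor-fold markers whose angle-bracket content was lost in extraction; if they really are empty comments in the source, drop them.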

- * Set the value of type.

- * Example would be "CPE".

- * - * @param type new value of type - */ - public void setType(String type) { - this.type = type; - } - /** - * A description of the identifier. - */ - private String description; - - /** - * Get the value of description. - * - * @return the value of description - */ - public String getDescription() { - return description; - } - - /** - * Set the value of description. - * - * @param description new value of description - */ - public void setDescription(String description) { - this.description = description; - } - @Override public boolean equals(Object obj) { if (obj == null) { @@ -213,7 +239,8 @@ public class Identifier implements Serializable, Comparable { } /** - * Implementation of the comparator interface. This compares the value of the identifier only. + * Implementation of the comparator interface. This compares the value of + * the identifier only. * * @param o the object being compared * @return an integer indicating the ordering diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index 1720edda8..ef6ad813d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -94,6 +94,11 @@ public class Vulnerability implements Serializable, Comparable { * Whether or not all previous versions were affected. */ private String matchedAllPreviousCPE; + /** + * Notes about the vulnerability. Generally used for suppression + * information. + */ + private String notes; /** * Get the value of name. 
@@ -405,6 +410,24 @@ public class Vulnerability implements Serializable, Comparable { this.cvssAvailabilityImpact = cvssAvailabilityImpact; } + /** + * Get the value of notes from suppression notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of cwe + */ + public void setNotes(String notes) { + this.notes = notes; + } + @Override public boolean equals(Object obj) { if (obj == null) { @@ -456,7 +479,6 @@ public class Vulnerability implements Serializable, Comparable { return new CompareToBuilder() .append(this.name, v.name) .toComparison(); - //return v.getName().compareTo(this.getName()); } /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java index 6c7f5f314..b82147cc6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java @@ -46,6 +46,12 @@ public class SuppressionHandler extends DefaultHandler { * The CVE element name. */ public static final String CVE = "cve"; + + /** + * The CVE element name. + */ + public static final String NOTES = "notes"; + /** * The CPE element name. */ @@ -65,7 +71,16 @@ public class SuppressionHandler extends DefaultHandler { /** * A list of suppression rules. */ - private final List suppressionRules = new ArrayList<>(); + private final List suppressionRules = new ArrayList(); + + /** + * Get the value of suppressionRules. + * + * @return the value of suppressionRules + */ + public List getSuppressionRules() { + return suppressionRules; + } /** * The current rule being read. */ 
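Review bot: The Javadoc on `setNotes` says `@param notes new value of cwe` — the same copy-paste as in patch 01; use `@param notes new value of notes`. The getter's `Get the value of notes from suppression notes.` would be clearer as `Returns the notes attached by the suppression rule that suppressed this vulnerability, or null if none.` `equals`, `hashCode` and `compareTo` (the latter visible in the following hunk) do not consider `notes`, which is the right choice for a purely informational field, but worth stating in the field's comment.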
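Review bot: The `NOTES` constant in SuppressionHandler is again documented as `The CVE element name.`; it should read `/** The notes element name. */`. This is carried over verbatim from patch 01 and survives the later rewrite of `endElement`.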
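Review bot: The `suppressionRules` hunk in SuppressionHandler replaces `new ArrayList<>()` with the raw `new ArrayList()`, which reintroduces an unchecked-conversion warning for no behavioural gain; keep `private final List<SuppressionRule> suppressionRules = new ArrayList<>();`. Moving `getSuppressionRules()` next to the field is fine.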
@@ -79,15 +94,6 @@ public class SuppressionHandler extends DefaultHandler { */ private StringBuilder currentText; - /** - * Get the value of suppressionRules. - * - * @return the value of suppressionRules - */ - public List getSuppressionRules() { - return suppressionRules; - } - /** * Handles the start element event. * @@ -122,27 +128,40 @@ public class SuppressionHandler extends DefaultHandler { */ @Override public void endElement(String uri, String localName, String qName) throws SAXException { - if (SUPPRESS.equals(qName)) { - suppressionRules.add(rule); - rule = null; - } else if (FILE_PATH.equals(qName)) { - final PropertyType pt = processPropertyType(); - rule.setFilePath(pt); - } else if (SHA1.equals(qName)) { - rule.setSha1(currentText.toString()); - } else if (GAV.equals(qName)) { - final PropertyType pt = processPropertyType(); - rule.setGav(pt); - } else if (CPE.equals(qName)) { - final PropertyType pt = processPropertyType(); - rule.addCpe(pt); - } else if (CWE.equals(qName)) { - rule.addCwe(currentText.toString()); - } else if (CVE.equals(qName)) { - rule.addCve(currentText.toString()); - } else if (CVSS_BELOW.equals(qName)) { - final float cvss = Float.parseFloat(currentText.toString()); - rule.addCvssBelow(cvss); + if (null != qName) { + switch (qName) { + case SUPPRESS: + suppressionRules.add(rule); + rule = null; + break; + case FILE_PATH: + rule.setFilePath(processPropertyType()); + break; + case SHA1: + rule.setSha1(currentText.toString()); + break; + case GAV: + rule.setGav(processPropertyType()); + break; + case CPE: + rule.addCpe(processPropertyType()); + break; + case CWE: + rule.addCwe(currentText.toString()); + break; + case CVE: + rule.addCve(currentText.toString()); + break; + case NOTES: + rule.addNotes(currentText.toString()); + break; + case CVSS_BELOW: + final float cvss = Float.parseFloat(currentText.toString()); + rule.addCvssBelow(cvss); + break; + default: + break; + } } } 
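Review bot: In the new `switch`, `case CVSS_BELOW:` declares `final float cvss` directly under the case label, so the variable's scope is the whole switch block; inline it as `rule.addCvssBelow(Float.parseFloat(currentText.toString()));` or wrap the case body in braces. The `if (null != qName)` guard and `default: break;` silently ignore unknown element names, which matches the old else-chain, so that is unchanged. Note that `<notes>` text is now carried verbatim from the suppression file into `Identifier`/`Vulnerability` and from there into the reports; the XML template escapes it with `$enc.xml`, but any HTML or other templates that print `notes` must escape it too, since a suppression file shared across a team or pulled from a repository is not necessarily trusted content.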
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index 312cfb02b..ca6c7ab05 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -59,6 +59,11 @@ public class SuppressionRule { * A Maven GAV to suppression. */ private PropertyType gav = null; + /** + * The notes added in suppression file + */ + + private String notes; /** * A flag indicating whether or not the suppression rule is a core/base rule @@ -175,6 +180,42 @@ public class SuppressionRule { return !cvssBelow.isEmpty(); } + /** + * Get the value of notes. + * + * @return the value of notes + */ + public String getNotes() { + return notes; + } + + /** + * Set the value of notes. + * + * @param notes new value of cve + */ + public void setNotes(String notes) { + this.notes = notes; + } + + /** + * Adds the notes to the cve list. + * + * @param notes the cve to add + */ + public void addNotes(String notes) { + this.notes = notes; + } + + /** + * Returns whether this suppression rule has notes entries. + * + * @return whether this suppression rule has notes entries + */ + public boolean hasNotes() { + return !cve.isEmpty(); + } + /** * Get the value of CWE. * @@ -328,6 +369,9 @@ public class SuppressionRule { for (PropertyType c : this.cpe) { if (identifierMatches("cpe", c, i)) { if (!isBase()) { + if (this.notes != null) { + i.setNotes(this.notes); + } dependency.addSuppressedIdentifier(i); } itr.remove(); @@ -369,6 +413,9 @@ public class SuppressionRule { } if (remove) { if (!isBase()) { + if (this.notes != null) { + v.setNotes(this.notes); + } dependency.addSuppressedVulnerability(v); } itr.remove(); 
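Review bot: `hasNotes()` still returns `!cve.isEmpty()`, so it answers whether the rule lists CVEs rather than whether it carries notes; use `return notes != null && !notes.isEmpty();`. `addNotes` is an alias for `setNotes`, and its Javadoc (`Adds the notes to the cve list`, `@param notes the cve to add`) and the `@param notes new value of cve` on `setNotes` are all wrong; keep one setter and document it as `@param notes the notes from the suppression file`.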
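Review bot: In the two `process` hunks, `i.setNotes(this.notes)` and `v.setNotes(this.notes)` run only when `!isBase()`, which is consistent with base rules not recording suppressed items, but when several non-base rules match the same identifier or vulnerability the last rule's notes silently overwrite the earlier ones. If that is intended, say so with a comment such as `// last matching rule wins; notes are informational only`; otherwise append rather than replace. The enclosing `process` method starts and ends outside these hunks.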
diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.4.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.4.xsd new file mode 100644 index 000000000..01178fa7e --- /dev/null +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.4.xsd @@ -0,0 +1,200 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From d180208e3413d398f5da1ccb12036958013ee716 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 25 Feb 2017 16:08:44 -0500 Subject: [PATCH 08/12] interim --- .../dependency/Vulnerability.java | 29 +---------- .../reporting/ReportGenerator.java | 50 +------------------ .../xml/suppression/SuppressionHandler.java | 38 ++++++-------- .../xml/suppression/SuppressionRule.java | 43 +--------------- .../resources/schema/dependency-check.1.3.xsd | 1 - 5 files changed, 18 insertions(+), 143 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index f980936ab..01ea8c8f6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -94,10 +94,6 @@ public class Vulnerability implements Serializable, Comparable { * Whether or not all previous versions were affected. */ private String matchedAllPreviousCPE; - /** - * The notes for the vulnerability. - */ - private String notes; /** * Get the value of name. 
@@ -122,7 +118,6 @@ public class Vulnerability implements Serializable, Comparable { * * @return the value of description */ - public String getDescription() { return description; } @@ -284,28 +279,6 @@ public class Vulnerability implements Serializable, Comparable { this.cwe = cwe; } - /** - * Get the value of notes from suppression notes. - * - * @return the value of notes - */ - public String getNotes() { - return notes; - } - - /** - * Set the value of notes. - * - * @param notes new value of cwe - */ - public void setNotes(String notes) { - this.notes = notes; - } - - /** - * CVSS Score. - */ - /** * Get the value of cvssScore. * @@ -524,4 +497,4 @@ public class Vulnerability implements Serializable, Comparable { public boolean hasMatchedAllPreviousCPE() { return matchedAllPreviousCPE != null; } -} +} \ No newline at end of file diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index af10abb51..e56f4fc75 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java @@ -28,8 +28,6 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.UnsupportedEncodingException; import java.util.List; - -import org.apache.commons.lang3.StringUtils; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.context.Context; 
@@ -40,12 +38,8 @@ import org.joda.time.format.DateTimeFormatter; import org.owasp.dependencycheck.analyzer.Analyzer; import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.ReportException; import org.owasp.dependencycheck.utils.Settings; -import org.owasp.dependencycheck.xml.suppression.SuppressionParseException; -import org.owasp.dependencycheck.xml.suppression.SuppressionParser; -import org.owasp.dependencycheck.xml.suppression.SuppressionRule; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -122,55 +116,15 @@ public class ReportGenerator { final String scanDateXML = dateFormatXML.print(dt); context.put("applicationName", applicationName); + context.put("dependencies", dependencies); context.put("analyzers", analyzers); context.put("properties", properties); context.put("scanDate", scanDate); context.put("scanDateXML", scanDateXML); context.put("enc", enc); - context.put("dependencies", addNotesToReport(dependencies)); context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown")); } - /** - * creates a suppression note adder to dependency - * - * @param dependencies the list of dependencies - * @return dependencies with notes added suppressed vulnerabilities - */ - - public List addNotesToReport(List dependencies){ - final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE); - - if(StringUtils.isBlank(suppressionFilePath)){ - return dependencies; - } - - final SuppressionParser parser1 = new SuppressionParser(); - List suppressionRule=null; - - if(!suppressionFilePath.isEmpty()){ - try { - suppressionRule=parser1.parseSuppressionRules(new File(suppressionFilePath)); - } catch (SuppressionParseException e) { - e.printStackTrace(); - } - } - - for(Dependency dependency:dependencies){ - for(Vulnerability suppressedVulnerability: dependency.getSuppressedVulnerabilities()){ - for(SuppressionRule suppressionRule1:suppressionRule){ - for(String cve: suppressionRule1.getCve()){ - if(suppressedVulnerability.getName().equals(cve)){ - suppressedVulnerability.setNotes(suppressionRule1.getNotes()); - } - - } - } - } - } - return dependencies; - } - /** * Creates a new Velocity Engine. * @@ -378,4 +332,4 @@ public class ReportGenerator { } } } -} +} \ No newline at end of file 
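Review bot: After `addNotesToReport` is deleted here, and with the `notes` field and accessors removed from `Vulnerability` earlier in this commit, nothing left in the visible part of the series writes a note onto a `Vulnerability`, yet the templates changed in PATCH 09/12 read `$vuln.notes` and `$id.notes` and PATCH 12/12 adds a "suppression notes" fixture; if the replacement wiring lives in one of the commits not shown (02–07) this is fine, otherwise those `#if ($vuln.notes)` blocks silently never render, because Velocity evaluates a null or unresolvable reference as false. The relocated `context.put("dependencies", dependencies);` is fine on its own; the method it sits in begins before this hunk. The second hunk in this file (`@@ -378,4 +332,4`) and the matching hunks in `Vulnerability.java`, `SuppressionHandler.java` and `SuppressionRule.java` all drop the final newline (`\ No newline at end of file`), which adds a spurious last-line change to every future diff of those files; restoring the trailing newline before merging would keep them consistent with the rest of the tree.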
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java index f63e00279..590f55199 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java @@ -46,12 +46,6 @@ public class SuppressionHandler extends DefaultHandler { * The CVE element name. */ public static final String CVE = "cve"; - - /** - * The CVE element name. - */ - public static final String NOTES = "notes"; - /** * The CPE element name. */ @@ -71,16 +65,7 @@ public class SuppressionHandler extends DefaultHandler { /** * A list of suppression rules. */ - private final List suppressionRules = new ArrayList(); - - /** - * Get the value of suppressionRules. - * - * @return the value of suppressionRules - */ - public List getSuppressionRules() { - return suppressionRules; - } + private final List suppressionRules = new ArrayList<>(); /** * The current rule being read. */ @@ -94,6 +79,15 @@ public class SuppressionHandler extends DefaultHandler { */ private StringBuilder currentText; + /** + * Get the value of suppressionRules. + * + * @return the value of suppressionRules + */ + public List getSuppressionRules() { + return suppressionRules; + } + /** * Handles the start element event. * @@ -146,11 +140,7 @@ public class SuppressionHandler extends DefaultHandler { rule.addCwe(currentText.toString()); } else if (CVE.equals(qName)) { rule.addCve(currentText.toString()); - } - else if (NOTES.equals(qName)) { - rule.addNotes(currentText.toString()); - } - else if (CVSS_BELOW.equals(qName)) { + } else if (CVSS_BELOW.equals(qName)) { final float cvss = Float.parseFloat(currentText.toString()); rule.addCvssBelow(cvss); } 
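Review bot: With the `NOTES` branch removed from `endElement` in `@@ -146,11 +140,7`, the `else if` chain has no final `else`, so an element the handler does not recognise — a `<notes>` child of `<suppress>` included — has its text presumably collected by `characters()` and then silently discarded when its end tag arrives. If the suppression schema still permits `notes` (the fixture added in PATCH 12/12 is described as "suppression notes" and PATCH 09/12 renders `$vuln.notes`), the handler should either keep a branch that stores the text on the rule or reject the element; if `notes` was intentionally dropped here, a one-line comment at the end of the chain such as `// unknown elements are validated by the schema and ignored here` would make that explicit. `endElement` begins before this hunk.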
@@ -170,8 +160,8 @@ public class SuppressionHandler extends DefaultHandler { } /** - * Processes field members that have been collected during the characters and startElement method to construct a - * PropertyType object. + * Processes field members that have been collected during the characters + * and startElement method to construct a PropertyType object. * * @return a PropertyType object */ @@ -190,4 +180,4 @@ public class SuppressionHandler extends DefaultHandler { } return pt; } -} +} \ No newline at end of file diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index e253094fd..9ba1a6239 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -59,11 +59,6 @@ public class SuppressionRule { * A Maven GAV to suppression. */ private PropertyType gav = null; - /** - * The notes added in suppression file - */ - - private String notes; /** * A flag indicating whether or not the suppression rule is a core/base rule @@ -180,42 +175,6 @@ public class SuppressionRule { return !cvssBelow.isEmpty(); } - /** - * Get the value of notes. - * - * @return the value of notes - */ - public String getNotes() { - return notes; - } - - /** - * Set the value of notes. - * - * @param notes new value of cve - */ - public void setNotes(String notes) { - this.notes = notes; - } - - /** - * Adds the notes to the cve list. - * - * @param notes the cve to add - */ - public void addNotes(String notes) { - this.notes=notes; - } - - /** - * Returns whether this suppression rule has notes entries. - * - * @return whether this suppression rule has notes entries - */ - public boolean hasNotes() { - return !cve.isEmpty(); - } - /** * Get the value of CWE. * 
@@ -523,4 +482,4 @@ public class SuppressionRule { sb.append('}'); return sb.toString(); } -} +} \ No newline at end of file diff --git a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd index 615844c10..023eb6f15 100644 --- a/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd +++ b/dependency-check-core/src/main/resources/schema/dependency-check.1.3.xsd @@ -211,7 +211,6 @@ - From e0d5651b7558ee99e18bd3285ee1181e21472baa Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 26 Feb 2017 07:50:35 -0500 Subject: [PATCH 09/12] updated to add notes --- .../main/resources/templates/HtmlReport.vsl | 40 ++++++++++++++----- .../main/resources/templates/XmlReport.vsl | 22 +++++++++- 2 files changed, 51 insertions(+), 11 deletions(-) diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index 02035e96e..62e7b8b26 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl @@ -812,8 +812,15 @@ Getting Help: suppress #end - #if ($id.description) -
$enc.html($id.description) + #if ($id.description || $id.notes) +
    + #if ($id.description) +
  • Description: $enc.html($id.description)
  • + #end + #if ($id.notes) +
  • Notes: $enc.xml($id.notes)
  • + #end +
#end #end @@ -838,15 +845,18 @@ Getting Help:
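Review bot: The new `Notes: $enc.xml($id.notes)` line escapes suppression-file text with the XML escaper while the adjacent `Description: $enc.html($id.description)` uses the HTML escaper, inside an HTML template. The XML escaper presumably covers `<`, `>`, `&` and the quote characters, so output is unlikely to be left unescaped, but the notes originate from a user-editable suppression file and the HTML report should use the context-appropriate encoder consistently: `Notes: $enc.html($id.notes)`. The same `$enc.xml` in an HTML context appears in the next hunk (`Notes: $enc.xml($vuln.notes)`, `@@ -838`) and again in `@@ -947` and `@@ -973` of this file, so one fix should be applied to all four places.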
CVSS Score: $vuln.cvssScore (AV:$enc.html($vuln.cvssAccessVector.substring(0,1))/AC:$enc.html($vuln.cvssAccessComplexity.substring(0,1))/Au:$enc.html($vuln.cvssAuthentication.substring(0,1))/C:$enc.html($vuln.cvssConfidentialityImpact.substring(0,1))/I:$enc.html($vuln.cvssIntegrityImpact.substring(0,1))/A:$enc.html($vuln.cvssAvailabilityImpact.substring(0,1))) #if ($vuln.cwe)
CWE: $vuln.cwe + #end + #if ($vuln.notes) +
Notes: $enc.xml($vuln.notes) #end

$enc.html($vuln.description) - #if ($vuln.getReferences().size()>0) -

+ #if ($vuln.getReferences().size()>0) +
    + #foreach($ref in $vuln.getReferences(true)) +
  • $enc.html($ref.source) - $ref.name
  • #end +
+ #end

#if ($vuln.getVulnerableSoftware().size()<2) @@ -947,8 +957,15 @@ Getting Help: Confidence:$id.confidence #end - #if ($id.description) -
$enc.html($id.description) + #if ($id.description || $id.notes) +
    + #if ($id.description) +
  • Description: $enc.html($id.description)
  • + #end + #if ($id.notes) +
  • Notes: $enc.xml($id.notes)
  • + #end +
#end #end @@ -973,6 +990,9 @@ Getting Help:
CVSS Score: $vuln.cvssScore #if ($vuln.cwe)
CWE: $vuln.cwe + #end + #if ($vuln.notes) +
Notes: $enc.xml($vuln.notes) #end

$enc.html($vuln.description) #if ($vuln.getReferences().size()>0) diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index 859b0b974..143826c57 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -19,7 +19,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. @version 1.2 *# - + $version #foreach($prop in $properties.getMetaData().entrySet()) @@ -60,6 +60,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. ($id.value) #if( $id.url ) $enc.xml($id.url) +#end +#if ($id.notes) + $enc.xml($id.notes) #end #end @@ -101,6 +104,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end #if( $id.description ) $enc.xml($id.description) +#end +#if ($id.notes) + $enc.xml($id.notes) #end #end @@ -112,6 +118,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #end #if( $id.description ) $enc.xml($id.description) +#end +#if ($id.notes) + $enc.xml($id.notes) #end #end @@ -140,6 +149,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. $enc.xml($vuln.cwe) #end $enc.xml($vuln.description) +#if ($vuln.notes) + $enc.xml($vuln.notes) +#end #foreach($ref in $vuln.getReferences()) @@ -160,6 +172,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. $enc.xml($vuln.name) $vuln.cvssScore + $enc.xml($vuln.cvssAccessVector) + $enc.xml($vuln.cvssAccessComplexity) + $enc.xml($vuln.cvssAuthentication) + $enc.xml($vuln.cvssConfidentialityImpact) + $enc.xml($vuln.cvssIntegrityImpact) + $enc.xml($vuln.cvssAvailabilityImpact) #if ($vuln.cvssScore<4.0) Low #elseif ($vuln.cvssScore>=7.0) @@ -171,7 +189,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. $enc.xml($vuln.cwe) #end $enc.xml($vuln.description) +#if ($vuln.notes) $enc.xml($vuln.notes) +#end #foreach($ref in $vuln.getReferences()) From 3e0843780852f6bc50b22d6d7b16305e8dc5fa0a Mon Sep 17 00:00:00 2001 
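Review bot: In the `@@ -160,6 +172,12` hunk of `XmlReport.vsl` the six new values `$enc.xml($vuln.cvssAccessVector)` through `$enc.xml($vuln.cvssAvailabilityImpact)` are emitted unconditionally, whereas the sibling `cwe` value a few lines below stays wrapped in `#if ($vuln.cwe)`. If any of those getters can return null for some vulnerability (the `Vulnerability` class is not visible here, so this is inferred), Velocity by default writes the unresolved reference text literally into the report, leaking template syntax into the XML and possibly breaking validation against the 1.4 schema that PATCH 10/12 switches the integration test to. Guarding each line the same way as `cwe`, or using the quiet form `$!enc.xml($vuln.cvssAccessVector)`, would keep the output well-formed. The surrounding element tags did not survive extraction, so the wrapper names cannot be checked against the schema from this view.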
From: Jeremy Long Date: Sun, 26 Feb 2017 07:52:02 -0500 Subject: [PATCH 10/12] updated to work with new schema --- .../reporting/ReportGeneratorIntegrationTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java index d99fc732b..5bc74e586 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java @@ -151,7 +151,7 @@ public class ReportGeneratorIntegrationTest extends BaseDBTestCase { engine.cleanup(); - InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.3.xsd"); + InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.1.4.xsd"); StreamSource xsdSource = new StreamSource(xsdStream); StreamSource xmlSource = new StreamSource(new File(writeTo)); SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); From b228d0884384034c744f56463a49ba9c180c3163 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 26 Feb 2017 09:16:16 -0500 Subject: [PATCH 11/12] removed typo --- .../src/main/resources/templates/HtmlReport.vsl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index 62e7b8b26..8283a443a 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl @@ -1005,7 +1005,7 @@ Getting Help: #if ($vuln.getVulnerableSoftware().size()<2)

Vulnerable Software & Versions:

#else

Vulnerable Software & Versions: (show all)

    From e363e8109b83a758f5d5df756bfc6f5403ae4678 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 26 Feb 2017 09:16:53 -0500 Subject: [PATCH 12/12] added suppression notes --- .../ReportGeneratorIntegrationTest.java | 3 +++ .../test/resources/incorrectSuppressions.xml | 17 +++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 dependency-check-core/src/test/resources/incorrectSuppressions.xml diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java index 5bc74e586..93a88170f 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java @@ -123,6 +123,9 @@ public class ReportGeneratorIntegrationTest extends BaseDBTestCase { f.mkdir(); } String writeTo = "target/test-reports/Report.xml"; + File suppressionFile = BaseTest.getResourceAsFile(this, "incorrectSuppressions.xml"); + + Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile.getAbsolutePath()); //File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath()); File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar"); diff --git a/dependency-check-core/src/test/resources/incorrectSuppressions.xml b/dependency-check-core/src/test/resources/incorrectSuppressions.xml new file mode 100644 index 000000000..9265da5ab --- /dev/null +++ b/dependency-check-core/src/test/resources/incorrectSuppressions.xml @@ -0,0 +1,17 @@ + + + + + ^jetty:org\.mortbay\.jetty:.*$ + cpe:/a:mortbay_jetty:jetty + + + + ^org\.apache\.struts:struts2-core:.*$ + CVE-2008-6504 + + \ No newline at end of file
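Review bot: The added `Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile.getAbsolutePath());` mutates process-global settings inside the test method and nothing in the hunk restores the previous value, so any later test in the same JVM that runs an engine would pick up `incorrectSuppressions.xml` unless `BaseDBTestCase` resets `Settings` in its teardown (not visible here). Setting the key in a setup hook and clearing it in the matching teardown, or wrapping the engine run in `try`/`finally` that restores the old value, keeps the fixture local to this test; the method containing these lines begins before the hunk. Nothing visible asserts that the notes from the fixture actually appear in the generated report, so this presumably only checks that the file parses and the XML stays schema-valid; an assertion that the report contains the fixture's notes text would pin the behaviour PATCH 09/12 adds.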