change in namespace as this is now an OWASP project

Former-commit-id: dc00f98a142bef2560d90f3b851844f352fbf262
Jeremy Long
2013-03-03 08:57:38 -05:00
parent f6f68655fb
commit ea1fb191a9
141 changed files with 2729 additions and 2330 deletions


@@ -0,0 +1,440 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
import java.io.File;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.FileUtils;
/**
* A program dependency. This object is one of the core components within
* DependencyCheck. It is used to collect information about the dependency in
* the form of evidence. The Evidence is then used to determine if there are any
* known, published, vulnerabilities associated with the program dependency.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class Dependency {
/**
* The actual file path of the dependency on disk.
*/
private String actualFilePath = null;
/**
* The file path to display.
*/
private String filePath = null;
/**
* The file name of the dependency.
*/
private String fileName = null;
/**
* The file extension of the dependency.
*/
private String fileExtension = null;
/**
* The md5 hash of the dependency.
*/
private String md5sum = null;
/**
* The SHA1 hash of the dependency.
*/
private String sha1sum = null;
/**
* A list of Identifiers.
*/
private List<Identifier> identifiers = null;
/**
* A collection of vendor evidence.
*/
protected EvidenceCollection vendorEvidence = null;
/**
* A collection of product evidence.
*/
protected EvidenceCollection productEvidence = null;
/**
* A collection of version evidence.
*/
protected EvidenceCollection versionEvidence = null;
/**
* Constructs a new Dependency object.
*/
public Dependency() {
vendorEvidence = new EvidenceCollection();
productEvidence = new EvidenceCollection();
versionEvidence = new EvidenceCollection();
identifiers = new ArrayList<Identifier>();
vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
}
/**
* Constructs a new Dependency object.
*
* @param file the File to create the dependency object from.
*/
public Dependency(File file) {
this();
this.actualFilePath = file.getPath();
this.filePath = this.actualFilePath;
this.fileName = file.getName();
this.fileExtension = FileUtils.getFileExtension(fileName);
determineHashes(file);
}
/**
* Returns the file name of the dependency.
*
* @return the file name of the dependency.
*/
public String getFileName() {
return this.fileName;
}
/**
* Sets the file name of the dependency.
*
* @param fileName the file name of the dependency.
*/
public void setFileName(String fileName) {
this.fileName = fileName;
}
/**
* Sets the actual file path of the dependency on disk.
*
* @param actualFilePath the file path of the dependency.
*/
public void setActualFilePath(String actualFilePath) {
this.actualFilePath = actualFilePath;
}
/**
* Gets the file path of the dependency.
*
* @return the file path of the dependency.
*/
public String getActualFilePath() {
return this.actualFilePath;
}
/**
* Sets the file path of the dependency.
*
* @param filePath the file path of the dependency.
*/
public void setFilePath(String filePath) {
this.filePath = filePath;
}
/**
* <p>Gets the file path of the dependency.</p> <p><b>NOTE:</b> This may not
* be the actual path of the file on disk. The actual path of the file on
* disk can be obtained via the getActualFilePath().</p>
*
* @return the file path of the dependency.
*/
public String getFilePath() {
return this.filePath;
}
/**
* Sets the file name of the dependency.
*
* @param fileExtension the file name of the dependency.
*/
public void setFileExtension(String fileExtension) {
this.fileExtension = fileExtension;
}
/**
* Gets the file extension of the dependency.
*
* @return the file extension of the dependency.
*/
public String getFileExtension() {
return this.fileExtension;
}
/**
* Returns the MD5 Checksum of the dependency file.
*
* @return the MD5 Checksum
*/
public String getMd5sum() {
return this.md5sum;
}
/**
* Sets the MD5 Checksum of the dependency.
*
* @param md5sum the MD5 Checksum
*/
public void setMd5sum(String md5sum) {
this.md5sum = md5sum;
}
/**
* Returns the SHA1 Checksum of the dependency.
*
* @return the SHA1 Checksum
*/
public String getSha1sum() {
return this.sha1sum;
}
/**
* Sets the SHA1 Checksum of the dependency.
*
* @param sha1sum the SHA1 Checksum
*/
public void setSha1sum(String sha1sum) {
this.sha1sum = sha1sum;
}
/**
* Returns a List of Identifiers.
*
* @return an ArrayList of Identifiers.
*/
public List<Identifier> getIdentifiers() {
return this.identifiers;
}
/**
* Sets a List of Identifiers.
*
* @param identifiers A list of Identifiers.
*/
public void setIdentifiers(List<Identifier> identifiers) {
this.identifiers = identifiers;
}
/**
* Adds an entry to the list of detected Identifiers for the dependency
* file.
*
* @param type the type of identifier (such as CPE).
* @param value the value of the identifier.
* @param url the URL of the identifier.
*/
public void addIdentifier(String type, String value, String url) {
Identifier i = new Identifier(type, value, url);
this.identifiers.add(i);
}
/**
* Returns the evidence used to identify this dependency.
*
* @return an EvidenceCollection.
*/
public EvidenceCollection getEvidence() {
return EvidenceCollection.merge(this.productEvidence, this.vendorEvidence, this.versionEvidence);
}
/**
* Returns the evidence used to identify this dependency.
*
* @return an EvidenceCollection.
*/
public EvidenceCollection getEvidenceUsed() {
return EvidenceCollection.mergeUsed(this.productEvidence, this.vendorEvidence, this.versionEvidence);
}
/**
* Gets the Vendor Evidence.
*
* @return an EvidenceCollection.
*/
public EvidenceCollection getVendorEvidence() {
return this.vendorEvidence;
}
/**
* Gets the Product Evidence.
*
* @return an EvidenceCollection.
*/
public EvidenceCollection getProductEvidence() {
return this.productEvidence;
}
/**
* Gets the Version Evidence.
*
* @return an EvidenceCollection.
*/
public EvidenceCollection getVersionEvidence() {
return this.versionEvidence;
}
/**
* A list of exceptions that occurred during analysis of this dependency.
*/
protected List<Exception> analysisExceptions = new ArrayList<Exception>();
/**
* Get the value of analysisExceptions
*
* @return the value of analysisExceptions
*/
public List<Exception> getAnalysisExceptions() {
return analysisExceptions;
}
/**
* Set the value of analysisExceptions
*
* @param analysisExceptions new value of analysisExceptions
*/
public void setAnalysisExceptions(List<Exception> analysisExceptions) {
this.analysisExceptions = analysisExceptions;
}
/**
* Adds an exception to the analysis exceptions collection.
*
* @param ex an exception.
*/
public void addAnalysisException(Exception ex) {
this.analysisExceptions.add(ex);
}
/**
* The description of the JAR file.
*/
protected String description;
/**
* Get the value of description
*
* @return the value of description
*/
public String getDescription() {
return description;
}
/**
* Set the value of description
*
* @param description new value of description
*/
public void setDescription(String description) {
this.description = description;
}
/**
* The license that this dependency uses.
*/
private String license;
/**
* Get the value of license
*
* @return the value of license
*/
public String getLicense() {
return license;
}
/**
* Set the value of license
*
* @param license new value of license
*/
public void setLicense(String license) {
this.license = license;
}
/**
* Determines if the specified string was used when searching. This is
* currently only used in test.
*
* @param str is the string that is being checked if it was used.
* @return true or false.
*/
public boolean containsUsedString(String str) {
if (str == null) {
return false;
}
if (vendorEvidence.containsUsedString(str)) {
return true;
}
if (productEvidence.containsUsedString(str)) {
return true;
}
if (versionEvidence.containsUsedString(str)) {
return true;
}
return false;
}
/**
* A list of vulnerabilities for this dependency
*/
private SortedSet<Vulnerability> vulnerabilities;
/**
* Get the list of vulnerabilities
*
* @return the list of vulnerabilities
*/
public Set<Vulnerability> getVulnerabilities() {
return vulnerabilities;
}
/**
* Set the value of vulnerabilities
*
* @param vulnerabilities new value of vulnerabilities
*/
public void setVulnerabilities(SortedSet<Vulnerability> vulnerabilities) {
this.vulnerabilities = vulnerabilities;
}
private void determineHashes(File file) {
String md5 = null;
String sha1 = null;
try {
md5 = Checksum.getMD5Checksum(file);
sha1 = Checksum.getSHA1Checksum(file);
} catch (IOException ex) {
Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, null, ex);
} catch (NoSuchAlgorithmException ex) {
Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, null, ex);
}
this.setMd5sum(md5);
this.setSha1sum(sha1);
}
/**
* Adds a vulnerability to the dependency.
*
* @param vulnerability a vulnerability outlining a vulnerability.
*/
public void addVulnerability(Vulnerability vulnerability) {
this.vulnerabilities.add(vulnerability);
}
}
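Review bot: determineHashes, at the bottom of the class, catches IOException and NoSuchAlgorithmException, logs them with a null message, and then stores null into md5sum and sha1sum, so a Dependency whose file could not be read or hashed is indistinguishable from one that simply has no checksum yet, and nothing reaches the analysisExceptions list this class keeps for exactly that purpose. In each catch body replace the log call with `Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, "Unable to calculate checksums for " + file.getPath(), ex);` followed by `addAnalysisException(ex);` so the failure is visible on the object and in the report. The method is also the only one in the file without Javadoc; a header such as `Calculates the MD5 and SHA1 checksums of the given file and stores them; both sums are left null if the file cannot be hashed.` with `@param file the file to hash` would bring it in line with the rest. Separately, getIdentifiers and getVulnerabilities hand out the internal mutable collections, which is worth stating in their @return text since callers can alter the dependency through them.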


@@ -0,0 +1,225 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
/**
* Evidence is a piece of information about a Dependency.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class Evidence {
/**
* The confidence that the evidence is "high" quality.
*/
public enum Confidence {
/**
* High confidence evidence.
*/
HIGH,
/**
* Medium confidence evidence.
*/
MEDIUM,
/**
* Low confidence evidence.
*/
LOW
}
/**
* Creates a new Evidence object.
*/
public Evidence() {
}
/**
* Creates a new Evidence objects.
*
* @param source the source of the evidence.
* @param name the name of the evidence.
* @param value the value of the evidence.
* @param confidence the confidence of the evidence.
*/
public Evidence(String source, String name, String value, Confidence confidence) {
this.source = source;
this.name = name;
this.value = value;
this.confidence = confidence;
}
/**
* The name of the evidence.
*/
protected String name;
/**
* Get the value of name
*
* @return the value of name
*/
public String getName() {
return name;
}
/**
* Set the value of name
*
* @param name new value of name
*/
public void setName(String name) {
this.name = name;
}
/**
* The source of the evidence.
*/
protected String source;
/**
* Get the value of source
*
* @return the value of source
*/
public String getSource() {
return source;
}
/**
* Set the value of source
*
* @param source new value of source
*/
public void setSource(String source) {
this.source = source;
}
/**
* The value of the evidence.
*/
protected String value;
/**
* Get the value of value
*
* @return the value of value
*/
public String getValue() {
used = true;
return value;
}
/**
* Set the value of value
*
* @param value new value of value
*/
public void setValue(String value) {
this.value = value;
}
/**
* A value indicating if the Evidence has been "used" (aka read).
*/
protected boolean used;
/**
* Get the value of used
*
* @return the value of used
*/
public boolean isUsed() {
return used;
}
/**
* Set the value of used
*
* @param used new value of used
*/
public void setUsed(boolean used) {
this.used = used;
}
/**
* The confidence level for the evidence.
*/
protected Confidence confidence;
/**
* Get the value of confidence
*
* @return the value of confidence
*/
public Confidence getConfidence() {
return confidence;
}
/**
* Set the value of confidence
*
* @param confidence new value of confidence
*/
public void setConfidence(Confidence confidence) {
this.confidence = confidence;
}
/**
* Implements the hashCode for Evidence.
*
* @return hash code.
*/
@Override
public int hashCode() {
int hash = 3;
hash = 67 * hash + (this.name != null ? this.name.hashCode() : 0);
hash = 67 * hash + (this.source != null ? this.source.hashCode() : 0);
hash = 67 * hash + (this.value != null ? this.value.hashCode() : 0);
hash = 67 * hash + (this.confidence != null ? this.confidence.hashCode() : 0);
return hash;
}
/**
* Implements equals for Evidence.
*
* @param that an object to check the equality of.
* @return whether the two objects are equal.
*/
@Override
public boolean equals(Object that) {
if (this == that) {
return true;
}
if (!(that instanceof Evidence)) {
return false;
}
Evidence e = (Evidence) that;
return testEquality(name, e.name) && testEquality(source, e.source) && testEquality(value, e.value)
&& (confidence == null ? e.confidence == null : confidence == e.confidence);
}
/**
* Simple equality test for use within the equals method. This does a case
* insensitive compare.
*
* @param l a string to compare.
* @param r another string to compare.
* @return whether the two strings are the same.
*/
private boolean testEquality(String l, String r) {
return l == null ? r == null : l.equalsIgnoreCase(r);
}
}
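Review bot: equals compares name, source and value with equalsIgnoreCase via testEquality, but hashCode hashes the raw strings, so two Evidence objects differing only in letter case are equal yet hash differently, which breaks the equals/hashCode contract; EvidenceCollection stores evidence in a HashSet, so such pairs are not deduplicated and contains can miss an equal element. Fold case in hashCode the same way, e.g. `hash = 67 * hash + (this.name != null ? this.name.toLowerCase(Locale.ROOT).hashCode() : 0);` and likewise for source and value (needs `import java.util.Locale;`); equalsIgnoreCase and toLowerCase can still disagree on a few Unicode case pairs, so consider applying one folding in both methods. getValue also sets `used = true` as a side effect that its Javadoc does not mention; document it, e.g. `Get the value of value. Calling this marks the evidence as used (aka read).`, since EvidenceCollection.mergeUsed and containsUsedString depend on that flag.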


@@ -0,0 +1,266 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.owasp.dependencycheck.utils.Filter;
/**
* Used to maintain a collection of Evidence.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class EvidenceCollection implements Iterable<Evidence> {
/**
* Used to iterate over high confidence evidence contained in the
* collection.
*/
private static final Filter<Evidence> HIGH_CONFIDENCE =
new Filter<Evidence>() {
public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.HIGH;
}
};
/**
* Used to iterate over medium confidence evidence contained in the
* collection.
*/
private static final Filter<Evidence> MEDIUM_CONFIDENCE =
new Filter<Evidence>() {
public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.MEDIUM;
}
};
/*
* Used to iterate over low confidence evidence contained in the collection.
*/
private static final Filter<Evidence> LOW_CONFIDENCE =
new Filter<Evidence>() {
public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Evidence.Confidence.LOW;
}
};
/**
* Used to iterate over evidence that has was used (aka read) from the
* collection.
*/
private static final Filter<Evidence> EVIDENCE_USED =
new Filter<Evidence>() {
public boolean passes(Evidence evidence) {
return evidence.isUsed();
}
};
/**
* Used to iterate over evidence of the specified confidence.
*
* @param confidence the confidence level for the evidence to be iterated
* over.
* @return Iterable<Evidence>.
*/
public final Iterable<Evidence> iterator(Evidence.Confidence confidence) {
if (confidence == Evidence.Confidence.HIGH) {
return EvidenceCollection.HIGH_CONFIDENCE.filter(this.list);
} else if (confidence == Evidence.Confidence.MEDIUM) {
return EvidenceCollection.MEDIUM_CONFIDENCE.filter(this.list);
} else {
return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
}
}
private Set<Evidence> list = null;
private Set<String> weightedStrings = null;
/**
* Creates a new EvidenceCollection.
*/
public EvidenceCollection() {
list = new HashSet<Evidence>();
weightedStrings = new HashSet<String>();
}
/**
* Adds evidence to the collection.
*
* @param e Evidence.
*/
public void addEvidence(Evidence e) {
list.add(e);
}
/**
* Creates an Evidence object from the parameters and adds the resulting
* object to the collection.
*
* @param source the source of the Evidence.
* @param name the name of the Evidence.
* @param value the value of the Evidence.
* @param confidence the confidence of the Evidence.
*/
public void addEvidence(String source, String name, String value, Evidence.Confidence confidence) {
Evidence e = new Evidence(source, name, value, confidence);
addEvidence(e);
}
/**
* Adds term to the weighting collection. The terms added here are used
* later to boost the score of other terms. This is a way of combining
* evidence from multiple sources to boost the confidence of the given
* evidence.
*
* Example: The term 'Apache' is found in the manifest of a JAR and is added
* to the Collection. When we parse the package names within the JAR file we
* may add these package names to the "weighted" strings collection to boost
* the score in the Lucene query. That way when we construct the Lucene
* query we find the term Apache in the collection AND in the weighted
* strings; as such, we will boost the confidence of the term Apache.
*
* @param str to add to the weighting collection.
*/
public void addWeighting(String str) {
weightedStrings.add(str);
}
/**
* Returns a set of Weightings - a list of terms that are believed to be of
* higher confidence when also found in another location.
*
* @return Set<String>
*/
public Set<String> getWeighting() {
return weightedStrings;
}
/**
* Returns the set of evidence.
*
* @return the set of evidence.
*/
public Set<Evidence> getEvidence() {
return list;
}
/**
* Implements the iterator interface for the Evidence Collection.
*
* @return an Iterator<Evidence>.
*/
public Iterator<Evidence> iterator() {
return list.iterator();
}
/**
* Used to determine if a given string was used (aka read).
*
* @param text the string to search for.
* @return whether or not the string was used.
*/
public boolean containsUsedString(String text) {
if (text == null) {
return false;
}
text = text.toLowerCase();
for (Evidence e : this.list) {
if (e.used && e.value.toLowerCase().contains(text)) {
return true;
}
}
return false;
}
/**
* Returns whether or not the collection contains evidence of a specified
* Confidence.
*
* @param confidence A Confidence value.
* @return boolean.
*/
public boolean contains(Evidence.Confidence confidence) {
for (Evidence e : list) {
if (e.confidence == confidence) {
return true;
}
}
return false;
}
/**
* Merges multiple EvidenceCollections together, only merging evidence that
* was used, into a new EvidenceCollection.
*
* @param ec One or more EvidenceCollections.
* @return a new EvidenceCollection containing the used evidence.
*/
public static EvidenceCollection mergeUsed(EvidenceCollection... ec) {
EvidenceCollection ret = new EvidenceCollection();
for (EvidenceCollection col : ec) {
for (Evidence e : col.list) {
if (e.isUsed()) {
ret.addEvidence(e);
}
}
}
return ret;
}
/**
* Merges multiple EvidenceCollections together.
*
* @param ec One or more EvidenceCollections.
* @return a new EvidenceCollection.
*/
public static EvidenceCollection merge(EvidenceCollection... ec) {
EvidenceCollection ret = new EvidenceCollection();
for (EvidenceCollection col : ec) {
ret.list.addAll(col.list);
ret.weightedStrings.addAll(col.weightedStrings);
}
return ret;
}
/**
* Returns a string of evidence 'values'.
*
* @return a string containing the evidence.
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
for (Evidence e : this.list) {
sb.append(e.getValue()).append(' ');
}
return sb.toString();
}
/**
* Returns the number of elements in the EvidenceCollection.
*
* @return the number of elements in the collection.
*/
public int size() {
return list.size();
}
}
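Review bot: toString reads each element through getValue(), which flips the element's used flag, so merely printing or logging a collection marks all of its evidence as used and changes what mergeUsed and containsUsedString report afterwards; read the field directly, `sb.append(e.value).append(' ');`. containsUsedString also dereferences e.value without a null check, and Evidence has a no-arg constructor plus setters, so an element with a null value throws NullPointerException there; guard it, `if (e.used && e.value != null && e.value.toLowerCase().contains(text)) {`. The LOW_CONFIDENCE field's comment opens with `/*` rather than `/**`, so unlike its three siblings it is not picked up as Javadoc. getEvidence and getWeighting return the internal mutable sets, which the @return text should say.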


@@ -0,0 +1,168 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class Identifier {
/**
* Constructs a new Identifier with the specified data.
*
* @param type the identifier type.
* @param value the identifier value.
* @param url the identifier url.
*/
Identifier(String type, String value, String url) {
this.type = type;
this.value = value;
this.url = url;
}
/**
* Constructs a new Identifier with the specified data.
*
* @param type the identifier type.
* @param value the identifier value.
* @param url the identifier url.
* @param description the description of the identifier.
*/
Identifier(String type, String value, String url, String description) {
this(type, value, url);
this.description = description;
}
/**
* The value of the identifier
*/
protected String value;
/**
* Get the value of value
*
* @return the value of value
*/
public String getValue() {
return value;
}
/**
* Set the value of value
*
* @param value new value of value
*/
public void setValue(String value) {
this.value = value;
}
/**
* The url for the identifier
*/
protected String url;
/**
* Get the value of url
*
* @return the value of url
*/
public String getUrl() {
return url;
}
/**
* Set the value of url
*
* @param url new value of url
*/
public void setUrl(String url) {
this.url = url;
}
/**
* The type of the identifier
*/
protected String type;
/**
* Get the value of type
*
* @return the value of type
*/
public String getType() {
return type;
}
/**
* <p>Set the value of type.</p><p>Example would be "CPE".</p>
*
* @param type new value of type
*/
public void setType(String type) {
this.type = type;
}
/**
* A description of the identifier.
*/
protected String description;
/**
* Get the value of description
*
* @return the value of description
*/
public String getDescription() {
return description;
}
/**
* Set the value of description
*
* @param description new value of description
*/
public void setDescription(String description) {
this.description = description;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final Identifier other = (Identifier) obj;
if ((this.value == null) ? (other.value != null) : !this.value.equals(other.value)) {
return false;
}
if ((this.type == null) ? (other.type != null) : !this.type.equals(other.type)) {
return false;
}
return true;
}
@Override
public int hashCode() {
int hash = 5;
hash = 53 * hash + (this.value != null ? this.value.hashCode() : 0);
hash = 53 * hash + (this.type != null ? this.type.hashCode() : 0);
return hash;
}
}
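Review bot: The class Javadoc above `public class Identifier` has no summary sentence, only an author tag; a one-liner such as `An identifier for a dependency, such as a CPE, consisting of a type, a value, a URL and an optional description.` would bring it in line with the other classes in this package. equals and hashCode consider only value and type, so two Identifiers with the same value and type but different url or description compare equal; that is a defensible choice but it is undocumented, and a sentence such as `Equality is based on type and value only; url and description are ignored.` on both overrides would make it explicit. The constructors are package-private while every setter is public, so outside this package an Identifier can only be created by code in this package (Dependency.addIdentifier is the visible caller) but can be freely modified afterwards; confirm that asymmetry is intended.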


@@ -0,0 +1,129 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
import java.io.Serializable;
/**
* An external reference for a vulnerability. This contains a name, URL, and a
* source.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class Reference implements Serializable {
private static final long serialVersionUID = -3444464824563008021L;
/**
* The name of the reference.
*/
private String name;
/**
* Get the value of name
*
* @return the value of name
*/
public String getName() {
return name;
}
/**
* Set the value of name
*
* @param name new value of name
*/
public void setName(String name) {
this.name = name;
}
/**
* the url for the reference
*/
private String url;
/**
* Get the value of url
*
* @return the value of url
*/
public String getUrl() {
return url;
}
/**
* Set the value of url
*
* @param url new value of url
*/
public void setUrl(String url) {
this.url = url;
}
/**
* the source of the reference.
*/
private String source;
/**
* Get the value of source
*
* @return the value of source
*/
public String getSource() {
return source;
}
/**
* Set the value of source
*
* @param source new value of source
*/
public void setSource(String source) {
this.source = source;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final Reference other = (Reference) obj;
if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) {
return false;
}
if ((this.url == null) ? (other.url != null) : !this.url.equals(other.url)) {
return false;
}
if ((this.source == null) ? (other.source != null) : !this.source.equals(other.source)) {
return false;
}
return true;
}
@Override
public int hashCode() {
int hash = 5;
hash = 67 * hash + (this.name != null ? this.name.hashCode() : 0);
hash = 67 * hash + (this.url != null ? this.url.hashCode() : 0);
hash = 67 * hash + (this.source != null ? this.source.hashCode() : 0);
return hash;
}
}
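Review bot: Reference is a mutable bean whose hashCode is computed from name, url and source, yet Vulnerability keeps References in a HashSet and exposes that set through getReferences; calling setName, setUrl or setSource on a Reference after it has been added changes its hash, and the set will then neither find nor remove it. State this on the setters, e.g. `Set the value of name. Must not be called once the Reference has been added to a Vulnerability, as the hash code depends on it.`, or consider making the three fields final since Vulnerability.addReference(String, String, String) already has all three values when it builds the object. The equals and hashCode overrides also lack Javadoc; a one-line `/** Equality is based on name, url and source. */` on each would match the rest of the file.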


@@ -0,0 +1,387 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;
/**
* Contains the information about a vulnerability.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class Vulnerability implements Serializable, Comparable<Vulnerability> {
private static final long serialVersionUID = 307319490326651052L;
/**
* The name of the vulnerability
*/
private String name;
/**
* Get the value of name
*
* @return the value of name
*/
public String getName() {
return name;
}
/**
* Set the value of name
*
* @param name new value of name
*/
public void setName(String name) {
this.name = name;
}
/**
* the description of the vulnerability
*/
private String description;
/**
* Get the value of description
*
* @return the value of description
*/
public String getDescription() {
return description;
}
/**
* Set the value of description
*
* @param description new value of description
*/
public void setDescription(String description) {
this.description = description;
}
/**
* References for this vulnerability
*/
private Set<Reference> references = new HashSet<Reference>();
/**
* Get the value of references
*
* @return the value of references
*/
public Set<Reference> getReferences() {
return references;
}
/**
* Set the value of references
*
* @param references new value of references
*/
public void setReferences(Set<Reference> references) {
this.references = references;
}
/**
* Adds a reference to the references collection
*
* @param ref a reference for the vulnerability
*/
public void addReference(Reference ref) {
this.references.add(ref);
}
/**
* Adds a reference
* @param referenceSource the source of the reference
* @param referenceName the referenceName of the reference
* @param referenceUrl the url of the reference
*/
public void addReference(String referenceSource, String referenceName, String referenceUrl) {
Reference ref = new Reference();
ref.setSource(referenceSource);
ref.setName(referenceName);
ref.setUrl(referenceUrl);
this.references.add(ref);
}
/**
* a set of vulnerable software
*/
protected Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>();
/**
* Get the value of vulnerableSoftware
*
* @return the value of vulnerableSoftware
*/
public Set<VulnerableSoftware> getVulnerableSoftware() {
return vulnerableSoftware;
}
/**
* Set the value of vulnerableSoftware
*
* @param vulnerableSoftware new value of vulnerableSoftware
*/
public void setVulnerableSoftware(Set<VulnerableSoftware> vulnerableSoftware) {
this.vulnerableSoftware = vulnerableSoftware;
}
/**
* Adds an entry for vulnerable software
* @param cpe string representation of a CPE entry
* @return if the add succeeded
*/
public boolean addVulnerableSoftware(String cpe) {
return addVulnerableSoftware(cpe, null);
}
/**
* Adds an entry for vulnerable software
* @param cpe string representation of a cpe
* @param previousVersion the previous version (previousVersion - cpe would be considered vulnerable)
* @return if the add succeeded
*/
public boolean addVulnerableSoftware(String cpe, String previousVersion) {
VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe);
if (previousVersion != null) {
vs.setPreviousVersion(previousVersion);
}
return updateVulnerableSoftware(vs);
}
/**
* Adds or updates a vulnerable software entry
* @param vulnSoftware the vulnerable software
* @return if the update succeeded
*/
public boolean updateVulnerableSoftware(VulnerableSoftware vulnSoftware) {
if (vulnerableSoftware.contains(vulnSoftware)) {
vulnerableSoftware.remove(vulnSoftware);
}
return vulnerableSoftware.add(vulnSoftware);
}
/**
* The CWE for the vulnerability
*/
protected String cwe;
/**
* Get the value of cwe
*
* @return the value of cwe
*/
public String getCwe() {
return cwe;
}
/**
* Set the value of cwe
*
* @param cwe new value of cwe
*/
public void setCwe(String cwe) {
this.cwe = cwe;
}
/**
* CVSS Score
*/
protected float cvssScore;
/**
* Get the value of cvssScore
*
* @return the value of cvssScore
*/
public float getCvssScore() {
return cvssScore;
}
/**
* Set the value of cvssScore
*
* @param cvssScore new value of cvssScore
*/
public void setCvssScore(float cvssScore) {
this.cvssScore = cvssScore;
}
/**
* CVSS Access Vector
*/
protected String cvssAccessVector;
/**
* Get the value of cvssAccessVector
*
* @return the value of cvssAccessVector
*/
public String getCvssAccessVector() {
return cvssAccessVector;
}
/**
* Set the value of cvssAccessVector
*
* @param cvssAccessVector new value of cvssAccessVector
*/
public void setCvssAccessVector(String cvssAccessVector) {
this.cvssAccessVector = cvssAccessVector;
}
/**
* CVSS Access Complexity
*/
protected String cvssAccessComplexity;
/**
* Get the value of cvssAccessComplexity
*
* @return the value of cvssAccessComplexity
*/
public String getCvssAccessComplexity() {
return cvssAccessComplexity;
}
/**
* Set the value of cvssAccessComplexity
*
* @param cvssAccessComplexity new value of cvssAccessComplexity
*/
public void setCvssAccessComplexity(String cvssAccessComplexity) {
this.cvssAccessComplexity = cvssAccessComplexity;
}
/**
* CVSS Authentication
*/
protected String cvssAuthentication;
/**
* Get the value of cvssAuthentication
*
* @return the value of cvssAuthentication
*/
public String getCvssAuthentication() {
return cvssAuthentication;
}
/**
* Set the value of cvssAuthentication
*
* @param cvssAuthentication new value of cvssAuthentication
*/
public void setCvssAuthentication(String cvssAuthentication) {
this.cvssAuthentication = cvssAuthentication;
}
/**
* CVSS Confidentiality Impact
*/
protected String cvssConfidentialityImpact;
/**
* Get the value of cvssConfidentialityImpact
*
* @return the value of cvssConfidentialityImpact
*/
public String getCvssConfidentialityImpact() {
return cvssConfidentialityImpact;
}
/**
* Set the value of cvssConfidentialityImpact
*
* @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
*/
public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
this.cvssConfidentialityImpact = cvssConfidentialityImpact;
}
/**
* CVSS Integrity Impact
*/
protected String cvssIntegrityImpact;
/**
* Get the value of cvssIntegrityImpact
*
* @return the value of cvssIntegrityImpact
*/
public String getCvssIntegrityImpact() {
return cvssIntegrityImpact;
}
/**
* Set the value of cvssIntegrityImpact
*
* @param cvssIntegrityImpact new value of cvssIntegrityImpact
*/
public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
this.cvssIntegrityImpact = cvssIntegrityImpact;
}
/**
* CVSS Availability Impact
*/
protected String cvssAvailabilityImpact;
/**
* Get the value of cvssAvailabilityImpact
*
* @return the value of cvssAvailabilityImpact
*/
public String getCvssAvailabilityImpact() {
return cvssAvailabilityImpact;
}
/**
* Set the value of cvssAvailabilityImpact
*
* @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
*/
public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
this.cvssAvailabilityImpact = cvssAvailabilityImpact;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final Vulnerability other = (Vulnerability) obj;
if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) {
return false;
}
return true;
}
@Override
public int hashCode() {
int hash = 5;
hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
return hash;
}
/**
* Compares two vulnerabilities
*
* @param v a vulnerability to be compared
* @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than the specified vulnerability
*/
public int compareTo(Vulnerability v) {
return v.getName().compareTo(this.getName());
}
}


@@ -0,0 +1,40 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
import java.io.Serializable;
import java.util.Comparator;
/**
* Comparator for Vulnerability objects.
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable {
private static final long serialVersionUID = 1L;
/**
* Implements the comparison of vulnerabilities.
* @param o1 a vulnerability
* @param o2 a second vulnerability
* @return the comparison
*/
public int compare(Vulnerability o1, Vulnerability o2) {
return o2.getName().compareTo(o1.getName());
}
}
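Review bot: `compare` dereferences `o1.getName()` and `o2.getName()` unconditionally, yet `Vulnerability.equals` and `hashCode` in this same commit treat a null name as legal, so sorting a collection that contains such an entry would fail with a NullPointerException. The method is also missing `@Override`, and the reversed argument order (`o2` before `o1`) yields a descending sort that the Javadoc does not mention. I would add `@Override`, state the order in the Javadoc as `Orders vulnerabilities by name in descending (reverse natural) order; entries without a name sort last`, and guard the names before comparing, e.g. `if (o1.getName() == null) { return o2.getName() == null ? 0 : 1; }` followed by `if (o2.getName() == null) { return -1; }`.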


@@ -0,0 +1,104 @@
/*
* This file is part of DependencyCheck.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.cpe.Entry;
/**
* A record containing information about vulnerable software. This
* is referenced from a vulnerability.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class VulnerableSoftware extends Entry implements Serializable {
private static final long serialVersionUID = 307319490326651052L;
/**
* Parse a CPE entry from the cpe string representation
*
* @param cpe a cpe entry (e.g. cpe:/a:vendor:software:version)
*/
public void setCpe(String cpe) {
try {
parseName(cpe);
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.SEVERE, null, ex);
setName(cpe);
}
}
/**
* If present, indicates that previous version are vulnerable
*/
protected String previousVersion = null;
/**
* Indicates if previous versions of this software are vulnerable
*
* @return if previous versions of this software are vulnerable
*/
public boolean hasPreviousVersion() {
return previousVersion != null;
}
/**
* Get the value of previousVersion
*
* @return the value of previousVersion
*/
public String getPreviousVersion() {
return previousVersion;
}
/**
* Set the value of previousVersion
*
* @param previousVersion new value of previousVersion
*/
public void setPreviousVersion(String previousVersion) {
this.previousVersion = previousVersion;
}
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final VulnerableSoftware other = (VulnerableSoftware) obj;
if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) {
return false;
}
return true;
}
@Override
public int hashCode() {
int hash = 7;
hash = 83 * hash + (this.name != null ? this.name.hashCode() : 0);
return hash;
}
}
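Review bot: `setCpe` logs the `UnsupportedEncodingException` with a `null` message and then falls back to `setName(cpe)`, so a CPE string that could not be parsed is kept as a bare name while whatever `parseName` would otherwise populate is left unset, and neither the caller nor the log line gets any context. Since `equals` and `hashCode` further down compare only `name`, such a half-populated entry presumably still takes part in matching, so at minimum the log should carry the offending value, e.g. `log(Level.SEVERE, "Unable to parse CPE: " + cpe, ex)`, and the Javadoc should say that on failure the raw string is stored as the name. The per-call `Logger.getLogger(...)` could also become a `private static final Logger` field. The exclusion of `previousVersion` from `equals`/`hashCode` looks intentional given the remove-then-add in `Vulnerability.updateVulnerableSoftware`, so a one-line comment such as `// identity is the CPE name only; previousVersion is an attribute of the match, not part of equality` would keep the next reader from "fixing" it.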


@@ -0,0 +1,12 @@
/**
* <html>
* <head>
* <title>org.owasp.dependencycheck.dependency</title>
* </head>
* <body>
* Contains the core Dependency implementation.
* </body>
* </html>
*/
package org.owasp.dependencycheck.dependency;