Added CVSS Scores

Former-commit-id: 2feda15c4f42461b87a2a4e5941a32eb98a918de

README.txt

@@ -7,8 +7,8 @@ If found, it will generate a report linking to the associated CVE entries.
 Usage:
 $ mvn package
 $ cd target
-$ java -jar DependencyCheck-0.2.5.0.jar -h
+$ java -jar DependencyCheck-0.2.5.2.jar -h
-$ java -jar DependencyCheck-0.2.5.0.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
+$ java -jar DependencyCheck-0.2.5.2.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
 
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
 

pom.xml

@@ -23,7 +23,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
 
     <groupId>org.codesecure</groupId>
     <artifactId>DependencyCheck</artifactId>
-    <version>0.2.5.0</version>
+    <version>0.2.5.2</version>
     <packaging>jar</packaging>
 
     <name>DependencyCheck</name>
@@ -55,6 +55,15 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
         <system>github</system>
         <url>https://github.com/jeremylong/DependencyCheck/issues</url>
     </issueManagement>
+    <mailingLists>
+        <mailingList>
+            <name>Dependency Check</name>
+            <subscribe>dependency-check+subscribe@googlegroups.com</subscribe>
+            <unsubscribe>dependency-check+unsubscribe@googlegroups.com</unsubscribe>
+            <post>dependency-check@googlegroups.com</post>
+            <archive>https://groups.google.com/forum/?fromgroups#!forum/dependency-check</archive>
+        </mailingList>
+    </mailingLists>
     <licenses>
         <license>
             <name>GNU General Public License version 3</name>
@@ -257,7 +266,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
                             <reportSets>
                                 <reportSet>
                                     <reports>
-                                  <!--<report>mailing-list</report>-->
+                                        <report>mailing-list</report>
                                   <!--<report>cim</report>-->
                                         <report>index</report>
                                         <report>summary</report>
@@ -463,7 +472,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
         <!-- The following dependencies are only scanned during integration testing -->
         <!--<dependency>
             <groupId>org.springframework</groupId>
-            <artifactId>spring-beans</artifactId>
+            <artifactId>spring-webmvc</artifactId>
             <version>2.5.5</version>
             <scope>test</scope>
         </dependency>-->

src/main/java/org/codesecure/dependencycheck/Engine.java

@@ -19,9 +19,7 @@
 package org.codesecure.dependencycheck;
 
 import java.util.EnumMap;
-import org.codesecure.dependencycheck.dependency.Dependency;
 import java.io.File;
-import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -33,10 +31,10 @@ import org.codesecure.dependencycheck.analyzer.AnalysisException;
 import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
 import org.codesecure.dependencycheck.analyzer.Analyzer;
 import org.codesecure.dependencycheck.analyzer.AnalyzerService;
-import org.codesecure.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.codesecure.dependencycheck.data.CachedWebDataSource;
 import org.codesecure.dependencycheck.data.UpdateException;
 import org.codesecure.dependencycheck.data.UpdateService;
+import org.codesecure.dependencycheck.dependency.Dependency;
 import org.codesecure.dependencycheck.utils.FileUtils;
 
 /**
@@ -188,9 +186,9 @@ public class Engine {
      * Runs the analyzers against all of the dependencies.
      */
     public void analyzeDependencies() {
+        //phase one initilize
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             List<Analyzer> analyzerList = analyzers.get(phase);
-
             for (Analyzer a : analyzerList) {
                 try {
                     a.initialize();
@@ -204,41 +202,34 @@ public class Engine {
                     }
                     continue;
                 }
+            }
+        }
+
+        // analysis phases
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            List<Analyzer> analyzerList = analyzers.get(phase);
+
+            for (Analyzer a : analyzerList) {
                 for (Dependency d : dependencies) {
                     if (a.supportsExtension(d.getFileExtension())) {
                         try {
-                            if (a instanceof ArchiveAnalyzer) {
+                            a.analyze(d, this);
-                                ArchiveAnalyzer aa = (ArchiveAnalyzer) a;
-                                aa.analyze(d, this);
-                            } else {
-                                a.analyze(d);
-                            }
                         } catch (AnalysisException ex) {
                             d.addAnalysisException(ex);
-                        } catch (IOException ex) {
-                            String msg = String.format("IOException occured while analyzing the file '%s'.",
-                                    d.getActualFilePath());
-                            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg, ex);
                         }
                     }
                 }
-                try {
-                    a.close();
-                } catch (Exception ex) {
-                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex);
-                }
             }
         }
 
-        //Now cycle through all of the analyzers one last time to call
+        //close/cleanup
-        // cleanup on any archiveanalyzers. These should only exist in the
-        // initial phase, but we are going to be thourough just in case.
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             List<Analyzer> analyzerList = analyzers.get(phase);
             for (Analyzer a : analyzerList) {
-                if (a instanceof ArchiveAnalyzer) {
+                try {
-                    ArchiveAnalyzer aa = (ArchiveAnalyzer) a;
+                    a.close();
-                    aa.cleanup();
+                } catch (Exception ex) {
+                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex);
                 }
             }
         }

src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java

@@ -19,6 +19,7 @@
 package org.codesecure.dependencycheck.analyzer;
 
 import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.dependency.Dependency;
 
 /**
@@ -37,10 +38,12 @@ public interface Analyzer {
      * description or license information for the dependency it should be added.
      *
      * @param dependency a dependency to analyze.
+     * @param engine the engine that is scanning the dependencies - this is useful
+     * if we need to check other dependencies
      * @throws AnalysisException is thrown if there is an error analyzing the
      * dependency file
      */
-    void analyze(Dependency dependency) throws AnalysisException;
+    void analyze(Dependency dependency, Engine engine) throws AnalysisException;
 
     /**
      * <p>Returns a list of supported file extensions. An example would be an

src/main/java/org/codesecure/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -1,48 +0,0 @@
-/*
- * This file is part of DependencyCheck.
- *
- * DependencyCheck is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
- *
- * DependencyCheck is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.codesecure.dependencycheck.analyzer;
-
-import org.codesecure.dependencycheck.dependency.Dependency;
-import java.io.IOException;
-import org.codesecure.dependencycheck.Engine;
-
-/**
- * An interface that defines an Analyzer that is used to expand archives and
- * allow the engine to scan the contents.
- *
- * @author Jeremy Long (jeremy.long@gmail.com)
- */
-public interface ArchiveAnalyzer {
-
-    /**
-     * An ArchiveAnalyzer expands an archive and calls the scan method of the
-     * engine on the exploded contents.
-     *
-     * @param dependency a dependency to analyze.
-     * @param engine the engine that is scanning the dependencies.
-     * @throws IOException is thrown if there is an error reading the dependency
-     * file
-     */
-    void analyze(Dependency dependency, Engine engine) throws IOException;
-
-    /**
-     * Cleans any temporary files generated when analyzing the archive.
-     */
-    void cleanup();
-}

src/main/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -21,6 +21,7 @@ package org.codesecure.dependencycheck.analyzer;
 import org.codesecure.dependencycheck.dependency.Dependency;
 import org.codesecure.dependencycheck.dependency.Evidence;
 import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
 
 /**
  *
@@ -85,10 +86,11 @@ public class FileNameAnalyzer implements Analyzer {
      * Collects information about the file name.
      *
      * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException is thrown if there is an error reading the JAR
      * file.
      */
-    public void analyze(Dependency dependency) throws AnalysisException {
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
 
         String fileName = dependency.getFileName();
         int pos = fileName.lastIndexOf(".");

src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java

@@ -23,6 +23,7 @@ import java.io.FileInputStream;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.bind.JAXBException;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.dependency.Dependency;
 import org.codesecure.dependencycheck.dependency.Evidence;
 import org.codesecure.dependencycheck.dependency.EvidenceCollection;
@@ -54,7 +55,7 @@ import org.codesecure.dependencycheck.utils.NonClosingStream;
  *
  * @author Jeremy Long (jeremy.long@gmail.com)
  */
-public class JarAnalyzer extends AbstractAnalyzer {
+public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * The system independent newline character.
@@ -178,10 +179,11 @@ public class JarAnalyzer extends AbstractAnalyzer {
      * checksums to identify the correct CPE information.
      *
      * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException is thrown if there is an error reading the JAR
      * file.
      */
-    public void analyze(Dependency dependency) throws AnalysisException {
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             parseManifest(dependency);
             analyzePackageNames(dependency);

src/main/java/org/codesecure/dependencycheck/analyzer/SpringCleaningAnalyzer.java

@@ -0,0 +1,158 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.codesecure.dependencycheck.analyzer;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
+import org.codesecure.dependencycheck.dependency.Dependency;
+import org.codesecure.dependencycheck.dependency.Identifier;
+
+/**
+ * This analyzer ensures that the Spring Framework Core CPE identifiers are only associated
+ * with the "core" jar files. If there are other Spring JARs, such as spring-beans, and
+ * spring-core is in the scanned dependencies then only the spring-core will have a reference
+ * to the CPE values (if there are any for the version of spring being used).
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class SpringCleaningAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The set of file extensions supported by this analyzer.
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("jar");
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Jar Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    public Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by tihs
+     * analyzer.
+     */
+    public boolean supportsExtension(String extension) {
+        return EXTENSIONS.contains(extension);
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * The initialize method does nothing for this Analyzer
+     * @throws Exception never thrown by this analyzer
+     */
+    public void initialize() throws Exception {
+        //do nothing
+    }
+
+    /**
+     * The close method does nothing for this Analyzer
+     * @throws Exception never thrown by this analyzer
+     */
+    public void close() throws Exception {
+        //do nothing
+    }
+    private List<Identifier> springVersions = null;
+
+    /**
+     * Determines if several "spring" libraries were scanned and trimes the
+     * cpe:/a:springsource:spring_framework:[version] from the none "core" framework
+     * if the core framework was part of the scan.
+     *
+     * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
+     */
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+
+        collectSpringFrameworkIdentifiers(engine);
+
+        List<Identifier> identifiersToRemove = new ArrayList<Identifier>();
+        for (Identifier identifier : dependency.getIdentifiers()) {
+            if (springVersions.contains(identifier) && !isCoreFramework(dependency.getFileName())) {
+                identifiersToRemove.add(identifier);
+            }
+        }
+
+        for (Identifier i : identifiersToRemove) {
+            dependency.getIdentifiers().remove(i);
+        }
+    }
+
+    private void collectSpringFrameworkIdentifiers(Engine engine) {
+        //check to see if any of the libs are the core framework
+        if (springVersions == null) {
+            springVersions = new ArrayList<Identifier>();
+            for (Dependency d : engine.getDependencies()) {
+                if (supportsExtension(d.getFileExtension())) {
+                    for (Identifier i : d.getIdentifiers()) {
+                        if (isSpringFrameworkCpe(i)) {
+                            if (isCoreFramework(d.getFileName())) {
+                                springVersions.add(i);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    private boolean isSpringFrameworkCpe(Identifier identifier) {
+        return "cpe".equals(identifier.getType())
+                && identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:");
+    }
+
+    private boolean isCoreFramework(String filename) {
+        return filename.toLowerCase().matches("^spring([ _-]?core)?[ _-]?\\d.*");
+    }
+}

src/main/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzer.java

@@ -29,6 +29,7 @@ import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
 import org.apache.lucene.search.ScoreDoc;
 import org.apache.lucene.search.TopDocs;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.analyzer.AnalysisException;
 import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
 import org.codesecure.dependencycheck.data.lucene.LuceneUtils;
@@ -436,10 +437,11 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
      * identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze.
+     * @param engine The analysis engine
      * @throws AnalysisException is thrown if there is an issue analyzing the
      * dependency.
      */
-    public void analyze(Dependency dependency) throws AnalysisException {
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             determineCPE(dependency);
         } catch (CorruptIndexException ex) {

src/main/java/org/codesecure/dependencycheck/data/nvdcve/CveDB.java

@@ -76,8 +76,10 @@ public class CveDB {
     /**
      * SQL Statement to create the vulnerability table
      */
-    public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability "
+    public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
-            + "(cveid CHAR(13) PRIMARY KEY, description varchar(8000))";
+            + "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
+            + "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
+            + "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
     /**
      * SQL Statement to delete references by CVEID
      */
@@ -102,7 +104,9 @@ public class CveDB {
     /**
      * SQL Statement to insert a new vulnerability
      */
-    public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description) VALUES (?, ?)";
+    public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
+            + "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+            + "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
     /**
      * SQL Statement to find CVE entries based on CPE data
      */
@@ -119,7 +123,7 @@ public class CveDB {
     /**
      * SQL Statement to select a vulnerability by CVEID
      */
-    public static final String SELECT_VULNERABILITY = "SELECT cveid, description FROM vulnerability WHERE cveid = ?";
+    public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
     //</editor-fold>
 
     //<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
@@ -144,7 +148,7 @@ public class CveDB {
      */
     private CallableStatement insertSoftware = null;
     /**
-     * insert vulnerability - parameters (cveid, description)
+     * insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
      */
     private CallableStatement insertVulnerability = null;
     /**
@@ -269,6 +273,15 @@ public class CveDB {
                 vuln = new Vulnerability();
                 vuln.setName(cve);
                 vuln.setDescription(rsV.getString(2));
+                vuln.setCwe(rsV.getString(3));
+                vuln.setCvssScore(rsV.getFloat(4));
+                vuln.setCvssAccessVector(rsV.getString(5));
+                vuln.setCvssAccessComplexity(rsV.getString(6));
+                vuln.setCvssAuthentication(rsV.getString(7));
+                vuln.setCvssConfidentialityImpact(rsV.getString(8));
+                vuln.setCvssIntegrityImpact(rsV.getString(9));
+                vuln.setCvssAvailabilityImpact(rsV.getString(10));
+
                 selectReferences.setString(1, cve);
                 rsR = selectReferences.executeQuery();
                 while (rsR.next()) {
@@ -333,6 +346,14 @@ public class CveDB {
 
             insertVulnerability.setString(1, vuln.getName());
             insertVulnerability.setString(2, vuln.getDescription());
+            insertVulnerability.setString(3, vuln.getCwe());
+            insertVulnerability.setFloat(4, vuln.getCvssScore());
+            insertVulnerability.setString(5, vuln.getCvssAccessVector());
+            insertVulnerability.setString(6, vuln.getCvssAccessComplexity());
+            insertVulnerability.setString(7, vuln.getCvssAuthentication());
+            insertVulnerability.setString(8, vuln.getCvssConfidentialityImpact());
+            insertVulnerability.setString(9, vuln.getCvssIntegrityImpact());
+            insertVulnerability.setString(10, vuln.getCvssAvailabilityImpact());
             insertVulnerability.execute();
 
             insertReference.setString(1, vuln.getName());

src/main/java/org/codesecure/dependencycheck/data/nvdcve/NvdCveAnalyzer.java

@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.analyzer.AnalysisException;
 import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
 import org.codesecure.dependencycheck.dependency.Dependency;
@@ -92,11 +93,12 @@ public class NvdCveAnalyzer implements org.codesecure.dependencycheck.analyzer.A
      * Analyzes a dependency and attempts to determine if there are any CPE
      * identifiers for this dependency.
      *
-     * @param dependency The Dependency to analyze.
+     * @param dependency The Dependency to analyze
+     * @param engine The analysis engine
      * @throws AnalysisException is thrown if there is an issue analyzing the
-     * dependency.
+     * dependency
      */
-    public void analyze(Dependency dependency) throws AnalysisException {
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         for (Identifier id : dependency.getIdentifiers()) {
             if ("cpe".equals(id.getType())) {
                 try {

src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java

@@ -77,7 +77,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
     /**
      * The current version of the database
      */
-    public static final String DATABASE_VERSION = "2.0";
+    public static final String DATABASE_VERSION = "2.1";
 
     /**
      * <p>Downloads the latest NVD CVE XML file from the web and imports it into

src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java

@@ -21,6 +21,8 @@ package org.codesecure.dependencycheck.data.nvdcve.xml;
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.apache.lucene.index.CorruptIndexException;
 import org.codesecure.dependencycheck.data.cpe.Index;
 import org.codesecure.dependencycheck.data.nvdcve.CveDB;
@@ -75,6 +77,22 @@ public class NvdCve20Handler extends DefaultHandler {
             if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
                 throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
             }
+        } else if (current.isVulnCWENode()) {
+            vulnerability.setCwe(attributes.getValue("id"));
+        } else if (current.isCVSSScoreNode()) {
+            nodeText = new StringBuilder(5);
+        } else if (current.isCVSSAccessVectorNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAccessComplexityNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAuthenticationNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAvailabilityImpactNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSConfidentialityImpactNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSIntegrityImpactNode()) {
+            nodeText = new StringBuilder(20);
         }
     }
 
@@ -101,6 +119,32 @@ public class NvdCve20Handler extends DefaultHandler {
                 }
             }
             vulnerability = null;
+        } else if (current.isCVSSScoreNode()) {
+            try {
+                float score = Float.parseFloat(nodeText.toString());
+                vulnerability.setCvssScore(score);
+            } catch (NumberFormatException ex) {
+                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
+            }
+            nodeText = null;
+        } else if (current.isCVSSAccessVectorNode()) {
+            vulnerability.setCvssAccessVector(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAccessComplexityNode()) {
+            vulnerability.setCvssAccessComplexity(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAuthenticationNode()) {
+            vulnerability.setCvssAuthentication(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAvailabilityImpactNode()) {
+            vulnerability.setCvssAvailabilityImpact(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSConfidentialityImpactNode()) {
+            vulnerability.setCvssConfidentialityImpact(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSIntegrityImpactNode()) {
+            vulnerability.setCvssIntegrityImpact(nodeText.toString());
+            nodeText = null;
         } else if (current.isVulnProductNode()) {
             String cpe = nodeText.toString();
             if (cpe.startsWith("cpe:/a:")) {
@@ -217,6 +261,40 @@ public class NvdCve20Handler extends DefaultHandler {
          * A node type in the NVD CVE Schema 2.0
          */
         public static final String VULN_SUMMARY = "vuln:summary";
+
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String VULN_CWE = "vuln:cwe";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_SCORE = "cvss:score";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_ACCESS_VECTOR = "cvss:access-vector";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_ACCESS_COMPLEXITY = "cvss:access-complexity";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_AUTHENTICATION = "cvss:authentication";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_CONFIDENTIALITY_IMPACT = "cvss:confidentiality-impact";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_INTEGRITY_IMPACT = "cvss:integrity-impact";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
+
         private String node = null;
 
         /**
@@ -299,6 +377,72 @@ public class NvdCve20Handler extends DefaultHandler {
         public boolean isVulnSummaryNode() {
             return VULN_SUMMARY.equals(node);
         }
+
+        /**
+         * Checks if the handler is at the VULN_CWE node
+         *
+         * @return true or false
+         */
+        public boolean isVulnCWENode() {
+            return VULN_CWE.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_SCORE node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSScoreNode() {
+            return CVSS_SCORE.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_ACCESS_VECTOR node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAccessVectorNode() {
+            return CVSS_ACCESS_VECTOR.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAccessComplexityNode() {
+            return CVSS_ACCESS_COMPLEXITY.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_AUTHENTICATION node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAuthenticationNode() {
+            return CVSS_AUTHENTICATION.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSConfidentialityImpactNode() {
+            return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSIntegrityImpactNode() {
+            return CVSS_INTEGRITY_IMPACT.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAvailabilityImpactNode() {
+            return CVSS_AVAILABILITY_IMPACT.equals(node);
+        }
+
     }
     // </editor-fold>
 }

src/main/java/org/codesecure/dependencycheck/dependency/Identifier.java

@@ -138,4 +138,31 @@ public class Identifier {
     public void setDescription(String description) {
         this.description = description;
     }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final Identifier other = (Identifier) obj;
+        if ((this.value == null) ? (other.value != null) : !this.value.equals(other.value)) {
+            return false;
+        }
+        if ((this.type == null) ? (other.type != null) : !this.type.equals(other.type)) {
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 5;
+        hash = 53 * hash + (this.value != null ? this.value.hashCode() : 0);
+        hash = 53 * hash + (this.type != null ? this.type.hashCode() : 0);
+        return hash;
+    }
+
 }

src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java

@@ -142,7 +142,6 @@ public class Vulnerability implements Serializable {
         this.vulnerableSoftware = vulnerableSoftware;
     }
 
-
     /**
      * Adds an entry for vulnerable software
      * @param cpe string representation of a CPE entry
@@ -178,6 +177,182 @@ public class Vulnerability implements Serializable {
         }
         return vulnerableSoftware.add(vulnSoftware);
     }
+    /**
+     * The CWE for the vulnerability
+     */
+    protected String cwe;
+
+    /**
+     * Get the value of cwe
+     *
+     * @return the value of cwe
+     */
+    public String getCwe() {
+        return cwe;
+    }
+
+    /**
+     * Set the value of cwe
+     *
+     * @param cwe new value of cwe
+     */
+    public void setCwe(String cwe) {
+        this.cwe = cwe;
+    }
+    /**
+     * CVSS Score
+     */
+    protected float cvssScore;
+
+    /**
+     * Get the value of cvssScore
+     *
+     * @return the value of cvssScore
+     */
+    public float getCvssScore() {
+        return cvssScore;
+    }
+
+    /**
+     * Set the value of cvssScore
+     *
+     * @param cvssScore new value of cvssScore
+     */
+    public void setCvssScore(float cvssScore) {
+        this.cvssScore = cvssScore;
+    }
+    /**
+     * CVSS Access Vector
+     */
+    protected String cvssAccessVector;
+
+    /**
+     * Get the value of cvssAccessVector
+     *
+     * @return the value of cvssAccessVector
+     */
+    public String getCvssAccessVector() {
+        return cvssAccessVector;
+    }
+
+    /**
+     * Set the value of cvssAccessVector
+     *
+     * @param cvssAccessVector new value of cvssAccessVector
+     */
+    public void setCvssAccessVector(String cvssAccessVector) {
+        this.cvssAccessVector = cvssAccessVector;
+    }
+    /**
+     * CVSS Access Complexity
+     */
+    protected String cvssAccessComplexity;
+
+    /**
+     * Get the value of cvssAccessComplexity
+     *
+     * @return the value of cvssAccessComplexity
+     */
+    public String getCvssAccessComplexity() {
+        return cvssAccessComplexity;
+    }
+
+    /**
+     * Set the value of cvssAccessComplexity
+     *
+     * @param cvssAccessComplexity new value of cvssAccessComplexity
+     */
+    public void setCvssAccessComplexity(String cvssAccessComplexity) {
+        this.cvssAccessComplexity = cvssAccessComplexity;
+    }
+    /**
+     * CVSS Authentication
+     */
+    protected String cvssAuthentication;
+
+    /**
+     * Get the value of cvssAuthentication
+     *
+     * @return the value of cvssAuthentication
+     */
+    public String getCvssAuthentication() {
+        return cvssAuthentication;
+    }
+
+    /**
+     * Set the value of cvssAuthentication
+     *
+     * @param cvssAuthentication new value of cvssAuthentication
+     */
+    public void setCvssAuthentication(String cvssAuthentication) {
+        this.cvssAuthentication = cvssAuthentication;
+    }
+    /**
+     * CVSS Confidentiality Impact
+     */
+    protected String cvssConfidentialityImpact;
+
+    /**
+     * Get the value of cvssConfidentialityImpact
+     *
+     * @return the value of cvssConfidentialityImpact
+     */
+    public String getCvssConfidentialityImpact() {
+        return cvssConfidentialityImpact;
+    }
+
+    /**
+     * Set the value of cvssConfidentialityImpact
+     *
+     * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
+     */
+    public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
+        this.cvssConfidentialityImpact = cvssConfidentialityImpact;
+    }
+    /**
+     * CVSS Integrity Impact
+     */
+    protected String cvssIntegrityImpact;
+
+    /**
+     * Get the value of cvssIntegrityImpact
+     *
+     * @return the value of cvssIntegrityImpact
+     */
+    public String getCvssIntegrityImpact() {
+        return cvssIntegrityImpact;
+    }
+
+    /**
+     * Set the value of cvssIntegrityImpact
+     *
+     * @param cvssIntegrityImpact new value of cvssIntegrityImpact
+     */
+    public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
+        this.cvssIntegrityImpact = cvssIntegrityImpact;
+    }
+    /**
+     * CVSS Availability Impact
+     */
+    protected String cvssAvailabilityImpact;
+
+    /**
+     * Get the value of cvssAvailabilityImpact
+     *
+     * @return the value of cvssAvailabilityImpact
+     */
+    public String getCvssAvailabilityImpact() {
+        return cvssAvailabilityImpact;
+    }
+
+    /**
+     * Set the value of cvssAvailabilityImpact
+     *
+     * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
+     */
+    public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
+        this.cvssAvailabilityImpact = cvssAvailabilityImpact;
+    }
 
     @Override
     public boolean equals(Object obj) {

src/main/resources/META-INF/services/org.codesecure.dependencycheck.analyzer.Analyzer

@@ -1,4 +1,5 @@
 org.codesecure.dependencycheck.analyzer.JarAnalyzer
 org.codesecure.dependencycheck.analyzer.FileNameAnalyzer
+org.codesecure.dependencycheck.analyzer.SpringCleaningAnalyzer
 org.codesecure.dependencycheck.data.cpe.CPEAnalyzer
 org.codesecure.dependencycheck.data.nvdcve.NvdCveAnalyzer

src/main/resources/configuration/dependencycheck.properties

@@ -22,7 +22,7 @@ cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modifie
 # holds 8 days of updates, we are using 7 just to be safe.
 cve.url.modified.validfordays=7
 # the number of cve.urls
-cve.url.count=11
+cve.url.count=12
 # the paths to the various nvd cve files (schema version 2.0)
 cve.url-2.0.1=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml
 cve.url-2.0.2=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2003.xml
@@ -35,6 +35,7 @@ cve.url-2.0.8=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2009.xml
 cve.url-2.0.9=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2010.xml
 cve.url-2.0.10=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2011.xml
 cve.url-2.0.11=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2012.xml
+cve.url-2.0.12=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2013.xml
 
 # the paths to the various nvd cve files (schema version 1.2).
 cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
@@ -48,4 +49,5 @@ cve.url-1.2.7=http://nvd.nist.gov/download/nvdcve-2008.xml
 cve.url-1.2.8=http://nvd.nist.gov/download/nvdcve-2009.xml
 cve.url-1.2.9=http://nvd.nist.gov/download/nvdcve-2010.xml
 cve.url-1.2.10=http://nvd.nist.gov/download/nvdcve-2011.xml
-cve.url-1.2.11=http://nvd.nist.gov/download/nvdcve-2012.xml
+cve.url-1.2.11=http://nvd.nist.gov/download/nvdcve-2012.xml
+cve.url-1.2.12=http://nvd.nist.gov/download/nvdcve-2013.xml

src/main/resources/templates/HtmlReport.vsl

@@ -48,12 +48,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                         $(header).addClass("expandablesubsection");
                         $(header).removeClass("collaspablesubsection");
                     }
-                    
+
                 });
             });
         </script>
         <style type="text/css">
-            
+
             .rounded-corners {
                 -moz-border-radius: 20px;
                 -webkit-border-radius: 20px;
@@ -81,7 +81,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 /*background-image: url(img/minus.gif);*/
                 background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
                 background-repeat: no-repeat;
-                background-position: 98% 50%;  
+                background-position: 98% 50%;
                 -moz-border-radius-bottomleft:0px; /* bottom left corner */
                 -webkit-border-bottom-left-radius:0px; /* bottom left corner */
                 border-bottom-left-radius: 0px;
@@ -93,7 +93,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 border-bottom-left-radius: 0px;
                 border-bottom: 0px solid #ffffff;
             }
-                        
+
             .content {
                 margin-top:0px;
                 margin-left:20px;
@@ -102,7 +102,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 background: #ffffff;
                 padding: 20px;
             }
-            
+
             .sectionheader {
                 background-color: #cccccc;
                 margin-top: 20px;
@@ -148,12 +148,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 margin-right:20px;
                 margin-bottom:10px;
                 background: #ffffff;
-                
+
                 padding-top: 10px;
                 padding-bottom: 20px;
                 padding-left:20px;
                 padding-right:20px;
-                
+
                 border-top: 0px;
                 border-right: 1px solid #ccc;
                 border-left: 1px solid #ccc;
@@ -175,7 +175,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 border-bottom-right-radius: 15px;
                 border-bottom-left-radius: 15px;
             }
-            
+
             .subsectionheader {
                 background-color: #cccccc;
                 margin-top: 20px;
@@ -295,10 +295,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 </div>
                 <h2>Dependencies</h2>
                 #set($cnt=0)
-                #foreach($dependency in $dependencies) 
+                #foreach($dependency in $dependencies)
                     <h3 class="subsectionheader standardsubsection"><a name="$esc.html($dependency.FilePath)"></a>$esc.html($dependency.FileName)</h3>
                     <div class="subsectioncontent">
-                        #if ($dependency.description) 
+                        #if ($dependency.description)
                             <p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
                         #end
                         <p>
@@ -385,6 +385,17 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <div id="content$cnt" class="subsectioncontent standardsubsection">
                         #foreach($vuln in $dependency.getVulnerabilities())
                             <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b></p>
+                            <p>Severity:
+                            #if ($vuln.cvssScore<4.0)
+                                Low
+                            #else
+                                #if ($vuln.cvssScore>=7.0)
+                                    High
+                                #else
+                                    Medium
+                                #end
+                            #end
+                            <br/>CVSS Score: $vuln.cvssScore</p>
                             <p>$esc.html($vuln.description)
                                 #if ($vuln.getReferences().size()>0)
                                     <ul>
@@ -400,6 +411,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 </div>
                 #end
             </div>
-        </div>        
+        </div>
     </body>
 </html>

src/test/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzerTest.java

@@ -19,7 +19,7 @@ import static org.junit.Assert.*;
  * @author Jeremy Long (jeremy.long@gmail.com)
  */
 public class FileNameAnalyzerTest {
-    
+
     public FileNameAnalyzerTest() {
     }
 
@@ -30,11 +30,11 @@ public class FileNameAnalyzerTest {
     @AfterClass
     public static void tearDownClass() throws Exception {
     }
-    
+
     @Before
     public void setUp() {
     }
-    
+
     @After
     public void tearDown() {
     }
@@ -97,7 +97,7 @@ public class FileNameAnalyzerTest {
         File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         Dependency result = new Dependency(file);
         FileNameAnalyzer instance = new FileNameAnalyzer();
-        instance.analyze(result);
+        instance.analyze(result, null);
         assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("struts"));
     }
 
@@ -119,7 +119,7 @@ public class FileNameAnalyzerTest {
     public void testClose() {
         System.out.println("close");
         FileNameAnalyzer instance = new FileNameAnalyzer();
-        instance.close();        
+        instance.close();
         assertTrue(true); //close does nothing.
     }
 }

src/test/java/org/codesecure/dependencycheck/analyzer/JarAnalyzerTest.java

@@ -53,14 +53,14 @@ public class JarAnalyzerTest {
         File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         Dependency result = new Dependency(file);
         JarAnalyzer instance = new JarAnalyzer();
-        instance.analyze(result);
+        instance.analyze(result, null);
         assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
         assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
 
 
         file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
         result = new Dependency(file);
-        instance.analyze(result);
+        instance.analyze(result, null);
         boolean found = false;
         for (Evidence e : result.getProductEvidence()) {
             if (e.getName().equalsIgnoreCase("package-title")
@@ -93,7 +93,7 @@ public class JarAnalyzerTest {
 
         file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
         result = new Dependency(file);
-        instance.analyze(result);
+        instance.analyze(result, null);
         assertEquals("org.mortbar,jmx.jar has version evidence?", result.getVersionEvidence().size(), 0);
     }
 

src/test/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzerTest.java

@@ -97,11 +97,11 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         JarAnalyzer jarAnalyzer = new JarAnalyzer();
         Dependency depends = new Dependency(file);
-        jarAnalyzer.analyze(depends);
+        jarAnalyzer.analyze(depends, null);
 
         File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
         Dependency spring = new Dependency(fileSpring);
-        jarAnalyzer.analyze(spring);
+        jarAnalyzer.analyze(spring, null);
 
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();