Added CVSS Scores

Former-commit-id: 2feda15c4f42461b87a2a4e5941a32eb98a918de

README.txt

@@ -7,8 +7,8 @@ If found, it will generate a report linking to the associated CVE entries.
 Usage:
 $ mvn package
 $ cd target
-$ java -jar DependencyCheck-0.2.5.1.jar -h
+$ java -jar DependencyCheck-0.2.5.2.jar -h
-$ java -jar DependencyCheck-0.2.5.1.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
+$ java -jar DependencyCheck-0.2.5.2.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
 
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
 

pom.xml

@@ -23,7 +23,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
 
     <groupId>org.codesecure</groupId>
     <artifactId>DependencyCheck</artifactId>
-    <version>0.2.5.1</version>
+    <version>0.2.5.2</version>
     <packaging>jar</packaging>
 
     <name>DependencyCheck</name>

src/main/java/org/codesecure/dependencycheck/data/nvdcve/CveDB.java

@@ -76,8 +76,10 @@ public class CveDB {
     /**
      * SQL Statement to create the vulnerability table
      */
-    public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability "
+    public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
-            + "(cveid CHAR(13) PRIMARY KEY, description varchar(8000))";
+            + "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
+            + "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
+            + "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
     /**
      * SQL Statement to delete references by CVEID
      */
@@ -102,7 +104,9 @@ public class CveDB {
     /**
      * SQL Statement to insert a new vulnerability
      */
-    public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description) VALUES (?, ?)";
+    public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
+            + "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+            + "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
     /**
      * SQL Statement to find CVE entries based on CPE data
      */
@@ -119,7 +123,7 @@ public class CveDB {
     /**
      * SQL Statement to select a vulnerability by CVEID
      */
-    public static final String SELECT_VULNERABILITY = "SELECT cveid, description FROM vulnerability WHERE cveid = ?";
+    public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
     //</editor-fold>
 
     //<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
@@ -144,7 +148,7 @@ public class CveDB {
      */
     private CallableStatement insertSoftware = null;
     /**
-     * insert vulnerability - parameters (cveid, description)
+     * insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
      */
     private CallableStatement insertVulnerability = null;
     /**
@@ -269,6 +273,15 @@ public class CveDB {
                 vuln = new Vulnerability();
                 vuln.setName(cve);
                 vuln.setDescription(rsV.getString(2));
+                vuln.setCwe(rsV.getString(3));
+                vuln.setCvssScore(rsV.getFloat(4));
+                vuln.setCvssAccessVector(rsV.getString(5));
+                vuln.setCvssAccessComplexity(rsV.getString(6));
+                vuln.setCvssAuthentication(rsV.getString(7));
+                vuln.setCvssConfidentialityImpact(rsV.getString(8));
+                vuln.setCvssIntegrityImpact(rsV.getString(9));
+                vuln.setCvssAvailabilityImpact(rsV.getString(10));
+
                 selectReferences.setString(1, cve);
                 rsR = selectReferences.executeQuery();
                 while (rsR.next()) {
@@ -333,6 +346,14 @@ public class CveDB {
 
             insertVulnerability.setString(1, vuln.getName());
             insertVulnerability.setString(2, vuln.getDescription());
+            insertVulnerability.setString(3, vuln.getCwe());
+            insertVulnerability.setFloat(4, vuln.getCvssScore());
+            insertVulnerability.setString(5, vuln.getCvssAccessVector());
+            insertVulnerability.setString(6, vuln.getCvssAccessComplexity());
+            insertVulnerability.setString(7, vuln.getCvssAuthentication());
+            insertVulnerability.setString(8, vuln.getCvssConfidentialityImpact());
+            insertVulnerability.setString(9, vuln.getCvssIntegrityImpact());
+            insertVulnerability.setString(10, vuln.getCvssAvailabilityImpact());
             insertVulnerability.execute();
 
             insertReference.setString(1, vuln.getName());

src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java

@@ -77,7 +77,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
     /**
      * The current version of the database
      */
-    public static final String DATABASE_VERSION = "2.0";
+    public static final String DATABASE_VERSION = "2.1";
 
     /**
      * <p>Downloads the latest NVD CVE XML file from the web and imports it into

src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java

@@ -21,6 +21,8 @@ package org.codesecure.dependencycheck.data.nvdcve.xml;
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.apache.lucene.index.CorruptIndexException;
 import org.codesecure.dependencycheck.data.cpe.Index;
 import org.codesecure.dependencycheck.data.nvdcve.CveDB;
@@ -75,6 +77,22 @@ public class NvdCve20Handler extends DefaultHandler {
             if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
                 throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
             }
+        } else if (current.isVulnCWENode()) {
+            vulnerability.setCwe(attributes.getValue("id"));
+        } else if (current.isCVSSScoreNode()) {
+            nodeText = new StringBuilder(5);
+        } else if (current.isCVSSAccessVectorNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAccessComplexityNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAuthenticationNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAvailabilityImpactNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSConfidentialityImpactNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSIntegrityImpactNode()) {
+            nodeText = new StringBuilder(20);
         }
     }
 
@@ -101,6 +119,32 @@ public class NvdCve20Handler extends DefaultHandler {
                 }
             }
             vulnerability = null;
+        } else if (current.isCVSSScoreNode()) {
+            try {
+                float score = Float.parseFloat(nodeText.toString());
+                vulnerability.setCvssScore(score);
+            } catch (NumberFormatException ex) {
+                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
+            }
+            nodeText = null;
+        } else if (current.isCVSSAccessVectorNode()) {
+            vulnerability.setCvssAccessVector(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAccessComplexityNode()) {
+            vulnerability.setCvssAccessComplexity(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAuthenticationNode()) {
+            vulnerability.setCvssAuthentication(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAvailabilityImpactNode()) {
+            vulnerability.setCvssAvailabilityImpact(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSConfidentialityImpactNode()) {
+            vulnerability.setCvssConfidentialityImpact(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSIntegrityImpactNode()) {
+            vulnerability.setCvssIntegrityImpact(nodeText.toString());
+            nodeText = null;
         } else if (current.isVulnProductNode()) {
             String cpe = nodeText.toString();
             if (cpe.startsWith("cpe:/a:")) {
@@ -217,6 +261,40 @@ public class NvdCve20Handler extends DefaultHandler {
          * A node type in the NVD CVE Schema 2.0
          */
         public static final String VULN_SUMMARY = "vuln:summary";
+
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String VULN_CWE = "vuln:cwe";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_SCORE = "cvss:score";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_ACCESS_VECTOR = "cvss:access-vector";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_ACCESS_COMPLEXITY = "cvss:access-complexity";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_AUTHENTICATION = "cvss:authentication";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_CONFIDENTIALITY_IMPACT = "cvss:confidentiality-impact";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_INTEGRITY_IMPACT = "cvss:integrity-impact";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
+
         private String node = null;
 
         /**
@@ -299,6 +377,72 @@ public class NvdCve20Handler extends DefaultHandler {
         public boolean isVulnSummaryNode() {
             return VULN_SUMMARY.equals(node);
         }
+
+        /**
+         * Checks if the handler is at the VULN_CWE node
+         *
+         * @return true or false
+         */
+        public boolean isVulnCWENode() {
+            return VULN_CWE.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_SCORE node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSScoreNode() {
+            return CVSS_SCORE.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_ACCESS_VECTOR node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAccessVectorNode() {
+            return CVSS_ACCESS_VECTOR.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAccessComplexityNode() {
+            return CVSS_ACCESS_COMPLEXITY.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_AUTHENTICATION node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAuthenticationNode() {
+            return CVSS_AUTHENTICATION.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSConfidentialityImpactNode() {
+            return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSIntegrityImpactNode() {
+            return CVSS_INTEGRITY_IMPACT.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAvailabilityImpactNode() {
+            return CVSS_AVAILABILITY_IMPACT.equals(node);
+        }
+
     }
     // </editor-fold>
 }

src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java

@@ -142,7 +142,6 @@ public class Vulnerability implements Serializable {
         this.vulnerableSoftware = vulnerableSoftware;
     }
 
-
     /**
      * Adds an entry for vulnerable software
      * @param cpe string representation of a CPE entry
@@ -178,6 +177,182 @@ public class Vulnerability implements Serializable {
         }
         return vulnerableSoftware.add(vulnSoftware);
     }
+    /**
+     * The CWE for the vulnerability
+     */
+    protected String cwe;
+
+    /**
+     * Get the value of cwe
+     *
+     * @return the value of cwe
+     */
+    public String getCwe() {
+        return cwe;
+    }
+
+    /**
+     * Set the value of cwe
+     *
+     * @param cwe new value of cwe
+     */
+    public void setCwe(String cwe) {
+        this.cwe = cwe;
+    }
+    /**
+     * CVSS Score
+     */
+    protected float cvssScore;
+
+    /**
+     * Get the value of cvssScore
+     *
+     * @return the value of cvssScore
+     */
+    public float getCvssScore() {
+        return cvssScore;
+    }
+
+    /**
+     * Set the value of cvssScore
+     *
+     * @param cvssScore new value of cvssScore
+     */
+    public void setCvssScore(float cvssScore) {
+        this.cvssScore = cvssScore;
+    }
+    /**
+     * CVSS Access Vector
+     */
+    protected String cvssAccessVector;
+
+    /**
+     * Get the value of cvssAccessVector
+     *
+     * @return the value of cvssAccessVector
+     */
+    public String getCvssAccessVector() {
+        return cvssAccessVector;
+    }
+
+    /**
+     * Set the value of cvssAccessVector
+     *
+     * @param cvssAccessVector new value of cvssAccessVector
+     */
+    public void setCvssAccessVector(String cvssAccessVector) {
+        this.cvssAccessVector = cvssAccessVector;
+    }
+    /**
+     * CVSS Access Complexity
+     */
+    protected String cvssAccessComplexity;
+
+    /**
+     * Get the value of cvssAccessComplexity
+     *
+     * @return the value of cvssAccessComplexity
+     */
+    public String getCvssAccessComplexity() {
+        return cvssAccessComplexity;
+    }
+
+    /**
+     * Set the value of cvssAccessComplexity
+     *
+     * @param cvssAccessComplexity new value of cvssAccessComplexity
+     */
+    public void setCvssAccessComplexity(String cvssAccessComplexity) {
+        this.cvssAccessComplexity = cvssAccessComplexity;
+    }
+    /**
+     * CVSS Authentication
+     */
+    protected String cvssAuthentication;
+
+    /**
+     * Get the value of cvssAuthentication
+     *
+     * @return the value of cvssAuthentication
+     */
+    public String getCvssAuthentication() {
+        return cvssAuthentication;
+    }
+
+    /**
+     * Set the value of cvssAuthentication
+     *
+     * @param cvssAuthentication new value of cvssAuthentication
+     */
+    public void setCvssAuthentication(String cvssAuthentication) {
+        this.cvssAuthentication = cvssAuthentication;
+    }
+    /**
+     * CVSS Confidentiality Impact
+     */
+    protected String cvssConfidentialityImpact;
+
+    /**
+     * Get the value of cvssConfidentialityImpact
+     *
+     * @return the value of cvssConfidentialityImpact
+     */
+    public String getCvssConfidentialityImpact() {
+        return cvssConfidentialityImpact;
+    }
+
+    /**
+     * Set the value of cvssConfidentialityImpact
+     *
+     * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
+     */
+    public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
+        this.cvssConfidentialityImpact = cvssConfidentialityImpact;
+    }
+    /**
+     * CVSS Integrity Impact
+     */
+    protected String cvssIntegrityImpact;
+
+    /**
+     * Get the value of cvssIntegrityImpact
+     *
+     * @return the value of cvssIntegrityImpact
+     */
+    public String getCvssIntegrityImpact() {
+        return cvssIntegrityImpact;
+    }
+
+    /**
+     * Set the value of cvssIntegrityImpact
+     *
+     * @param cvssIntegrityImpact new value of cvssIntegrityImpact
+     */
+    public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
+        this.cvssIntegrityImpact = cvssIntegrityImpact;
+    }
+    /**
+     * CVSS Availability Impact
+     */
+    protected String cvssAvailabilityImpact;
+
+    /**
+     * Get the value of cvssAvailabilityImpact
+     *
+     * @return the value of cvssAvailabilityImpact
+     */
+    public String getCvssAvailabilityImpact() {
+        return cvssAvailabilityImpact;
+    }
+
+    /**
+     * Set the value of cvssAvailabilityImpact
+     *
+     * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
+     */
+    public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
+        this.cvssAvailabilityImpact = cvssAvailabilityImpact;
+    }
 
     @Override
     public boolean equals(Object obj) {

src/main/resources/templates/HtmlReport.vsl

@@ -385,6 +385,17 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <div id="content$cnt" class="subsectioncontent standardsubsection">
                         #foreach($vuln in $dependency.getVulnerabilities())
                             <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b></p>
+                            <p>Severity:
+                            #if ($vuln.cvssScore<4.0)
+                                Low
+                            #else
+                                #if ($vuln.cvssScore>=7.0)
+                                    High
+                                #else
+                                    Medium
+                                #end
+                            #end
+                            <br/>CVSS Score: $vuln.cvssScore</p>
                             <p>$esc.html($vuln.description)
                                 #if ($vuln.getReferences().size()>0)
                                     <ul>