mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-14 15:53:36 +01:00
Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
4dba00ad38 | ||
|
|
283acc5e30 | ||
|
|
cfece9499b | ||
|
|
276078a2e3 | ||
|
|
9e4b39988f | ||
|
|
9a9f03e730 | ||
|
|
d37ea348bf | ||
|
|
9478d5aea3 | ||
|
|
c2dbe4c821 | ||
|
|
41f631d1c0 |
@@ -7,8 +7,8 @@ If found, it will generate a report linking to the associated CVE entries.
|
||||
Usage:
|
||||
$ mvn package
|
||||
$ cd target
|
||||
$ java -jar DependencyCheck-0.2.5.1.jar -h
|
||||
$ java -jar DependencyCheck-0.2.5.1.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
|
||||
$ java -jar dependency-check-0.2.6.0.jar -h
|
||||
$ java -jar dependency-check-0.2.6.0.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
|
||||
|
||||
Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
|
||||
|
||||
|
||||
14
pom.xml
14
pom.xml
@@ -14,16 +14,15 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
|
||||
along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
|
||||
-->
|
||||
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>org.codesecure</groupId>
|
||||
<artifactId>DependencyCheck</artifactId>
|
||||
<version>0.2.5.1</version>
|
||||
<artifactId>dependency-check</artifactId>
|
||||
<version>0.2.6.0</version>
|
||||
<packaging>jar</packaging>
|
||||
|
||||
<name>DependencyCheck</name>
|
||||
@@ -50,7 +49,8 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
|
||||
<connection>scm:git:git@github.com:jeremylong/DependencyCheck.git</connection>
|
||||
<url>https://github.com/jeremylong/DependencyCheck.git</url>
|
||||
<developerConnection>scm:git:git@github.com:jeremylong/DependencyCheck.git</developerConnection>
|
||||
</scm>
|
||||
<tag>dependency-check-0.2.6.0</tag>
|
||||
</scm>
|
||||
<issueManagement>
|
||||
<system>github</system>
|
||||
<url>https://github.com/jeremylong/DependencyCheck/issues</url>
|
||||
@@ -110,7 +110,7 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses/>.
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.8.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012 Jeremy Long. All Rights Reserved.</bottom>
|
||||
<bottom>Copyright© 2012 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
|
||||
@@ -95,7 +95,7 @@ public class FileNameAnalyzer implements Analyzer {
|
||||
String fileName = dependency.getFileName();
|
||||
int pos = fileName.lastIndexOf(".");
|
||||
if (pos > 0) {
|
||||
fileName = fileName.substring(0, pos - 1);
|
||||
fileName = fileName.substring(0, pos);
|
||||
}
|
||||
|
||||
dependency.getProductEvidence().addEvidence("file", "name",
|
||||
|
||||
@@ -68,7 +68,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
/**
|
||||
* The phase that this analyzer is intended to run in.
|
||||
*/
|
||||
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL;
|
||||
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
|
||||
/**
|
||||
* A list of elements in the manifest to ignore.
|
||||
*/
|
||||
@@ -648,13 +648,21 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
}
|
||||
|
||||
private void addPredefinedData(Dependency dependency) {
|
||||
Evidence spring = new Evidence("Manifest",
|
||||
Evidence springTest1 = new Evidence("Manifest",
|
||||
"Implementation-Title",
|
||||
"Spring Framework",
|
||||
Evidence.Confidence.HIGH);
|
||||
|
||||
if (dependency.getProductEvidence().getEvidence().contains(spring)) {
|
||||
Evidence springTest2 = new Evidence("Manifest",
|
||||
"Implementation-Title",
|
||||
"org.springframework.core",
|
||||
Evidence.Confidence.HIGH);
|
||||
|
||||
Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
|
||||
if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
|
||||
dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -149,7 +149,8 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
|
||||
|
||||
private boolean isSpringFrameworkCpe(Identifier identifier) {
|
||||
return "cpe".equals(identifier.getType())
|
||||
&& identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:");
|
||||
&& (identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:")
|
||||
|| identifier.getValue().startsWith("cpe:/a:vmware:springsource_spring_framework"));
|
||||
}
|
||||
|
||||
private boolean isCoreFramework(String filename) {
|
||||
|
||||
@@ -144,7 +144,6 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
|
||||
for (Entry e : entries) {
|
||||
if (verifyEntry(e, dependency)) {
|
||||
found = true;
|
||||
|
||||
dependency.addIdentifier(
|
||||
"cpe",
|
||||
e.getName(),
|
||||
@@ -421,17 +420,24 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
|
||||
*/
|
||||
private boolean verifyEntry(final Entry entry, final Dependency dependency) {
|
||||
boolean isValid = false;
|
||||
if (dependency.getProductEvidence().containsUsedString(entry.getProduct())
|
||||
&& dependency.getVendorEvidence().containsUsedString(entry.getVendor())) {
|
||||
//TODO - determine if this is right? Should we be carrying too much about the
|
||||
// version at this point? Likely need to implement the versionAnalyzer....
|
||||
if (dependency.getVersionEvidence().containsUsedString(entry.getVersion())) {
|
||||
isValid = true;
|
||||
}
|
||||
|
||||
if (collectionContainsStrings(dependency.getProductEvidence(), entry.getProduct())
|
||||
&& collectionContainsStrings(dependency.getVendorEvidence(), entry.getVendor())
|
||||
&& collectionContainsStrings(dependency.getVersionEvidence(), entry.getVersion())) {
|
||||
isValid = true;
|
||||
}
|
||||
return isValid;
|
||||
}
|
||||
|
||||
private boolean collectionContainsStrings(EvidenceCollection ec, String text) {
|
||||
String[] words = text.split("[\\s_-]");
|
||||
boolean contains = true;
|
||||
for (String word : words) {
|
||||
contains &= ec.containsUsedString(word);
|
||||
}
|
||||
return contains;
|
||||
}
|
||||
|
||||
/**
|
||||
* Analyzes a dependency and attempts to determine if there are any CPE
|
||||
* identifiers for this dependency.
|
||||
|
||||
@@ -40,6 +40,8 @@ import org.codesecure.dependencycheck.data.lucene.AbstractIndex;
|
||||
import org.codesecure.dependencycheck.utils.Settings;
|
||||
import org.codesecure.dependencycheck.data.lucene.FieldAnalyzer;
|
||||
import org.codesecure.dependencycheck.data.lucene.SearchFieldAnalyzer;
|
||||
import org.codesecure.dependencycheck.data.lucene.SearchVersionAnalyzer;
|
||||
import org.codesecure.dependencycheck.data.lucene.VersionAnalyzer;
|
||||
|
||||
/**
|
||||
* The Index class is used to utilize and maintain the CPE Index.
|
||||
@@ -97,7 +99,8 @@ public class Index extends AbstractIndex {
|
||||
public Analyzer createIndexingAnalyzer() {
|
||||
Map fieldAnalyzers = new HashMap();
|
||||
|
||||
fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
|
||||
//fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
|
||||
fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40));
|
||||
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
|
||||
|
||||
PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
|
||||
@@ -117,8 +120,9 @@ public class Index extends AbstractIndex {
|
||||
public Analyzer createSearchingAnalyzer() {
|
||||
Map fieldAnalyzers = new HashMap();
|
||||
|
||||
fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
|
||||
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
|
||||
//fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
|
||||
fieldAnalyzers.put(Fields.VERSION, new SearchVersionAnalyzer(Version.LUCENE_40));
|
||||
productSearchFieldAnalyzer = new SearchFieldAnalyzer(Version.LUCENE_40);
|
||||
vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(Version.LUCENE_40);
|
||||
fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
|
||||
|
||||
@@ -0,0 +1,75 @@
|
||||
/*
|
||||
* This file is part of DependencyCheck.
|
||||
*
|
||||
* DependencyCheck is free software: you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the Free
|
||||
* Software Foundation, either version 3 of the License, or (at your option) any
|
||||
* later version.
|
||||
*
|
||||
* DependencyCheck is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.codesecure.dependencycheck.data.cwe;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.util.HashMap;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
public class CweDB {
|
||||
|
||||
private CweDB() {
|
||||
//empty contructor for utility class
|
||||
}
|
||||
private static final HashMap<String, String> CWE = loadData();
|
||||
|
||||
private static HashMap<String, String> loadData() {
|
||||
ObjectInputStream oin = null;
|
||||
try {
|
||||
String filePath = "data/cwe.hashmap.serialized";
|
||||
InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
|
||||
oin = new ObjectInputStream(input);
|
||||
@SuppressWarnings("unchecked")
|
||||
HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
|
||||
return data;
|
||||
} catch (ClassNotFoundException ex) {
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
} finally {
|
||||
if (oin != null) {
|
||||
try {
|
||||
oin.close();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>Returns the full CWE name from the CWE ID.</p>
|
||||
* @param cweId te CWE ID
|
||||
* @return the full name of the CWE
|
||||
*/
|
||||
public static String getCweName(String cweId) {
|
||||
if (cweId != null) {
|
||||
return CWE.get(cweId);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,52 @@
|
||||
/*
|
||||
* This file is part of DependencyCheck.
|
||||
*
|
||||
* DependencyCheck is free software: you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the Free
|
||||
* Software Foundation, either version 3 of the License, or (at your option) any
|
||||
* later version.
|
||||
*
|
||||
* DependencyCheck is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.codesecure.dependencycheck.data.cwe;
|
||||
|
||||
import java.util.HashMap;
|
||||
import org.xml.sax.Attributes;
|
||||
import org.xml.sax.SAXException;
|
||||
import org.xml.sax.helpers.DefaultHandler;
|
||||
|
||||
/**
|
||||
* A SAX Handler that will parse the CWE XML.
|
||||
*
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
public class CweHandler extends DefaultHandler {
|
||||
|
||||
private HashMap<String, String> cwe = new HashMap<String, String>();
|
||||
|
||||
/**
|
||||
* Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
|
||||
* @return a HashMap of CWE entries <String, String>
|
||||
*/
|
||||
public HashMap<String, String> getCwe() {
|
||||
return cwe;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
|
||||
|
||||
if ("Weakness".equals(qName) || "Category".equals(qName)) {
|
||||
String id = "CWE-" + attributes.getValue("ID");
|
||||
String name = attributes.getValue("Name");
|
||||
cwe.put(id, name);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
/**
|
||||
* <html>
|
||||
* <head>
|
||||
* <title>org.codesecure.dependencycheck.data.cwe</title>
|
||||
* </head>
|
||||
* <body>
|
||||
* Contains classes for working with the CWE Database.
|
||||
* </body>
|
||||
* </html>
|
||||
*/
|
||||
|
||||
package org.codesecure.dependencycheck.data.cwe;
|
||||
@@ -0,0 +1,70 @@
|
||||
/*
|
||||
* This file is part of DependencyCheck.
|
||||
*
|
||||
* DependencyCheck is free software: you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the Free
|
||||
* Software Foundation, either version 3 of the License, or (at your option) any
|
||||
* later version.
|
||||
*
|
||||
* DependencyCheck is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.codesecure.dependencycheck.data.lucene;
|
||||
|
||||
import java.io.Reader;
|
||||
import org.apache.lucene.analysis.Analyzer;
|
||||
import org.apache.lucene.analysis.TokenStream;
|
||||
import org.apache.lucene.analysis.Tokenizer;
|
||||
import org.apache.lucene.analysis.core.LowerCaseFilter;
|
||||
import org.apache.lucene.analysis.core.WhitespaceTokenizer;
|
||||
import org.apache.lucene.util.Version;
|
||||
|
||||
/**
|
||||
* SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
|
||||
*
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
public class SearchVersionAnalyzer extends Analyzer {
|
||||
//TODO consider implementing payloads/custom attributes...
|
||||
// use custom attributes for major, minor, x, x, x, rcx
|
||||
// these can then be used to weight the score for searches on the version.
|
||||
// see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
|
||||
// look at this article to implement
|
||||
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
|
||||
|
||||
/**
|
||||
* The Lucene Version used
|
||||
*/
|
||||
private Version version = null;
|
||||
|
||||
/**
|
||||
* Creates a new SearchVersionAnalyzer
|
||||
* @param version the Lucene version
|
||||
*/
|
||||
public SearchVersionAnalyzer(Version version) {
|
||||
this.version = version;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates the TokenStreamComponents
|
||||
*
|
||||
* @param fieldName the field name being analyzed
|
||||
* @param reader the reader containing the input
|
||||
* @return the TokenStreamComponents
|
||||
*/
|
||||
@Override
|
||||
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
|
||||
Tokenizer source = new WhitespaceTokenizer(version, reader);
|
||||
TokenStream stream = source;
|
||||
stream = new LowerCaseFilter(version, stream);
|
||||
stream = new VersionTokenizingFilter(stream);
|
||||
return new TokenStreamComponents(source, stream);
|
||||
}
|
||||
}
|
||||
@@ -18,16 +18,52 @@
|
||||
*/
|
||||
package org.codesecure.dependencycheck.data.lucene;
|
||||
|
||||
import java.io.Reader;
|
||||
import org.apache.lucene.analysis.Analyzer;
|
||||
import org.apache.lucene.analysis.TokenStream;
|
||||
import org.apache.lucene.analysis.Tokenizer;
|
||||
import org.apache.lucene.analysis.core.LowerCaseFilter;
|
||||
import org.apache.lucene.analysis.core.WhitespaceTokenizer;
|
||||
import org.apache.lucene.util.Version;
|
||||
|
||||
/**
|
||||
* VersionAnalyzer is a Lucene Analyzer used to analyze version information.
|
||||
*
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
public class VersionAnalyzer {
|
||||
//TODO Implement this...
|
||||
public class VersionAnalyzer extends Analyzer {
|
||||
//TODO consider implementing payloads/custom attributes...
|
||||
// use custom attributes for major, minor, x, x, x, rcx
|
||||
// these can then be used to weight the score for searches on the version.
|
||||
// see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
|
||||
// look at this article to implement
|
||||
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
|
||||
|
||||
/**
|
||||
* The Lucene Version used
|
||||
*/
|
||||
private Version version = null;
|
||||
|
||||
/**
|
||||
* Creates a new VersionAnalyzer
|
||||
* @param version the Lucene version
|
||||
*/
|
||||
public VersionAnalyzer(Version version) {
|
||||
this.version = version;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates the TokenStreamComponents
|
||||
*
|
||||
* @param fieldName the field name being analyzed
|
||||
* @param reader the reader containing the input
|
||||
* @return the TokenStreamComponents
|
||||
*/
|
||||
@Override
|
||||
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
|
||||
Tokenizer source = new WhitespaceTokenizer(version, reader);
|
||||
TokenStream stream = source;
|
||||
stream = new LowerCaseFilter(version, stream);
|
||||
return new TokenStreamComponents(source, stream);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,100 @@
|
||||
/*
|
||||
* This file is part of DependencyCheck.
|
||||
*
|
||||
* DependencyCheck is free software: you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the Free
|
||||
* Software Foundation, either version 3 of the License, or (at your option) any
|
||||
* later version.
|
||||
*
|
||||
* DependencyCheck is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.codesecure.dependencycheck.data.lucene;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.LinkedList;
|
||||
import org.apache.lucene.analysis.TokenFilter;
|
||||
import org.apache.lucene.analysis.TokenStream;
|
||||
import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
|
||||
|
||||
/**
|
||||
* <p>Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
|
||||
* <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
|
||||
*
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
public final class VersionTokenizingFilter extends TokenFilter {
|
||||
|
||||
private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
|
||||
/**
|
||||
* A collection of tokens to add to the stream.
|
||||
*/
|
||||
protected LinkedList<String> tokens = null;
|
||||
|
||||
/**
|
||||
* Consructs a new VersionTokenizingFilter
|
||||
* @param stream the TokenStream that this filter will process
|
||||
*/
|
||||
public VersionTokenizingFilter(TokenStream stream) {
|
||||
super(stream);
|
||||
tokens = new LinkedList<String>();
|
||||
}
|
||||
|
||||
/**
|
||||
* Increments the underlying TokenStream and sets CharTermAtttributes to
|
||||
* construct an expanded set of tokens by concatenting tokens with the
|
||||
* previous token.
|
||||
*
|
||||
* @return whether or not we have hit the end of the TokenStream
|
||||
* @throws IOException is thrown when an IOException occurs
|
||||
*/
|
||||
@Override
|
||||
public boolean incrementToken() throws IOException {
|
||||
if (tokens.size() == 0 && input.incrementToken()) {
|
||||
String version = new String(termAtt.buffer(), 0, termAtt.length());
|
||||
analyzeVersion(version);
|
||||
}
|
||||
return addTerm();
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a term, if one exists, from the tokens collection..
|
||||
* @return
|
||||
*/
|
||||
private boolean addTerm() {
|
||||
boolean termAdded = tokens.size() > 0;
|
||||
if (termAdded) {
|
||||
String version = tokens.pop();
|
||||
clearAttributes();
|
||||
termAtt.append(version);
|
||||
}
|
||||
return termAdded;
|
||||
}
|
||||
|
||||
//major.minor[.maintenance[.build]]
|
||||
private void analyzeVersion(String version) {
|
||||
//todo should we also be splitting on dash or underscore? we would need
|
||||
// to incorporate the dash or underscore back in...
|
||||
String[] versionParts = version.split("\\.");
|
||||
String dottedVersion = null;
|
||||
for (int x = 0; x < versionParts.length; x++) {
|
||||
String current = versionParts[x];
|
||||
if (!current.matches("^/d+$")) {
|
||||
tokens.add(current);
|
||||
}
|
||||
if (dottedVersion == null) {
|
||||
dottedVersion = current;
|
||||
} else {
|
||||
dottedVersion = dottedVersion + "." + current;
|
||||
}
|
||||
tokens.add(dottedVersion);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -33,6 +33,7 @@ import java.util.List;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.codesecure.dependencycheck.data.cpe.Entry;
|
||||
import org.codesecure.dependencycheck.data.cwe.CweDB;
|
||||
import org.codesecure.dependencycheck.dependency.Reference;
|
||||
import org.codesecure.dependencycheck.dependency.Vulnerability;
|
||||
import org.codesecure.dependencycheck.dependency.VulnerableSoftware;
|
||||
@@ -46,7 +47,6 @@ import org.codesecure.dependencycheck.utils.Settings;
|
||||
public class CveDB {
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Constants to create, maintain, and retrieve data from the CVE Database">
|
||||
|
||||
/**
|
||||
* SQL Statement to create an index on the reference table
|
||||
*/
|
||||
@@ -76,8 +76,10 @@ public class CveDB {
|
||||
/**
|
||||
* SQL Statement to create the vulnerability table
|
||||
*/
|
||||
public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability "
|
||||
+ "(cveid CHAR(13) PRIMARY KEY, description varchar(8000))";
|
||||
public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
|
||||
+ "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
|
||||
+ "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
|
||||
+ "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
|
||||
/**
|
||||
* SQL Statement to delete references by CVEID
|
||||
*/
|
||||
@@ -102,7 +104,9 @@ public class CveDB {
|
||||
/**
|
||||
* SQL Statement to insert a new vulnerability
|
||||
*/
|
||||
public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description) VALUES (?, ?)";
|
||||
public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
|
||||
+ "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
|
||||
+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
|
||||
/**
|
||||
* SQL Statement to find CVE entries based on CPE data
|
||||
*/
|
||||
@@ -119,9 +123,9 @@ public class CveDB {
|
||||
/**
|
||||
* SQL Statement to select a vulnerability by CVEID
|
||||
*/
|
||||
public static final String SELECT_VULNERABILITY = "SELECT cveid, description FROM vulnerability WHERE cveid = ?";
|
||||
public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, "
|
||||
+ "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
|
||||
//</editor-fold>
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
|
||||
/**
|
||||
* delete reference - parameters (cveid)
|
||||
@@ -144,7 +148,8 @@ public class CveDB {
|
||||
*/
|
||||
private CallableStatement insertSoftware = null;
|
||||
/**
|
||||
* insert vulnerability - parameters (cveid, description)
|
||||
* insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector,
|
||||
* cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
|
||||
*/
|
||||
private CallableStatement insertVulnerability = null;
|
||||
/**
|
||||
@@ -164,7 +169,6 @@ public class CveDB {
|
||||
*/
|
||||
private CallableStatement selectSoftware = null;
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Database connection
|
||||
*/
|
||||
@@ -269,6 +273,22 @@ public class CveDB {
|
||||
vuln = new Vulnerability();
|
||||
vuln.setName(cve);
|
||||
vuln.setDescription(rsV.getString(2));
|
||||
String cwe = rsV.getString(3);
|
||||
if (cwe != null) {
|
||||
String name = CweDB.getCweName(cwe);
|
||||
if (name != null) {
|
||||
cwe += " " + name;
|
||||
}
|
||||
}
|
||||
vuln.setCwe(cwe);
|
||||
vuln.setCvssScore(rsV.getFloat(4));
|
||||
vuln.setCvssAccessVector(rsV.getString(5));
|
||||
vuln.setCvssAccessComplexity(rsV.getString(6));
|
||||
vuln.setCvssAuthentication(rsV.getString(7));
|
||||
vuln.setCvssConfidentialityImpact(rsV.getString(8));
|
||||
vuln.setCvssIntegrityImpact(rsV.getString(9));
|
||||
vuln.setCvssAvailabilityImpact(rsV.getString(10));
|
||||
|
||||
selectReferences.setString(1, cve);
|
||||
rsR = selectReferences.executeQuery();
|
||||
while (rsR.next()) {
|
||||
@@ -333,6 +353,14 @@ public class CveDB {
|
||||
|
||||
insertVulnerability.setString(1, vuln.getName());
|
||||
insertVulnerability.setString(2, vuln.getDescription());
|
||||
insertVulnerability.setString(3, vuln.getCwe());
|
||||
insertVulnerability.setFloat(4, vuln.getCvssScore());
|
||||
insertVulnerability.setString(5, vuln.getCvssAccessVector());
|
||||
insertVulnerability.setString(6, vuln.getCvssAccessComplexity());
|
||||
insertVulnerability.setString(7, vuln.getCvssAuthentication());
|
||||
insertVulnerability.setString(8, vuln.getCvssConfidentialityImpact());
|
||||
insertVulnerability.setString(9, vuln.getCvssIntegrityImpact());
|
||||
insertVulnerability.setString(10, vuln.getCvssAvailabilityImpact());
|
||||
insertVulnerability.execute();
|
||||
|
||||
insertReference.setString(1, vuln.getName());
|
||||
|
||||
@@ -77,7 +77,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
|
||||
/**
|
||||
* The current version of the database
|
||||
*/
|
||||
public static final String DATABASE_VERSION = "2.0";
|
||||
public static final String DATABASE_VERSION = "2.2";
|
||||
|
||||
/**
|
||||
* <p>Downloads the latest NVD CVE XML file from the web and imports it into
|
||||
|
||||
@@ -21,6 +21,8 @@ package org.codesecure.dependencycheck.data.nvdcve.xml;
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.lucene.index.CorruptIndexException;
|
||||
import org.codesecure.dependencycheck.data.cpe.Index;
|
||||
import org.codesecure.dependencycheck.data.nvdcve.CveDB;
|
||||
@@ -75,6 +77,22 @@ public class NvdCve20Handler extends DefaultHandler {
|
||||
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
|
||||
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
|
||||
}
|
||||
} else if (current.isVulnCWENode()) {
|
||||
vulnerability.setCwe(attributes.getValue("id"));
|
||||
} else if (current.isCVSSScoreNode()) {
|
||||
nodeText = new StringBuilder(5);
|
||||
} else if (current.isCVSSAccessVectorNode()) {
|
||||
nodeText = new StringBuilder(20);
|
||||
} else if (current.isCVSSAccessComplexityNode()) {
|
||||
nodeText = new StringBuilder(20);
|
||||
} else if (current.isCVSSAuthenticationNode()) {
|
||||
nodeText = new StringBuilder(20);
|
||||
} else if (current.isCVSSAvailabilityImpactNode()) {
|
||||
nodeText = new StringBuilder(20);
|
||||
} else if (current.isCVSSConfidentialityImpactNode()) {
|
||||
nodeText = new StringBuilder(20);
|
||||
} else if (current.isCVSSIntegrityImpactNode()) {
|
||||
nodeText = new StringBuilder(20);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -101,6 +119,32 @@ public class NvdCve20Handler extends DefaultHandler {
|
||||
}
|
||||
}
|
||||
vulnerability = null;
|
||||
} else if (current.isCVSSScoreNode()) {
|
||||
try {
|
||||
float score = Float.parseFloat(nodeText.toString());
|
||||
vulnerability.setCvssScore(score);
|
||||
} catch (NumberFormatException ex) {
|
||||
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
|
||||
}
|
||||
nodeText = null;
|
||||
} else if (current.isCVSSAccessVectorNode()) {
|
||||
vulnerability.setCvssAccessVector(nodeText.toString());
|
||||
nodeText = null;
|
||||
} else if (current.isCVSSAccessComplexityNode()) {
|
||||
vulnerability.setCvssAccessComplexity(nodeText.toString());
|
||||
nodeText = null;
|
||||
} else if (current.isCVSSAuthenticationNode()) {
|
||||
vulnerability.setCvssAuthentication(nodeText.toString());
|
||||
nodeText = null;
|
||||
} else if (current.isCVSSAvailabilityImpactNode()) {
|
||||
vulnerability.setCvssAvailabilityImpact(nodeText.toString());
|
||||
nodeText = null;
|
||||
} else if (current.isCVSSConfidentialityImpactNode()) {
|
||||
vulnerability.setCvssConfidentialityImpact(nodeText.toString());
|
||||
nodeText = null;
|
||||
} else if (current.isCVSSIntegrityImpactNode()) {
|
||||
vulnerability.setCvssIntegrityImpact(nodeText.toString());
|
||||
nodeText = null;
|
||||
} else if (current.isVulnProductNode()) {
|
||||
String cpe = nodeText.toString();
|
||||
if (cpe.startsWith("cpe:/a:")) {
|
||||
@@ -217,6 +261,40 @@ public class NvdCve20Handler extends DefaultHandler {
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String VULN_SUMMARY = "vuln:summary";
|
||||
|
||||
/**
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String VULN_CWE = "vuln:cwe";
|
||||
/**
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String CVSS_SCORE = "cvss:score";
|
||||
/**
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String CVSS_ACCESS_VECTOR = "cvss:access-vector";
|
||||
/**
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String CVSS_ACCESS_COMPLEXITY = "cvss:access-complexity";
|
||||
/**
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String CVSS_AUTHENTICATION = "cvss:authentication";
|
||||
/**
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String CVSS_CONFIDENTIALITY_IMPACT = "cvss:confidentiality-impact";
|
||||
/**
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String CVSS_INTEGRITY_IMPACT = "cvss:integrity-impact";
|
||||
/**
|
||||
* A node type in the NVD CVE Schema 2.0
|
||||
*/
|
||||
public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
|
||||
|
||||
private String node = null;
|
||||
|
||||
/**
|
||||
@@ -299,6 +377,72 @@ public class NvdCve20Handler extends DefaultHandler {
|
||||
public boolean isVulnSummaryNode() {
|
||||
return VULN_SUMMARY.equals(node);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the handler is at the VULN_CWE node
|
||||
*
|
||||
* @return true or false
|
||||
*/
|
||||
public boolean isVulnCWENode() {
|
||||
return VULN_CWE.equals(node);
|
||||
}
|
||||
/**
|
||||
* Checks if the handler is at the CVSS_SCORE node
|
||||
*
|
||||
* @return true or false
|
||||
*/
|
||||
public boolean isCVSSScoreNode() {
|
||||
return CVSS_SCORE.equals(node);
|
||||
}
|
||||
/**
|
||||
* Checks if the handler is at the CVSS_ACCESS_VECTOR node
|
||||
*
|
||||
* @return true or false
|
||||
*/
|
||||
public boolean isCVSSAccessVectorNode() {
|
||||
return CVSS_ACCESS_VECTOR.equals(node);
|
||||
}
|
||||
/**
|
||||
* Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
|
||||
*
|
||||
* @return true or false
|
||||
*/
|
||||
public boolean isCVSSAccessComplexityNode() {
|
||||
return CVSS_ACCESS_COMPLEXITY.equals(node);
|
||||
}
|
||||
/**
|
||||
* Checks if the handler is at the CVSS_AUTHENTICATION node
|
||||
*
|
||||
* @return true or false
|
||||
*/
|
||||
public boolean isCVSSAuthenticationNode() {
|
||||
return CVSS_AUTHENTICATION.equals(node);
|
||||
}
|
||||
/**
|
||||
* Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
|
||||
*
|
||||
* @return true or false
|
||||
*/
|
||||
public boolean isCVSSConfidentialityImpactNode() {
|
||||
return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
|
||||
}
|
||||
/**
|
||||
* Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
|
||||
*
|
||||
* @return true or false
|
||||
*/
|
||||
public boolean isCVSSIntegrityImpactNode() {
|
||||
return CVSS_INTEGRITY_IMPACT.equals(node);
|
||||
}
|
||||
/**
|
||||
* Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
|
||||
*
|
||||
* @return true or false
|
||||
*/
|
||||
public boolean isCVSSAvailabilityImpactNode() {
|
||||
return CVSS_AVAILABILITY_IMPACT.equals(node);
|
||||
}
|
||||
|
||||
}
|
||||
// </editor-fold>
|
||||
}
|
||||
|
||||
@@ -23,6 +23,9 @@ import java.io.IOException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.SortedSet;
|
||||
import java.util.TreeSet;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.codesecure.dependencycheck.utils.Checksum;
|
||||
@@ -87,7 +90,7 @@ public class Dependency {
|
||||
productEvidence = new EvidenceCollection();
|
||||
versionEvidence = new EvidenceCollection();
|
||||
identifiers = new ArrayList<Identifier>();
|
||||
vulnerabilities = new ArrayList<Vulnerability>();
|
||||
vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -366,7 +369,8 @@ public class Dependency {
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the specified string was used when searching.
|
||||
* Determines if the specified string was used when searching. This is
|
||||
* currently only used in test.
|
||||
*
|
||||
* @param str is the string that is being checked if it was used.
|
||||
* @return true or false.
|
||||
@@ -390,14 +394,14 @@ public class Dependency {
|
||||
/**
|
||||
* A list of vulnerabilities for this dependency
|
||||
*/
|
||||
private List<Vulnerability> vulnerabilities;
|
||||
private SortedSet<Vulnerability> vulnerabilities;
|
||||
|
||||
/**
|
||||
* Get the list of vulnerabilities
|
||||
*
|
||||
* @return the list of vulnerabilities
|
||||
*/
|
||||
public List<Vulnerability> getVulnerabilities() {
|
||||
public Set<Vulnerability> getVulnerabilities() {
|
||||
return vulnerabilities;
|
||||
}
|
||||
|
||||
@@ -406,7 +410,7 @@ public class Dependency {
|
||||
*
|
||||
* @param vulnerabilities new value of vulnerabilities
|
||||
*/
|
||||
public void setVulnerabilities(List<Vulnerability> vulnerabilities) {
|
||||
public void setVulnerabilities(SortedSet<Vulnerability> vulnerabilities) {
|
||||
this.vulnerabilities = vulnerabilities;
|
||||
}
|
||||
|
||||
|
||||
@@ -27,7 +27,7 @@ import java.util.Set;
|
||||
*
|
||||
* @author Jeremy
|
||||
*/
|
||||
public class Vulnerability implements Serializable {
|
||||
public class Vulnerability implements Serializable, Comparable<Vulnerability> {
|
||||
|
||||
private static final long serialVersionUID = 307319490326651052L;
|
||||
/**
|
||||
@@ -142,7 +142,6 @@ public class Vulnerability implements Serializable {
|
||||
this.vulnerableSoftware = vulnerableSoftware;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Adds an entry for vulnerable software
|
||||
* @param cpe string representation of a CPE entry
|
||||
@@ -178,6 +177,182 @@ public class Vulnerability implements Serializable {
|
||||
}
|
||||
return vulnerableSoftware.add(vulnSoftware);
|
||||
}
|
||||
/**
|
||||
* The CWE for the vulnerability
|
||||
*/
|
||||
protected String cwe;
|
||||
|
||||
/**
|
||||
* Get the value of cwe
|
||||
*
|
||||
* @return the value of cwe
|
||||
*/
|
||||
public String getCwe() {
|
||||
return cwe;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of cwe
|
||||
*
|
||||
* @param cwe new value of cwe
|
||||
*/
|
||||
public void setCwe(String cwe) {
|
||||
this.cwe = cwe;
|
||||
}
|
||||
/**
|
||||
* CVSS Score
|
||||
*/
|
||||
protected float cvssScore;
|
||||
|
||||
/**
|
||||
* Get the value of cvssScore
|
||||
*
|
||||
* @return the value of cvssScore
|
||||
*/
|
||||
public float getCvssScore() {
|
||||
return cvssScore;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of cvssScore
|
||||
*
|
||||
* @param cvssScore new value of cvssScore
|
||||
*/
|
||||
public void setCvssScore(float cvssScore) {
|
||||
this.cvssScore = cvssScore;
|
||||
}
|
||||
/**
|
||||
* CVSS Access Vector
|
||||
*/
|
||||
protected String cvssAccessVector;
|
||||
|
||||
/**
|
||||
* Get the value of cvssAccessVector
|
||||
*
|
||||
* @return the value of cvssAccessVector
|
||||
*/
|
||||
public String getCvssAccessVector() {
|
||||
return cvssAccessVector;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of cvssAccessVector
|
||||
*
|
||||
* @param cvssAccessVector new value of cvssAccessVector
|
||||
*/
|
||||
public void setCvssAccessVector(String cvssAccessVector) {
|
||||
this.cvssAccessVector = cvssAccessVector;
|
||||
}
|
||||
/**
|
||||
* CVSS Access Complexity
|
||||
*/
|
||||
protected String cvssAccessComplexity;
|
||||
|
||||
/**
|
||||
* Get the value of cvssAccessComplexity
|
||||
*
|
||||
* @return the value of cvssAccessComplexity
|
||||
*/
|
||||
public String getCvssAccessComplexity() {
|
||||
return cvssAccessComplexity;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of cvssAccessComplexity
|
||||
*
|
||||
* @param cvssAccessComplexity new value of cvssAccessComplexity
|
||||
*/
|
||||
public void setCvssAccessComplexity(String cvssAccessComplexity) {
|
||||
this.cvssAccessComplexity = cvssAccessComplexity;
|
||||
}
|
||||
/**
|
||||
* CVSS Authentication
|
||||
*/
|
||||
protected String cvssAuthentication;
|
||||
|
||||
/**
|
||||
* Get the value of cvssAuthentication
|
||||
*
|
||||
* @return the value of cvssAuthentication
|
||||
*/
|
||||
public String getCvssAuthentication() {
|
||||
return cvssAuthentication;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of cvssAuthentication
|
||||
*
|
||||
* @param cvssAuthentication new value of cvssAuthentication
|
||||
*/
|
||||
public void setCvssAuthentication(String cvssAuthentication) {
|
||||
this.cvssAuthentication = cvssAuthentication;
|
||||
}
|
||||
/**
|
||||
* CVSS Confidentiality Impact
|
||||
*/
|
||||
protected String cvssConfidentialityImpact;
|
||||
|
||||
/**
|
||||
* Get the value of cvssConfidentialityImpact
|
||||
*
|
||||
* @return the value of cvssConfidentialityImpact
|
||||
*/
|
||||
public String getCvssConfidentialityImpact() {
|
||||
return cvssConfidentialityImpact;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of cvssConfidentialityImpact
|
||||
*
|
||||
* @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
|
||||
*/
|
||||
public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
|
||||
this.cvssConfidentialityImpact = cvssConfidentialityImpact;
|
||||
}
|
||||
/**
|
||||
* CVSS Integrity Impact
|
||||
*/
|
||||
protected String cvssIntegrityImpact;
|
||||
|
||||
/**
|
||||
* Get the value of cvssIntegrityImpact
|
||||
*
|
||||
* @return the value of cvssIntegrityImpact
|
||||
*/
|
||||
public String getCvssIntegrityImpact() {
|
||||
return cvssIntegrityImpact;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of cvssIntegrityImpact
|
||||
*
|
||||
* @param cvssIntegrityImpact new value of cvssIntegrityImpact
|
||||
*/
|
||||
public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
|
||||
this.cvssIntegrityImpact = cvssIntegrityImpact;
|
||||
}
|
||||
/**
|
||||
* CVSS Availability Impact
|
||||
*/
|
||||
protected String cvssAvailabilityImpact;
|
||||
|
||||
/**
|
||||
* Get the value of cvssAvailabilityImpact
|
||||
*
|
||||
* @return the value of cvssAvailabilityImpact
|
||||
*/
|
||||
public String getCvssAvailabilityImpact() {
|
||||
return cvssAvailabilityImpact;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of cvssAvailabilityImpact
|
||||
*
|
||||
* @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
|
||||
*/
|
||||
public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
|
||||
this.cvssAvailabilityImpact = cvssAvailabilityImpact;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean equals(Object obj) {
|
||||
@@ -200,4 +375,13 @@ public class Vulnerability implements Serializable {
|
||||
hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
|
||||
return hash;
|
||||
}
|
||||
/**
|
||||
* Compares two vulnerabilities
|
||||
*
|
||||
* @param v a vulnerabilitiy to be compared
|
||||
* @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than the specified vulnerability
|
||||
*/
|
||||
public int compareTo(Vulnerability v) {
|
||||
return v.getName().compareTo(this.getName());
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,40 @@
|
||||
/*
|
||||
* This file is part of DependencyCheck.
|
||||
*
|
||||
* DependencyCheck is free software: you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the Free
|
||||
* Software Foundation, either version 3 of the License, or (at your option) any
|
||||
* later version.
|
||||
*
|
||||
* DependencyCheck is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.codesecure.dependencycheck.dependency;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.util.Comparator;
|
||||
|
||||
/**
|
||||
* Comparator for Vulnerability objects.
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable {
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
/**
|
||||
* Implements the comparison of vulnerabilities.
|
||||
* @param o1 a vulnerability
|
||||
* @param o2 a second vulnerability
|
||||
* @return the comparison
|
||||
*/
|
||||
public int compare(Vulnerability o1, Vulnerability o2) {
|
||||
return o2.getName().compareTo(o1.getName());
|
||||
}
|
||||
}
|
||||
BIN
src/main/resources/data/cwe.hashmap.serialized
Normal file
BIN
src/main/resources/data/cwe.hashmap.serialized
Normal file
Binary file not shown.
@@ -48,12 +48,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
$(header).addClass("expandablesubsection");
|
||||
$(header).removeClass("collaspablesubsection");
|
||||
}
|
||||
|
||||
|
||||
});
|
||||
});
|
||||
</script>
|
||||
<style type="text/css">
|
||||
|
||||
|
||||
.rounded-corners {
|
||||
-moz-border-radius: 20px;
|
||||
-webkit-border-radius: 20px;
|
||||
@@ -81,7 +81,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
/*background-image: url(img/minus.gif);*/
|
||||
background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
|
||||
background-repeat: no-repeat;
|
||||
background-position: 98% 50%;
|
||||
background-position: 98% 50%;
|
||||
-moz-border-radius-bottomleft:0px; /* bottom left corner */
|
||||
-webkit-border-bottom-left-radius:0px; /* bottom left corner */
|
||||
border-bottom-left-radius: 0px;
|
||||
@@ -93,7 +93,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
border-bottom-left-radius: 0px;
|
||||
border-bottom: 0px solid #ffffff;
|
||||
}
|
||||
|
||||
|
||||
.content {
|
||||
margin-top:0px;
|
||||
margin-left:20px;
|
||||
@@ -102,7 +102,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
background: #ffffff;
|
||||
padding: 20px;
|
||||
}
|
||||
|
||||
|
||||
.sectionheader {
|
||||
background-color: #cccccc;
|
||||
margin-top: 20px;
|
||||
@@ -148,12 +148,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
margin-right:20px;
|
||||
margin-bottom:10px;
|
||||
background: #ffffff;
|
||||
|
||||
|
||||
padding-top: 10px;
|
||||
padding-bottom: 20px;
|
||||
padding-left:20px;
|
||||
padding-right:20px;
|
||||
|
||||
|
||||
border-top: 0px;
|
||||
border-right: 1px solid #ccc;
|
||||
border-left: 1px solid #ccc;
|
||||
@@ -175,7 +175,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
border-bottom-right-radius: 15px;
|
||||
border-bottom-left-radius: 15px;
|
||||
}
|
||||
|
||||
|
||||
.subsectionheader {
|
||||
background-color: #cccccc;
|
||||
margin-top: 20px;
|
||||
@@ -285,20 +285,24 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<div class="sectioncontent">Report Generated On: $date<br/><br/>
|
||||
Dependencies Scanned: $dependencies.size()<br/><br/>
|
||||
<div class="indent">
|
||||
#set($lnkcnt=0)
|
||||
#foreach($dependency in $dependencies)
|
||||
#set($lnkcnt=$lnkcnt+1)
|
||||
#if($dependency.getVulnerabilities().size()>0)
|
||||
<a href="#$esc.html($esc.url($dependency.FilePath))">$esc.html($dependency.FileName)</a> <b style="color:#ff0000;">•</b><br/>
|
||||
<a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a> <b style="color:#ff0000;">•</b><br/>
|
||||
#else
|
||||
<a href="#$esc.html($esc.url($dependency.FilePath))">$esc.html($dependency.FileName)</a><br/>
|
||||
<a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a><br/>
|
||||
#end
|
||||
#end
|
||||
</div>
|
||||
<h2>Dependencies</h2>
|
||||
#set($lnkcnt=0)
|
||||
#set($cnt=0)
|
||||
#foreach($dependency in $dependencies)
|
||||
<h3 class="subsectionheader standardsubsection"><a name="$esc.html($dependency.FilePath)"></a>$esc.html($dependency.FileName)</h3>
|
||||
#foreach($dependency in $dependencies)
|
||||
#set($lnkcnt=$lnkcnt+1)
|
||||
<h3 class="subsectionheader standardsubsection"><a name="l${lnkcnt}_$esc.html($dependency.Sha1sum)"></a>$esc.html($dependency.FileName)</h3>
|
||||
<div class="subsectioncontent">
|
||||
#if ($dependency.description)
|
||||
#if ($dependency.description)
|
||||
<p><b>Description:</b> $esc.html($dependency.description)<br/></p>
|
||||
#end
|
||||
<p>
|
||||
@@ -359,14 +363,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
|
||||
##: <a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($cpevalue)" target="_blank">$esc.html($cpevalue)</a></h4>
|
||||
<div id="content$cnt" class="subsectioncontent standardsubsection">
|
||||
#if($cpeCount>1)
|
||||
Several possible CPEs where identified. If one of the following are correct please update the configuration
|
||||
to set the hash code for this file to the CPE entry below.<br/><br/>
|
||||
#end
|
||||
#if($dependency.getIdentifiers().size()==0)
|
||||
#if ($dependency.getIdentifiers().size()==0)
|
||||
<ul><li><b>None</b></li></ul>
|
||||
#end
|
||||
#if($dependency.getIdentifiers().size()>0)
|
||||
#else ## ($dependency.getIdentifiers().size()>0)
|
||||
<ul>
|
||||
#foreach($id in $dependency.getIdentifiers())
|
||||
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
|
||||
@@ -385,6 +384,18 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<div id="content$cnt" class="subsectioncontent standardsubsection">
|
||||
#foreach($vuln in $dependency.getVulnerabilities())
|
||||
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b></p>
|
||||
<p>Severity:
|
||||
#if ($vuln.cvssScore<4.0)
|
||||
Low
|
||||
#elseif ($vuln.cvssScore>=7.0)
|
||||
High
|
||||
#else
|
||||
Medium
|
||||
#end
|
||||
<br/>CVSS Score: $vuln.cvssScore
|
||||
#if ($vuln.cwe)
|
||||
<br/>CWE: $vuln.cwe
|
||||
#end</p>
|
||||
<p>$esc.html($vuln.description)
|
||||
#if ($vuln.getReferences().size()>0)
|
||||
<ul>
|
||||
@@ -400,6 +411,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
</div>
|
||||
#end
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -103,14 +103,25 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
|
||||
Dependency spring = new Dependency(fileSpring);
|
||||
jarAnalyzer.analyze(spring, null);
|
||||
|
||||
File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
|
||||
Dependency spring3 = new Dependency(fileSpring3);
|
||||
jarAnalyzer.analyze(spring3, null);
|
||||
|
||||
CPEAnalyzer instance = new CPEAnalyzer();
|
||||
instance.open();
|
||||
String expResult = "cpe:/a:apache:struts:2.1.2";
|
||||
String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
|
||||
String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
|
||||
instance.determineCPE(depends);
|
||||
instance.determineCPE(spring);
|
||||
instance.determineCPE(spring3);
|
||||
instance.close();
|
||||
assertTrue("Incorrect match", depends.getIdentifiers().size() == 1);
|
||||
assertTrue("Incorrect match", depends.getIdentifiers().get(0).getValue().equals(expResult));
|
||||
assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() == 1);
|
||||
assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
|
||||
assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
|
||||
assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
|
||||
assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 9);
|
||||
//assertTrue("Incorrect match - spring3", spring3.getIdentifiers().get(0).getValue().equals(expResultSpring3));
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -0,0 +1,78 @@
|
||||
/*
|
||||
* To change this template, choose Tools | Templates
|
||||
* and open the template in the editor.
|
||||
*/
|
||||
package org.codesecure.dependencycheck.data.cwe;
|
||||
|
||||
import java.io.ObjectOutputStream;
|
||||
import java.io.FileOutputStream;
|
||||
import java.util.Map;
|
||||
import java.io.File;
|
||||
import javax.xml.parsers.SAXParser;
|
||||
import javax.xml.parsers.SAXParserFactory;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long (jeremy.long@gmail.com)
|
||||
*/
|
||||
public class CweDBTest {
|
||||
|
||||
public CweDBTest() {
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
public static void setUpClass() throws Exception {
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void tearDownClass() throws Exception {
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
}
|
||||
|
||||
@After
|
||||
public void tearDown() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Method to serlize the CWE HashMap. This is not used in
|
||||
* production; this is only used once during dev to create
|
||||
* the serialized hashmap.
|
||||
*/
|
||||
// @Test
|
||||
// public void testUpdate() throws Exception {
|
||||
// SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
// SAXParser saxParser = factory.newSAXParser();
|
||||
//
|
||||
// CweHandler handler = new CweHandler();
|
||||
// File file = new File(this.getClass().getClassLoader().getResource("cwe.2000.xml").getPath());
|
||||
//
|
||||
// saxParser.parse(file, handler);
|
||||
// System.out.println("Found " + handler.getCwe().size() + " cwe entries.");
|
||||
// Map<String,String> cwe = handler.getCwe();
|
||||
// FileOutputStream fout = new FileOutputStream("src/main/resources/data/cwe.hashmap.serialized");
|
||||
// ObjectOutputStream objOut = new ObjectOutputStream(fout);
|
||||
// objOut.writeObject(cwe);
|
||||
// objOut.close();
|
||||
// }
|
||||
|
||||
/**
|
||||
* Test of getCweName method, of class CweDB.
|
||||
*/
|
||||
@Test
|
||||
public void testGetCweName() {
|
||||
System.out.println("getCweName");
|
||||
String cweId = "CWE-16";
|
||||
String expResult = "Configuration";
|
||||
String result = CweDB.getCweName(cweId);
|
||||
assertEquals(expResult, result);
|
||||
}
|
||||
}
|
||||
176610
src/test/resources/cwe.2000.xml
Normal file
176610
src/test/resources/cwe.2000.xml
Normal file
File diff suppressed because it is too large
Load Diff
BIN
src/test/resources/spring-core-3.0.0.RELEASE.jar
Normal file
BIN
src/test/resources/spring-core-3.0.0.RELEASE.jar
Normal file
Binary file not shown.
Reference in New Issue
Block a user