Added CVSS Scores

Former-commit-id: 2feda15c4f42461b87a2a4e5941a32eb98a918de
2026-01-14 15:53:36 +01:00 · 2013-01-13 16:48:27 -05:00
7 changed files with 372 additions and 21 deletions
--- a/README.txt
+++ b/README.txt
@@ -7,8 +7,8 @@ If found, it will generate a report linking to the associated CVE entries.
 Usage:
 $ mvn package
 $ cd target
-$ java -jar DependencyCheck-0.2.5.1.jar -h
-$ java -jar DependencyCheck-0.2.5.1.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
+$ java -jar DependencyCheck-0.2.5.2.jar -h
+$ java -jar DependencyCheck-0.2.5.2.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib

 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.

--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.

    <groupId>org.codesecure</groupId>
    <artifactId>DependencyCheck</artifactId>
-    <version>0.2.5.1</version>
+    <version>0.2.5.2</version>
    <packaging>jar</packaging>

    <name>DependencyCheck</name>
--- a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/CveDB.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/CveDB.java
@@ -76,8 +76,10 @@ public class CveDB {
    /**
     * SQL Statement to create the vulnerability table
     */
-    public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability "
-            + "(cveid CHAR(13) PRIMARY KEY, description varchar(8000))";
+    public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
+            + "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
+            + "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
+            + "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
    /**
     * SQL Statement to delete references by CVEID
     */
@@ -102,7 +104,9 @@ public class CveDB {
    /**
     * SQL Statement to insert a new vulnerability
     */
-    public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description) VALUES (?, ?)";
+    public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
+            + "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+            + "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    /**
     * SQL Statement to find CVE entries based on CPE data
     */
@@ -119,7 +123,7 @@ public class CveDB {
    /**
     * SQL Statement to select a vulnerability by CVEID
     */
-    public static final String SELECT_VULNERABILITY = "SELECT cveid, description FROM vulnerability WHERE cveid = ?";
+    public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
    //</editor-fold>

    //<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
@@ -144,7 +148,7 @@ public class CveDB {
     */
    private CallableStatement insertSoftware = null;
    /**
-     * insert vulnerability - parameters (cveid, description)
+     * insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
     */
    private CallableStatement insertVulnerability = null;
    /**
@@ -269,6 +273,15 @@ public class CveDB {
                vuln = new Vulnerability();
                vuln.setName(cve);
                vuln.setDescription(rsV.getString(2));
+                vuln.setCwe(rsV.getString(3));
+                vuln.setCvssScore(rsV.getFloat(4));
+                vuln.setCvssAccessVector(rsV.getString(5));
+                vuln.setCvssAccessComplexity(rsV.getString(6));
+                vuln.setCvssAuthentication(rsV.getString(7));
+                vuln.setCvssConfidentialityImpact(rsV.getString(8));
+                vuln.setCvssIntegrityImpact(rsV.getString(9));
+                vuln.setCvssAvailabilityImpact(rsV.getString(10));
+
                selectReferences.setString(1, cve);
                rsR = selectReferences.executeQuery();
                while (rsR.next()) {
@@ -333,6 +346,14 @@ public class CveDB {

            insertVulnerability.setString(1, vuln.getName());
            insertVulnerability.setString(2, vuln.getDescription());
+            insertVulnerability.setString(3, vuln.getCwe());
+            insertVulnerability.setFloat(4, vuln.getCvssScore());
+            insertVulnerability.setString(5, vuln.getCvssAccessVector());
+            insertVulnerability.setString(6, vuln.getCvssAccessComplexity());
+            insertVulnerability.setString(7, vuln.getCvssAuthentication());
+            insertVulnerability.setString(8, vuln.getCvssConfidentialityImpact());
+            insertVulnerability.setString(9, vuln.getCvssIntegrityImpact());
+            insertVulnerability.setString(10, vuln.getCvssAvailabilityImpact());
            insertVulnerability.execute();

            insertReference.setString(1, vuln.getName());
--- a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
@@ -77,7 +77,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
    /**
     * The current version of the database
     */
-    public static final String DATABASE_VERSION = "2.0";
+    public static final String DATABASE_VERSION = "2.1";

    /**
     * <p>Downloads the latest NVD CVE XML file from the web and imports it into
--- a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
@@ -21,6 +21,8 @@ package org.codesecure.dependencycheck.data.nvdcve.xml;
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.apache.lucene.index.CorruptIndexException;
 import org.codesecure.dependencycheck.data.cpe.Index;
 import org.codesecure.dependencycheck.data.nvdcve.CveDB;
@@ -75,6 +77,22 @@ public class NvdCve20Handler extends DefaultHandler {
            if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
                throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
            }
+        } else if (current.isVulnCWENode()) {
+            vulnerability.setCwe(attributes.getValue("id"));
+        } else if (current.isCVSSScoreNode()) {
+            nodeText = new StringBuilder(5);
+        } else if (current.isCVSSAccessVectorNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAccessComplexityNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAuthenticationNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSAvailabilityImpactNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSConfidentialityImpactNode()) {
+            nodeText = new StringBuilder(20);
+        } else if (current.isCVSSIntegrityImpactNode()) {
+            nodeText = new StringBuilder(20);
        }
    }

@@ -101,6 +119,32 @@ public class NvdCve20Handler extends DefaultHandler {
                }
            }
            vulnerability = null;
+        } else if (current.isCVSSScoreNode()) {
+            try {
+                float score = Float.parseFloat(nodeText.toString());
+                vulnerability.setCvssScore(score);
+            } catch (NumberFormatException ex) {
+                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
+            }
+            nodeText = null;
+        } else if (current.isCVSSAccessVectorNode()) {
+            vulnerability.setCvssAccessVector(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAccessComplexityNode()) {
+            vulnerability.setCvssAccessComplexity(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAuthenticationNode()) {
+            vulnerability.setCvssAuthentication(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSAvailabilityImpactNode()) {
+            vulnerability.setCvssAvailabilityImpact(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSConfidentialityImpactNode()) {
+            vulnerability.setCvssConfidentialityImpact(nodeText.toString());
+            nodeText = null;
+        } else if (current.isCVSSIntegrityImpactNode()) {
+            vulnerability.setCvssIntegrityImpact(nodeText.toString());
+            nodeText = null;
        } else if (current.isVulnProductNode()) {
            String cpe = nodeText.toString();
            if (cpe.startsWith("cpe:/a:")) {
@@ -217,6 +261,40 @@ public class NvdCve20Handler extends DefaultHandler {
         * A node type in the NVD CVE Schema 2.0
         */
        public static final String VULN_SUMMARY = "vuln:summary";
+
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String VULN_CWE = "vuln:cwe";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_SCORE = "cvss:score";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_ACCESS_VECTOR = "cvss:access-vector";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_ACCESS_COMPLEXITY = "cvss:access-complexity";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_AUTHENTICATION = "cvss:authentication";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_CONFIDENTIALITY_IMPACT = "cvss:confidentiality-impact";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_INTEGRITY_IMPACT = "cvss:integrity-impact";
+        /**
+         * A node type in the NVD CVE Schema 2.0
+         */
+        public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
+
        private String node = null;

        /**
@@ -299,6 +377,72 @@ public class NvdCve20Handler extends DefaultHandler {
        public boolean isVulnSummaryNode() {
            return VULN_SUMMARY.equals(node);
        }
+
+        /**
+         * Checks if the handler is at the VULN_CWE node
+         *
+         * @return true or false
+         */
+        public boolean isVulnCWENode() {
+            return VULN_CWE.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_SCORE node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSScoreNode() {
+            return CVSS_SCORE.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_ACCESS_VECTOR node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAccessVectorNode() {
+            return CVSS_ACCESS_VECTOR.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAccessComplexityNode() {
+            return CVSS_ACCESS_COMPLEXITY.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_AUTHENTICATION node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAuthenticationNode() {
+            return CVSS_AUTHENTICATION.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSConfidentialityImpactNode() {
+            return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSIntegrityImpactNode() {
+            return CVSS_INTEGRITY_IMPACT.equals(node);
+        }
+        /**
+         * Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
+         *
+         * @return true or false
+         */
+        public boolean isCVSSAvailabilityImpactNode() {
+            return CVSS_AVAILABILITY_IMPACT.equals(node);
+        }
+
    }
    // </editor-fold>
 }
--- a/src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java
+++ b/src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java
@@ -142,7 +142,6 @@ public class Vulnerability implements Serializable {
        this.vulnerableSoftware = vulnerableSoftware;
    }

-
    /**
     * Adds an entry for vulnerable software
     * @param cpe string representation of a CPE entry
@@ -178,6 +177,182 @@ public class Vulnerability implements Serializable {
        }
        return vulnerableSoftware.add(vulnSoftware);
    }
+    /**
+     * The CWE for the vulnerability
+     */
+    protected String cwe;
+
+    /**
+     * Get the value of cwe
+     *
+     * @return the value of cwe
+     */
+    public String getCwe() {
+        return cwe;
+    }
+
+    /**
+     * Set the value of cwe
+     *
+     * @param cwe new value of cwe
+     */
+    public void setCwe(String cwe) {
+        this.cwe = cwe;
+    }
+    /**
+     * CVSS Score
+     */
+    protected float cvssScore;
+
+    /**
+     * Get the value of cvssScore
+     *
+     * @return the value of cvssScore
+     */
+    public float getCvssScore() {
+        return cvssScore;
+    }
+
+    /**
+     * Set the value of cvssScore
+     *
+     * @param cvssScore new value of cvssScore
+     */
+    public void setCvssScore(float cvssScore) {
+        this.cvssScore = cvssScore;
+    }
+    /**
+     * CVSS Access Vector
+     */
+    protected String cvssAccessVector;
+
+    /**
+     * Get the value of cvssAccessVector
+     *
+     * @return the value of cvssAccessVector
+     */
+    public String getCvssAccessVector() {
+        return cvssAccessVector;
+    }
+
+    /**
+     * Set the value of cvssAccessVector
+     *
+     * @param cvssAccessVector new value of cvssAccessVector
+     */
+    public void setCvssAccessVector(String cvssAccessVector) {
+        this.cvssAccessVector = cvssAccessVector;
+    }
+    /**
+     * CVSS Access Complexity
+     */
+    protected String cvssAccessComplexity;
+
+    /**
+     * Get the value of cvssAccessComplexity
+     *
+     * @return the value of cvssAccessComplexity
+     */
+    public String getCvssAccessComplexity() {
+        return cvssAccessComplexity;
+    }
+
+    /**
+     * Set the value of cvssAccessComplexity
+     *
+     * @param cvssAccessComplexity new value of cvssAccessComplexity
+     */
+    public void setCvssAccessComplexity(String cvssAccessComplexity) {
+        this.cvssAccessComplexity = cvssAccessComplexity;
+    }
+    /**
+     * CVSS Authentication
+     */
+    protected String cvssAuthentication;
+
+    /**
+     * Get the value of cvssAuthentication
+     *
+     * @return the value of cvssAuthentication
+     */
+    public String getCvssAuthentication() {
+        return cvssAuthentication;
+    }
+
+    /**
+     * Set the value of cvssAuthentication
+     *
+     * @param cvssAuthentication new value of cvssAuthentication
+     */
+    public void setCvssAuthentication(String cvssAuthentication) {
+        this.cvssAuthentication = cvssAuthentication;
+    }
+    /**
+     * CVSS Confidentiality Impact
+     */
+    protected String cvssConfidentialityImpact;
+
+    /**
+     * Get the value of cvssConfidentialityImpact
+     *
+     * @return the value of cvssConfidentialityImpact
+     */
+    public String getCvssConfidentialityImpact() {
+        return cvssConfidentialityImpact;
+    }
+
+    /**
+     * Set the value of cvssConfidentialityImpact
+     *
+     * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
+     */
+    public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
+        this.cvssConfidentialityImpact = cvssConfidentialityImpact;
+    }
+    /**
+     * CVSS Integrity Impact
+     */
+    protected String cvssIntegrityImpact;
+
+    /**
+     * Get the value of cvssIntegrityImpact
+     *
+     * @return the value of cvssIntegrityImpact
+     */
+    public String getCvssIntegrityImpact() {
+        return cvssIntegrityImpact;
+    }
+
+    /**
+     * Set the value of cvssIntegrityImpact
+     *
+     * @param cvssIntegrityImpact new value of cvssIntegrityImpact
+     */
+    public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
+        this.cvssIntegrityImpact = cvssIntegrityImpact;
+    }
+    /**
+     * CVSS Availability Impact
+     */
+    protected String cvssAvailabilityImpact;
+
+    /**
+     * Get the value of cvssAvailabilityImpact
+     *
+     * @return the value of cvssAvailabilityImpact
+     */
+    public String getCvssAvailabilityImpact() {
+        return cvssAvailabilityImpact;
+    }
+
+    /**
+     * Set the value of cvssAvailabilityImpact
+     *
+     * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
+     */
+    public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
+        this.cvssAvailabilityImpact = cvssAvailabilityImpact;
+    }

    @Override
    public boolean equals(Object obj) {
--- a/src/main/resources/templates/HtmlReport.vsl
+++ b/src/main/resources/templates/HtmlReport.vsl
@@ -48,12 +48,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                        $(header).addClass("expandablesubsection");
                        $(header).removeClass("collaspablesubsection");
                    }
-                    
+
                });
            });
        </script>
        <style type="text/css">
-            
+
            .rounded-corners {
                -moz-border-radius: 20px;
                -webkit-border-radius: 20px;
@@ -81,7 +81,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                /*background-image: url(img/minus.gif);*/
                background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
                background-repeat: no-repeat;
-                background-position: 98% 50%;  
+                background-position: 98% 50%;
                -moz-border-radius-bottomleft:0px; /* bottom left corner */
                -webkit-border-bottom-left-radius:0px; /* bottom left corner */
                border-bottom-left-radius: 0px;
@@ -93,7 +93,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                border-bottom-left-radius: 0px;
                border-bottom: 0px solid #ffffff;
            }
-                        
+
            .content {
                margin-top:0px;
                margin-left:20px;
@@ -102,7 +102,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                background: #ffffff;
                padding: 20px;
            }
-            
+
            .sectionheader {
                background-color: #cccccc;
                margin-top: 20px;
@@ -148,12 +148,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                margin-right:20px;
                margin-bottom:10px;
                background: #ffffff;
-                
+
                padding-top: 10px;
                padding-bottom: 20px;
                padding-left:20px;
                padding-right:20px;
-                
+
                border-top: 0px;
                border-right: 1px solid #ccc;
                border-left: 1px solid #ccc;
@@ -175,7 +175,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                border-bottom-right-radius: 15px;
                border-bottom-left-radius: 15px;
            }
-            
+
            .subsectionheader {
                background-color: #cccccc;
                margin-top: 20px;
@@ -295,10 +295,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                </div>
                <h2>Dependencies</h2>
                #set($cnt=0)
-                #foreach($dependency in $dependencies) 
+                #foreach($dependency in $dependencies)
                    <h3 class="subsectionheader standardsubsection"><a name="$esc.html($dependency.FilePath)"></a>$esc.html($dependency.FileName)</h3>
                    <div class="subsectioncontent">
-                        #if ($dependency.description) 
+                        #if ($dependency.description)
                            <p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
                        #end
                        <p>
@@ -385,6 +385,17 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <div id="content$cnt" class="subsectioncontent standardsubsection">
                        #foreach($vuln in $dependency.getVulnerabilities())
                            <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b></p>
+                            <p>Severity:
+                            #if ($vuln.cvssScore<4.0)
+                                Low
+                            #else
+                                #if ($vuln.cvssScore>=7.0)
+                                    High
+                                #else
+                                    Medium
+                                #end
+                            #end
+                            <br/>CVSS Score: $vuln.cvssScore</p>
                            <p>$esc.html($vuln.description)
                                #if ($vuln.getReferences().size()>0)
                                    <ul>
@@ -400,6 +411,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                </div>
                #end
            </div>
-        </div>        
+        </div>
    </body>
 </html>