1 /*
2 * This file is part of dependency-check-core.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17 */
18 package org.owasp.dependencycheck.dependency;
19
20 import java.io.Serializable;
21 import java.util.Set;
22 import java.util.SortedSet;
23 import java.util.TreeSet;
24 import org.apache.commons.lang3.builder.CompareToBuilder;
25
26 /**
27 * Contains the information about a vulnerability.
28 *
29 * @author Jeremy Long
30 */
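/**
 * Contains the information about a vulnerability: its name, description, CWE,
 * CVSS metrics, external references, the software it affects and the CPE that
 * caused it to be flagged for a dependency.
 *
 * <p>Identity, hashing and ordering are all based solely on {@link #getName()}.
 * Two instances with the same name are {@code equals} and compare as zero even
 * when their references, scores or vulnerable-software entries differ; code
 * that merges data for the same vulnerability must therefore do so
 * explicitly rather than rely on set semantics.</p>
 *
 * <p>The collection getters return the live backing sets, not copies, so
 * mutations through the getter are visible to this object. Callers that need
 * an isolated view should copy the set.</p>
 *
 * <p>Security note: this class is {@link Serializable}. Java native
 * deserialization of untrusted data is a known attack vector, so instances
 * should only be deserialized from a trusted source (e.g. a local cache this
 * application wrote itself).</p>
 *
 * @author Jeremy Long
 */
public class Vulnerability implements Serializable, Comparable<Vulnerability> {

    /**
     * The serial version uid.
     */
    private static final long serialVersionUID = 307319490326651052L;

    /**
     * The name of the vulnerability; the sole key for equality and ordering.
     */
    private String name;
    /**
     * The description of the vulnerability.
     */
    private String description;
    /**
     * References for this vulnerability, kept in the natural order of
     * {@link Reference}.
     */
    private SortedSet<Reference> references = new TreeSet<Reference>();
    /**
     * The set of vulnerable software, kept in the natural order of
     * {@link VulnerableSoftware}.
     */
    private SortedSet<VulnerableSoftware> vulnerableSoftware = new TreeSet<VulnerableSoftware>();
    /**
     * The CWE for the vulnerability.
     */
    private String cwe;
    /**
     * CVSS Score.
     */
    private float cvssScore;
    /**
     * CVSS Access Vector.
     */
    private String cvssAccessVector;
    /**
     * CVSS Access Complexity.
     */
    private String cvssAccessComplexity;
    /**
     * CVSS Authentication.
     */
    private String cvssAuthentication;
    /**
     * CVSS Confidentiality Impact.
     */
    private String cvssConfidentialityImpact;
    /**
     * CVSS Integrity Impact.
     */
    private String cvssIntegrityImpact;
    /**
     * CVSS Availability Impact.
     */
    private String cvssAvailabilityImpact;
    /**
     * The CPE id that caused this vulnerability to be flagged.
     */
    private String matchedCPE;
    /**
     * Whether or not all previous versions were affected. Stored as a String
     * rather than a boolean: any non-null value means "true" (see
     * {@link #hasMatchedAllPreviousCPE()}).
     */
    private String matchedAllPreviousCPE;

    /**
     * Get the value of name.
     *
     * @return the value of name
     */
    public String getName() {
        return name;
    }

    /**
     * Set the value of name. Note that changing the name of an instance that
     * is already stored in a hash- or tree-based collection corrupts that
     * collection, because name drives {@link #hashCode()} and
     * {@link #compareTo(Vulnerability)}.
     *
     * @param name new value of name
     */
    public void setName(String name) {
        this.name = name;
    }

    /**
     * Get the value of description.
     *
     * @return the value of description
     */
    public String getDescription() {
        return description;
    }

    /**
     * Set the value of description.
     *
     * @param description new value of description
     */
    public void setDescription(String description) {
        this.description = description;
    }

    /**
     * Get the references for this vulnerability.
     *
     * @return the live backing set of references (not a copy)
     */
    public Set<Reference> getReferences() {
        return references;
    }

    /**
     * Set the value of references.
     *
     * @param references new value of references
     */
    public void setReferences(SortedSet<Reference> references) {
        this.references = references;
    }

    /**
     * Adds a reference to the references collection.
     *
     * @param ref a reference for the vulnerability
     */
    public void addReference(Reference ref) {
        if (references == null) {
            // setReferences(null) may have been called; recover instead of throwing an NPE
            references = new TreeSet<Reference>();
        }
        references.add(ref);
    }

    /**
     * Adds a reference built from its three parts.
     *
     * @param referenceSource the source of the reference
     * @param referenceName the referenceName of the reference
     * @param referenceUrl the url of the reference
     */
    public void addReference(String referenceSource, String referenceName, String referenceUrl) {
        final Reference ref = new Reference();
        ref.setSource(referenceSource);
        ref.setName(referenceName);
        ref.setUrl(referenceUrl);
        addReference(ref);
    }

    /**
     * Get the vulnerable software for this vulnerability.
     *
     * @return the live backing set of vulnerable software (not a copy)
     */
    public Set<VulnerableSoftware> getVulnerableSoftware() {
        return vulnerableSoftware;
    }

    /**
     * Set the value of vulnerableSoftware.
     *
     * @param vulnerableSoftware new value of vulnerableSoftware
     */
    public void setVulnerableSoftware(SortedSet<VulnerableSoftware> vulnerableSoftware) {
        this.vulnerableSoftware = vulnerableSoftware;
    }

    /**
     * Adds an entry for vulnerable software with no previous-version marker.
     *
     * @param cpe string representation of a CPE entry
     * @return if the add succeeded
     */
    public boolean addVulnerableSoftware(String cpe) {
        return addVulnerableSoftware(cpe, null);
    }

    /**
     * Adds an entry for vulnerable software.
     *
     * @param cpe string representation of a cpe
     * @param previousVersion the previous version (previousVersion - cpe would
     * be considered vulnerable); ignored when null
     * @return if the add succeeded
     */
    public boolean addVulnerableSoftware(String cpe, String previousVersion) {
        final VulnerableSoftware vs = new VulnerableSoftware();
        vs.setCpe(cpe);
        if (previousVersion != null) {
            vs.setPreviousVersion(previousVersion);
        }
        return updateVulnerableSoftware(vs);
    }

    /**
     * Adds or updates a vulnerable software entry. An existing entry that
     * compares equal (per {@link VulnerableSoftware}'s natural order) is
     * replaced by the supplied one rather than being silently kept.
     *
     * @param vulnSoftware the vulnerable software
     * @return if the update succeeded
     */
    public boolean updateVulnerableSoftware(VulnerableSoftware vulnSoftware) {
        if (vulnerableSoftware == null) {
            // setVulnerableSoftware(null) may have been called; recover instead of throwing an NPE
            vulnerableSoftware = new TreeSet<VulnerableSoftware>();
        }
        // remove() is a no-op when absent, so no contains() pre-check is needed. Removing
        // first matters: TreeSet.add() would otherwise return false and keep the old entry.
        vulnerableSoftware.remove(vulnSoftware);
        return vulnerableSoftware.add(vulnSoftware);
    }

    /**
     * Get the value of cwe.
     *
     * @return the value of cwe
     */
    public String getCwe() {
        return cwe;
    }

    /**
     * Set the value of cwe.
     *
     * @param cwe new value of cwe
     */
    public void setCwe(String cwe) {
        this.cwe = cwe;
    }

    /**
     * Get the value of cvssScore.
     *
     * @return the value of cvssScore
     */
    public float getCvssScore() {
        return cvssScore;
    }

    /**
     * Set the value of cvssScore.
     *
     * @param cvssScore new value of cvssScore
     */
    public void setCvssScore(float cvssScore) {
        this.cvssScore = cvssScore;
    }

    /**
     * Get the value of cvssAccessVector.
     *
     * @return the value of cvssAccessVector
     */
    public String getCvssAccessVector() {
        return cvssAccessVector;
    }

    /**
     * Set the value of cvssAccessVector.
     *
     * @param cvssAccessVector new value of cvssAccessVector
     */
    public void setCvssAccessVector(String cvssAccessVector) {
        this.cvssAccessVector = cvssAccessVector;
    }

    /**
     * Get the value of cvssAccessComplexity.
     *
     * @return the value of cvssAccessComplexity
     */
    public String getCvssAccessComplexity() {
        return cvssAccessComplexity;
    }

    /**
     * Set the value of cvssAccessComplexity.
     *
     * @param cvssAccessComplexity new value of cvssAccessComplexity
     */
    public void setCvssAccessComplexity(String cvssAccessComplexity) {
        this.cvssAccessComplexity = cvssAccessComplexity;
    }

    /**
     * Get the value of cvssAuthentication.
     *
     * @return the value of cvssAuthentication
     */
    public String getCvssAuthentication() {
        return cvssAuthentication;
    }

    /**
     * Set the value of cvssAuthentication.
     *
     * @param cvssAuthentication new value of cvssAuthentication
     */
    public void setCvssAuthentication(String cvssAuthentication) {
        this.cvssAuthentication = cvssAuthentication;
    }

    /**
     * Get the value of cvssConfidentialityImpact.
     *
     * @return the value of cvssConfidentialityImpact
     */
    public String getCvssConfidentialityImpact() {
        return cvssConfidentialityImpact;
    }

    /**
     * Set the value of cvssConfidentialityImpact.
     *
     * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
     */
    public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
        this.cvssConfidentialityImpact = cvssConfidentialityImpact;
    }

    /**
     * Get the value of cvssIntegrityImpact.
     *
     * @return the value of cvssIntegrityImpact
     */
    public String getCvssIntegrityImpact() {
        return cvssIntegrityImpact;
    }

    /**
     * Set the value of cvssIntegrityImpact.
     *
     * @param cvssIntegrityImpact new value of cvssIntegrityImpact
     */
    public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
        this.cvssIntegrityImpact = cvssIntegrityImpact;
    }

    /**
     * Get the value of cvssAvailabilityImpact.
     *
     * @return the value of cvssAvailabilityImpact
     */
    public String getCvssAvailabilityImpact() {
        return cvssAvailabilityImpact;
    }

    /**
     * Set the value of cvssAvailabilityImpact.
     *
     * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
     */
    public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
        this.cvssAvailabilityImpact = cvssAvailabilityImpact;
    }

    /**
     * Sets the CPE that caused this vulnerability to be flagged.
     *
     * @param cpeId a CPE identifier
     * @param previous a flag indicating whether or not all previous versions
     * were affected (any non-null value is considered true)
     */
    public void setMatchedCPE(String cpeId, String previous) {
        matchedCPE = cpeId;
        matchedAllPreviousCPE = previous;
    }

    /**
     * Get the value of matchedCPE.
     *
     * @return the value of matchedCPE
     */
    public String getMatchedCPE() {
        return matchedCPE;
    }

    /**
     * Get the value of matchedAllPreviousCPE.
     *
     * @return the value of matchedAllPreviousCPE
     */
    public String getMatchedAllPreviousCPE() {
        return matchedAllPreviousCPE;
    }

    /**
     * Determines whether or not matchedAllPreviousCPE has been set.
     *
     * @return true if matchedAllPreviousCPE is not null; otherwise false
     */
    public boolean hasMatchedAllPreviousCPE() {
        return matchedAllPreviousCPE != null;
    }

    /**
     * Two vulnerabilities are equal when they have the same name (both null
     * counts as equal); no other field participates.
     *
     * @param obj the object to compare against
     * @return true if obj is a Vulnerability with the same name
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final Vulnerability other = (Vulnerability) obj;
        if (this.name == null) {
            return other.name == null;
        }
        return this.name.equals(other.name);
    }

    /**
     * Hash code derived from the name only, consistent with {@link #equals(Object)}.
     *
     * @return the hash code
     */
    @Override
    public int hashCode() {
        int hash = 5;
        hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
        return hash;
    }

    /**
     * Renders the name, references and vulnerable software as a multi-line
     * string. The content originates from external vulnerability data, so
     * callers embedding it in HTML or other markup must escape it.
     *
     * @return a human readable, multi-line description
     */
    @Override
    public String toString() {
        final StringBuilder sb = new StringBuilder("Vulnerability ");
        sb.append(this.name);
        sb.append("\nReferences:\n");
        if (this.references != null) {
            for (Reference reference : this.references) {
                sb.append("=> ").append(reference).append("\n");
            }
        }
        sb.append("\nSoftware:\n");
        if (this.vulnerableSoftware != null) {
            for (VulnerableSoftware software : this.vulnerableSoftware) {
                sb.append("=> ").append(software).append("\n");
            }
        }
        return sb.toString();
    }

    /**
     * Compares two vulnerabilities by name only, which keeps the ordering
     * consistent with {@link #equals(Object)}. The comparison is null-safe
     * with respect to the name field.
     *
     * @param v a vulnerability to be compared
     * @return a negative integer, zero, or a positive integer as this object is
     * less than, equal to, or greater than the specified vulnerability
     */
    @Override
    public int compareTo(Vulnerability v) {
        return new CompareToBuilder()
                .append(this.name, v.name)
                .toComparison();
    }
}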