Coverage Report

Coverage Report - org.owasp.dependencycheck.suppression.SuppressionRule

Classes in this File

Line Coverage

Branch Coverage

Complexity

SuppressionRule

96%

96/100

89%

61/68

2.542

 /*
  * This file is part of dependency-check-core.
  *
  * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
  * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
  * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.suppression;
 
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 
 /**
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class SuppressionRule {
 
     /**
      * The file path for the suppression.
      */
     private PropertyType filePath;
 
     /**
      * Get the value of filePath.
      *
      * @return the value of filePath
      */
     public PropertyType getFilePath() {
         return filePath;
     }
 
     /**
      * Set the value of filePath.
      *
      * @param filePath new value of filePath
      */
     public void setFilePath(PropertyType filePath) {
         this.filePath = filePath;
     }
     /**
      * The sha1 hash.
      */
     private String sha1;
 
     /**
      * Get the value of sha1.
      *
      * @return the value of sha1
      */
     public String getSha1() {
         return sha1;
     }
 
     /**
      * Set the value of sha1.
      *
      * @param sha1 new value of sha1
      */
     public void setSha1(String sha1) {
         this.sha1 = sha1;
     }
     /**
      * A list of CPEs to suppression
      */
     private List<PropertyType> cpe = new ArrayList<PropertyType>();
 
     /**
      * Get the value of cpe.
      *
      * @return the value of cpe
      */
     public List<PropertyType> getCpe() {
         return cpe;
     }
 
     /**
      * Set the value of cpe.
      *
      * @param cpe new value of cpe
      */
     public void setCpe(List<PropertyType> cpe) {
         this.cpe = cpe;
     }
 
     /**
      * Adds the cpe to the cpe list.
      *
      * @param cpe the cpe to add
      */
     public void addCpe(PropertyType cpe) {
         this.cpe.add(cpe);
     }
 
     /**
      * Returns whether or not this suppression rule as CPE entries.
      *
      * @return whether or not this suppression rule as CPE entries
      */
     public boolean hasCpe() {
         return cpe.size() > 0;
     }
     /**
      * The list of cvssBelow scores.
      */
     private List<Float> cvssBelow = new ArrayList<Float>();
 
     /**
      * Get the value of cvssBelow.
      *
      * @return the value of cvssBelow
      */
     public List<Float> getCvssBelow() {
         return cvssBelow;
     }
 
     /**
      * Set the value of cvssBelow.
      *
      * @param cvssBelow new value of cvssBelow
      */
     public void setCvssBelow(List<Float> cvssBelow) {
         this.cvssBelow = cvssBelow;
     }
 
     /**
      * Adds the cvss to the cvssBelow list.
      *
      * @param cvss the cvss to add
      */
     public void addCvssBelow(Float cvss) {
         this.cvssBelow.add(cvss);
     }
 
     /**
      * Returns whether or not this suppression rule has cvss suppressions.
      *
      * @return whether or not this suppression rule has cvss suppressions
      */
     public boolean hasCvssBelow() {
         return cvssBelow.size() > 0;
     }
     /**
      * The list of cwe entries to suppress.
      */
     private List<String> cwe = new ArrayList<String>();
 
     /**
      * Get the value of cwe.
      *
      * @return the value of cwe
      */
     public List<String> getCwe() {
         return cwe;
     }
 
     /**
      * Set the value of cwe.
      *
      * @param cwe new value of cwe
      */
     public void setCwe(List<String> cwe) {
         this.cwe = cwe;
     }
 
     /**
      * Adds the cwe to the cwe list.
      *
      * @param cwe the cwe to add
      */
     public void addCwe(String cwe) {
         this.cwe.add(cwe);
     }
 
     /**
      * Returns whether this suppression rule has CWE entries.
      *
      * @return whether this suppression rule has CWE entries
      */
     public boolean hasCwe() {
         return cwe.size() > 0;
     }
     /**
      * The list of cve entries to suppress.
      */
     private List<String> cve = new ArrayList<String>();
 
     /**
      * Get the value of cve.
      *
      * @return the value of cve
      */
     public List<String> getCve() {
         return cve;
     }
 
     /**
      * Set the value of cve.
      *
      * @param cve new value of cve
      */
     public void setCve(List<String> cve) {
         this.cve = cve;
     }
 
     /**
      * Adds the cve to the cve list.
      *
      * @param cve the cve to add
      */
     public void addCve(String cve) {
         this.cve.add(cve);
     }
 
     /**
      * Returns whether this suppression rule has CVE entries.
      *
      * @return whether this suppression rule has CVE entries
      */
     public boolean hasCve() {
         return cve.size() > 0;
     }
 
     /**
      * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS
      * scores should be suppressed. If any should be, they are removed from the
      * dependency.
      *
      * @param dependency a project dependency to analyze
      */
     public void process(Dependency dependency) {
         if (filePath != null && !filePath.matches(dependency.getFilePath())) {
             return;
         }
         if (sha1 != null && !sha1.equalsIgnoreCase(dependency.getSha1sum())) {
             return;
         }
         if (this.hasCpe()) {
             final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
             while (itr.hasNext()) {
                 final Identifier i = itr.next();
                 for (PropertyType c : this.cpe) {
                     if (cpeMatches(c, i)) {
                         itr.remove();
                         break;
                     }
                 }
             }
         }
         if (hasCve() || hasCwe() || hasCvssBelow()) {
             final Iterator<Vulnerability> itr = dependency.getVulnerabilities().iterator();
             while (itr.hasNext()) {
                 boolean remove = false;
                 final Vulnerability v = itr.next();
                 for (String entry : this.cve) {
                     if (entry.equalsIgnoreCase(v.getName())) {
                         remove = true;
                         break;
                     }
                 }
                 if (!remove) {
                     for (String entry : this.cwe) {
                         if (v.getCwe() != null) {
                             final String toMatch = String.format("CWE-%s ", entry);
                             final String toTest = v.getCwe().substring(0, toMatch.length()).toUpperCase();
                             if (toTest.equals(toMatch)) {
                                 remove = true;
                                 break;
                             }
                         }
                     }
                 }
                 if (!remove) {
                     for (float cvss : this.cvssBelow) {
                         if (v.getCvssScore() < cvss) {
                             remove = true;
                             break;
                         }
                     }
                 }
                 if (remove) {
                     itr.remove();
                 }
             }
         }
     }
 
     /**
      * Identifies if the cpe specified by the cpe suppression rule does not
      * specify a version.
      *
      * @param c a suppression rule identifier
      * @return true if the property type does not specify a version; otherwise
      * false
      */
     boolean cpeHasNoVersion(PropertyType c) {
         if (c.isRegex()) {
             return false;
         } // cpe:/a:jboss:jboss:1.0.0:
         if (countCharacter(c.getValue(), ':') == 3) {
             return true;
         }
         return false;
     }
 
     /**
      * Counts the number of occurrences of the character found within the
      * string.
      *
      * @param str the string to check
      * @param c the character to count
      * @return the number of times the character is found in the string
      */
     int countCharacter(String str, char c) {
         int count = 0;
         int pos = str.indexOf(c) + 1;
         while (pos > 0) {
             count += 1;
             pos = str.indexOf(c, pos) + 1;
         }
         return count;
     }
 
     /**
      * Determines if the cpeEntry specified as a PropertyType matches the given
      * Identifier.
      *
      * @param cpeEntry a suppression rule entry
      * @param identifier a CPE identifier to check
      * @return true if the entry matches; otherwise false
      */
     boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) {
         if (cpeEntry.matches(identifier.getValue())) {
             return true;
         } else if (cpeHasNoVersion(cpeEntry)) {
             if (cpeEntry.isCaseSensitive()) {
                 if (identifier.getValue().startsWith(cpeEntry.getValue())) {
                     return true;
                 }
             } else {
                 final String id = identifier.getValue().toLowerCase();
                 final String check = cpeEntry.getValue().toLowerCase();
                 if (id.startsWith(check)) {
                     return true;
                 }
             }
         }
         return false;
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Dependency-check-core is free software: you can redistribute it and/or modify it
5		* under the terms of the GNU General Public License as published by the Free
6		* Software Foundation, either version 3 of the License, or (at your option) any
7		* later version.
8		*
9		* Dependency-check-core is distributed in the hope that it will be useful, but
10		* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11		* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
12		* details.
13		*
14		* You should have received a copy of the GNU General Public License along with
15		* dependency-check-core. If not, see http://www.gnu.org/licenses/.
16		*
17		* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
18		*/
19		package org.owasp.dependencycheck.suppression;
20
21		import java.util.ArrayList;
22		import java.util.Iterator;
23		import java.util.List;
24		import org.owasp.dependencycheck.dependency.Dependency;
25		import org.owasp.dependencycheck.dependency.Identifier;
26		import org.owasp.dependencycheck.dependency.Vulnerability;
27
28		/**
29		*
30		* @author Jeremy Long <jeremy.long@owasp.org>
31		*/
32	23	public class SuppressionRule {
33
34		/**
35		* The file path for the suppression.
36		*/
37		private PropertyType filePath;
38
39		/**
40		* Get the value of filePath.
41		*
42		* @return the value of filePath
43		*/
44		public PropertyType getFilePath() {
45	1	return filePath;
46		}
47
48		/**
49		* Set the value of filePath.
50		*
51		* @param filePath new value of filePath
52		*/
53		public void setFilePath(PropertyType filePath) {
54	8	this.filePath = filePath;
55	8	}
56		/**
57		* The sha1 hash.
58		*/
59		private String sha1;
60
61		/**
62		* Get the value of sha1.
63		*
64		* @return the value of sha1
65		*/
66		public String getSha1() {
67	1	return sha1;
68		}
69
70		/**
71		* Set the value of sha1.
72		*
73		* @param sha1 new value of sha1
74		*/
75		public void setSha1(String sha1) {
76	4	this.sha1 = sha1;
77	4	}
78		/**
79		* A list of CPEs to suppression
80		*/
81	23	private List<PropertyType> cpe = new ArrayList<PropertyType>();
82
83		/**
84		* Get the value of cpe.
85		*
86		* @return the value of cpe
87		*/
88		public List<PropertyType> getCpe() {
89	1	return cpe;
90		}
91
92		/**
93		* Set the value of cpe.
94		*
95		* @param cpe new value of cpe
96		*/
97		public void setCpe(List<PropertyType> cpe) {
98	1	this.cpe = cpe;
99	1	}
100
101		/**
102		* Adds the cpe to the cpe list.
103		*
104		* @param cpe the cpe to add
105		*/
106		public void addCpe(PropertyType cpe) {
107	8	this.cpe.add(cpe);
108	8	}
109
110		/**
111		* Returns whether or not this suppression rule as CPE entries.
112		*
113		* @return whether or not this suppression rule as CPE entries
114		*/
115		public boolean hasCpe() {
116	10	return cpe.size() > 0;
117		}
118		/**
119		* The list of cvssBelow scores.
120		*/
121	23	private List<Float> cvssBelow = new ArrayList<Float>();
122
123		/**
124		* Get the value of cvssBelow.
125		*
126		* @return the value of cvssBelow
127		*/
128		public List<Float> getCvssBelow() {
129	1	return cvssBelow;
130		}
131
132		/**
133		* Set the value of cvssBelow.
134		*
135		* @param cvssBelow new value of cvssBelow
136		*/
137		public void setCvssBelow(List<Float> cvssBelow) {
138	1	this.cvssBelow = cvssBelow;
139	1	}
140
141		/**
142		* Adds the cvss to the cvssBelow list.
143		*
144		* @param cvss the cvss to add
145		*/
146		public void addCvssBelow(Float cvss) {
147	5	this.cvssBelow.add(cvss);
148	5	}
149
150		/**
151		* Returns whether or not this suppression rule has cvss suppressions.
152		*
153		* @return whether or not this suppression rule has cvss suppressions
154		*/
155		public boolean hasCvssBelow() {
156	7	return cvssBelow.size() > 0;
157		}
158		/**
159		* The list of cwe entries to suppress.
160		*/
161	23	private List<String> cwe = new ArrayList<String>();
162
163		/**
164		* Get the value of cwe.
165		*
166		* @return the value of cwe
167		*/
168		public List<String> getCwe() {
169	1	return cwe;
170		}
171
172		/**
173		* Set the value of cwe.
174		*
175		* @param cwe new value of cwe
176		*/
177		public void setCwe(List<String> cwe) {
178	1	this.cwe = cwe;
179	1	}
180
181		/**
182		* Adds the cwe to the cwe list.
183		*
184		* @param cwe the cwe to add
185		*/
186		public void addCwe(String cwe) {
187	2	this.cwe.add(cwe);
188	2	}
189
190		/**
191		* Returns whether this suppression rule has CWE entries.
192		*
193		* @return whether this suppression rule has CWE entries
194		*/
195		public boolean hasCwe() {
196	8	return cwe.size() > 0;
197		}
198		/**
199		* The list of cve entries to suppress.
200		*/
201	23	private List<String> cve = new ArrayList<String>();
202
203		/**
204		* Get the value of cve.
205		*
206		* @return the value of cve
207		*/
208		public List<String> getCve() {
209	1	return cve;
210		}
211
212		/**
213		* Set the value of cve.
214		*
215		* @param cve new value of cve
216		*/
217		public void setCve(List<String> cve) {
218	1	this.cve = cve;
219	1	}
220
221		/**
222		* Adds the cve to the cve list.
223		*
224		* @param cve the cve to add
225		*/
226		public void addCve(String cve) {
227	7	this.cve.add(cve);
228	7	}
229
230		/**
231		* Returns whether this suppression rule has CVE entries.
232		*
233		* @return whether this suppression rule has CVE entries
234		*/
235		public boolean hasCve() {
236	10	return cve.size() > 0;
237		}
238
239		/**
240		* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS
241		* scores should be suppressed. If any should be, they are removed from the
242		* dependency.
243		*
244		* @param dependency a project dependency to analyze
245		*/
246		public void process(Dependency dependency) {
247	9	if (filePath != null && !filePath.matches(dependency.getFilePath())) {
248	0	return;
249		}
250	9	if (sha1 != null && !sha1.equalsIgnoreCase(dependency.getSha1sum())) {
251	1	return;
252		}
253	8	if (this.hasCpe()) {
254	3	final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
255	8	while (itr.hasNext()) {
256	5	final Identifier i = itr.next();
257	5	for (PropertyType c : this.cpe) {
258	9	if (cpeMatches(c, i)) {
259	4	itr.remove();
260	4	break;
261		}
262	5	}
263	5	}
264		}
265	8	if (hasCve() \|\| hasCwe() \|\| hasCvssBelow()) {
266	5	final Iterator<Vulnerability> itr = dependency.getVulnerabilities().iterator();
267	10	while (itr.hasNext()) {
268	5	boolean remove = false;
269	5	final Vulnerability v = itr.next();
270	5	for (String entry : this.cve) {
271	3	if (entry.equalsIgnoreCase(v.getName())) {
272	1	remove = true;
273	1	break;
274		}
275	2	}
276	5	if (!remove) {
277	4	for (String entry : this.cwe) {
278	1	if (v.getCwe() != null) {
279	1	final String toMatch = String.format("CWE-%s ", entry);
280	1	final String toTest = v.getCwe().substring(0, toMatch.length()).toUpperCase();
281	1	if (toTest.equals(toMatch)) {
282	1	remove = true;
283	1	break;
284		}
285		}
286	0	}
287		}
288	5	if (!remove) {
289	3	for (float cvss : this.cvssBelow) {
290	3	if (v.getCvssScore() < cvss) {
291	1	remove = true;
292	1	break;
293		}
294	2	}
295		}
296	5	if (remove) {
297	3	itr.remove();
298		}
299	5	}
300		}
301	8	}
302
303		/**
304		* Identifies if the cpe specified by the cpe suppression rule does not
305		* specify a version.
306		*
307		* @param c a suppression rule identifier
308		* @return true if the property type does not specify a version; otherwise
309		* false
310		*/
311		boolean cpeHasNoVersion(PropertyType c) {
312	14	if (c.isRegex()) {
313	2	return false;
314		} // cpe:/a:jboss:jboss:1.0.0:
315	12	if (countCharacter(c.getValue(), ':') == 3) {
316	3	return true;
317		}
318	9	return false;
319		}
320
321		/**
322		* Counts the number of occurrences of the character found within the
323		* string.
324		*
325		* @param str the string to check
326		* @param c the character to count
327		* @return the number of times the character is found in the string
328		*/
329		int countCharacter(String str, char c) {
330	15	int count = 0;
331	15	int pos = str.indexOf(c) + 1;
332	66	while (pos > 0) {
333	51	count += 1;
334	51	pos = str.indexOf(c, pos) + 1;
335		}
336	15	return count;
337		}
338
339		/**
340		* Determines if the cpeEntry specified as a PropertyType matches the given
341		* Identifier.
342		*
343		* @param cpeEntry a suppression rule entry
344		* @param identifier a CPE identifier to check
345		* @return true if the entry matches; otherwise false
346		*/
347		boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) {
348	16	if (cpeEntry.matches(identifier.getValue())) {
349	5	return true;
350	11	} else if (cpeHasNoVersion(cpeEntry)) {
351	2	if (cpeEntry.isCaseSensitive()) {
352	0	if (identifier.getValue().startsWith(cpeEntry.getValue())) {
353	0	return true;
354		}
355		} else {
356	2	final String id = identifier.getValue().toLowerCase();
357	2	final String check = cpeEntry.getValue().toLowerCase();
358	2	if (id.startsWith(check)) {
359	2	return true;
360		}
361		}
362		}
363	9	return false;
364		}
365		}