1 /*
2 * This file is part of dependency-check-core.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17 */
18 package org.owasp.dependencycheck.dependency;
19
20 import java.io.Serializable;
21 import java.util.Set;
22 import java.util.SortedSet;
23 import java.util.TreeSet;
24 import java.util.Iterator;
25
26 /**
27 * Contains the information about a vulnerability.
28 *
29 * @author Jeremy Long
30 */
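public class Vulnerability implements Serializable, Comparable<Vulnerability> {

    /**
     * The serial version uid.
     */
    private static final long serialVersionUID = 307319490326651052L;

    /**
     * The name of the vulnerability (the identifier used for equality, hashing and ordering).
     */
    private String name;

    /**
     * Get the value of name.
     *
     * @return the value of name
     */
    public String getName() {
        return name;
    }

    /**
     * Set the value of name.
     *
     * @param name new value of name
     */
    public void setName(String name) {
        this.name = name;
    }
    /**
     * The description of the vulnerability.
     */
    private String description;

    /**
     * Get the value of description.
     *
     * @return the value of description
     */
    public String getDescription() {
        return description;
    }

    /**
     * Set the value of description.
     *
     * @param description new value of description
     */
    public void setDescription(String description) {
        this.description = description;
    }
    /**
     * References for this vulnerability.
     */
    private SortedSet<Reference> references = new TreeSet<Reference>();

    /**
     * Get the value of references.
     *
     * <p>The returned set is the live internal collection, not a copy; changes made to it are reflected in this
     * vulnerability.</p>
     *
     * @return the value of references
     */
    public Set<Reference> getReferences() {
        return references;
    }

    /**
     * Set the value of references.
     *
     * <p>The given set is stored directly (not copied). Passing {@code null} causes subsequent calls to
     * {@link #addReference(Reference)} to fail with a {@link NullPointerException}.</p>
     *
     * @param references new value of references
     */
    public void setReferences(SortedSet<Reference> references) {
        this.references = references;
    }

    /**
     * Adds a reference to the references collection.
     *
     * @param ref a reference for the vulnerability
     */
    public void addReference(Reference ref) {
        this.references.add(ref);
    }

    /**
     * Adds a reference built from its source, name and URL.
     *
     * @param referenceSource the source of the reference
     * @param referenceName the referenceName of the reference
     * @param referenceUrl the url of the reference
     */
    public void addReference(String referenceSource, String referenceName, String referenceUrl) {
        final Reference ref = new Reference();
        ref.setSource(referenceSource);
        ref.setName(referenceName);
        ref.setUrl(referenceUrl);
        addReference(ref);
    }
    /**
     * A set of vulnerable software.
     */
    private SortedSet<VulnerableSoftware> vulnerableSoftware = new TreeSet<VulnerableSoftware>();

    /**
     * Get the value of vulnerableSoftware.
     *
     * <p>The returned set is the live internal collection, not a copy; changes made to it are reflected in this
     * vulnerability.</p>
     *
     * @return the value of vulnerableSoftware
     */
    public Set<VulnerableSoftware> getVulnerableSoftware() {
        return vulnerableSoftware;
    }

    /**
     * Set the value of vulnerableSoftware.
     *
     * <p>The given set is stored directly (not copied). Passing {@code null} causes subsequent calls to
     * {@link #updateVulnerableSoftware(VulnerableSoftware)} to fail with a {@link NullPointerException}.</p>
     *
     * @param vulnerableSoftware new value of vulnerableSoftware
     */
    public void setVulnerableSoftware(SortedSet<VulnerableSoftware> vulnerableSoftware) {
        this.vulnerableSoftware = vulnerableSoftware;
    }

    /**
     * Adds an entry for vulnerable software without a previous-version marker.
     *
     * @param cpe string representation of a CPE entry
     * @return if the add succeeded
     */
    public boolean addVulnerableSoftware(String cpe) {
        return addVulnerableSoftware(cpe, null);
    }

    /**
     * Adds an entry for vulnerable software.
     *
     * @param cpe string representation of a cpe
     * @param previousVersion the previous version (previousVersion - cpe would be considered vulnerable); may be
     * {@code null}, in which case no previous version is recorded
     * @return if the add succeeded
     */
    public boolean addVulnerableSoftware(String cpe, String previousVersion) {
        final VulnerableSoftware vs = new VulnerableSoftware();
        vs.setCpe(cpe);
        if (previousVersion != null) {
            vs.setPreviousVersion(previousVersion);
        }
        return updateVulnerableSoftware(vs);
    }

    /**
     * Adds or updates a vulnerable software entry. An existing entry that compares equal to the given one is
     * replaced, so the most recently supplied entry wins.
     *
     * @param vulnSoftware the vulnerable software
     * @return if the update succeeded
     */
    public boolean updateVulnerableSoftware(VulnerableSoftware vulnSoftware) {
        // remove() is a no-op when the entry is absent, so no contains() pre-check is needed
        vulnerableSoftware.remove(vulnSoftware);
        return vulnerableSoftware.add(vulnSoftware);
    }
    /**
     * The CWE for the vulnerability.
     */
    private String cwe;

    /**
     * Get the value of cwe.
     *
     * @return the value of cwe
     */
    public String getCwe() {
        return cwe;
    }

    /**
     * Set the value of cwe.
     *
     * @param cwe new value of cwe
     */
    public void setCwe(String cwe) {
        this.cwe = cwe;
    }
    /**
     * CVSS Score.
     */
    private float cvssScore;

    /**
     * Get the value of cvssScore.
     *
     * @return the value of cvssScore
     */
    public float getCvssScore() {
        return cvssScore;
    }

    /**
     * Set the value of cvssScore.
     *
     * @param cvssScore new value of cvssScore
     */
    public void setCvssScore(float cvssScore) {
        this.cvssScore = cvssScore;
    }
    /**
     * CVSS Access Vector.
     */
    private String cvssAccessVector;

    /**
     * Get the value of cvssAccessVector.
     *
     * @return the value of cvssAccessVector
     */
    public String getCvssAccessVector() {
        return cvssAccessVector;
    }

    /**
     * Set the value of cvssAccessVector.
     *
     * @param cvssAccessVector new value of cvssAccessVector
     */
    public void setCvssAccessVector(String cvssAccessVector) {
        this.cvssAccessVector = cvssAccessVector;
    }
    /**
     * CVSS Access Complexity.
     */
    private String cvssAccessComplexity;

    /**
     * Get the value of cvssAccessComplexity.
     *
     * @return the value of cvssAccessComplexity
     */
    public String getCvssAccessComplexity() {
        return cvssAccessComplexity;
    }

    /**
     * Set the value of cvssAccessComplexity.
     *
     * @param cvssAccessComplexity new value of cvssAccessComplexity
     */
    public void setCvssAccessComplexity(String cvssAccessComplexity) {
        this.cvssAccessComplexity = cvssAccessComplexity;
    }
    /**
     * CVSS Authentication.
     */
    private String cvssAuthentication;

    /**
     * Get the value of cvssAuthentication.
     *
     * @return the value of cvssAuthentication
     */
    public String getCvssAuthentication() {
        return cvssAuthentication;
    }

    /**
     * Set the value of cvssAuthentication.
     *
     * @param cvssAuthentication new value of cvssAuthentication
     */
    public void setCvssAuthentication(String cvssAuthentication) {
        this.cvssAuthentication = cvssAuthentication;
    }
    /**
     * CVSS Confidentiality Impact.
     */
    private String cvssConfidentialityImpact;

    /**
     * Get the value of cvssConfidentialityImpact.
     *
     * @return the value of cvssConfidentialityImpact
     */
    public String getCvssConfidentialityImpact() {
        return cvssConfidentialityImpact;
    }

    /**
     * Set the value of cvssConfidentialityImpact.
     *
     * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
     */
    public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
        this.cvssConfidentialityImpact = cvssConfidentialityImpact;
    }
    /**
     * CVSS Integrity Impact.
     */
    private String cvssIntegrityImpact;

    /**
     * Get the value of cvssIntegrityImpact.
     *
     * @return the value of cvssIntegrityImpact
     */
    public String getCvssIntegrityImpact() {
        return cvssIntegrityImpact;
    }

    /**
     * Set the value of cvssIntegrityImpact.
     *
     * @param cvssIntegrityImpact new value of cvssIntegrityImpact
     */
    public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
        this.cvssIntegrityImpact = cvssIntegrityImpact;
    }
    /**
     * CVSS Availability Impact.
     */
    private String cvssAvailabilityImpact;

    /**
     * Get the value of cvssAvailabilityImpact.
     *
     * @return the value of cvssAvailabilityImpact
     */
    public String getCvssAvailabilityImpact() {
        return cvssAvailabilityImpact;
    }

    /**
     * Set the value of cvssAvailabilityImpact.
     *
     * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
     */
    public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
        this.cvssAvailabilityImpact = cvssAvailabilityImpact;
    }

    /**
     * Two vulnerabilities are equal when they are of the same class and have equal names (two {@code null} names are
     * considered equal). No other field participates.
     *
     * @param obj the object to compare against
     * @return true if {@code obj} is a vulnerability with the same name; otherwise false
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final Vulnerability other = (Vulnerability) obj;
        if (this.name == null) {
            return other.name == null;
        }
        return this.name.equals(other.name);
    }

    /**
     * Hash code derived from the name only, matching {@link #equals(Object)}.
     *
     * @return the hash code
     */
    @Override
    public int hashCode() {
        int hash = 5;
        hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
        return hash;
    }

    /**
     * Renders the name followed by one line per reference and one line per vulnerable software entry.
     *
     * @return a multi-line description of this vulnerability
     */
    @Override
    public String toString() {
        final StringBuilder sb = new StringBuilder("Vulnerability ");
        sb.append(this.name);
        sb.append("\nReferences:\n");
        for (Reference reference : this.references) {
            sb.append("=> ");
            sb.append(reference);
            sb.append("\n");
        }
        sb.append("\nSoftware:\n");
        for (VulnerableSoftware software : this.vulnerableSoftware) {
            sb.append("=> ");
            sb.append(software);
            sb.append("\n");
        }
        return sb.toString();
    }
    /**
     * Compares two vulnerabilities by name. The comparison is in reverse (descending) name order: the argument's name
     * is compared to this name. Entries without a name sort after all named entries, and two unnamed entries compare
     * equal, which keeps the ordering consistent with {@link #equals(Object)}.
     *
     * @param v a vulnerability to be compared
     * @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than
     * the specified vulnerability
     * @throws NullPointerException if {@code v} is null
     */
    @Override
    public int compareTo(Vulnerability v) {
        final String thisName = this.getName();
        final String otherName = v.getName();
        if (thisName == null) {
            return otherName == null ? 0 : 1;
        }
        if (otherName == null) {
            return -1;
        }
        // reversed operands on purpose: this preserves the descending order used by existing sorted collections
        return otherName.compareTo(thisName);
    }

    /**
     * The CPE id that caused this vulnerability to be flagged.
     */
    private String matchedCPE;
    /**
     * Whether or not all previous versions were affected; any non-null value is treated as true.
     */
    private String matchedAllPreviousCPE;

    /**
     * Sets the CPE that caused this vulnerability to be flagged.
     *
     * @param cpeId a CPE identifier
     * @param previous a flag indicating whether or not all previous versions were affected (any non-null value is
     * considered true)
     */
    public void setMatchedCPE(String cpeId, String previous) {
        matchedCPE = cpeId;
        matchedAllPreviousCPE = previous;
    }

    /**
     * Get the value of matchedCPE.
     *
     * @return the value of matchedCPE
     */
    public String getMatchedCPE() {
        return matchedCPE;
    }

    /**
     * Get the value of matchedAllPreviousCPE.
     *
     * @return the value of matchedAllPreviousCPE
     */
    public String getMatchedAllPreviousCPE() {
        return matchedAllPreviousCPE;
    }

    /**
     * Determines whether or not matchedAllPreviousCPE has been set.
     *
     * @return true if matchedAllPreviousCPE is not null; otherwise false
     */
    public boolean hasMatchedAllPreviousCPE() {
        return matchedAllPreviousCPE != null;
    }
}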