1 /*
2 * This file is part of dependency-check-core.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17 */
18 package org.owasp.dependencycheck.dependency;
19
20 import java.io.Serializable;
21 import java.util.Set;
22 import java.util.SortedSet;
23 import java.util.TreeSet;
24
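/**
 * Contains the information about a vulnerability.
 * <p>
 * Identity ({@link #equals(Object)} and {@link #hashCode()}) is based solely on the vulnerability
 * {@link #getName() name}. The natural ordering ({@link #compareTo(Vulnerability)}) is also by
 * name, but in reverse (descending) order. This is a mutable bean with no synchronization, so it
 * must not be modified concurrently.
 *
 * @author Jeremy Long
 */
public class Vulnerability implements Serializable, Comparable<Vulnerability> {

    /**
     * The serial version uid.
     */
    private static final long serialVersionUID = 307319490326651052L;
    /**
     * The name of the vulnerability; the sole key used by equals, hashCode and compareTo.
     */
    private String name;
    /**
     * The description of the vulnerability.
     */
    private String description;
    /**
     * References for this vulnerability.
     */
    private SortedSet<Reference> references = new TreeSet<Reference>();
    /**
     * A set of vulnerable software.
     */
    private SortedSet<VulnerableSoftware> vulnerableSoftware = new TreeSet<VulnerableSoftware>();
    /**
     * The CWE for the vulnerability.
     */
    private String cwe;
    /**
     * CVSS Score.
     */
    private float cvssScore;
    /**
     * CVSS Access Vector.
     */
    private String cvssAccessVector;
    /**
     * CVSS Access Complexity.
     */
    private String cvssAccessComplexity;
    /**
     * CVSS Authentication.
     */
    private String cvssAuthentication;
    /**
     * CVSS Confidentiality Impact.
     */
    private String cvssConfidentialityImpact;
    /**
     * CVSS Integrity Impact.
     */
    private String cvssIntegrityImpact;
    /**
     * CVSS Availability Impact.
     */
    private String cvssAvailabilityImpact;
    /**
     * The CPE id that caused this vulnerability to be flagged.
     */
    private String matchedCPE;
    /**
     * Whether or not all previous versions were affected; any non-null value is treated as true.
     */
    private String matchedAllPreviousCPE;

    /**
     * Get the value of name.
     *
     * @return the value of name
     */
    public String getName() {
        return name;
    }

    /**
     * Set the value of name. Changing the name changes the identity and ordering of this object;
     * do not call this while the object is held in a hash- or tree-based collection.
     *
     * @param name new value of name
     */
    public void setName(String name) {
        this.name = name;
    }

    /**
     * Get the value of description.
     *
     * @return the value of description
     */
    public String getDescription() {
        return description;
    }

    /**
     * Set the value of description.
     *
     * @param description new value of description
     */
    public void setDescription(String description) {
        this.description = description;
    }

    /**
     * Get the references. The live backing set is returned; modifications to it are reflected in
     * this vulnerability.
     *
     * @return the value of references
     */
    public Set<Reference> getReferences() {
        return references;
    }

    /**
     * Set the value of references.
     *
     * @param references new value of references; if {@code null}, subsequent calls to
     * {@link #addReference} will fail with a {@link NullPointerException}
     */
    public void setReferences(SortedSet<Reference> references) {
        this.references = references;
    }

    /**
     * Adds a reference to the references collection.
     *
     * @param ref a reference for the vulnerability
     */
    public void addReference(Reference ref) {
        this.references.add(ref);
    }

    /**
     * Builds a reference from its parts and adds it to the references collection.
     *
     * @param referenceSource the source of the reference
     * @param referenceName the referenceName of the reference
     * @param referenceUrl the url of the reference
     */
    public void addReference(String referenceSource, String referenceName, String referenceUrl) {
        final Reference ref = new Reference();
        ref.setSource(referenceSource);
        ref.setName(referenceName);
        ref.setUrl(referenceUrl);
        this.references.add(ref);
    }

    /**
     * Get the vulnerable software. The live backing set is returned; modifications to it are
     * reflected in this vulnerability.
     *
     * @return the value of vulnerableSoftware
     */
    public Set<VulnerableSoftware> getVulnerableSoftware() {
        return vulnerableSoftware;
    }

    /**
     * Set the value of vulnerableSoftware.
     *
     * @param vulnerableSoftware new value of vulnerableSoftware; if {@code null}, subsequent calls
     * to {@link #updateVulnerableSoftware} will fail with a {@link NullPointerException}
     */
    public void setVulnerableSoftware(SortedSet<VulnerableSoftware> vulnerableSoftware) {
        this.vulnerableSoftware = vulnerableSoftware;
    }

    /**
     * Adds an entry for vulnerable software without a previous-version marker.
     *
     * @param cpe string representation of a CPE entry
     * @return if the add succeeded
     */
    public boolean addVulnerableSoftware(String cpe) {
        return addVulnerableSoftware(cpe, null);
    }

    /**
     * Adds an entry for vulnerable software.
     *
     * @param cpe string representation of a cpe
     * @param previousVersion the previous version (previousVersion - cpe would be considered
     * vulnerable); ignored when {@code null}
     * @return if the add succeeded
     */
    public boolean addVulnerableSoftware(String cpe, String previousVersion) {
        final VulnerableSoftware vs = new VulnerableSoftware();
        vs.setCpe(cpe);
        if (previousVersion != null) {
            vs.setPreviousVersion(previousVersion);
        }
        return updateVulnerableSoftware(vs);
    }

    /**
     * Adds or updates a vulnerable software entry. An existing entry that compares equal (per the
     * set's ordering) is replaced by the supplied one.
     *
     * @param vulnSoftware the vulnerable software
     * @return if the update succeeded
     */
    public boolean updateVulnerableSoftware(VulnerableSoftware vulnSoftware) {
        // remove() is a no-op when the entry is absent, so a prior contains() check is redundant
        vulnerableSoftware.remove(vulnSoftware);
        return vulnerableSoftware.add(vulnSoftware);
    }

    /**
     * Get the value of cwe.
     *
     * @return the value of cwe
     */
    public String getCwe() {
        return cwe;
    }

    /**
     * Set the value of cwe.
     *
     * @param cwe new value of cwe
     */
    public void setCwe(String cwe) {
        this.cwe = cwe;
    }

    /**
     * Get the value of cvssScore.
     *
     * @return the value of cvssScore
     */
    public float getCvssScore() {
        return cvssScore;
    }

    /**
     * Set the value of cvssScore.
     *
     * @param cvssScore new value of cvssScore
     */
    public void setCvssScore(float cvssScore) {
        this.cvssScore = cvssScore;
    }

    /**
     * Get the value of cvssAccessVector.
     *
     * @return the value of cvssAccessVector
     */
    public String getCvssAccessVector() {
        return cvssAccessVector;
    }

    /**
     * Set the value of cvssAccessVector.
     *
     * @param cvssAccessVector new value of cvssAccessVector
     */
    public void setCvssAccessVector(String cvssAccessVector) {
        this.cvssAccessVector = cvssAccessVector;
    }

    /**
     * Get the value of cvssAccessComplexity.
     *
     * @return the value of cvssAccessComplexity
     */
    public String getCvssAccessComplexity() {
        return cvssAccessComplexity;
    }

    /**
     * Set the value of cvssAccessComplexity.
     *
     * @param cvssAccessComplexity new value of cvssAccessComplexity
     */
    public void setCvssAccessComplexity(String cvssAccessComplexity) {
        this.cvssAccessComplexity = cvssAccessComplexity;
    }

    /**
     * Get the value of cvssAuthentication.
     *
     * @return the value of cvssAuthentication
     */
    public String getCvssAuthentication() {
        return cvssAuthentication;
    }

    /**
     * Set the value of cvssAuthentication.
     *
     * @param cvssAuthentication new value of cvssAuthentication
     */
    public void setCvssAuthentication(String cvssAuthentication) {
        this.cvssAuthentication = cvssAuthentication;
    }

    /**
     * Get the value of cvssConfidentialityImpact.
     *
     * @return the value of cvssConfidentialityImpact
     */
    public String getCvssConfidentialityImpact() {
        return cvssConfidentialityImpact;
    }

    /**
     * Set the value of cvssConfidentialityImpact.
     *
     * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
     */
    public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
        this.cvssConfidentialityImpact = cvssConfidentialityImpact;
    }

    /**
     * Get the value of cvssIntegrityImpact.
     *
     * @return the value of cvssIntegrityImpact
     */
    public String getCvssIntegrityImpact() {
        return cvssIntegrityImpact;
    }

    /**
     * Set the value of cvssIntegrityImpact.
     *
     * @param cvssIntegrityImpact new value of cvssIntegrityImpact
     */
    public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
        this.cvssIntegrityImpact = cvssIntegrityImpact;
    }

    /**
     * Get the value of cvssAvailabilityImpact.
     *
     * @return the value of cvssAvailabilityImpact
     */
    public String getCvssAvailabilityImpact() {
        return cvssAvailabilityImpact;
    }

    /**
     * Set the value of cvssAvailabilityImpact.
     *
     * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
     */
    public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
        this.cvssAvailabilityImpact = cvssAvailabilityImpact;
    }

    /**
     * Sets the CPE that caused this vulnerability to be flagged.
     *
     * @param cpeId a CPE identifier
     * @param previous a flag indicating whether or not all previous versions were affected (any
     * non-null value is considered true)
     */
    public void setMatchedCPE(String cpeId, String previous) {
        matchedCPE = cpeId;
        matchedAllPreviousCPE = previous;
    }

    /**
     * Get the value of matchedCPE.
     *
     * @return the value of matchedCPE
     */
    public String getMatchedCPE() {
        return matchedCPE;
    }

    /**
     * Get the value of matchedAllPreviousCPE.
     *
     * @return the value of matchedAllPreviousCPE
     */
    public String getMatchedAllPreviousCPE() {
        return matchedAllPreviousCPE;
    }

    /**
     * Determines whether or not matchedAllPreviousCPE has been set.
     *
     * @return true if matchedAllPreviousCPE is not null; otherwise false
     */
    public boolean hasMatchedAllPreviousCPE() {
        return matchedAllPreviousCPE != null;
    }

    /**
     * Two vulnerabilities are equal when they are of the same class and have equal names (two
     * {@code null} names are equal). No other field participates.
     *
     * @param obj the object to compare with
     * @return true if {@code obj} is a vulnerability with the same name
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final Vulnerability other = (Vulnerability) obj;
        return (this.name == null) ? (other.name == null) : this.name.equals(other.name);
    }

    /**
     * Hash derived from the name only, consistent with {@link #equals(Object)}.
     *
     * @return the hash code
     */
    @Override
    public int hashCode() {
        // the historical formula is kept so hash values stay stable for existing callers
        int hash = 5;
        hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
        return hash;
    }

    /**
     * Renders the name followed by the references and vulnerable software, one per line.
     *
     * @return a multi-line description of this vulnerability
     */
    @Override
    public String toString() {
        final StringBuilder sb = new StringBuilder("Vulnerability ");
        sb.append(this.name);
        sb.append("\nReferences:\n");
        for (Reference reference : this.references) {
            sb.append("=> ");
            sb.append(reference);
            sb.append("\n");
        }
        sb.append("\nSoftware:\n");
        for (VulnerableSoftware software : this.vulnerableSoftware) {
            sb.append("=> ");
            sb.append(software);
            sb.append("\n");
        }
        return sb.toString();
    }

    /**
     * Compares two vulnerabilities by name in reverse (descending) order, null-safely. A
     * vulnerability without a name is treated as having the smallest possible name and therefore
     * sorts last; two nameless vulnerabilities compare equal, matching {@link #equals(Object)}.
     *
     * @param v a vulnerability to be compared
     * @return a negative integer, zero, or a positive integer as this object is less than, equal to,
     * or greater than the specified vulnerability
     */
    @Override
    public int compareTo(Vulnerability v) {
        final String mine = this.getName();
        final String theirs = v.getName();
        if (mine == null || theirs == null) {
            // previously an NPE; now consistent with equals(): null == null, null sorts after named
            return (mine == theirs) ? 0 : (mine == null ? 1 : -1);
        }
        // intentionally reversed (other vs. this) so iteration yields descending names;
        // presumably so newer identifiers come first — confirm with report callers before changing
        return theirs.compareTo(mine);
    }
}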