/*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
18  package org.owasp.dependencycheck.dependency;
19  
20  import java.io.Serializable;
21  import java.util.Set;
22  import java.util.SortedSet;
23  import java.util.TreeSet;
24  
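/**
 * Holds the data recorded about a single vulnerability: its name, description,
 * CWE, CVSS metrics (score, access vector, access complexity, authentication and
 * the three impact values), the references that describe it, the software
 * entries it affects, and the CPE that caused it to be flagged.
 * <p>
 * Identity is defined by {@link #getName() name} alone: {@link #equals(Object)},
 * {@link #hashCode()} and {@link #compareTo(Vulnerability)} ignore every other
 * field, so two instances with the same name are interchangeable in sets and
 * maps even if their other data differs. Instances are mutable and are not
 * synchronized.
 *
 * @author Jeremy Long
 */
public class Vulnerability implements Serializable, Comparable<Vulnerability> {

    /**
     * The serial version uid.
     */
    private static final long serialVersionUID = 307319490326651052L;
    /**
     * The name of the vulnerability; the sole basis of equality, hashing and ordering.
     */
    private String name;
    /**
     * The description of the vulnerability.
     */
    private String description;
    /**
     * References for this vulnerability. Never null: a null passed to
     * {@link #setReferences(SortedSet)} is replaced by an empty set.
     */
    private SortedSet<Reference> references = new TreeSet<Reference>();
    /**
     * The software entries this vulnerability applies to. Never null: a null
     * passed to {@link #setVulnerableSoftware(SortedSet)} is replaced by an empty set.
     */
    private SortedSet<VulnerableSoftware> vulnerableSoftware = new TreeSet<VulnerableSoftware>();
    /**
     * The CWE for the vulnerability.
     */
    private String cwe;
    /**
     * CVSS Score.
     */
    private float cvssScore;
    /**
     * CVSS Access Vector.
     */
    private String cvssAccessVector;
    /**
     * CVSS Access Complexity.
     */
    private String cvssAccessComplexity;
    /**
     * CVSS Authentication.
     */
    private String cvssAuthentication;
    /**
     * CVSS Confidentiality Impact.
     */
    private String cvssConfidentialityImpact;
    /**
     * CVSS Integrity Impact.
     */
    private String cvssIntegrityImpact;
    /**
     * CVSS Availability Impact.
     */
    private String cvssAvailabilityImpact;
    /**
     * The CPE id that caused this vulnerability to be flagged.
     */
    private String matchedCPE;
    /**
     * Whether or not all previous versions of the matched CPE were affected.
     * Stored as a String: any non-null value is treated as true (see
     * {@link #hasMatchedAllPreviousCPE()}).
     */
    private String matchedAllPreviousCPE;

    /**
     * Get the value of name.
     *
     * @return the value of name; may be null if never set
     */
    public String getName() {
        return name;
    }

    /**
     * Set the value of name. Because name drives {@link #equals(Object)},
     * {@link #hashCode()} and {@link #compareTo(Vulnerability)}, changing it on an
     * instance already stored in a hash- or tree-based collection corrupts that
     * collection's lookups.
     *
     * @param name new value of name
     */
    public void setName(String name) {
        this.name = name;
    }

    /**
     * Get the value of description.
     *
     * @return the value of description
     */
    public String getDescription() {
        return description;
    }

    /**
     * Set the value of description.
     *
     * @param description new value of description
     */
    public void setDescription(String description) {
        this.description = description;
    }

    /**
     * Get the references. This is the live backing set, not a copy: changes made
     * through the returned set are visible on this instance.
     *
     * @return the references; never null
     */
    public Set<Reference> getReferences() {
        return references;
    }

    /**
     * Set the value of references.
     *
     * @param references new value of references; null is treated as an empty set so
     * that later calls to {@link #addReference(Reference)} do not fail
     */
    public void setReferences(SortedSet<Reference> references) {
        this.references = (references == null) ? new TreeSet<Reference>() : references;
    }

    /**
     * Adds a reference to the references collection.
     *
     * @param ref a reference for the vulnerability
     */
    public void addReference(Reference ref) {
        references.add(ref);
    }

    /**
     * Builds a reference from its parts and adds it to the references collection.
     *
     * @param referenceSource the source of the reference
     * @param referenceName the referenceName of the reference
     * @param referenceUrl the url of the reference
     */
    public void addReference(String referenceSource, String referenceName, String referenceUrl) {
        final Reference ref = new Reference();
        ref.setSource(referenceSource);
        ref.setName(referenceName);
        ref.setUrl(referenceUrl);
        references.add(ref);
    }

    /**
     * Get the vulnerable software entries. This is the live backing set, not a
     * copy: changes made through the returned set are visible on this instance.
     *
     * @return the vulnerable software entries; never null
     */
    public Set<VulnerableSoftware> getVulnerableSoftware() {
        return vulnerableSoftware;
    }

    /**
     * Set the value of vulnerableSoftware.
     *
     * @param vulnerableSoftware new value of vulnerableSoftware; null is treated as
     * an empty set so that later add/update calls do not fail
     */
    public void setVulnerableSoftware(SortedSet<VulnerableSoftware> vulnerableSoftware) {
        this.vulnerableSoftware = (vulnerableSoftware == null)
                ? new TreeSet<VulnerableSoftware>() : vulnerableSoftware;
    }

    /**
     * Adds an entry for vulnerable software with no previous-version marker.
     *
     * @param cpe string representation of a CPE entry
     * @return if the add succeeded
     */
    public boolean addVulnerableSoftware(String cpe) {
        return addVulnerableSoftware(cpe, null);
    }

    /**
     * Adds an entry for vulnerable software, replacing any existing entry that
     * compares equal to it.
     *
     * @param cpe string representation of a cpe
     * @param previousVersion the previous version (previousVersion - cpe would be considered vulnerable);
     * ignored when null
     * @return if the add succeeded
     */
    public boolean addVulnerableSoftware(String cpe, String previousVersion) {
        final VulnerableSoftware vs = new VulnerableSoftware();
        vs.setCpe(cpe);
        if (previousVersion != null) {
            vs.setPreviousVersion(previousVersion);
        }
        return updateVulnerableSoftware(vs);
    }

    /**
     * Adds or updates a vulnerable software entry: an existing entry that compares
     * equal to the given one (per the set's ordering) is dropped first so the new
     * object replaces it rather than being silently rejected as a duplicate.
     *
     * @param vulnSoftware the vulnerable software
     * @return if the update succeeded
     */
    public boolean updateVulnerableSoftware(VulnerableSoftware vulnSoftware) {
        // remove() is a no-op (returning false) when nothing equal is present,
        // so a separate contains() check is not needed
        vulnerableSoftware.remove(vulnSoftware);
        return vulnerableSoftware.add(vulnSoftware);
    }

    /**
     * Get the value of cwe.
     *
     * @return the value of cwe
     */
    public String getCwe() {
        return cwe;
    }

    /**
     * Set the value of cwe.
     *
     * @param cwe new value of cwe
     */
    public void setCwe(String cwe) {
        this.cwe = cwe;
    }

    /**
     * Get the value of cvssScore.
     *
     * @return the value of cvssScore
     */
    public float getCvssScore() {
        return cvssScore;
    }

    /**
     * Set the value of cvssScore.
     *
     * @param cvssScore new value of cvssScore
     */
    public void setCvssScore(float cvssScore) {
        this.cvssScore = cvssScore;
    }

    /**
     * Get the value of cvssAccessVector.
     *
     * @return the value of cvssAccessVector
     */
    public String getCvssAccessVector() {
        return cvssAccessVector;
    }

    /**
     * Set the value of cvssAccessVector.
     *
     * @param cvssAccessVector new value of cvssAccessVector
     */
    public void setCvssAccessVector(String cvssAccessVector) {
        this.cvssAccessVector = cvssAccessVector;
    }

    /**
     * Get the value of cvssAccessComplexity.
     *
     * @return the value of cvssAccessComplexity
     */
    public String getCvssAccessComplexity() {
        return cvssAccessComplexity;
    }

    /**
     * Set the value of cvssAccessComplexity.
     *
     * @param cvssAccessComplexity new value of cvssAccessComplexity
     */
    public void setCvssAccessComplexity(String cvssAccessComplexity) {
        this.cvssAccessComplexity = cvssAccessComplexity;
    }

    /**
     * Get the value of cvssAuthentication.
     *
     * @return the value of cvssAuthentication
     */
    public String getCvssAuthentication() {
        return cvssAuthentication;
    }

    /**
     * Set the value of cvssAuthentication.
     *
     * @param cvssAuthentication new value of cvssAuthentication
     */
    public void setCvssAuthentication(String cvssAuthentication) {
        this.cvssAuthentication = cvssAuthentication;
    }

    /**
     * Get the value of cvssConfidentialityImpact.
     *
     * @return the value of cvssConfidentialityImpact
     */
    public String getCvssConfidentialityImpact() {
        return cvssConfidentialityImpact;
    }

    /**
     * Set the value of cvssConfidentialityImpact.
     *
     * @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
     */
    public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
        this.cvssConfidentialityImpact = cvssConfidentialityImpact;
    }

    /**
     * Get the value of cvssIntegrityImpact.
     *
     * @return the value of cvssIntegrityImpact
     */
    public String getCvssIntegrityImpact() {
        return cvssIntegrityImpact;
    }

    /**
     * Set the value of cvssIntegrityImpact.
     *
     * @param cvssIntegrityImpact new value of cvssIntegrityImpact
     */
    public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
        this.cvssIntegrityImpact = cvssIntegrityImpact;
    }

    /**
     * Get the value of cvssAvailabilityImpact.
     *
     * @return the value of cvssAvailabilityImpact
     */
    public String getCvssAvailabilityImpact() {
        return cvssAvailabilityImpact;
    }

    /**
     * Set the value of cvssAvailabilityImpact.
     *
     * @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
     */
    public void setCvssAvailabilityImpact(String cvssAvailabilityImpact) {
        this.cvssAvailabilityImpact = cvssAvailabilityImpact;
    }

    /**
     * Sets the CPE that caused this vulnerability to be flagged.
     *
     * @param cpeId a CPE identifier
     * @param previous a flag indicating whether or not all previous versions were affected (any non-null value is
     * considered true)
     */
    public void setMatchedCPE(String cpeId, String previous) {
        matchedCPE = cpeId;
        matchedAllPreviousCPE = previous;
    }

    /**
     * Get the value of matchedCPE.
     *
     * @return the value of matchedCPE
     */
    public String getMatchedCPE() {
        return matchedCPE;
    }

    /**
     * Get the value of matchedAllPreviousCPE.
     *
     * @return the value of matchedAllPreviousCPE
     */
    public String getMatchedAllPreviousCPE() {
        return matchedAllPreviousCPE;
    }

    /**
     * Determines whether or not matchedAllPreviousCPE has been set.
     *
     * @return true if matchedAllPreviousCPE is not null; otherwise false
     */
    public boolean hasMatchedAllPreviousCPE() {
        return matchedAllPreviousCPE != null;
    }

    /**
     * Two vulnerabilities are equal when they are of the same class and have equal
     * names (two null names are equal); no other field is considered.
     *
     * @param obj the object to compare with
     * @return true if obj is a Vulnerability of the same class with the same name
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final Vulnerability other = (Vulnerability) obj;
        return compareNames(this.name, other.name) == 0;
    }

    /**
     * Hash derived from the name only, matching {@link #equals(Object)}.
     *
     * @return the hash code
     */
    @Override
    public int hashCode() {
        // formula kept unchanged so hash values stay identical to earlier releases
        int hash = 5;
        hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
        return hash;
    }

    /**
     * Compares two vulnerabilities by name. The order is the reverse of the
     * names' natural String order (this is the existing behaviour that sorted
     * collections of vulnerabilities rely on, so it is kept); a null name sorts as
     * less than any non-null name instead of throwing, so the comparison is
     * consistent with {@link #equals(Object)} even for unnamed instances.
     *
     * @param v a vulnerability to be compared
     * @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than
     * the specified vulnerability
     * @throws NullPointerException if v is null
     */
    @Override
    public int compareTo(Vulnerability v) {
        // argument order intentionally reversed: see the method javadoc
        return compareNames(v.getName(), this.getName());
    }

    /**
     * Null-tolerant String comparison: null is ordered before every non-null value,
     * two nulls compare equal, and non-null values use {@link String#compareTo(String)}.
     *
     * @param a the first name, may be null
     * @param b the second name, may be null
     * @return a negative integer, zero, or a positive integer as a is less than, equal to, or greater than b
     */
    private static int compareNames(String a, String b) {
        if (a == null) {
            return (b == null) ? 0 : -1;
        }
        if (b == null) {
            return 1;
        }
        return a.compareTo(b);
    }
}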
445 }