| Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
| SuppressionRule |
|
| 2.5416666666666665;2.542 |
| 1 | /* | |
| 2 | * This file is part of dependency-check-core. | |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | * | |
| 16 | * Copyright (c) 2013 Jeremy Long. All Rights Reserved. | |
| 17 | */ | |
| 18 | package org.owasp.dependencycheck.suppression; | |
| 19 | ||
| 20 | import java.util.ArrayList; | |
| 21 | import java.util.Iterator; | |
| 22 | import java.util.List; | |
| 23 | import org.owasp.dependencycheck.dependency.Dependency; | |
| 24 | import org.owasp.dependencycheck.dependency.Identifier; | |
| 25 | import org.owasp.dependencycheck.dependency.Vulnerability; | |
| 26 | ||
| 27 | /** | |
| 28 | * | |
| 29 | * @author Jeremy Long <jeremy.long@owasp.org> | |
| 30 | */ | |
| 31 | 23 | public class SuppressionRule { |
| 32 | ||
| 33 | /** | |
| 34 | * The file path for the suppression. | |
| 35 | */ | |
| 36 | private PropertyType filePath; | |
| 37 | ||
| 38 | /** | |
| 39 | * Get the value of filePath. | |
| 40 | * | |
| 41 | * @return the value of filePath | |
| 42 | */ | |
| 43 | public PropertyType getFilePath() { | |
| 44 | return filePath; | |
| 45 | } | |
| 46 | ||
| 47 | /** | |
| 48 | * Set the value of filePath. | |
| 49 | * | |
| 50 | * @param filePath new value of filePath | |
| 51 | */ | |
| 52 | public void setFilePath(PropertyType filePath) { | |
| 53 | this.filePath = filePath; | |
| 54 | } | |
| 55 | /** | |
| 56 | * The sha1 hash. | |
| 57 | */ | |
| 58 | private String sha1; | |
| 59 | ||
| 60 | /** | |
| 61 | * Get the value of sha1. | |
| 62 | * | |
| 63 | * @return the value of sha1 | |
| 64 | */ | |
| 65 | public String getSha1() { | |
| 66 | return sha1; | |
| 67 | } | |
| 68 | ||
| 69 | /** | |
| 70 | * Set the value of sha1. | |
| 71 | * | |
| 72 | * @param sha1 new value of sha1 | |
| 73 | */ | |
| 74 | public void setSha1(String sha1) { | |
| 75 | this.sha1 = sha1; | |
| 76 | } | |
| 77 | /** | |
| 78 | * A list of CPEs to suppression | |
| 79 | */ | |
| 80 | 23 | private List<PropertyType> cpe = new ArrayList<PropertyType>(); |
| 81 | ||
| 82 | /** | |
| 83 | * Get the value of cpe. | |
| 84 | * | |
| 85 | * @return the value of cpe | |
| 86 | */ | |
| 87 | public List<PropertyType> getCpe() { | |
| 88 | return cpe; | |
| 89 | } | |
| 90 | ||
| 91 | /** | |
| 92 | * Set the value of cpe. | |
| 93 | * | |
| 94 | * @param cpe new value of cpe | |
| 95 | */ | |
| 96 | public void setCpe(List<PropertyType> cpe) { | |
| 97 | this.cpe = cpe; | |
| 98 | } | |
| 99 | ||
| 100 | /** | |
| 101 | * Adds the cpe to the cpe list. | |
| 102 | * | |
| 103 | * @param cpe the cpe to add | |
| 104 | */ | |
| 105 | public void addCpe(PropertyType cpe) { | |
| 106 | 8 | this.cpe.add(cpe); |
| 107 | 8 | } |
| 108 | ||
| 109 | /** | |
| 110 | * Returns whether or not this suppression rule as CPE entries. | |
| 111 | * | |
| 112 | * @return whether or not this suppression rule as CPE entries | |
| 113 | */ | |
| 114 | public boolean hasCpe() { | |
| 115 | 10 | return cpe.size() > 0; |
| 116 | } | |
| 117 | /** | |
| 118 | * The list of cvssBelow scores. | |
| 119 | */ | |
| 120 | 23 | private List<Float> cvssBelow = new ArrayList<Float>(); |
| 121 | ||
| 122 | /** | |
| 123 | * Get the value of cvssBelow. | |
| 124 | * | |
| 125 | * @return the value of cvssBelow | |
| 126 | */ | |
| 127 | public List<Float> getCvssBelow() { | |
| 128 | return cvssBelow; | |
| 129 | } | |
| 130 | ||
| 131 | /** | |
| 132 | * Set the value of cvssBelow. | |
| 133 | * | |
| 134 | * @param cvssBelow new value of cvssBelow | |
| 135 | */ | |
| 136 | public void setCvssBelow(List<Float> cvssBelow) { | |
| 137 | this.cvssBelow = cvssBelow; | |
| 138 | } | |
| 139 | ||
| 140 | /** | |
| 141 | * Adds the cvss to the cvssBelow list. | |
| 142 | * | |
| 143 | * @param cvss the cvss to add | |
| 144 | */ | |
| 145 | public void addCvssBelow(Float cvss) { | |
| 146 | 5 | this.cvssBelow.add(cvss); |
| 147 | 5 | } |
| 148 | ||
| 149 | /** | |
| 150 | * Returns whether or not this suppression rule has cvss suppressions. | |
| 151 | * | |
| 152 | * @return whether or not this suppression rule has cvss suppressions | |
| 153 | */ | |
| 154 | public boolean hasCvssBelow() { | |
| 155 | 7 | return cvssBelow.size() > 0; |
| 156 | } | |
| 157 | /** | |
| 158 | * The list of cwe entries to suppress. | |
| 159 | */ | |
| 160 | 23 | private List<String> cwe = new ArrayList<String>(); |
| 161 | ||
| 162 | /** | |
| 163 | * Get the value of cwe. | |
| 164 | * | |
| 165 | * @return the value of cwe | |
| 166 | */ | |
| 167 | public List<String> getCwe() { | |
| 168 | return cwe; | |
| 169 | } | |
| 170 | ||
| 171 | /** | |
| 172 | * Set the value of cwe. | |
| 173 | * | |
| 174 | * @param cwe new value of cwe | |
| 175 | */ | |
| 176 | public void setCwe(List<String> cwe) { | |
| 177 | this.cwe = cwe; | |
| 178 | } | |
| 179 | ||
| 180 | /** | |
| 181 | * Adds the cwe to the cwe list. | |
| 182 | * | |
| 183 | * @param cwe the cwe to add | |
| 184 | */ | |
| 185 | public void addCwe(String cwe) { | |
| 186 | 2 | this.cwe.add(cwe); |
| 187 | 2 | } |
| 188 | ||
| 189 | /** | |
| 190 | * Returns whether this suppression rule has CWE entries. | |
| 191 | * | |
| 192 | * @return whether this suppression rule has CWE entries | |
| 193 | */ | |
| 194 | public boolean hasCwe() { | |
| 195 | 8 | return cwe.size() > 0; |
| 196 | } | |
| 197 | /** | |
| 198 | * The list of cve entries to suppress. | |
| 199 | */ | |
| 200 | 23 | private List<String> cve = new ArrayList<String>(); |
| 201 | ||
| 202 | /** | |
| 203 | * Get the value of cve. | |
| 204 | * | |
| 205 | * @return the value of cve | |
| 206 | */ | |
| 207 | public List<String> getCve() { | |
| 208 | return cve; | |
| 209 | } | |
| 210 | ||
| 211 | /** | |
| 212 | * Set the value of cve. | |
| 213 | * | |
| 214 | * @param cve new value of cve | |
| 215 | */ | |
| 216 | public void setCve(List<String> cve) { | |
| 217 | this.cve = cve; | |
| 218 | } | |
| 219 | ||
| 220 | /** | |
| 221 | * Adds the cve to the cve list. | |
| 222 | * | |
| 223 | * @param cve the cve to add | |
| 224 | */ | |
| 225 | public void addCve(String cve) { | |
| 226 | 7 | this.cve.add(cve); |
| 227 | 7 | } |
| 228 | ||
| 229 | /** | |
| 230 | * Returns whether this suppression rule has CVE entries. | |
| 231 | * | |
| 232 | * @return whether this suppression rule has CVE entries | |
| 233 | */ | |
| 234 | public boolean hasCve() { | |
| 235 | 10 | return cve.size() > 0; |
| 236 | } | |
| 237 | ||
| 238 | /** | |
| 239 | * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any | |
| 240 | * should be, they are removed from the dependency. | |
| 241 | * | |
| 242 | * @param dependency a project dependency to analyze | |
| 243 | */ | |
| 244 | public void process(Dependency dependency) { | |
| 245 | 9 | if (filePath != null && !filePath.matches(dependency.getFilePath())) { |
| 246 | 0 | return; |
| 247 | } | |
| 248 | 9 | if (sha1 != null && !sha1.equalsIgnoreCase(dependency.getSha1sum())) { |
| 249 | 1 | return; |
| 250 | } | |
| 251 | 8 | if (this.hasCpe()) { |
| 252 | 3 | final Iterator<Identifier> itr = dependency.getIdentifiers().iterator(); |
| 253 | 8 | while (itr.hasNext()) { |
| 254 | 5 | final Identifier i = itr.next(); |
| 255 | 5 | for (PropertyType c : this.cpe) { |
| 256 | 9 | if (cpeMatches(c, i)) { |
| 257 | 4 | itr.remove(); |
| 258 | 4 | break; |
| 259 | } | |
| 260 | 5 | } |
| 261 | 5 | } |
| 262 | } | |
| 263 | 8 | if (hasCve() || hasCwe() || hasCvssBelow()) { |
| 264 | 5 | final Iterator<Vulnerability> itr = dependency.getVulnerabilities().iterator(); |
| 265 | 10 | while (itr.hasNext()) { |
| 266 | 5 | boolean remove = false; |
| 267 | 5 | final Vulnerability v = itr.next(); |
| 268 | 5 | for (String entry : this.cve) { |
| 269 | 3 | if (entry.equalsIgnoreCase(v.getName())) { |
| 270 | 1 | remove = true; |
| 271 | 1 | break; |
| 272 | } | |
| 273 | 2 | } |
| 274 | 5 | if (!remove) { |
| 275 | 4 | for (String entry : this.cwe) { |
| 276 | 1 | if (v.getCwe() != null) { |
| 277 | 1 | final String toMatch = String.format("CWE-%s ", entry); |
| 278 | 1 | final String toTest = v.getCwe().substring(0, toMatch.length()).toUpperCase(); |
| 279 | 1 | if (toTest.equals(toMatch)) { |
| 280 | 1 | remove = true; |
| 281 | 1 | break; |
| 282 | } | |
| 283 | } | |
| 284 | 0 | } |
| 285 | } | |
| 286 | 5 | if (!remove) { |
| 287 | 3 | for (float cvss : this.cvssBelow) { |
| 288 | 3 | if (v.getCvssScore() < cvss) { |
| 289 | 1 | remove = true; |
| 290 | 1 | break; |
| 291 | } | |
| 292 | 2 | } |
| 293 | } | |
| 294 | 5 | if (remove) { |
| 295 | 3 | itr.remove(); |
| 296 | } | |
| 297 | 5 | } |
| 298 | } | |
| 299 | 8 | } |
| 300 | ||
| 301 | /** | |
| 302 | * Identifies if the cpe specified by the cpe suppression rule does not specify a version. | |
| 303 | * | |
| 304 | * @param c a suppression rule identifier | |
| 305 | * @return true if the property type does not specify a version; otherwise false | |
| 306 | */ | |
| 307 | boolean cpeHasNoVersion(PropertyType c) { | |
| 308 | 14 | if (c.isRegex()) { |
| 309 | 2 | return false; |
| 310 | } // cpe:/a:jboss:jboss:1.0.0: | |
| 311 | 12 | if (countCharacter(c.getValue(), ':') == 3) { |
| 312 | 3 | return true; |
| 313 | } | |
| 314 | 9 | return false; |
| 315 | } | |
| 316 | ||
| 317 | /** | |
| 318 | * Counts the number of occurrences of the character found within the string. | |
| 319 | * | |
| 320 | * @param str the string to check | |
| 321 | * @param c the character to count | |
| 322 | * @return the number of times the character is found in the string | |
| 323 | */ | |
| 324 | int countCharacter(String str, char c) { | |
| 325 | 15 | int count = 0; |
| 326 | 15 | int pos = str.indexOf(c) + 1; |
| 327 | 66 | while (pos > 0) { |
| 328 | 51 | count += 1; |
| 329 | 51 | pos = str.indexOf(c, pos) + 1; |
| 330 | } | |
| 331 | 15 | return count; |
| 332 | } | |
| 333 | ||
| 334 | /** | |
| 335 | * Determines if the cpeEntry specified as a PropertyType matches the given Identifier. | |
| 336 | * | |
| 337 | * @param cpeEntry a suppression rule entry | |
| 338 | * @param identifier a CPE identifier to check | |
| 339 | * @return true if the entry matches; otherwise false | |
| 340 | */ | |
| 341 | boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) { | |
| 342 | 16 | if (cpeEntry.matches(identifier.getValue())) { |
| 343 | 5 | return true; |
| 344 | 11 | } else if (cpeHasNoVersion(cpeEntry)) { |
| 345 | 2 | if (cpeEntry.isCaseSensitive()) { |
| 346 | 0 | if (identifier.getValue().startsWith(cpeEntry.getValue())) { |
| 347 | 0 | return true; |
| 348 | } | |
| 349 | } else { | |
| 350 | 2 | final String id = identifier.getValue().toLowerCase(); |
| 351 | 2 | final String check = cpeEntry.getValue().toLowerCase(); |
| 352 | 2 | if (id.startsWith(check)) { |
| 353 | 2 | return true; |
| 354 | } | |
| 355 | } | |
| 356 | } | |
| 357 | 9 | return false; |
| 358 | } | |
| 359 | } |