From 2b21c7b4f336e2f62d23f322cbc50d45949e9b34 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 1 Dec 2024 08:40:47 -0500 Subject: [PATCH] feat: report on CVSS v4 resolves #7201 --- .../owasp/dependencycheck/taskdefs/Check.java | 1 + .../java/org/owasp/dependencycheck/App.java | 7 +- .../agent/DependencyCheckScanAgent.java | 1 + .../dependencycheck/reporting/ReportTool.java | 5 +- .../dependencycheck/reporting/SarifRule.java | 49 ++- .../xml/suppression/SuppressionRule.java | 5 + .../resources/schema/dependency-check.4.1.xsd | 339 ++++++++++++++++++ .../main/resources/templates/csvReport.vsl | 4 +- .../main/resources/templates/gitlabReport.vsl | 2 + .../main/resources/templates/htmlReport.vsl | 22 +- .../resources/templates/jenkinsReport.vsl | 13 +- .../main/resources/templates/jsonReport.vsl | 132 +++++++ .../main/resources/templates/junitReport.vsl | 10 +- .../main/resources/templates/sarifReport.vsl | 5 + .../main/resources/templates/xmlReport.vsl | 258 ++++++++++++- .../reporting/ReportGeneratorIT.java | 2 +- .../maven/BaseDependencyCheckMojo.java | 8 +- 17 files changed, 842 insertions(+), 21 deletions(-) create mode 100644 core/src/main/resources/schema/dependency-check.4.1.xsd diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java index 1033ab41425..32493f5211a 100644 --- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java +++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java 
@@ -2296,6 +2296,7 @@ private void checkForFailure(Dependency[] dependencies) throws BuildException { for (Vulnerability v : d.getVulnerabilities()) { if ((v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore() >= failBuildOnCVSS) || (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore() >= failBuildOnCVSS) + || (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS) || (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= failBuildOnCVSS) //safety net to fail on any if for some reason the above misses on 0 || (failBuildOnCVSS <= 0.0f)) { diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java index bac9da24cc3..889e63ba6d4 100644 --- a/cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/cli/src/main/java/org/owasp/dependencycheck/App.java 
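Review bot: The added clause `v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS` dereferences getCvssData() and auto-unboxes getBaseScore() with no null check, so a vulnerability carrying a CvssV4 record without a base score turns the fail-on-CVSS gate into a NullPointerException rather than a decision. App.determineReturnCode in this same commit uses the guarded form `v.getCvssV4() != null && v.getCvssV4().getCvssData() != null && v.getCvssV4().getCvssData().getBaseScore() != null`, and the Ant task should match it; the v2/v3 clauses share the unguarded pattern, but the new line need not copy it. The same unguarded chain is introduced in DependencyCheckScanAgent.checkForFailure, in SuppressionRule.process (`getBaseScore().compareTo(cvss)`) and in ReportTool.determineScore (`getCvssData().getBaseSeverity()`), while the SarifRule constructor in this commit does check `cvssV4.getCvssData() != null`. checkForFailure begins and ends outside the hunk.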
@@ -314,15 +314,20 @@ private int determineReturnCode(Engine engine, float cvssFailScore) { && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1; final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1; + final Double cvssV4 = v.getCvssV4() != null && v.getCvssV4().getCvssData() != null + && v.getCvssV4().getCvssData().getBaseScore() != null ? v.getCvssV4().getCvssData().getBaseScore() : -1; final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1; if (cvssV2 >= cvssFailScore || cvssV3 >= cvssFailScore + || cvssV4 >= cvssFailScore || unscoredCvss >= cvssFailScore //safety net to fail on any if for some reason the above misses on 0 || (cvssFailScore <= 0.0f)) { double score = 0.0; - if (cvssV3 >= 0.0) { + if (cvssV4 >= 0.0) { + score = cvssV4; + } else if (cvssV3 >= 0.0) { score = cvssV3; } else if (cvssV2 >= 0.0) { score = cvssV2; diff --git a/core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java b/core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java index 5d8f3eb2541..9208ece537e 100644 --- a/core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java +++ b/core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java 
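Review bot: The score written into the failure message now prefers cvssV4 over cvssV3 and cvssV2, but the condition above it fires when any of the three reaches cvssFailScore, so with v4 5.0, v3 8.0 and a threshold of 7.0 the build fails while the message reports 5.0, a value below the threshold that triggered it. Because the gate is any-of, the reported value should be the one that tripped it, e.g. `double score = Math.max(Math.max(cvssV4, cvssV3), cvssV2);` in place of the if/else chain, leaving the unscored fallback that presumably follows untouched. determineReturnCode continues outside the hunk.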
@@ -1006,6 +1006,7 @@ private void checkForFailure(Dependency[] dependencies) throws ScanAgentExceptio for (Vulnerability v : d.getVulnerabilities()) { if ((v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore() >= failBuildOnCVSS) || (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore() >= failBuildOnCVSS) + || (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS) || (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= failBuildOnCVSS) //safety net to fail on any if for some reason the above misses on 0 || (failBuildOnCVSS <= 0.0f)) { diff --git a/core/src/main/java/org/owasp/dependencycheck/reporting/ReportTool.java b/core/src/main/java/org/owasp/dependencycheck/reporting/ReportTool.java index 27cb3245df7..32615f7e347 100644 --- a/core/src/main/java/org/owasp/dependencycheck/reporting/ReportTool.java +++ b/core/src/main/java/org/owasp/dependencycheck/reporting/ReportTool.java @@ -99,7 +99,8 @@ public Collection convertToSarifRules(List dependencies) buildDescription(v.getDescription(), v.getKnownExploitedVulnerability()), v.getSource().name(), v.getCvssV2(), - v.getCvssV3()); + v.getCvssV3(), + v.getCvssV4()); rules.put(v.getName(), r); } } @@ -114,6 +115,8 @@ private String determineScore(Vulnerability vuln) { } else { return normalizeSeverity(vuln.getUnscoredSeverity().toLowerCase()); } + } else if (vuln.getCvssV4() != null && vuln.getCvssV4().getCvssData().getBaseSeverity() != null) { + return normalizeSeverity(vuln.getCvssV4().getCvssData().getBaseSeverity().value().toLowerCase()); } else if (vuln.getCvssV3() != null && vuln.getCvssV3().getCvssData().getBaseSeverity() != null) { return normalizeSeverity(vuln.getCvssV3().getCvssData().getBaseSeverity().value().toLowerCase()); } else if (vuln.getCvssV2() != null && vuln.getCvssV2().getCvssData().getBaseSeverity() != null) { 
diff --git a/core/src/main/java/org/owasp/dependencycheck/reporting/SarifRule.java b/core/src/main/java/org/owasp/dependencycheck/reporting/SarifRule.java index 57a0f339ae1..a0981ef0059 100644 --- a/core/src/main/java/org/owasp/dependencycheck/reporting/SarifRule.java +++ b/core/src/main/java/org/owasp/dependencycheck/reporting/SarifRule.java @@ -19,6 +19,7 @@ import io.github.jeremylong.openvulnerability.client.nvd.CvssV2; import io.github.jeremylong.openvulnerability.client.nvd.CvssV3; +import io.github.jeremylong.openvulnerability.client.nvd.CvssV4; /** * @@ -138,6 +139,14 @@ public class SarifRule { * CVSS V3 field. */ private String cvssv3Version; + /** + * CVSS V4 field. + */ + private String cvssv4BaseScore; + /** + * CVSS V4 Vector. + */ + private String cvssv4Vector; /** * The source of the rule. */ @@ -154,7 +163,7 @@ public class SarifRule { * @param cvssV3 the CVSS v3 score */ public SarifRule(String name, String shortDescription, String fullDescription, - String source, CvssV2 cvssV2, CvssV3 cvssV3) { + String source, CvssV2 cvssV2, CvssV3 cvssV3, CvssV4 cvssV4) { this.id = name; this.name = name; this.shortDescription = shortDescription; @@ -232,6 +241,12 @@ public SarifRule(String name, String shortDescription, String fullDescription, } this.cvssv3Version = cvssV3.getCvssData().getVersion().name(); } + if (cvssV4 != null && cvssV4.getCvssData() != null) { + if (cvssV4.getCvssData().getBaseScore() != null) { + this.cvssv4BaseScore = cvssV4.getCvssData().getBaseScore().toString(); + } + this.cvssv4Vector = cvssV4.toString(); + } } /** 
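Review bot: The Javadoc on the new `cvssv4BaseScore` field reads `CVSS V4 field.`, which says nothing about what it holds; suggest `The CVSS v4 base score rendered as a string, or null when the record carries no score.` The constructor stores `cvssV4.toString()` as the vector, which presumably relies on the client library's CvssV4.toString() producing the vector string; if that is the intent, `this.cvssv4Vector = cvssV4.getCvssData().getVectorString();` states it explicitly and does not silently change if toString() is ever altered (confirm against the library). Note also that the vector is set whenever cvssData is non-null while the base score can stay null, which the sarifReport template in this commit does not account for.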
@@ -757,4 +772,36 @@ public void setId(String id) { this.id = id; } + /** + * Get the value of CVSS4 Base Score. + * + * @return the value of CVSS4 Base Score + */ + public String getCvssv4BaseScore() { + return cvssv4BaseScore; + } + + /** + * Set the value of CVSS4 Base Score. + * @param cvssv4BaseScore new value of CVSS4 Base Score + */ + public void setCvssv4BaseScore(String cvssv4BaseScore) { + this.cvssv4BaseScore = cvssv4BaseScore; + } + + /** + * Get the Cvssv4 Vector. + * @return the Cvssv4 Vector + */ + public String getCvssv4Vector() { + return cvssv4Vector; + } + + /** + * Set the Cvssv4 Vector. + * @param cvssv4Vector new value of Cvssv4 Vector + */ + public void setCvssv4Vector(String cvssv4Vector) { + this.cvssv4Vector = cvssv4Vector; + } } diff --git a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java index 9b4a0b662d8..de007453a97 100644 --- a/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java +++ b/core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java @@ -537,6 +537,11 @@ public void process(Dependency dependency) { removeVulns.add(v); break; } + if (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore().compareTo(cvss) < 0) { + remove = true; + removeVulns.add(v); + break; + } } } if (remove && !isBase()) { diff --git a/core/src/main/resources/schema/dependency-check.4.1.xsd b/core/src/main/resources/schema/dependency-check.4.1.xsd new file mode 100644 index 00000000000..aa9a4584391 --- /dev/null +++ b/core/src/main/resources/schema/dependency-check.4.1.xsd 
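Review bot: Beyond the null dereference already noted for Check.java, the new cvssV4 clause in SuppressionRule.process widens what a `cvss` threshold suppresses: each version is tested independently and the loop breaks on the first score below the threshold, so a finding with a v3 base score of 9.8 and a v4 base score of 6.0 is now hidden by a rule written to suppress findings below 7.0. The v2/v3 pair presumably already behaves this way, but v4 and v3 base scores for the same CVE can differ materially, so existing suppression files become more permissive without their authors changing anything. Either suppress only when every available score is below the threshold, or document the any-version semantics on the `cvss` suppression element so operators can review their rules. process begins and ends outside the hunk.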
@@ -0,0 +1,339 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/core/src/main/resources/templates/csvReport.vsl b/core/src/main/resources/templates/csvReport.vsl index e421db6b8b9..620a52098b3 100644 --- a/core/src/main/resources/templates/csvReport.vsl +++ b/core/src/main/resources/templates/csvReport.vsl 
@@ -17,7 +17,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. @author Jeremy Long @version 1 *### -"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSSv2_Severity","CVSSv2_Score","CVSSv2","CVSSv3_BaseSeverity","CVSSv3_BaseScore","CVSSv3","CPE Confidence","Evidence Count","VendorProject","Product","Name","DateAdded","ShortDescription","RequiredAction","DueDate","Notes"#[[ +"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSSv2_Severity","CVSSv2_Score","CVSSv2","CVSSv3_BaseSeverity","CVSSv3_BaseScore","CVSSv3","CVSSv4_BaseSeverity","CVSSv4_BaseScore","CVSSv4","CPE Confidence","Evidence Count","VendorProject","Product","Name","DateAdded","ShortDescription","RequiredAction","DueDate","Notes"#[[ ]]##foreach($dependency in $dependencies)#if($dependency.getVulnerabilities().size()>0)#foreach($vuln in $dependency.getVulnerabilities(true)) 
-$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),$enc.csv($dependency.FilePath),$enc.csv($dependency.description),$enc.csv($dependency.license),#if(!$dependency.isVirtual())$enc.csv($dependency.Md5sum)#else""#end,#if(!$dependency.isVirtual())$enc.csv($dependency.Sha1sum)#else""#end,$enc.csvIdentifiers($dependency.softwareIdentifiers),$enc.csvIdentifiers($dependency.vulnerableSoftwareIdentifiers),$enc.csv($vuln.name),$enc.csv($vuln.getCwes().toString()),$enc.csv($vuln.description),$enc.csv($vuln.getSource().name()),#if($vuln.cvssV2)$enc.csv($vuln.cvssV2.cvssData.baseSeverity)#else""#end,#if($vuln.cvssV2)$enc.csv($vuln.cvssV2.cvssData.baseScore)#else""#end,#if($vuln.cvssV2)$enc.csv($vuln.cvssV2.toString())#else""#end,#if($vuln.cvssV3)$enc.csv($vuln.cvssV3.cvssData.baseSeverity)#else""#end,#if($vuln.cvssV3)$enc.csv($vuln.cvssV3.cvssData.baseScore)#else""#end,#if($vuln.cvssV3)$enc.csv($vuln.cvssV3.toString())#else""#end,$enc.csvCpeConfidence($dependency.softwareIdentifiers),$dependency.size(),#if($vuln.getKnownExploitedVulnerability())$enc.csv($vuln.getKnownExploitedVulnerability().getVendorProject()),$enc.csv($vuln.getKnownExploitedVulnerability().getProduct()),$enc.csv($vuln.getKnownExploitedVulnerability().getVulnerabilityName()),$enc.csv($vuln.getKnownExploitedVulnerability().getDateAdded()),$enc.csv($vuln.getKnownExploitedVulnerability().getShortDescription()),$enc.csv($vuln.getKnownExploitedVulnerability().getRequiredAction()),$enc.csv($vuln.getKnownExploitedVulnerability().getDueDate()),$enc.csv($vuln.getKnownExploitedVulnerability().getNotes())#else"","","","","","","",""#end 
+$enc.csv($applicationName),$enc.csv($scanDate),$enc.csv($dependency.DisplayFileName),$enc.csv($dependency.FilePath),$enc.csv($dependency.description),$enc.csv($dependency.license),#if(!$dependency.isVirtual())$enc.csv($dependency.Md5sum)#else""#end,#if(!$dependency.isVirtual())$enc.csv($dependency.Sha1sum)#else""#end,$enc.csvIdentifiers($dependency.softwareIdentifiers),$enc.csvIdentifiers($dependency.vulnerableSoftwareIdentifiers),$enc.csv($vuln.name),$enc.csv($vuln.getCwes().toString()),$enc.csv($vuln.description),$enc.csv($vuln.getSource().name()),#if($vuln.cvssV2)$enc.csv($vuln.cvssV2.cvssData.baseSeverity)#else""#end,#if($vuln.cvssV2)$enc.csv($vuln.cvssV2.cvssData.baseScore)#else""#end,#if($vuln.cvssV2)$enc.csv($vuln.cvssV2.toString())#else""#end,#if($vuln.cvssV3)$enc.csv($vuln.cvssV3.cvssData.baseSeverity)#else""#end,#if($vuln.cvssV3)$enc.csv($vuln.cvssV3.cvssData.baseScore)#else""#end,#if($vuln.cvssV3)$enc.csv($vuln.cvssV3.toString())#else""#end,#if($vuln.cvssV4)$enc.csv($vuln.cvssV4.cvssData.baseSeverity)#else""#end,#if($vuln.cvssV4)$enc.csv($vuln.cvssV4.cvssData.baseScore)#else""#end,#if($vuln.cvssV4)$enc.csv($vuln.cvssV4.toString())#else""#end,$enc.csvCpeConfidence($dependency.softwareIdentifiers),$dependency.size(),#if($vuln.getKnownExploitedVulnerability())$enc.csv($vuln.getKnownExploitedVulnerability().getVendorProject()),$enc.csv($vuln.getKnownExploitedVulnerability().getProduct()),$enc.csv($vuln.getKnownExploitedVulnerability().getVulnerabilityName()),$enc.csv($vuln.getKnownExploitedVulnerability().getDateAdded()),$enc.csv($vuln.getKnownExploitedVulnerability().getShortDescription()),$enc.csv($vuln.getKnownExploitedVulnerability().getRequiredAction()),$enc.csv($vuln.getKnownExploitedVulnerability().getDueDate()),$enc.csv($vuln.getKnownExploitedVulnerability().getNotes())#else"","","","","","","",""#end #end#end#end \ No newline at end of file 
diff --git a/core/src/main/resources/templates/gitlabReport.vsl b/core/src/main/resources/templates/gitlabReport.vsl index 9ae4812b6f9..389fba4fdcc 100644 --- a/core/src/main/resources/templates/gitlabReport.vsl +++ b/core/src/main/resources/templates/gitlabReport.vsl @@ -106,6 +106,8 @@ #else #set($severity = $rpt.normalizeSeverity($vulnerability.unscoredSeverity)) #end + #elseif($vulnerability.cvssV4 && $vulnerability.cvssV4.cvssData && $vulnerability.cvssV4.cvssData.baseSeverity) + #set($severity = $rpt.normalizeSeverity($vulnerability.cvssV4.cvssData.baseSeverity)) #elseif($vulnerability.cvssV3 && $vulnerability.cvssV3.cvssData && $vulnerability.cvssV3.cvssData.baseSeverity) #set($severity = $rpt.normalizeSeverity($vulnerability.cvssV3.cvssData.baseSeverity)) #elseif($vulnerability.cvssV2 && $vulnerability.cvssV2.cvssData && $vulnerability.cvssV2.cvssData.baseSeverity) diff --git a/core/src/main/resources/templates/htmlReport.vsl b/core/src/main/resources/templates/htmlReport.vsl index a4ca6781e80..dfa1804706a 100644 --- a/core/src/main/resources/templates/htmlReport.vsl +++ b/core/src/main/resources/templates/htmlReport.vsl @@ -825,7 +825,9 @@ Getting Help:
  • Base Score: $enc.html($vuln.getCvssV2().getCvssData().getBaseSeverity()) ($vuln.getCvssV2().getCvssData().getBaseScore())
  • -
  • Vector: $enc.html($vuln.getCvssV2().toString())
  • +
  • Vector: $enc.html($vuln.getCvssV2().toString())
  • #end #if($vuln.getCvssV3()) CVSSv3:
    • Base Score: $enc.html($vuln.getCvssV3().getCvssData().getBaseSeverity()) ($vuln.getCvssV3().getCvssData().getBaseScore())
    • -
    • Vector: $enc.html($vuln.getCvssV3().toString())
    +
  • Vector: $enc.html($vuln.getCvssV3().toString())
  • + #end + #if($vuln.getCvssV4()) + CVSSv4: +
    • Base Score: $enc.html($vuln.getCvssV4().getCvssData().getBaseSeverity()) ($vuln.getCvssV4().getCvssData().getBaseScore())
    • +
    • Vector: $enc.html($vuln.getCvssV4().toString())
    #end #if ($vuln.unscoredSeverity) Unscored: @@ -1223,12 +1230,17 @@ Getting Help:
  • Base Score: $enc.html($vuln.getCvssV2().getCvssData().getBaseSeverity()) ($vuln.getCvssV2().getCvssData().getBaseScore())
  • -
  • Vector: $enc.html($vuln.getCvssV2().toString())
  • +
  • Vector: $enc.html($vuln.getCvssV2().toString())
  • #end #if($vuln.getCvssV3()) CVSSv3:
    • $enc.html($vuln.getCvssV3().getCvssData().getBaseSeverity()) ($vuln.getCvssV3().getCvssData().getBaseScore())
    • -
    • $enc.html($vuln.getCvssV3().toString())
    +
  • $enc.html($vuln.getCvssV3().toString())
  • + #end + #if($vuln.getCvssV4()) + CVSSv4: +
    • $enc.html($vuln.getCvssV4().getCvssData().getBaseSeverity()) ($vuln.getCvssV4().getCvssData().getBaseScore())
    • +
    • $enc.html($vuln.getCvssV4().toString())
    #end #if ($vuln.unscoredSeverity) Unscored: diff --git a/core/src/main/resources/templates/jenkinsReport.vsl b/core/src/main/resources/templates/jenkinsReport.vsl index c759ab323bf..4225624e47c 100644 --- a/core/src/main/resources/templates/jenkinsReport.vsl +++ b/core/src/main/resources/templates/jenkinsReport.vsl @@ -575,7 +575,9 @@ Getting Help:
  • Base Score: $enc.html($vuln.getCvssV2().getCvssData().getBaseSeverity()) ($vuln.getCvssV2().getCvssData().getBaseScore())
  • -
  • Vector: $enc.html($vuln.getCvssV2().toString())
  • +
  • Vector: $enc.html($vuln.getCvssV2().toString())
  • #end #if($vuln.getCvssV3()) CVSSv3:
    • Base Score: $enc.html($vuln.getCvssV3().getCvssData().getBaseSeverity()) ($vuln.getCvssV3().getCvssData().getBaseScore())
    • -
    • Vector: $enc.html($vuln.getCvssV3().toString())
    +
  • Vector: $enc.html($vuln.getCvssV3().toString())
  • + #end + #if($vuln.getCvssV4()) + CVSSv4: +
    • Base Score: $enc.html($vuln.getCvssV4().getCvssData().getBaseSeverity()) ($vuln.getCvssV4().getCvssData().getBaseScore())
    • +
    • Vector: $enc.html($vuln.getCvssV4().toString())
    #end #if ($vuln.unscoredSeverity) Unscored: diff --git a/core/src/main/resources/templates/jsonReport.vsl b/core/src/main/resources/templates/jsonReport.vsl index 3acf46ca073..88ef3a41835 100644 --- a/core/src/main/resources/templates/jsonReport.vsl +++ b/core/src/main/resources/templates/jsonReport.vsl @@ -196,6 +196,8 @@ }, #end #if($vuln.UnscoredSeverity)"unscored": "true", "severity" : "#if($vuln.unscoredSeverity.equals("0.0"))Unknown#else$enc.json($vuln.unscoredSeverity)#end", +#elseif($vuln.cvssV4 && $vuln.cvssV4.cvssData && $vuln.cvssV4.cvssData.baseSeverity) + "severity" : "$enc.json($vuln.cvssV4.cvssData.baseSeverity)", #elseif($vuln.cvssV3 && $vuln.cvssV3.cvssData && $vuln.cvssV3.cvssData.baseSeverity) "severity" : "$enc.json($vuln.cvssV3.cvssData.baseSeverity)", #elseif($vuln.cvssV2 && $vuln.cvssV2.cvssData && $vuln.cvssV2.cvssData.baseSeverity) 
@@ -238,6 +240,136 @@ #if($vuln.cvssV3.cvssData.version),"version": "$enc.json($vuln.cvssV3.cvssData.version)"#end }, #end +#if($vuln.cvssV4) + "cvssv4": { +#if($vuln.cvssV4.source) + "source": "$enc.json($vuln.cvssV4.source)", +#end +#if($vuln.cvssV4.type) + "type": "$enc.json($vuln.cvssV4.type)", +#end +#if($vuln.cvssV4.cvssData.version) + "version": "$enc.json($vuln.cvssV4.cvssData.version)", +#end +#if($vuln.cvssV4.cvssData.vectorString) + "vectorString": "$enc.json($vuln.cvssV4.cvssData.vectorString)", +#end +#if($vuln.cvssV4.cvssData.attackVector) + "attackVector": "$enc.json($vuln.cvssV4.cvssData.attackVector)", +#end +#if($vuln.cvssV4.cvssData.attackComplexity) + "attackComplexity": "$enc.json($vuln.cvssV4.cvssData.attackComplexity)", +#end +#if($vuln.cvssV4.cvssData.attackRequirements) + "attackRequirements": "$enc.json($vuln.cvssV4.cvssData.attackRequirements)", +#end +#if($vuln.cvssV4.cvssData.privilegesRequired) + "privilegesRequired": "$enc.json($vuln.cvssV4.cvssData.privilegesRequired)", +#end +#if($vuln.cvssV4.cvssData.userInteraction) + "userInteraction": "$enc.json($vuln.cvssV4.cvssData.userInteraction)", +#end +#if($vuln.cvssV4.cvssData.vulnerableSystemConfidentiality) + "vulnerableSystemConfidentiality": "$enc.json($vuln.cvssV4.cvssData.vulnerableSystemConfidentiality)", +#end +#if($vuln.cvssV4.cvssData.vulnerableSystemIntegrity) + "vulnerableSystemIntegrity": "$enc.json($vuln.cvssV4.cvssData.vulnerableSystemIntegrity)", +#end +#if($vuln.cvssV4.cvssData.vulnerableSystemAvailability) + "vulnerableSystemAvailability": "$enc.json($vuln.cvssV4.cvssData.vulnerableSystemAvailability)", +#end +#if($vuln.cvssV4.cvssData.subsequentSystemConfidentiality) + "subsequentSystemConfidentiality": "$enc.json($vuln.cvssV4.cvssData.subsequentSystemConfidentiality)", +#end +#if($vuln.cvssV4.cvssData.subsequentSystemIntegrity) + "subsequentSystemIntegrity": "$enc.json($vuln.cvssV4.cvssData.subsequentSystemIntegrity)", +#end 
+#if($vuln.cvssV4.cvssData.subsequentSystemAvailability) + "subsequentSystemAvailability": "$enc.json($vuln.cvssV4.cvssData.subsequentSystemAvailability)", +#end +#if($vuln.cvssV4.cvssData.exploitMaturity) + "exploitMaturity": "$enc.json($vuln.cvssV4.cvssData.exploitMaturity)", +#end +#if($vuln.cvssV4.cvssData.confidentialityRequirements) + "confidentialityRequirements": "$enc.json($vuln.cvssV4.cvssData.confidentialityRequirements)", +#end +#if($vuln.cvssV4.cvssData.integrityRequirements) + "integrityRequirements": "$enc.json($vuln.cvssV4.cvssData.integrityRequirements)", +#end +#if($vuln.cvssV4.cvssData.availabilityRequirements) + "availabilityRequirements": "$enc.json($vuln.cvssV4.cvssData.availabilityRequirements)", +#end +#if($vuln.cvssV4.cvssData.modifiedAttackVector) + "modifiedAttackVector": "$enc.json($vuln.cvssV4.cvssData.modifiedAttackVector)", +#end +#if($vuln.cvssV4.cvssData.modifiedAttackComplexity) + "modifiedAttackComplexity": "$enc.json($vuln.cvssV4.cvssData.modifiedAttackComplexity)", +#end +#if($vuln.cvssV4.cvssData.modifiedAttackRequirements) + "modifiedAttackRequirements": "$enc.json($vuln.cvssV4.cvssData.modifiedAttackRequirements)", +#end +#if($vuln.cvssV4.cvssData.modifiedPrivilegesRequired) + "modifiedPrivilegesRequired": "$enc.json($vuln.cvssV4.cvssData.modifiedPrivilegesRequired)", +#end +#if($vuln.cvssV4.cvssData.modifiedUserInteraction) + "modifiedUserInteraction": "$enc.json($vuln.cvssV4.cvssData.modifiedUserInteraction)", +#end +#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemConfidentiality) + "modifiedVulnerableSystemConfidentiality": "$enc.json($vuln.cvssV4.cvssData.modifiedVulnerableSystemConfidentiality)", +#end +#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemIntegrity) + "modifiedVulnerableSystemIntegrity": "$enc.json($vuln.cvssV4.cvssData.modifiedVulnerableSystemIntegrity)", +#end +#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemAvailability) + "modifiedVulnerableSystemAvailability": 
"$enc.json($vuln.cvssV4.cvssData.modifiedVulnerableSystemAvailability)", +#end +#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemConfidentiality) + "modifiedSubsequentSystemConfidentiality": "$enc.json($vuln.cvssV4.cvssData.modifiedSubsequentSystemConfidentiality)", +#end +#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemIntegrity) + "modifiedSubsequentSystemIntegrity": "$enc.json($vuln.cvssV4.cvssData.modifiedSubsequentSystemIntegrity)", +#end +#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemAvailability) + "modifiedSubsequentSystemAvailability": "$enc.json($vuln.cvssV4.cvssData.modifiedSubsequentSystemAvailability)", +#end +#if($vuln.cvssV4.cvssData.safety) + "safety": "$enc.json($vuln.cvssV4.cvssData.safety)", +#end +#if($vuln.cvssV4.cvssData.automatable) + "automatable": "$enc.json($vuln.cvssV4.cvssData.automatable)", +#end +#if($vuln.cvssV4.cvssData.recovery) + "recovery": "$enc.json($vuln.cvssV4.cvssData.recovery)", +#end +#if($vuln.cvssV4.cvssData.valueDensity) + "valueDensity": "$enc.json($vuln.cvssV4.cvssData.valueDensity)", +#end +#if($vuln.cvssV4.cvssData.vulnerabilityResponseEffort) + "vulnerabilityResponseEffort": "$enc.json($vuln.cvssV4.cvssData.vulnerabilityResponseEffort)", +#end +#if($vuln.cvssV4.cvssData.providerUrgency) + "providerUrgency": "$enc.json($vuln.cvssV4.cvssData.providerUrgency)", +#end +#if($vuln.cvssV4.cvssData.baseScore) + "baseScore": $vuln.cvssV4.cvssData.baseScore, +#end +#if($vuln.cvssV4.cvssData.baseSeverity) + "baseSeverity": "$enc.json($vuln.cvssV4.cvssData.baseSeverity)", +#end +#if($vuln.cvssV4.cvssData.threatScore) + "threatScore": $vuln.cvssV4.cvssData.threatScore, +#end +#if($vuln.cvssV4.cvssData.threatSeverity) + "threatSeverity": "$enc.json($vuln.cvssV4.cvssData.threatSeverity)", +#end +#if($vuln.cvssV4.cvssData.environmentalScore) + "environmentalScore": $vuln.cvssV4.cvssData.environmentalScore, +#end +#if($vuln.cvssV4.cvssData.environmentalSeverity) + "environmentalSeverity": 
"$enc.json($vuln.cvssV4.cvssData.environmentalSeverity)" +#end + }, +#end #if (!$vuln.cwe.cwes.isEmpty()) "cwes": [ #set($addComma=0) diff --git a/core/src/main/resources/templates/junitReport.vsl b/core/src/main/resources/templates/junitReport.vsl index 463419857ce..342080a0b67 100644 --- a/core/src/main/resources/templates/junitReport.vsl +++ b/core/src/main/resources/templates/junitReport.vsl @@ -30,7 +30,7 @@ #set($vulnCount=$vulnCount+$dependency.getVulnerabilities().size()) #end #foreach($vuln in $dependency.getVulnerabilities()) - #if(!($vuln.cvssV3 && $vuln.cvssV3.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.cvssV2 && $vuln.cvssV2.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.unscoredSeverity && $rpt.estimateSeverity($vuln.unscoredSeverity) >= $junitFailOnCvss)) + #if(!($vuln.cvssV4 && $vuln.cvssV4.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.cvssV3 && $vuln.cvssV3.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.cvssV2 && $vuln.cvssV2.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.unscoredSeverity && $rpt.estimateSeverity($vuln.unscoredSeverity) >= $junitFailOnCvss)) #set($vulnCount=$vulnCount - 1) #end #end @@ -48,7 +48,7 @@ #set($skipped=$dependency.getSuppressedVulnerabilities().size()) #set($failed=$dependency.getVulnerabilities().size()) #foreach($vuln in $dependency.getVulnerabilities()) - #if( !($vuln.cvssV3 && $vuln.cvssV3.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.cvssV2 && $vuln.cvssV2.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.unscoredSeverity && $rpt.estimateSeverity($vuln.unscoredSeverity) >= $junitFailOnCvss)) + #if( !($vuln.cvssV4 && $vuln.cvssV4.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.cvssV3 && $vuln.cvssV3.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.cvssV2 && $vuln.cvssV2.cvssData.baseScore >= $junitFailOnCvss) && !($vuln.unscoredSeverity && $rpt.estimateSeverity($vuln.unscoredSeverity) >= $junitFailOnCvss)) #set($skipped=$skipped + 1) #set($failed=$failed - 1) #end 
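Review bot: The new cvssv4 object puts a trailing comma after every member and only `environmentalSeverity`, the last one, omits it, so whenever that field is absent — presumably the common case for NVD-supplied records that carry only base score and severity — the object ends in `"baseSeverity": "HIGH", }` and the report is not valid JSON. The cvssv3 block just above the hunk uses the leading-comma form, `#if($vuln.cvssV3.cvssData.version),"version": "$enc.json(...)"#end`, precisely to avoid this; the v4 block should follow it, emitting one unconditional first member and prefixing each conditional member with a comma, e.g. `#if($vuln.cvssV4.cvssData.baseScore),"baseScore": $vuln.cvssV4.cvssData.baseScore#end`. A report that fails to parse is worse than a missing field for anyone consuming this output in CI.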
@@ -70,12 +70,16 @@ #set($vulnerableName="") #end - #if($vuln.cvssV3 && $vuln.cvssV3.cvssData.baseScore >= $junitFailOnCvss) + #if($vuln.cvssV4 && $vuln.cvssV4.cvssData.baseScore >= $junitFailOnCvss) + + #elseif($vuln.cvssV3 && $vuln.cvssV3.cvssData.baseScore >= $junitFailOnCvss) #elseif($vuln.cvssV2 && $vuln.cvssV2.cvssData.baseScore >= $junitFailOnCvss) #elseif($vuln.unscoredSeverity && $rpt.estimateSeverity($vuln.unscoredSeverity) >= $junitFailOnCvss) + #elseif($vuln.cvssV4 && $vuln.cvssV4.cvssData.baseScore < $junitFailOnCvss) + #elseif($vuln.cvssV3 && $vuln.cvssV3.cvssData.baseScore < $junitFailOnCvss) #elseif($vuln.cvssV2 && $vuln.cvssV2.cvssData.baseScore < $junitFailOnCvss) diff --git a/core/src/main/resources/templates/sarifReport.vsl b/core/src/main/resources/templates/sarifReport.vsl index 29f22cb3948..56f05da78b4 100644 --- a/core/src/main/resources/templates/sarifReport.vsl +++ b/core/src/main/resources/templates/sarifReport.vsl @@ -55,6 +55,11 @@ For more information see [How dependency-check works](https://jeremylong.github. #if($rule.cvssv3ImpactScore)"cvssv3_impactScore": "$enc.json($rule.cvssv3ImpactScore)",#end #if($rule.cvssv3Version)"cvssv3_version": "$enc.json($rule.cvssv3Version)",#end #end + #if($rule.cvssv4Vector) + "cvssv4_baseScore": $rule.cvssv4BaseScore, + "security-severity": "$rule.cvssv4BaseScore", + "cvssv4_vector": "$enc.json($rule.cvssv4Vector)", + #end "source": "$enc.json($rule.getSource())" } }#end diff --git a/core/src/main/resources/templates/xmlReport.vsl b/core/src/main/resources/templates/xmlReport.vsl index 3ce02bee779..64e94abaaae 100644 --- a/core/src/main/resources/templates/xmlReport.vsl +++ b/core/src/main/resources/templates/xmlReport.vsl @@ -1,5 +1,5 @@ #** -This file is part of Dependency-Check. +This file is part of Dependency-Check. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
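Review bot: In sarifReport.vsl, `"cvssv4_baseScore": $rule.cvssv4BaseScore,` is guarded by `#if($rule.cvssv4Vector)`, but SarifRule in this commit sets cvssv4Vector whenever cvssData is non-null and cvssv4BaseScore only when getBaseScore() is non-null, so a rule with a vector and no score renders `"cvssv4_baseScore": ,` and the SARIF file is rejected by any parser. Guard the two score lines on `#if($rule.cvssv4BaseScore)` and keep the vector line under the existing check. Separately, if the cvssv3 block above the hunk already writes `"security-severity"` (it is outside the hunk, so I cannot confirm), this adds a duplicate key to the same object and which value consumers honour is undefined; the property should be emitted once, choosing v4 when present.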
@@ -19,7 +19,7 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved. @version 2.0 *# - + $version #foreach($prop in $properties.getMetaData().entrySet()) @@ -229,6 +229,8 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved. #end #if($vuln.unscoredSeverity) #if($vuln.unscoredSeverity.equals("0.0"))Unknown#else$enc.xml($vuln.unscoredSeverity)#end +#elseif($vuln.cvssV4 && $vuln.cvssV4.cvssData.baseSeverity) + $enc.xml($vuln.cvssV4.cvssData.baseSeverity) #elseif($vuln.cvssV3 && $vuln.cvssV3.cvssData.baseSeverity) $enc.xml($vuln.cvssV3.cvssData.baseSeverity) #elseif($vuln.cvssV2 && $vuln.cvssV2.cvssData.baseSeverity) 
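Review bot: The new severity branch tests `$vuln.cvssV4 && $vuln.cvssV4.cvssData.baseSeverity`, skipping the `$vuln.cvssV4.cvssData` check that the equivalent branches added to gitlabReport.vsl and jsonReport.vsl in this commit carry, so a CvssV4 with a null cvssData depends on Velocity's lenient null handling here and on an explicit guard elsewhere. Suggest `#elseif($vuln.cvssV4 && $vuln.cvssV4.cvssData && $vuln.cvssV4.cvssData.baseSeverity)` so the three templates agree.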
@@ -271,6 +273,132 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved. #if($vuln.cvssV3.cvssData.version)$enc.xml($vuln.cvssV3.cvssData.version)#end #end +#if($vuln.cvssV4) + + $enc.xml($vuln.cvssV4.source) + $enc.xml($vuln.cvssV4.type) +#if($vuln.cvssV4.cvssData.version) + $enc.xml($vuln.cvssV4.cvssData.version) +#end +#if($vuln.cvssV4.cvssData.vectorString) + $enc.xml($vuln.cvssV4.cvssData.vectorString) +#end +#if($vuln.cvssV4.cvssData.attackVector) + $enc.xml($vuln.cvssV4.cvssData.attackVector) +#end +#if($vuln.cvssV4.cvssData.attackComplexity) + $enc.xml($vuln.cvssV4.cvssData.attackComplexity) +#end +#if($vuln.cvssV4.cvssData.attackRequirements) + $enc.xml($vuln.cvssV4.cvssData.attackRequirements) +#end +#if($vuln.cvssV4.cvssData.privilegesRequired) + $enc.xml($vuln.cvssV4.cvssData.privilegesRequired) +#end +#if($vuln.cvssV4.cvssData.userInteraction) + $enc.xml($vuln.cvssV4.cvssData.userInteraction) +#end +#if($vuln.cvssV4.cvssData.vulnerableSystemConfidentiality) + $enc.xml($vuln.cvssV4.cvssData.vulnerableSystemConfidentiality) +#end +#if($vuln.cvssV4.cvssData.vulnerableSystemIntegrity) + $enc.xml($vuln.cvssV4.cvssData.vulnerableSystemIntegrity) +#end +#if($vuln.cvssV4.cvssData.vulnerableSystemAvailability) + $enc.xml($vuln.cvssV4.cvssData.vulnerableSystemAvailability) +#end +#if($vuln.cvssV4.cvssData.subsequentSystemConfidentiality) + $enc.xml($vuln.cvssV4.cvssData.subsequentSystemConfidentiality) +#end +#if($vuln.cvssV4.cvssData.subsequentSystemIntegrity) + $enc.xml($vuln.cvssV4.cvssData.subsequentSystemIntegrity) +#end +#if($vuln.cvssV4.cvssData.subsequentSystemAvailability) + $enc.xml($vuln.cvssV4.cvssData.subsequentSystemAvailability) +#end +#if($vuln.cvssV4.cvssData.exploitMaturity) + $enc.xml($vuln.cvssV4.cvssData.exploitMaturity) +#end +#if($vuln.cvssV4.cvssData.confidentialityRequirements) + $enc.xml($vuln.cvssV4.cvssData.confidentialityRequirements) +#end +#if($vuln.cvssV4.cvssData.integrityRequirements) + 
$enc.xml($vuln.cvssV4.cvssData.integrityRequirements) +#end +#if($vuln.cvssV4.cvssData.availabilityRequirements) + $enc.xml($vuln.cvssV4.cvssData.availabilityRequirements) +#end +#if($vuln.cvssV4.cvssData.modifiedAttackVector) + $enc.xml($vuln.cvssV4.cvssData.modifiedAttackVector) +#end +#if($vuln.cvssV4.cvssData.modifiedAttackComplexity) + $enc.xml($vuln.cvssV4.cvssData.modifiedAttackComplexity) +#end +#if($vuln.cvssV4.cvssData.modifiedAttackRequirements) + $enc.xml($vuln.cvssV4.cvssData.modifiedAttackRequirements) +#end +#if($vuln.cvssV4.cvssData.modifiedPrivilegesRequired) + $enc.xml($vuln.cvssV4.cvssData.modifiedPrivilegesRequired) +#end +#if($vuln.cvssV4.cvssData.modifiedUserInteraction) + $enc.xml($vuln.cvssV4.cvssData.modifiedUserInteraction) +#end +#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemConfidentiality) + $enc.xml($vuln.cvssV4.cvssData.modifiedVulnerableSystemConfidentiality) +#end +#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemIntegrity) + $enc.xml($vuln.cvssV4.cvssData.modifiedVulnerableSystemIntegrity) +#end +#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemAvailability) + $enc.xml($vuln.cvssV4.cvssData.modifiedVulnerableSystemAvailability) +#end +#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemConfidentiality) + $enc.xml($vuln.cvssV4.cvssData.modifiedSubsequentSystemConfidentiality) +#end +#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemIntegrity) + $enc.xml($vuln.cvssV4.cvssData.modifiedSubsequentSystemIntegrity) +#end +#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemAvailability) + $enc.xml($vuln.cvssV4.cvssData.modifiedSubsequentSystemAvailability) +#end +#if($vuln.cvssV4.cvssData.safety) + $enc.xml($vuln.cvssV4.cvssData.safety) +#end +#if($vuln.cvssV4.cvssData.automatable) + $enc.xml($vuln.cvssV4.cvssData.automatable) +#end +#if($vuln.cvssV4.cvssData.recovery) + $enc.xml($vuln.cvssV4.cvssData.recovery) +#end +#if($vuln.cvssV4.cvssData.valueDensity) + $enc.xml($vuln.cvssV4.cvssData.valueDensity) +#end 
+#if($vuln.cvssV4.cvssData.vulnerabilityResponseEffort) + $enc.xml($vuln.cvssV4.cvssData.vulnerabilityResponseEffort) +#end +#if($vuln.cvssV4.cvssData.providerUrgency) + $enc.xml($vuln.cvssV4.cvssData.providerUrgency) +#end +#if($vuln.cvssV4.cvssData.baseScore) + $enc.xml($vuln.cvssV4.cvssData.baseScore) +#end +#if($vuln.cvssV4.cvssData.baseSeverity) + $enc.xml($vuln.cvssV4.cvssData.baseSeverity) +#end +#if($vuln.cvssV4.cvssData.threatScore) + $enc.xml($vuln.cvssV4.cvssData.threatScore) +#end +#if($vuln.cvssV4.cvssData.threatSeverity) + $enc.xml($vuln.cvssV4.cvssData.threatSeverity) +#end +#if($vuln.cvssV4.cvssData.environmentalScore) + $enc.xml($vuln.cvssV4.cvssData.environmentalScore) +#end +#if($vuln.cvssV4.cvssData.environmentalSeverity) + $enc.xml($vuln.cvssV4.cvssData.environmentalSeverity) +#end + +#end #if (!$vuln.cwes.isEmpty()) #foreach($cweEntry in $vuln.cwes.entries) 
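Review bot: Inside the new cvssv4 element, `$enc.xml($vuln.cvssV4.source)` and `$enc.xml($vuln.cvssV4.type)` are emitted unconditionally while every other member is wrapped in `#if`; whether `$enc.xml` tolerates a null argument is not visible here, so either wrap them the same way, `#if($vuln.cvssV4.source)…#end`, or note in the template that source and type are required by the 4.1 schema. The same block is repeated verbatim in the following hunk (@@ -344), and a `#macro` defined once for the cvssv4 element would keep the two copies from drifting, which matters because the new schema validates both sections.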
@@ -344,6 +472,132 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
 #if($vuln.cvssV3.cvssData.version)$enc.xml($vuln.cvssV3.cvssData.version)#end
 #end
+#if($vuln.cvssV4)
+ $enc.xml($vuln.cvssV4.source)
+ $enc.xml($vuln.cvssV4.type)
+#if($vuln.cvssV4.cvssData.version)
+ $enc.xml($vuln.cvssV4.cvssData.version)
+#end
+#if($vuln.cvssV4.cvssData.vectorString)
+ $enc.xml($vuln.cvssV4.cvssData.vectorString)
+#end
+#if($vuln.cvssV4.cvssData.attackVector)
+ $enc.xml($vuln.cvssV4.cvssData.attackVector)
+#end
+#if($vuln.cvssV4.cvssData.attackComplexity)
+ $enc.xml($vuln.cvssV4.cvssData.attackComplexity)
+#end
+#if($vuln.cvssV4.cvssData.attackRequirements)
+ $enc.xml($vuln.cvssV4.cvssData.attackRequirements)
+#end
+#if($vuln.cvssV4.cvssData.privilegesRequired)
+ $enc.xml($vuln.cvssV4.cvssData.privilegesRequired)
+#end
+#if($vuln.cvssV4.cvssData.userInteraction)
+ $enc.xml($vuln.cvssV4.cvssData.userInteraction)
+#end
+#if($vuln.cvssV4.cvssData.vulnerableSystemConfidentiality)
+ $enc.xml($vuln.cvssV4.cvssData.vulnerableSystemConfidentiality)
+#end
+#if($vuln.cvssV4.cvssData.vulnerableSystemIntegrity)
+ $enc.xml($vuln.cvssV4.cvssData.vulnerableSystemIntegrity)
+#end
+#if($vuln.cvssV4.cvssData.vulnerableSystemAvailability)
+ $enc.xml($vuln.cvssV4.cvssData.vulnerableSystemAvailability)
+#end
+#if($vuln.cvssV4.cvssData.subsequentSystemConfidentiality)
+ $enc.xml($vuln.cvssV4.cvssData.subsequentSystemConfidentiality)
+#end
+#if($vuln.cvssV4.cvssData.subsequentSystemIntegrity)
+ $enc.xml($vuln.cvssV4.cvssData.subsequentSystemIntegrity)
+#end
+#if($vuln.cvssV4.cvssData.subsequentSystemAvailability)
+ $enc.xml($vuln.cvssV4.cvssData.subsequentSystemAvailability)
+#end
+#if($vuln.cvssV4.cvssData.exploitMaturity)
+ $enc.xml($vuln.cvssV4.cvssData.exploitMaturity)
+#end
+#if($vuln.cvssV4.cvssData.confidentialityRequirements)
+ $enc.xml($vuln.cvssV4.cvssData.confidentialityRequirements)
+#end
+#if($vuln.cvssV4.cvssData.integrityRequirements)
+ $enc.xml($vuln.cvssV4.cvssData.integrityRequirements)
+#end
+#if($vuln.cvssV4.cvssData.availabilityRequirements)
+ $enc.xml($vuln.cvssV4.cvssData.availabilityRequirements)
+#end
+#if($vuln.cvssV4.cvssData.modifiedAttackVector)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedAttackVector)
+#end
+#if($vuln.cvssV4.cvssData.modifiedAttackComplexity)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedAttackComplexity)
+#end
+#if($vuln.cvssV4.cvssData.modifiedAttackRequirements)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedAttackRequirements)
+#end
+#if($vuln.cvssV4.cvssData.modifiedPrivilegesRequired)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedPrivilegesRequired)
+#end
+#if($vuln.cvssV4.cvssData.modifiedUserInteraction)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedUserInteraction)
+#end
+#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemConfidentiality)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedVulnerableSystemConfidentiality)
+#end
+#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemIntegrity)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedVulnerableSystemIntegrity)
+#end
+#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemAvailability)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedVulnerableSystemAvailability)
+#end
+#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemConfidentiality)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedSubsequentSystemConfidentiality)
+#end
+#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemIntegrity)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedSubsequentSystemIntegrity)
+#end
+#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemAvailability)
+ $enc.xml($vuln.cvssV4.cvssData.modifiedSubsequentSystemAvailability)
+#end
+#if($vuln.cvssV4.cvssData.safety)
+ $enc.xml($vuln.cvssV4.cvssData.safety)
+#end
+#if($vuln.cvssV4.cvssData.automatable)
+ $enc.xml($vuln.cvssV4.cvssData.automatable)
+#end
+#if($vuln.cvssV4.cvssData.recovery)
+ $enc.xml($vuln.cvssV4.cvssData.recovery)
+#end
+#if($vuln.cvssV4.cvssData.valueDensity)
+ $enc.xml($vuln.cvssV4.cvssData.valueDensity)
+#end
+#if($vuln.cvssV4.cvssData.vulnerabilityResponseEffort)
+ $enc.xml($vuln.cvssV4.cvssData.vulnerabilityResponseEffort)
+#end
+#if($vuln.cvssV4.cvssData.providerUrgency)
+ $enc.xml($vuln.cvssV4.cvssData.providerUrgency)
+#end
+#if($vuln.cvssV4.cvssData.baseScore)
+ $enc.xml($vuln.cvssV4.cvssData.baseScore)
+#end
+#if($vuln.cvssV4.cvssData.baseSeverity)
+ $enc.xml($vuln.cvssV4.cvssData.baseSeverity)
+#end
+#if($vuln.cvssV4.cvssData.threatScore)
+ $enc.xml($vuln.cvssV4.cvssData.threatScore)
+#end
+#if($vuln.cvssV4.cvssData.threatSeverity)
+ $enc.xml($vuln.cvssV4.cvssData.threatSeverity)
+#end
+#if($vuln.cvssV4.cvssData.environmentalScore)
+ $enc.xml($vuln.cvssV4.cvssData.environmentalScore)
+#end
+#if($vuln.cvssV4.cvssData.environmentalSeverity)
+ $enc.xml($vuln.cvssV4.cvssData.environmentalSeverity)
+#end
+
+#end
 #if (!$vuln.cwes.isEmpty())
 #foreach($cweEntry in $vuln.cwes.entries)
diff --git a/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java b/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
index 5910f8c17c3..7e3fe8daad1 100644
--- a/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
@@ -198,7 +198,7 @@ public void generateReport(Settings settings, File writeTo, File writeJsonTo, Fi
 engine.writeReports("Test Report", "org.owasp", "dependency-check-core", "1.4.8", writeSarifTo, "SARIF", exceptions);
 }
 //Test XML
- InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.4.0.xsd");
+ InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.4.1.xsd");
 StreamSource xsdSource = new StreamSource(xsdStream);
 StreamSource xmlSource = new StreamSource(writeTo);
 SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
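Review bot: The forty `#if(...)` / `$enc.xml(...)` / `#end` triplets added under `#if($vuln.cvssV4)` look like a verbatim copy of the block the earlier hunk adds to this same template, so the two report sections will drift the next time a CVSS v4 metric is added, renamed or dropped. Defining the block once as `#macro(cvssV4Metrics $cvssV4)` near the top of the template and calling it from both places keeps the two sections in sync, and every field still goes through `$enc.xml`, which is what stops vector strings and vendor-supplied severity text from breaking the XML. Only `source` and `type` are emitted without an `#if` guard while every `cvssData` metric has one; a one-line `## source and type are always present, every cvssData metric is optional` (or whatever the actual reason is, presumably the 4.1 schema) would record that the asymmetry is intentional.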
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 159aa780c7e..63fb28f8c6d 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -2636,7 +2636,7 @@ protected Settings getSettings() {
 *
 * @param dependencies the list of dependency objects
 * @throws MojoFailureException thrown if a CVSS score is found that is
- * higher then the threshold set
+ * higher than the threshold set
 */
 protected void checkForFailure(Dependency[] dependencies) throws MojoFailureException {
 final StringBuilder ids = new StringBuilder();
@@ -2645,15 +2645,19 @@ protected void checkForFailure(Dependency[] dependencies) throws MojoFailureExce
 for (Vulnerability v : d.getVulnerabilities()) {
 final Double cvssV2 = v.getCvssV2() != null && v.getCvssV2().getCvssData() != null && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
 final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
+ final Double cvssV4 = v.getCvssV4() != null && v.getCvssV4().getCvssData() != null && v.getCvssV4().getCvssData().getBaseScore() != null ? v.getCvssV4().getCvssData().getBaseScore() : -1;
 final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;
 if (failBuildOnAnyVulnerability
 || cvssV2 >= failBuildOnCVSS
 || cvssV3 >= failBuildOnCVSS
+ || cvssV4 >= failBuildOnCVSS
 || unscoredCvss >= failBuildOnCVSS
 //safety net to fail on any if for some reason the above misses on 0
 || (failBuildOnCVSS <= 0.0)) {
 String name = v.getName();
- if (cvssV3 >= 0.0) {
+ if (cvssV4 >= 0.0) {
+ name += "(" + cvssV4 + ")";
+ } else if (cvssV3 >= 0.0) {
 name += "(" + cvssV3 + ")";
 } else if (cvssV2 >= 0.0) {
 name += "(" + cvssV2 + ")";
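Review bot: The score appended to `name` is the newest CVSS version present, not the one that tripped the threshold: with a v4 base score of 4.0 and a v3 base score of 9.0 (constructed values) under a `failBuildOnCVSS` of 7, the build fails on the v3 score but the failure message shows `(4.0)`, which reads like a false positive to whoever triages it. Appending every non-negative score, e.g. `name += "(v4:" + cvssV4 + ", v3:" + cvssV3 + ")"` assembled from the ones that are `>= 0.0`, or picking the first score that is `>= failBuildOnCVSS`, would make the message support the failure it announces. Because a single `failBuildOnCVSS` value is now compared against v2, v3 and v4 base scores alike, the parameter's Javadoc (outside this hunk) should state that cross-version comparison explicitly. checkForFailure's body starts before this hunk and continues past it.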