
Merge branch 'main' into ossUpdate
jeremylong authored Jan 14, 2023
2 parents b27fdd1 + d8b5847 commit dc761ef
Showing 7 changed files with 300 additions and 23 deletions.
Expand Up @@ -69,6 +69,10 @@ public List<NugetPackageReference> parse(InputStream stream) throws MSBuildProje
final NamedNodeMap attrs = node.getAttributes();

final String include = attrs.getNamedItem("Include").getNodeValue();
if (include == null) {
// Issue 5144 work-around for NPE on packageReferences other than includes
continue;
}
String version = null;

if (attrs.getNamedItem("Version") != null) {
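Review bot: The added guard `if (include == null)` cannot catch the NullPointerException it is meant to work around: when a PackageReference has no Include attribute, `attrs.getNamedItem("Include")` returns null and the `.getNodeValue()` call on the line above throws before `include` is ever assigned, while for an attribute that does exist `getNodeValue()` is non-null, so the check is effectively dead. Split the lookup so the null test is on the attribute node: `final Node includeAttr = attrs.getNamedItem("Include");` / `if (includeAttr == null) { continue; } // Issue 5144: PackageReference without Include (presumably Update= items)` / `final String include = includeAttr.getNodeValue();`. The `node` variable at the top of the hunk is presumably an `org.w3c.dom.Node`, so the type should already be imported, but that cannot be confirmed from this hunk. The `parse` method begins and continues outside the hunk.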
15 changes: 0 additions & 15 deletions core/src/main/resources/schema/dependency-check.2.5.xsd
Expand Up @@ -195,21 +195,6 @@
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="includedBy" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="relatedDependencies" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
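--- /dev/null
+++ b/core/src/main/resources/schema/dependency-check.3.1.xsd
@@ -0,0 +1,285 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xs:schema id="analysis"
+xmlns:xs="http://www.w3.org/2001/XMLSchema"
+elementFormDefault="qualified"
+targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-check.3.1.xsd"
+xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-check.3.1.xsd">
+<xs:complexType name="exception">
+<xs:sequence>
+<xs:element name="message" minOccurs="0" maxOccurs="unbounded"/>
+<xs:element name="stackTrace" minOccurs="0" maxOccurs="unbounded">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="trace" minOccurs="0" maxOccurs="unbounded"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="cause" type="dc:exception" minOccurs="0" maxOccurs="1"/>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="scanInfo">
+<xs:sequence minOccurs="1" maxOccurs="1">
+<xs:element name="engineVersion" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="dataSource">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="timestamp" type="xs:string" minOccurs="1" maxOccurs="1"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+<xs:element name="analysisExceptions" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="exception" type="dc:exception"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="projectInfo">
+<xs:sequence>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="groupID" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="artifactID" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="version" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="reportDate" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="credits" type="xs:string" minOccurs="1" maxOccurs="1"/>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="identifier">
+<xs:sequence>
+<xs:element name="id" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
+</xs:sequence>
+<xs:attribute name="confidence" type="xs:string" use="optional"/>
+</xs:complexType>
+<xs:complexType name="relatedDependency">
+<xs:sequence>
+<xs:element name="fileName" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="filePath" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="sha256" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="sha1" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="md5" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="identifiers" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="package" type="dc:identifier"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+<xs:attribute name="isVirtual" type="xs:boolean" use="optional"/>
+</xs:complexType>
+<xs:complexType name="evidence">
+<xs:sequence>
+<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="value" type="xs:string" minOccurs="1" maxOccurs="1"/>
+</xs:sequence>
+<xs:attribute name="type" type="xs:string" use="required"/>
+<xs:attribute name="confidence" type="xs:string" use="required"/>
+</xs:complexType>
+<xs:complexType name="cvssV2">
+<xs:sequence>
+<xs:element name="score" type="xs:decimal" minOccurs="1" maxOccurs="1"/>
+<xs:element name="accessVector" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="accessComplexity" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="authenticationr" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="confidentialImpact" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="integrityImpact" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="availabilityImpact" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="version" type="xs:decimal" minOccurs="0" maxOccurs="1"/>
+<xs:element name="exploitabilityScore" type="xs:decimal" minOccurs="0" maxOccurs="1"/>
+<xs:element name="impactScore" type="xs:decimal" minOccurs="0" maxOccurs="1"/>
+<xs:element name="acInsufInfo" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+<xs:element name="obtainAllPrivilege" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+<xs:element name="obtainUserPrivilege" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+<xs:element name="obtainOtherPrivilege" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+<xs:element name="userInteractionRequired" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="cvssV3">
+<xs:sequence>
+<xs:element name="baseScore" type="xs:decimal" minOccurs="1" maxOccurs="1"/>
+<xs:element name="attackVector" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="attackComplexity" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="privilegesRequired" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="userInteraction" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="scope" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="confidentialityImpact" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="integrityImpact" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="availabilityImpact" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="baseSeverity" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="exploitabilityScore" type="xs:decimal" minOccurs="0" maxOccurs="1"/>
+<xs:element name="impactScore" type="xs:decimal" minOccurs="0" maxOccurs="1"/>
+<xs:element name="version" type="xs:decimal" minOccurs="0" maxOccurs="1"/>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="reference">
+<xs:sequence>
+<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="software">
+<xs:simpleContent>
+<xs:extension base="xs:string">
+<xs:attribute name="vulnerabilityIdMatched" type="xs:boolean"/>
+<xs:attribute name="versionStartIncluding" type="xs:string"/>
+<xs:attribute name="versionStartExcluding" type="xs:string"/>
+<xs:attribute name="versionEndIncluding" type="xs:string"/>
+<xs:attribute name="versionEndExcluding" type="xs:string"/>
+<xs:attribute name="vulnerable" type="xs:boolean"/>
+</xs:extension>
+</xs:simpleContent>
+</xs:complexType>
+<xs:complexType name="severity">
+<xs:simpleContent>
+<xs:extension base="xs:string">
+<xs:attribute name="unscored" type="xs:boolean"/>
+</xs:extension>
+</xs:simpleContent>
+</xs:complexType>
+<xs:complexType name="knownExploitedVulnerability">
+<xs:sequence>
+<xs:element name="vendorProject" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="product" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="dateAdded" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="requiredAction" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="dueDate" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
+</xs:sequence>
+</xs:complexType>
+<xs:complexType name="vulnerability">
+<xs:sequence>
+<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="knownExploitedVulnerability" type="dc:knownExploitedVulnerability" minOccurs="0" maxOccurs="1"/>
+<xs:element name="severity" type="dc:severity" minOccurs="0" maxOccurs="1"/>
+<xs:element name="cvssV2" type="dc:cvssV2" minOccurs="0" maxOccurs="1"/>
+<xs:element name="cvssV3" type="dc:cvssV3" minOccurs="0" maxOccurs="1"/>
+<xs:element name="cwes" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="references" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="reference" type="dc:reference"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="software" type="dc:software"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+<xs:attribute name="source" type="xs:string" use="required"/>
+</xs:complexType>
+<xs:complexType name="dependency">
+<xs:sequence>
+<xs:element name="fileName" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="filePath" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="md5" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="sha1" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="sha256" type="xs:string" minOccurs="1" maxOccurs="1"/>
+<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="license" type="xs:string" minOccurs="0" maxOccurs="1"/>
+<xs:element name="projectReferences" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="projectReference" type="xs:string"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="includedBy" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
+<xs:complexType>
+<xs:simpleContent>
+<xs:extension base="xs:string">
+<xs:attribute name="type" type="xs:string"/>
+</xs:extension>
+</xs:simpleContent>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="relatedDependencies" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="relatedDependency" type="dc:relatedDependency"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="evidenceCollected" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="evidence" type="dc:evidence"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="identifiers" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="package" type="dc:identifier"/>
+</xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="vulnerabilityIds" type="dc:identifier"/>
+</xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="suppressedVulnerabilityIds" type="dc:identifier"/>
+</xs:sequence>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+<xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1">
+<xs:complexType>
+<xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="vulnerability" type="dc:vulnerability"/>
+</xs:sequence>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="suppressedVulnerability" type="dc:vulnerability"/>
+</xs:sequence>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+<xs:attribute name="isVirtual" type="xs:boolean" use="required"/>
+</xs:complexType>
+<xs:element name="analysis">
+<xs:complexType>
+<xs:sequence>
+<xs:element name="scanInfo" type="dc:scanInfo"/>
+<xs:element name="projectInfo" type="dc:projectInfo"/>
+<xs:element name="dependencies">
+<xs:complexType>
+<xs:sequence minOccurs="0" maxOccurs="unbounded">
+<xs:element name="dependency" type="dc:dependency"/>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:sequence>
+</xs:complexType>
+</xs:element>
+</xs:schema>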
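Review bot: The digest elements `md5`, `sha1` and `sha256` in both `relatedDependency` and `dependency` are typed `xs:string`, so the schema validation this commit points the report test at will accept any text, including a non-hex or truncated value, in fields that downstream consumers may use to correlate artifacts with advisories. Typing them `xs:hexBinary` (`<xs:element name="sha256" type="xs:hexBinary" minOccurs="1" maxOccurs="1"/>`, and likewise for `sha1` and `md5`) checks the character set and even length while still admitting an empty value, should the template emit one for virtual dependencies; the `url` elements of `identifier` and `reference` could similarly be `xs:anyURI`. Separately, the `cvssV2` child named `authenticationr` reads like a typo for `authentication`; it is presumably carried over from the 3.0 schema and renaming it would break existing consumers of the XML report, so if it is kept on purpose an `<!-- name retained for compatibility with earlier schema versions -->` comment next to it would stop the next reader from "fixing" it.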
2 changes: 1 addition & 1 deletion core/src/main/resources/templates/xmlReport.vsl
Expand Up @@ -19,7 +19,7 @@ Copyright (c) 2018 Jeremy Long. All Rights Reserved.
@version 2.0

*#<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.3.0.xsd">
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.3.1.xsd">
<scanInfo>
<engineVersion>$version</engineVersion>
#foreach($prop in $properties.getMetaData().entrySet())
Expand Up @@ -198,7 +198,7 @@ public void generateReport(Settings settings, File writeTo, File writeJsonTo, Fi
engine.writeReports("Test Report", "org.owasp", "dependency-check-core", "1.4.8", writeSarifTo, "SARIF", exceptions);
}
//Test XML
InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.3.0.xsd");
InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/dependency-check.3.1.xsd");
StreamSource xsdSource = new StreamSource(xsdStream);
StreamSource xmlSource = new StreamSource(writeTo);
SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
