def test_parse_file_with_single_dependency_with_related_no_vulnerability(self):
content = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<scanInfo>
</scanInfo>
<projectInfo>
<name>Test Project</name>
<reportDate>2016-11-05T14:52:15.748-0400</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
<dependency>
<fileName>component1.dll</fileName>
<filePath>C:\\Projectsestproject\\libraries\\component1.dll</filePath>
<md5>ba5a6a10bae6ce2abbabec9facae23a4</md5>
<sha1>ae917bbce68733468b1972113e0e1fc5dc7444a0</sha1>
<relatedDependencies>
<relatedDependency>
<fileName>adapter-ear8.ear: dom4j-2.1.1.jar</fileName>
<filePath>/var/lib/adapter-ear8.ear/dom4j-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
</relatedDependencies>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1.dll</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>version</name>
<value>1</value>
</evidence>
</evidenceCollected>
</dependency>
</dependencies>
</analysis>
"""
testfile = TestFile("dependency-check-report.xml", content)
parser = DependencyCheckParser()
findings = parser.get_findings(testfile, Test())
items = findings
self.assertEqual(0, len(items))
def test_parse_finding(self):
finding_xml = """<vulnerability xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>"""
vulnerability = ElementTree.fromstring(finding_xml)
expected_references = 'name: Reference Name\nsource: Reference1\nurl: http://localhost/badvulnerability.htm\n\n'
expected_references += 'name: Reference for a bad vulnerability\nsource: MISC\n'
expected_references += 'url: http://localhost2/reference_for_badvulnerability.pdf\n\n'
testfile = TestFile('dp_finding.xml', finding_xml)
parser = DependencyCheckParser(testfile, Test())
finding = parser.get_finding_from_vulnerability(vulnerability,
'testfile.jar', Test())
self.assertEqual('testfile.jar | CVE-0000-0001', finding.title)
self.assertEqual('High', finding.severity)
self.assertEqual(
'Description of a bad vulnerability.',
finding.description)
self.assertEqual(expected_references, finding.references)
def test_parse_java_6_5_3(self):
"""Test with version 6.5.3"""
with open(path.join(path.dirname(__file__), "../scans/dependency_check/version-6.5.3.xml")) as test_file:
parser = DependencyCheckParser()
findings = parser.get_findings(test_file, Test())
items = findings
self.assertEqual(1, len(items))
i = 0
with self.subTest(i=i):
self.assertEqual(items[i].component_name, "org.apache.logging.log4j:log4j-api")
self.assertEqual(items[i].component_version, "2.12.4")
self.assertIn(
"Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.",
items[i].description,
)
self.assertEqual(items[i].severity, "Low")
self.assertEqual(items[i].file_path, "log4j-api-2.12.4.jar")
self.assertEqual(
items[i].date, datetime(2022, 1, 15, 14, 31, 13, 42600, tzinfo=timezone.utc)
) # 2022-01-15T14:31:13.042600508Z
def import_parser_factory(file, test, active, verified, scan_type=None):
if scan_type is None:
scan_type = test.test_type.name
if scan_type == "Burp Scan":
parser = BurpXmlParser(file, test)
elif scan_type == "Burp Enterprise Scan":
parser = BurpEnterpriseHtmlParser(file, test)
elif scan_type == "Nessus Scan":
filename = file.name.lower()
if filename.endswith("csv"):
parser = NessusCSVParser(file, test)
elif filename.endswith("xml") or filename.endswith("nessus"):
parser = NessusXMLParser(file, test)
elif scan_type == "Clair Scan":
parser = ClairParser(file, test)
elif scan_type == "Nmap Scan":
parser = NmapXMLParser(file, test)
elif scan_type == "Nikto Scan":
parser = NiktoXMLParser(file, test)
elif scan_type == "Nexpose Scan":
parser = NexposeFullXmlParser(file, test)
elif scan_type == "Veracode Scan":
parser = VeracodeXMLParser(file, test)
elif scan_type == "Checkmarx Scan":
parser = CheckmarxXMLParser(file, test)
elif scan_type == "Checkmarx Scan detailed":
parser = CheckmarxXMLParser(file, test, 'detailed')
elif scan_type == "Contrast Scan":
parser = ContrastCSVParser(file, test)
elif scan_type == "Crashtest Security JSON File":
parser = CrashtestSecurityJsonParser(file, test)
elif scan_type == "Crashtest Security XML File":
parser = CrashtestSecurityXmlParser(file, test)
elif scan_type == "Bandit Scan":
parser = BanditParser(file, test)
elif scan_type == "ESLint Scan":
parser = ESLintParser(file, test)
elif scan_type == "ZAP Scan":
parser = ZapXmlParser(file, test)
elif scan_type == "AppSpider Scan":
parser = AppSpiderXMLParser(file, test)
elif scan_type == "Arachni Scan":
parser = ArachniJSONParser(file, test)
elif scan_type == 'VCG Scan':
parser = VCGParser(file, test)
elif scan_type == 'Dependency Check Scan':
parser = DependencyCheckParser(file, test)
elif scan_type == 'Dependency Track Finding Packaging Format (FPF) Export':
parser = DependencyTrackParser(file, test)
elif scan_type == 'Retire.js Scan':
parser = RetireJsParser(file, test)
elif scan_type == 'Node Security Platform Scan':
parser = NspParser(file, test)
elif scan_type == 'NPM Audit Scan':
parser = NpmAuditParser(file, test)
elif scan_type == 'PHP Symfony Security Check':
parser = PhpSymfonySecurityCheckParser(file, test)
elif scan_type == 'Generic Findings Import':
parser = GenericFindingUploadCsvParser(file, test, active, verified)
elif scan_type == 'Qualys Scan':
parser = QualysParser(file, test)
elif scan_type == 'Qualys Infrastructure Scan (WebGUI XML)':
parser = QualysInfraScanParser(file, test)
elif scan_type == 'Qualys Webapp Scan':
parser = QualysWebAppParser(file, test)
elif scan_type == "OpenVAS CSV":
parser = OpenVASUploadCsvParser(file, test)
elif scan_type == 'Snyk Scan':
parser = SnykParser(file, test)
elif scan_type == 'SKF Scan':
parser = SKFCsvParser(file, test)
elif scan_type == 'SSL Labs Scan':
parser = SSLlabsParser(file, test)
elif scan_type == 'Trufflehog Scan':
parser = TruffleHogJSONParser(file, test)
elif scan_type == 'Clair Klar Scan':
parser = ClairKlarParser(file, test)
elif scan_type == 'Gosec Scanner':
parser = GosecScannerParser(file, test)
elif scan_type == 'Trustwave Scan (CSV)':
parser = TrustwaveUploadCsvParser(file, test)
elif scan_type == 'Netsparker Scan':
parser = NetsparkerParser(file, test)
elif scan_type == 'PHP Security Audit v2':
parser = PhpSecurityAuditV2(file, test)
elif scan_type == 'Acunetix Scan':
parser = AcunetixScannerParser(file, test)
elif scan_type == 'Fortify Scan':
parser = FortifyXMLParser(file, test)
elif scan_type == 'SonarQube Scan':
parser = SonarQubeHtmlParser(file, test)
elif scan_type == 'SonarQube Scan detailed':
parser = SonarQubeHtmlParser(file, test, 'detailed')
elif scan_type == SCAN_SONARQUBE_API:
parser = SonarQubeApiImporter(test)
elif scan_type == 'MobSF Scan':
parser = MobSFParser(file, test)
elif scan_type == 'AWS Scout2 Scan':
parser = AWSScout2Parser(file, test)
elif scan_type == 'AWS Prowler Scan':
parser = AWSProwlerParser(file, test)
elif scan_type == 'Brakeman Scan':
parser = BrakemanScanParser(file, test)
elif scan_type == 'SpotBugs Scan':
parser = SpotbugsXMLParser(file, test)
elif scan_type == 'Safety Scan':
parser = SafetyParser(file, test)
elif scan_type == 'DawnScanner Scan':
parser = DawnScannerParser(file, test)
elif scan_type == 'Anchore Engine Scan':
parser = AnchoreEngineScanParser(file, test)
elif scan_type == 'Bundler-Audit Scan':
parser = BundlerAuditParser(file, test)
elif scan_type == 'Twistlock Image Scan':
parser = TwistlockParser(file, test)
elif scan_type == 'IBM AppScan DAST':
parser = IbmAppScanDASTXMLParser(file, test)
elif scan_type == 'Kiuwan Scan':
parser = KiuwanCSVParser(file, test)
elif scan_type == 'Blackduck Hub Scan':
parser = BlackduckHubCSVParser(file, test)
elif scan_type == 'Blackduck Component Risk':
parser = BlackduckHubParser(file, test)
elif scan_type == 'Sonatype Application Scan':
parser = SonatypeJSONParser(file, test)
elif scan_type == 'Openscap Vulnerability Scan':
parser = OpenscapXMLParser(file, test)
elif scan_type == 'Immuniweb Scan':
parser = ImmuniwebXMLParser(file, test)
elif scan_type == 'Wapiti Scan':
parser = WapitiXMLParser(file, test)
elif scan_type == 'Cobalt.io Scan':
parser = CobaltCSVParser(file, test)
elif scan_type == 'Mozilla Observatory Scan':
parser = MozillaObservatoryJSONParser(file, test)
elif scan_type == 'Whitesource Scan':
parser = WhitesourceJSONParser(file, test)
elif scan_type == 'Microfocus Webinspect Scan':
parser = MicrofocusWebinspectXMLParser(file, test)
elif scan_type == 'Wpscan':
parser = WpscanJSONParser(file, test)
elif scan_type == 'Sslscan':
parser = SslscanXMLParser(file, test)
elif scan_type == 'JFrog Xray Scan':
parser = XrayJSONParser(file, test)
elif scan_type == 'Sslyze Scan':
parser = SslyzeXmlParser(file, test)
elif scan_type == 'Testssl Scan':
parser = TestsslCSVParser(file, test)
elif scan_type == 'Hadolint Dockerfile check':
parser = HadolintParser(file, test)
elif scan_type == 'Aqua Scan':
parser = AquaJSONParser(file, test)
elif scan_type == 'HackerOne Cases':
parser = HackerOneJSONParser(file, test)
elif scan_type == 'Xanitizer Scan':
parser = XanitizerXMLParser(file, test)
elif scan_type == 'Trivy Scan':
parser = TrivyParser(file, test)
elif scan_type == 'Outpost24 Scan':
parser = Outpost24Parser(file, test)
elif scan_type == 'DSOP Scan':
parser = DsopParser(file, test)
elif scan_type == 'Anchore Enterprise Policy Check':
parser = AnchoreEnterprisePolicyCheckParser(file, test)
elif scan_type == 'Gitleaks Scan':
parser = GitleaksJSONParser(file, test)
elif scan_type == 'Harbor Vulnerability Scan':
parser = HarborVulnerabilityParser(file, test)
elif scan_type == 'Github Vulnerability Scan':
parser = GithubVulnerabilityParser(file, test)
elif scan_type == 'Choctaw Hog Scan':
parser = ChoctawhogParser(file, test)
elif scan_type == 'GitLab SAST Report':
parser = GitlabSastReportParser(file, test)
elif scan_type == 'Yarn Audit Scan':
parser = YarnAuditParser(file, test)
elif scan_type == 'BugCrowd Scan':
parser = BugCrowdCSVParser(file, test)
elif scan_type == 'HuskyCI Report':
parser = HuskyCIReportParser(file, test)
elif scan_type == 'CCVS Report':
parser = CCVSReportParser(file, test)
else:
raise ValueError('Unknown Test Type')
return parser
def test_parse_file_with_single_vulnerability_has_single_finding(self):
content = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<scanInfo>
</scanInfo>
<projectInfo>
<name>Test Project</name>
<reportDate>2016-11-05T14:52:15.748-0400</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
<dependency>
<fileName>component1.dll</fileName>
<filePath>C:\\Projectsestproject\\libraries\\component1.dll</filePath>
<md5>ba5a6a10bae6ce2abbabec9facae23a4</md5>
<sha1>ae917bbce68733468b1972113e0e1fc5dc7444a0</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1.dll</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>version</name>
<value>1</value>
</evidence>
</evidenceCollected>
</dependency>
<dependency>
<fileName>component2.dll</fileName>
<filePath>C:\\Projectestproject\\libraries\\component2.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component2</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component2</value>
</evidence>
</evidenceCollected>
<identifiers>
<identifier type="maven" confidence="HIGHEST">
<name>org.owasp:library:6.7.8</name>
<url>https://search.maven.org/remotecontent?filepath=xalan/serializer/2.7.1/serializer-2.7.1.jar</url>
</identifier>
</identifiers>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>Moderate</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
</dependencies>
</analysis>
"""
testfile = TestFile("dependency-check-report.xml", content)
parser = DependencyCheckParser()
findings = parser.get_findings(testfile, Test())
items = findings
self.assertEqual(1, len(items))
i = 0
with self.subTest(i=i):
self.assertEqual(items[i].title, "org.owasp:library:6.7.8 | CVE-0000-0001")
self.assertEqual(items[i].severity, "Medium")
self.assertEqual(items[i].component_name, "org.owasp:library")
self.assertEqual(items[i].component_version, "6.7.8")
self.assertEqual(
items[i].mitigation,
"Update org.owasp:library:6.7.8 to at least the version recommended in the description",
)
self.assertEqual(items[i].date, datetime(2016, 11, 5, 14, 52, 15, 748000, tzinfo=tzoffset(None, -14400)))
def test_parse_empty_file(self):
with open(path.join(path.dirname(__file__), "../scans/dependency_check/dc_empty.xml")) as test_file:
parser = DependencyCheckParser()
findings = parser.get_findings(test_file, Test())
self.assertEqual(0, len(findings))
def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self):
content = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<scanInfo>
</scanInfo>
<projectInfo>
<name>Test Project</name>
<reportDate>2016-11-05T14:52:15.748-0400</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
<dependency>
<fileName>component1</fileName>
<filePath>C:\\Projectestproject\\libraries\\component1.dll</filePath>
<md5>ba5a6a10bae6ce2abbabec9facae23a4</md5>
<sha1>ae917bbce68733468b1972113e0e1fc5dc7444a0</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1.dll</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>version</name>
<value>1</value>
</evidence>
</evidenceCollected>
</dependency>
<dependency>
<fileName>adapter-ear1.ear: dom4j-2.1.1.jar</fileName>
<filePath>/var/lib/adapter-ear1.ear/dom4j-2.1.1.jar</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<relatedDependencies>
<relatedDependency>
<fileName>adapter-ear8.ear: dom4j-2.1.1.jar</fileName>
<filePath>/var/lib/adapter-ear8.ear/dom4j-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
<relatedDependency>
<fileName>adapter-ear1.ear: dom4j-extensions-2.1.1.jar</fileName>
<filePath>/var/lib/adapter-ear1.ear/dom4j-extensions-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
</relatedDependencies>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>org.jdom</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>dom4j</value>
</evidence>
</evidenceCollected>
<identifiers>
<identifiers>
<package confidence="HIGH">
<id>pkg:maven/org.dom4j/[email protected]</id>
<url>https://ossindex.sonatype.org/component/pkg:maven/org.dom4j/[email protected]</url>
</package>
<vulnerabilityIds confidence="HIGHEST">
<id>cpe:2.3:a:dom4j_project:dom4j:2.1.1.hat-00001:*:*:*:*:*:*:*</id>
<url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Adom4j_project&cpe_product=cpe%3A%2F%3Adom4j_project%3Adom4j&cpe_version=cpe%3A%2F%3Adom4j_project%3Adom4j%3A2.1.1.hat-00001</url>
</vulnerabilityIds>
</identifiers>
<identifier type="cpe" confidence="HIGHEST">
<name>cpe:/a:apache:xalan-java:2.7.1</name>
<url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Axalan-java%3A2.7.1</url>
</identifier>
<identifier type="maven" confidence="HIGHEST">
<name>xalan:serializer:2.7.1</name>
<url>https://search.maven.org/remotecontent?filepath=xalan/serializer/2.7.1/serializer-2.7.1.jar</url>
</identifier>
</identifiers>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
<dependency isVirtual="true">
<fileName>yargs-parser:5.0.0</fileName>
<filePath>/var/lib/jenkins/workspace/nl-selfservice_-_metrics_develop/package-lock.json?yargs-parser</filePath>
<md5/>
<sha1/>
<sha256/>
<relatedDependencies>
<relatedDependency>
<filePath>/var/lib/adapter-ear8.ear/dom4j-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
<relatedDependency>
<filePath>/var/lib/adapter-ear1.ear/dom4j-extensions-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
</relatedDependencies>
<projectReferences>
<projectReference>package-lock.json: transitive</projectReference>
</projectReferences>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>package.json</source>
<name>name</name>
<value>yargs-parser</value>
</evidence>
<evidence type="product" confidence="HIGHEST">
<source>package.json</source>
<name>name</name>
<value>yargs-parser</value>
</evidence>
<evidence type="version" confidence="HIGHEST">
<source>package.json</source>
<name>version</name>
<value>5.0.0</value>
</evidence>
</evidenceCollected>
<identifiers>
<package confidence="HIGHEST">
<id>pkg:npm/[email protected]</id>
<url>https://ossindex.sonatype.org/component/pkg:npm/[email protected]</url>
</package>
</identifiers>
<vulnerabilities>
<vulnerability source="NPM">
<name>1500</name>
<severity unscored="true">low</severity>
<description>Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.</description>
<references>
<reference>
<source>Advisory 1500: Prototype Pollution</source>
<name>- [Snyk Report](https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381)</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:2.3:a:*:yargs-parser:\\<13.1.2\\|\\|\\>\\=14.0.0\\<15.0.1\\|\\|\\>\\=16.0.0\\<18.1.2:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
<vulnerability source="OSSINDEX">
<name>CVE-2020-7608</name>
<severity>HIGH</severity>
<cvssV3>
<baseScore>7.5</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>N</confidentialityImpact>
<integrityImpact>H</integrityImpact>
<availabilityImpact>N</availabilityImpact>
<baseSeverity>HIGH</baseSeverity>
</cvssV3>
<description>yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vuln/b7740d41-fc85-4d22-8af5-5a3159e114ea?component-type=npm&component-name=yargs-parser</url>
<name>[CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:yargs-parser:5.0.0:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
<vulnerability source="OSSINDEX">
<name>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</name>
<severity>HIGH</severity>
<cvssV3>
<baseScore>7.5</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>N</confidentialityImpact>
<integrityImpact>N</integrityImpact>
<availabilityImpact>H</availabilityImpact>
<baseSeverity>HIGH</baseSeverity>
</cvssV3>
<cwes>
<cwe>CWE-400</cwe>
</cwes>
<description>The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vuln/7ccaaed0-205b-4382-a963-8a30a0b151b1?component-type=npm&component-name=yargs-parser</url>
<name>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:yargs-parser:5.0.0:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
<dependency>
<fileName>adapter-ear2.ear: dom4j-2.1.1.jar</fileName>
<filePath>C:\\Projectestproject\\libraries\\component2.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>org.jdom</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>dom4j</value>
</evidence>
</evidenceCollected>
<identifiers>
<identifiers>
<package confidence="HIGH">
<id>pkg:maven/org.dom4j/[email protected]</id>
<url>https://ossindex.sonatype.org/component/pkg:maven/org.dom4j/[email protected]</url>
</package>
<vulnerabilityIds confidence="HIGHEST">
<id>cpe:2.3:a:dom4j_project:dom4j:2.1.1.hat-00001:*:*:*:*:*:*:*</id>
<url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Adom4j_project&cpe_product=cpe%3A%2F%3Adom4j_project%3Adom4j&cpe_version=cpe%3A%2F%3Adom4j_project%3Adom4j%3A2.1.1.hat-00001</url>
</vulnerabilityIds>
</identifiers>
<identifier type="cpe" confidence="HIGHEST">
<name>cpe:/a:apache:xalan-java:2.7.1</name>
<url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Axalan-java%3A2.7.1</url>
</identifier>
<identifier type="maven" confidence="HIGHEST">
<name>xalan:serializer:2.7.1</name>
<url>https://search.maven.org/remotecontent?filepath=xalan/serializer/2.7.1/serializer-2.7.1.jar</url>
</identifier>
</identifiers>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
<dependency>
<fileName>adapter-ear3.ear: dom4j-2.1.1.jar</fileName>
<filePath>C:\\Projectestproject\\libraries\\component2.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<evidenceCollected>
<evidence type="version" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>2.1.1</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>dom4j</value>
</evidence>
</evidenceCollected>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
<dependency>
<fileName>adapter-ear4.ear: liquibase-core-3.5.3.jar: jquery.js</fileName>
<filePath>C:\\Projectestproject\\libraries\\component3.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f03</md5>
<sha1>a29f196740ab608199488c574f536529b5c21243</sha1>
<evidenceCollected>
<evidence type="version" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>3.1.1</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>jquery</value>
</evidence>
</evidenceCollected>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component3:component3:1.0</software>
</vulnerableSoftware>
</vulnerability>
<suppressedVulnerability source="NVD">
<name>CVE-2019-7238</name>
<cvssV2>
<score>7.5</score>
<accessVector>NETWORK</accessVector>
<accessComplexity>LOW</accessComplexity>
<authenticationr>NONE</authenticationr>
<confidentialImpact>PARTIAL</confidentialImpact>
<integrityImpact>PARTIAL</integrityImpact>
<availabilityImpact>PARTIAL</availabilityImpact>
<severity>HIGH</severity>
<version>2.0</version>
<exploitabilityScore>10.0</exploitabilityScore>
<impactScore>6.4</impactScore>
</cvssV2>
<cvssV3>
<baseScore>9.8</baseScore>
<attackVector>NETWORK</attackVector>
<attackComplexity>LOW</attackComplexity>
<privilegesRequired>NONE</privilegesRequired>
<userInteraction>NONE</userInteraction>
<scope>UNCHANGED</scope>
<confidentialityImpact>HIGH</confidentialityImpact>
<integrityImpact>HIGH</integrityImpact>
<availabilityImpact>HIGH</availabilityImpact>
<baseSeverity>CRITICAL</baseSeverity>
<exploitabilityScore>3.9</exploitabilityScore>
<impactScore>5.9</impactScore>
<version>3.0</version>
</cvssV3>
<cwes>
<cwe>NVD-CWE-noinfo</cwe>
</cwes>
<description>Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.</description>
<references>
<reference>
<source>MISC</source>
<url>https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019</url>
<name>https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019</name>
</reference>
</references>
<vulnerableSoftware>
<software matched="true" versionEndExcluding="3.15.0">cpe:2.3:a:sonatype:nexus:*:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</suppressedVulnerability>
<suppressedVulnerability source="NVD">
<name>CVE-2017-1000487</name>
<cvssV2>
<score>7.5</score>
<accessVector>NETWORK</accessVector>
<accessComplexity>LOW</accessComplexity>
<authenticationr>NONE</authenticationr>
<confidentialImpact>PARTIAL</confidentialImpact>
<integrityImpact>PARTIAL</integrityImpact>
<availabilityImpact>PARTIAL</availabilityImpact>
<severity>HIGH</severity>
<version>2.0</version>
<exploitabilityScore>10.0</exploitabilityScore>
<impactScore>6.4</impactScore>
<acInsufInfo>true</acInsufInfo>
</cvssV2>
<cvssV3>
<baseScore>9.8</baseScore>
<attackVector>NETWORK</attackVector>
<attackComplexity>LOW</attackComplexity>
<privilegesRequired>NONE</privilegesRequired>
<userInteraction>NONE</userInteraction>
<scope>UNCHANGED</scope>
<confidentialityImpact>HIGH</confidentialityImpact>
<integrityImpact>HIGH</integrityImpact>
<availabilityImpact>HIGH</availabilityImpact>
<baseSeverity>CRITICAL</baseSeverity>
<exploitabilityScore>3.9</exploitabilityScore>
<impactScore>5.9</impactScore>
<version>3.1</version>
</cvssV3>
<cwes>
<cwe>CWE-78</cwe>
</cwes>
<description>Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.</description>
<notes>This is our reason for not to upgrade it.</notes>
<references>
<reference>
<source>MLIST</source>
<url>https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html</url>
<name>[debian-lts-announce] 20180109 [SECURITY] [DLA 1237-1] plexus-utils2 security update</name>
</reference>
<reference>
<source>DEBIAN</source>
<url>https://www.debian.org/security/2018/dsa-4146</url>
<name>DSA-4146</name>
</reference>
</references>
<vulnerableSoftware>
<software matched="true" versionEndExcluding="3.0.16">cpe:2.3:a:plexus-utils_project:plexus-utils:*:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</suppressedVulnerability>
</vulnerabilities>
</dependency>
</dependencies>
</analysis>
"""
testfile = TestFile("dependency-check-report.xml", content)
parser = DependencyCheckParser()
findings = parser.get_findings(testfile, Test())
items = findings
self.assertEqual(11, len(items))
# test also different component_name formats
with self.subTest(i=0):
# identifier -> package url java + 2 relateddependencies
self.assertEqual(items[0].title, "org.dom4j:dom4j:2.1.1.redhat-00001 | CVE-0000-0001")
self.assertEqual(items[0].component_name, "org.dom4j:dom4j")
self.assertEqual(items[0].component_version, "2.1.1.redhat-00001")
self.assertIn(
"Description of a bad vulnerability.",
items[0].description,
)
self.assertIn(
"/var/lib/adapter-ear1.ear/dom4j-2.1.1.jar",
items[0].description,
)
self.assertEqual(items[0].severity, "High")
self.assertEqual(items[0].file_path, "adapter-ear1.ear: dom4j-2.1.1.jar")
self.assertEqual(
items[0].mitigation,
"Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description",
)
self.assertEqual(
items[0].date, datetime(2016, 11, 5, 14, 52, 15, 748000, tzinfo=tzoffset(None, -14400))
) # 2016-11-05T14:52:15.748-0400
with self.subTest(i=1):
self.assertEqual(items[1].title, "org.dom4j:dom4j:2.1.1.redhat-00001 | CVE-0000-0001")
self.assertEqual(items[1].component_name, "org.dom4j:dom4j")
self.assertEqual(items[1].component_version, "2.1.1.redhat-00001")
self.assertIn(
"Description of a bad vulnerability.",
items[1].description,
)
self.assertIn(
"/var/lib/adapter-ear8.ear/dom4j-2.1.1.jar",
items[1].description,
)
self.assertEqual(items[1].severity, "High")
self.assertEqual(items[1].file_path, "adapter-ear8.ear: dom4j-2.1.1.jar")
self.assertEqual(
items[1].mitigation,
"Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description",
)
self.assertEqual(items[1].tags, "related")
with self.subTest(i=2):
self.assertEqual(items[2].title, "org.dom4j:dom4j:2.1.1.redhat-00001 | CVE-0000-0001")
self.assertEqual(items[2].component_name, "org.dom4j:dom4j")
self.assertEqual(items[2].component_version, "2.1.1.redhat-00001")
self.assertIn(
"Description of a bad vulnerability.",
items[2].description,
)
self.assertIn(
"/var/lib/adapter-ear1.ear/dom4j-extensions-2.1.1.jar",
items[2].description,
)
self.assertEqual(items[2].severity, "High")
self.assertEqual(items[2].file_path, "adapter-ear1.ear: dom4j-extensions-2.1.1.jar")
self.assertEqual(
items[2].mitigation,
"Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description",
)
with self.subTest(i=3):
# identifier -> package url javascript, no vulnerabilitids, 3 vulnerabilities, relateddependencies without filename (pre v6.0.0)
self.assertEqual(
items[3].title, "yargs-parser:5.0.0 | 1500"
)
self.assertEqual(items[3].component_name, "yargs-parser")
self.assertEqual(items[3].component_version, "5.0.0")
# assert fails due to special characters, not too important
# self.assertEqual(items[1].description, "Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.")
self.assertEqual(items[3].severity, "Low")
self.assertEqual(items[3].file_path, "yargs-parser:5.0.0")
self.assertEqual(
items[3].mitigation, "Update yargs-parser:5.0.0 to at least the version recommended in the description"
)
self.assertIn(
"**Source:** NPM",
items[3].description,
)
with self.subTest(i=4):
self.assertEqual(
items[4].title,
"yargs-parser:5.0.0 | CVE-2020-7608",
)
self.assertEqual(items[4].component_name, "yargs-parser")
self.assertEqual(items[4].component_version, "5.0.0")
self.assertIn(
'yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.',
items[4].description,
)
self.assertIn(
"/var/lib/jenkins/workspace/nl-selfservice_-_metrics_develop/package-lock.json?yargs-parser",
items[4].description,
)
self.assertEqual(items[4].severity, "High")
self.assertEqual(items[4].file_path, "yargs-parser:5.0.0")
self.assertEqual(
items[4].mitigation, "Update yargs-parser:5.0.0 to at least the version recommended in the description"
)
with self.subTest(i=5):
self.assertEqual(
items[5].title,
"yargs-parser:5.0.0 | CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
)
self.assertEqual(items[5].component_name, "yargs-parser")
self.assertEqual(items[5].component_version, "5.0.0")
self.assertIn(
"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
items[5].description,
)
# check that the filepath is in the description
self.assertIn(
"/var/lib/jenkins/workspace/nl-selfservice_-_metrics_develop/package-lock.json?yargs-parser",
items[5].description,
)
self.assertEqual(items[5].severity, "High")
self.assertEqual(items[5].file_path, "yargs-parser:5.0.0")
self.assertEqual(
items[5].mitigation, "Update yargs-parser:5.0.0 to at least the version recommended in the description"
)
with self.subTest(i=6):
# identifier -> cpe java
self.assertEqual(items[6].title, "org.dom4j:dom4j:2.1.1.redhat-00001 | CVE-0000-0001")
self.assertEqual(items[6].component_name, "org.dom4j:dom4j")
self.assertEqual(items[6].component_version, "2.1.1.redhat-00001")
self.assertEqual(items[6].severity, "High")
self.assertEqual(items[6].file_path, "adapter-ear2.ear: dom4j-2.1.1.jar")
self.assertEqual(
items[6].mitigation,
"Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description",
)
with self.subTest(i=7):
# identifier -> maven java
self.assertEqual(items[7].title, "dom4j:2.1.1 | CVE-0000-0001")
self.assertEqual(items[7].component_name, "dom4j")
self.assertEqual(items[7].component_version, "2.1.1")
self.assertEqual(items[7].severity, "High")
self.assertEqual(
items[7].mitigation, "Update dom4j:2.1.1 to at least the version recommended in the description"
)
with self.subTest(i=8):
# evidencecollected -> single product + single verison javascript
self.assertEqual(
items[8].title,
"jquery:3.1.1 | CVE-0000-0001",
)
self.assertEqual(items[8].component_name, "jquery")
self.assertEqual(items[8].component_version, "3.1.1")
self.assertEqual(items[8].severity, "High")
self.assertEqual(
items[8].mitigation, "Update jquery:3.1.1 to at least the version recommended in the description"
)
with self.subTest(i=9):
# Tests for two suppressed vulnerabilities,
# One for Suppressed with notes, the other is without.
self.assertEqual(items[9].active, False)
self.assertEqual(
items[9].mitigation,
"**This vulnerability is mitigated and/or suppressed:** Document on why we are suppressing this vulnerability is missing!\nUpdate jquery:3.1.1 to at least the version recommended in the description",
)
self.assertEqual(items[9].tags, ["suppressed", "no_suppression_document"])
self.assertEqual(items[10].severity, "Critical")
with self.subTest(i=10):
self.assertEqual(items[10].active, False)
self.assertEqual(
items[10].mitigation,
"**This vulnerability is mitigated and/or suppressed:** This is our reason for not to upgrade it.\nUpdate jquery:3.1.1 to at least the version recommended in the description",
)
self.assertEqual(items[10].tags, "suppressed")
self.assertEqual(items[10].severity, "Critical")
def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self):
content = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<scanInfo>
</scanInfo>
<projectInfo>
<name>Test Project</name>
<reportDate>2016-11-05T14:52:15.748-0400</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
<dependency>
<fileName>component1</fileName>
<filePath>C:\\Projectestproject\\libraries\\component1.dll</filePath>
<md5>ba5a6a10bae6ce2abbabec9facae23a4</md5>
<sha1>ae917bbce68733468b1972113e0e1fc5dc7444a0</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1.dll</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>version</name>
<value>1</value>
</evidence>
</evidenceCollected>
</dependency>
<dependency>
<fileName>adapter-ear1.ear: dom4j-2.1.1.jar</fileName>
<filePath>/var/lib/adapter-ear1.ear/dom4j-2.1.1.jar</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<relatedDependencies>
<relatedDependency>
<fileName>adapter-ear8.ear: dom4j-2.1.1.jar</fileName>
<filePath>/var/lib/adapter-ear8.ear/dom4j-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
<relatedDependency>
<fileName>adapter-ear1.ear: dom4j-extensions-2.1.1.jar</fileName>
<filePath>/var/lib/adapter-ear1.ear/dom4j-extensions-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
</relatedDependencies>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>org.jdom</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>dom4j</value>
</evidence>
</evidenceCollected>
<identifiers>
<identifiers>
<package confidence="HIGH">
<id>pkg:maven/org.dom4j/[email protected]</id>
<url>https://ossindex.sonatype.org/component/pkg:maven/org.dom4j/[email protected]</url>
</package>
<vulnerabilityIds confidence="HIGHEST">
<id>cpe:2.3:a:dom4j_project:dom4j:2.1.1.hat-00001:*:*:*:*:*:*:*</id>
<url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Adom4j_project&cpe_product=cpe%3A%2F%3Adom4j_project%3Adom4j&cpe_version=cpe%3A%2F%3Adom4j_project%3Adom4j%3A2.1.1.hat-00001</url>
</vulnerabilityIds>
</identifiers>
<identifier type="cpe" confidence="HIGHEST">
<name>cpe:/a:apache:xalan-java:2.7.1</name>
<url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Axalan-java%3A2.7.1</url>
</identifier>
<identifier type="maven" confidence="HIGHEST">
<name>xalan:serializer:2.7.1</name>
<url>https://search.maven.org/remotecontent?filepath=xalan/serializer/2.7.1/serializer-2.7.1.jar</url>
</identifier>
</identifiers>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
<dependency isVirtual="true">
<fileName>yargs-parser:5.0.0</fileName>
<filePath>/var/lib/jenkins/workspace/nl-selfservice_-_metrics_develop/package-lock.json?yargs-parser</filePath>
<md5/>
<sha1/>
<sha256/>
<relatedDependencies>
<relatedDependency>
<filePath>/var/lib/adapter-ear8.ear/dom4j-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
<relatedDependency>
<filePath>/var/lib/adapter-ear1.ear/dom4j-extensions-2.1.1.jar</filePath>
<sha256>a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11</sha256>
<sha1>080c5a481cd7abf27bfd4b48edf73b1cb214085e</sha1>
<md5>add18b9f953221ff565cf7a34aac0ed9</md5>
</relatedDependency>
</relatedDependencies>
<projectReferences>
<projectReference>package-lock.json: transitive</projectReference>
</projectReferences>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>package.json</source>
<name>name</name>
<value>yargs-parser</value>
</evidence>
<evidence type="product" confidence="HIGHEST">
<source>package.json</source>
<name>name</name>
<value>yargs-parser</value>
</evidence>
<evidence type="version" confidence="HIGHEST">
<source>package.json</source>
<name>version</name>
<value>5.0.0</value>
</evidence>
</evidenceCollected>
<identifiers>
<package confidence="HIGHEST">
<id>pkg:npm/[email protected]</id>
<url>https://ossindex.sonatype.org/component/pkg:npm/[email protected]</url>
</package>
</identifiers>
<vulnerabilities>
<vulnerability source="NPM">
<name>1500</name>
<severity unscored="true">low</severity>
<description>Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.</description>
<references>
<reference>
<source>Advisory 1500: Prototype Pollution</source>
<name>- [Snyk Report](https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381)</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:2.3:a:*:yargs-parser:\\<13.1.2\\|\\|\\>\\=14.0.0\\<15.0.1\\|\\|\\>\\=16.0.0\\<18.1.2:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
<vulnerability source="OSSINDEX">
<name>CVE-2020-7608</name>
<severity>HIGH</severity>
<cvssV3>
<baseScore>7.5</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>N</confidentialityImpact>
<integrityImpact>H</integrityImpact>
<availabilityImpact>N</availabilityImpact>
<baseSeverity>HIGH</baseSeverity>
</cvssV3>
<description>yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vuln/b7740d41-fc85-4d22-8af5-5a3159e114ea?component-type=npm&component-name=yargs-parser</url>
<name>[CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:yargs-parser:5.0.0:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
<vulnerability source="OSSINDEX">
<name>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</name>
<severity>HIGH</severity>
<cvssV3>
<baseScore>7.5</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>N</confidentialityImpact>
<integrityImpact>N</integrityImpact>
<availabilityImpact>H</availabilityImpact>
<baseSeverity>HIGH</baseSeverity>
</cvssV3>
<cwes>
<cwe>CWE-400</cwe>
</cwes>
<description>The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vuln/7ccaaed0-205b-4382-a963-8a30a0b151b1?component-type=npm&component-name=yargs-parser</url>
<name>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:yargs-parser:5.0.0:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
<dependency>
<fileName>adapter-ear2.ear: dom4j-2.1.1.jar</fileName>
<filePath>C:\\Projectestproject\\libraries\\component2.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>org.jdom</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>dom4j</value>
</evidence>
</evidenceCollected>
<identifiers>
<identifiers>
<package confidence="HIGH">
<id>pkg:maven/org.dom4j/[email protected]</id>
<url>https://ossindex.sonatype.org/component/pkg:maven/org.dom4j/[email protected]</url>
</package>
<vulnerabilityIds confidence="HIGHEST">
<id>cpe:2.3:a:dom4j_project:dom4j:2.1.1.hat-00001:*:*:*:*:*:*:*</id>
<url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Adom4j_project&cpe_product=cpe%3A%2F%3Adom4j_project%3Adom4j&cpe_version=cpe%3A%2F%3Adom4j_project%3Adom4j%3A2.1.1.hat-00001</url>
</vulnerabilityIds>
</identifiers>
<identifier type="cpe" confidence="HIGHEST">
<name>cpe:/a:apache:xalan-java:2.7.1</name>
<url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Axalan-java%3A2.7.1</url>
</identifier>
<identifier type="maven" confidence="HIGHEST">
<name>xalan:serializer:2.7.1</name>
<url>https://search.maven.org/remotecontent?filepath=xalan/serializer/2.7.1/serializer-2.7.1.jar</url>
</identifier>
</identifiers>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
<dependency>
<fileName>adapter-ear3.ear: dom4j-2.1.1.jar</fileName>
<filePath>C:\\Projectestproject\\libraries\\component2.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<evidenceCollected>
<evidence type="version" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>2.1.1</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>dom4j</value>
</evidence>
</evidenceCollected>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
<dependency>
<fileName>adapter-ear4.ear: liquibase-core-3.5.3.jar: jquery.js</fileName>
<filePath>C:\\Projectestproject\\libraries\\component3.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f03</md5>
<sha1>a29f196740ab608199488c574f536529b5c21243</sha1>
<evidenceCollected>
<evidence type="version" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>3.1.1</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>jquery</value>
</evidence>
</evidenceCollected>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component3:component3:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
</dependencies>
</analysis>
"""
testfile = TestFile("dependency-check-report.xml", content)
parser = DependencyCheckParser()
findings = parser.get_findings(testfile, Test())
items = findings
self.assertEqual(9, len(items))
# test also different component_name formats
# identifier -> package url java + 2 relateddependencies
self.assertEqual(
items[0].title, "dom4j:2.1.1.redhat-00001 | Description of a bad vulnerability.(in adapter-ear1.ear: dom4j-2.1.1.jar)"
)
self.assertEqual(items[0].component_name, "org.dom4j:dom4j")
self.assertEqual(items[0].component_version, "2.1.1.redhat-00001")
self.assertEqual(items[0].description, "Description of a bad vulnerability.\nFilepath: /var/lib/adapter-ear1.ear/dom4j-2.1.1.jar")
self.assertEqual(items[0].severity, "High")
self.assertEqual(items[0].file_path, "adapter-ear1.ear: dom4j-2.1.1.jar")
self.assertEqual(
items[0].mitigation,
"Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description"
)
self.assertEqual(
items[1].title, "dom4j:2.1.1.redhat-00001 | Description of a bad vulnerability.(in adapter-ear8.ear: dom4j-2.1.1.jar)"
)
self.assertEqual(items[1].component_name, "org.dom4j:dom4j")
self.assertEqual(items[1].component_version, "2.1.1.redhat-00001")
self.assertEqual(items[1].description, "Description of a bad vulnerability.\nFilepath: /var/lib/adapter-ear8.ear/dom4j-2.1.1.jar")
self.assertEqual(items[1].severity, "High")
self.assertEqual(items[1].file_path, "adapter-ear8.ear: dom4j-2.1.1.jar")
self.assertEqual(
items[1].mitigation,
"Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description"
)
self.assertEqual(
items[2].title,
"dom4j:2.1.1.redhat-00001 | Description of a bad vulnerability.(in adapter-ear1.ear: dom4j-extensions-2.1.1.jar)",
)
self.assertEqual(items[2].component_name, "org.dom4j:dom4j")
self.assertEqual(items[2].component_version, "2.1.1.redhat-00001")
self.assertEqual(items[2].description, "Description of a bad vulnerability.\nFilepath: /var/lib/adapter-ear1.ear/dom4j-extensions-2.1.1.jar")
self.assertEqual(items[2].severity, "High")
self.assertEqual(
items[2].file_path, "adapter-ear1.ear: dom4j-extensions-2.1.1.jar"
)
self.assertEqual(
items[2].mitigation,
"Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description"
)
# identifier -> package url javascript, no vulnerabilitids, 3 vulnerabilities, relateddependencies without filename (pre v6.0.0)
self.assertEqual(items[3].title, "yargs-parser:5.0.0 | 1500 Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.(in yargs-parser:5.0.0)")
self.assertEqual(items[3].component_name, "yargs-parser")
self.assertEqual(items[3].component_version, "5.0.0")
# assert fails due to special characters, not too important
# self.assertEqual(items[1].description, "Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.")
self.assertEqual(items[3].severity, "Low")
self.assertEqual(items[3].file_path, "yargs-parser:5.0.0")
self.assertEqual(
items[3].mitigation,
"Update yargs-parser:5.0.0 to at least the version recommended in the description"
)
self.assertEqual(items[4].title, 'yargs-parser:5.0.0 | yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.(in yargs-parser:5.0.0)')
self.assertEqual(items[4].component_name, "yargs-parser")
self.assertEqual(items[4].component_version, "5.0.0")
self.assertEqual(
items[4].description,
'yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.\nFilepath: /var/lib/jenkins/workspace/nl-selfservice_-_metrics_develop/package-lock.json?yargs-parser',
)
self.assertEqual(items[4].severity, "High")
self.assertEqual(items[4].file_path, "yargs-parser:5.0.0")
self.assertEqual(
items[4].mitigation,
"Update yargs-parser:5.0.0 to at least the version recommended in the description"
)
self.assertEqual(
items[5].title,
"yargs-parser:5.0.0 | Uncontrolled Resource Consumption ('Resource Exhaustion') (in yargs-parser:5.0.0)",
)
self.assertEqual(items[5].component_name, "yargs-parser")
self.assertEqual(items[5].component_version, "5.0.0")
self.assertEqual(
items[5].description,
"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.\nFilepath: /var/lib/jenkins/workspace/nl-selfservice_-_metrics_develop/package-lock.json?yargs-parser",
)
self.assertEqual(items[5].severity, "High")
self.assertEqual(items[5].file_path, "yargs-parser:5.0.0")
self.assertEqual(
items[5].mitigation,
"Update yargs-parser:5.0.0 to at least the version recommended in the description"
)
# identifier -> cpe java
self.assertEqual(
items[6].title, "dom4j:2.1.1.redhat-00001 | Description of a bad vulnerability.(in adapter-ear2.ear: dom4j-2.1.1.jar)"
)
self.assertEqual(items[6].component_name, "org.dom4j:dom4j")
self.assertEqual(items[6].component_version, "2.1.1.redhat-00001")
self.assertEqual(items[6].severity, "High")
self.assertEqual(items[6].file_path, "adapter-ear2.ear: dom4j-2.1.1.jar")
self.assertEqual(
items[6].mitigation,
"Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description"
)
# identifier -> maven java
self.assertEqual(
items[7].title, "dom4j:2.1.1 | Description of a bad vulnerability.(in adapter-ear3.ear: dom4j-2.1.1.jar)"
)
self.assertEqual(items[7].component_name, "dom4j")
self.assertEqual(items[7].component_version, "2.1.1")
self.assertEqual(items[7].severity, "High")
self.assertEqual(
items[7].mitigation,
"Update dom4j:2.1.1 to at least the version recommended in the description"
)
# evidencecollected -> single product + single verison javascript
self.assertEqual(
items[8].title,
"jquery:3.1.1 | Description of a bad vulnerability.(in adapter-ear4.ear: liquibase-core-3.5.3.jar: jquery.js)",
)
self.assertEqual(items[8].component_name, "jquery")
self.assertEqual(items[8].component_version, "3.1.1")
self.assertEqual(items[8].severity, "High")
self.assertEqual(
items[8].mitigation,
"Update jquery:3.1.1 to at least the version recommended in the description"
)
def test_parse_file_with_no_vulnerabilities_has_no_findings(self):
content = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<scanInfo>
</scanInfo>
<projectInfo>
<name>Test Project</name>
<reportDate>2016-11-05T14:52:15.748-0400</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
<dependency>
<fileName>component1.dll</fileName>
<filePath>C:\\Projectsestproject\\libraries\\component1.dll</filePath>
<md5>ba5a6a10bae6ce2abbabec9facae23a4</md5>
<sha1>ae917bbce68733468b1972113e0e1fc5dc7444a0</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1.dll</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>version</name>
<value>1</value>
</evidence>
</evidenceCollected>
</dependency>
<dependency>
<fileName>component2.dll</fileName>
<filePath>C:\\Projectsestproject\\libraries\\component2.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component2</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component2</value>
</evidence>
</evidenceCollected>
</dependency>
</dependencies>
</analysis>
"""
testfile = TestFile("dependency-check-report.xml", content)
parser = DependencyCheckParser()
findings = parser.get_findings(testfile, Test())
self.assertEqual(0, len(findings))
def test_parse_without_file_has_no_findings(self):
parser = DependencyCheckParser(None, Test())
self.assertEqual(0, len(parser.items))
def test_parse_file_with_single_vulnerability_has_single_finding(self):
content = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd">
<scanInfo>
</scanInfo>
<projectInfo>
<name>Test Project</name>
<reportDate>2016-11-05T14:52:15.748-0400</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
<dependency>
<fileName>component1.dll</fileName>
<filePath>C:\Projects\testproject\libraries\component1.dll</filePath>
<md5>ba5a6a10bae6ce2abbabec9facae23a4</md5>
<sha1>ae917bbce68733468b1972113e0e1fc5dc7444a0</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1.dll</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>name</name>
<value>component1</value>
</evidence>
<evidence type="version" confidence="MEDIUM">
<source>file</source>
<name>version</name>
<value>1</value>
</evidence>
</evidenceCollected>
</dependency>
<dependency>
<fileName>component2.dll</fileName>
<filePath>C:\Projects\testproject\libraries\component2.dll</filePath>
<md5>21b24bc199530e07cb15d93c7f929f04</md5>
<sha1>a29f196740ab608199488c574f536529b5c21242</sha1>
<evidenceCollected>
<evidence type="vendor" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component2</value>
</evidence>
<evidence type="product" confidence="HIGH">
<source>file</source>
<name>name</name>
<value>component2</value>
</evidence>
</evidenceCollected>
<identifiers>
<identifier type="cpe" confidence="LOW">
<name>(cpe:/a:component2:component2:-)</name>
</identifier>
</identifiers>
<vulnerabilities>
<vulnerability>
<name>CVE-0000-0001</name>
<cvssScore>7.5</cvssScore>
<cvssAccessVector>NETWORK</cvssAccessVector>
<cvssAccessComplexity>LOW</cvssAccessComplexity>
<cvssAuthenticationr>NONE</cvssAuthenticationr>
<cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact>
<cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact>
<cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact>
<severity>High</severity>
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<references>
<reference>
<source>Reference1</source>
<url>http://localhost/badvulnerability.htm</url>
<name>Reference Name</name>
</reference>
<reference>
<source>MISC</source>
<url>http://localhost2/reference_for_badvulnerability.pdf</url>
<name>Reference for a bad vulnerability</name>
</reference>
</references>
<vulnerableSoftware>
<software>cpe:/a:component2:component2:1.0</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
</dependency>
</dependencies>
</analysis>
"""
testfile = TestFile("dependency-check-report.xml", content)
parser = DependencyCheckParser(testfile, Test())
self.assertEqual(1, len(parser.items))
def import_parser_factory(file, test, active, verified, scan_type=None):
if scan_type is None:
scan_type = test.test_type.name
if scan_type == "Burp Scan":
parser = BurpXmlParser(file, test)
elif scan_type == "Nessus Scan":
filename = file.name.lower()
if filename.endswith("csv"):
parser = NessusCSVParser(file, test)
elif filename.endswith("xml") or filename.endswith("nessus"):
parser = NessusXMLParser(file, test)
elif scan_type == "Clair Scan":
parser = ClairParser(file, test)
elif scan_type == "Nmap Scan":
parser = NmapXMLParser(file, test)
elif scan_type == "Nikto Scan":
parser = NiktoXMLParser(file, test)
elif scan_type == "Nexpose Scan":
parser = NexposeFullXmlParser(file, test)
elif scan_type == "Veracode Scan":
parser = VeracodeXMLParser(file, test)
elif scan_type == "Checkmarx Scan":
parser = CheckmarxXMLParser(file, test)
elif scan_type == "Contrast Scan":
parser = ContrastCSVParser(file, test)
elif scan_type == "Crashtest Security Scan":
parser = CrashtestSecurityXmlParser(file, test)
elif scan_type == "Bandit Scan":
parser = BanditParser(file, test)
elif scan_type == "ZAP Scan":
parser = ZapXmlParser(file, test)
elif scan_type == "AppSpider Scan":
parser = AppSpiderXMLParser(file, test)
elif scan_type == "Arachni Scan":
parser = ArachniJSONParser(file, test)
elif scan_type == 'VCG Scan':
parser = VCGParser(file, test)
elif scan_type == 'Dependency Check Scan':
parser = DependencyCheckParser(file, test)
elif scan_type == 'Retire.js Scan':
parser = RetireJsParser(file, test)
elif scan_type == 'Node Security Platform Scan':
parser = NspParser(file, test)
elif scan_type == 'NPM Audit Scan':
parser = NpmAuditParser(file, test)
elif scan_type == 'Symfony Security Check':
parser = PhpSymfonySecurityCheckParser(file, test)
elif scan_type == 'Generic Findings Import':
parser = GenericFindingUploadCsvParser(file, test, active, verified)
elif scan_type == 'Qualys Scan':
parser = QualysParser(file, test)
elif scan_type == 'Qualys Webapp Scan':
parser = QualysWebAppParser(file, test)
elif scan_type == "OpenVAS CSV":
parser = OpenVASUploadCsvParser(file, test)
elif scan_type == 'Snyk Scan':
parser = SnykParser(file, test)
elif scan_type == 'SKF Scan':
parser = SKFCsvParser(file, test)
elif scan_type == 'SSL Labs Scan':
parser = SSLlabsParser(file, test)
elif scan_type == 'Trufflehog Scan':
parser = TruffleHogJSONParser(file, test)
elif scan_type == 'Clair Klar Scan':
parser = ClairKlarParser(file, test)
elif scan_type == 'Gosec Scanner':
parser = GosecScannerParser(file, test)
elif scan_type == 'Trustwave Scan (CSV)':
parser = TrustwaveUploadCsvParser(file, test)
elif scan_type == 'Netsparker Scan':
parser = NetsparkerParser(file, test)
elif scan_type == 'PHP Security Audit v2':
parser = PhpSecurityAuditV2(file, test)
elif scan_type == 'Acunetix Scan':
parser = AcunetixScannerParser(file, test)
elif scan_type == 'Fortify Scan':
parser = FortifyXMLParser(file, test)
elif scan_type == 'SonarQube Scan':
parser = SonarQubeHtmlParser(file, test)
elif scan_type == 'MobSF Scan':
parser = MobSFParser(file, test)
elif scan_type == 'AWS Scout2 Scan':
parser = AWSScout2Parser(file, test)
elif scan_type == 'AWS Prowler Scan':
parser = AWSProwlerParser(file, test)
elif scan_type == 'Brakeman Scan':
parser = BrakemanScanParser(file, test)
elif scan_type == 'SpotBugs Scan':
parser = SpotbugsXMLParser(file, test)
elif scan_type == 'Safety Scan':
parser = SafetyParser(file, test)
elif scan_type == 'DawnScanner Scan':
parser = DawnScannerParser(file, test)
elif scan_type == 'Anchore Engine Scan':
parser = AnchoreEngineScanParser(file, test)
elif scan_type == 'Bundler-Audit Scan':
parser = BundlerAuditParser(file, test)
elif scan_type == 'Twistlock Image Scan':
parser = TwistlockParser(file, test)
elif scan_type == 'IBM AppScan DAST':
parser = IbmAppScanDASTXMLParser(file, test)
elif scan_type == 'Kiuwan Scan':
parser = KiuwanCSVParser(file, test)
elif scan_type == 'Blackduck Hub Scan':
parser = BlackduckHubCSVParser(file, test)
elif scan_type == 'Sonatype Application Scan':
parser = SonatypeJSONParser(file, test)
elif scan_type == 'Openscap Vulnerability Scan':
parser = OpenscapXMLParser(file, test)
elif scan_type == 'Immuniweb Scan':
parser = ImmuniwebXMLParser(file, test)
elif scan_type == 'Wapiti Scan':
parser = WapitiXMLParser(file, test)
elif scan_type == 'Cobalt.io Scan':
parser = CobaltCSVParser(file, test)
elif scan_type == 'Mozilla Observatory Scan':
parser = MozillaObservatoryJSONParser(file, test)
elif scan_type == 'Whitesource Scan':
parser = WhitesourceJSONParser(file, test)
elif scan_type == 'Microfocus Webinspect Scan':
parser = MicrofocusWebinspectXMLParser(file, test)
elif scan_type == 'Wpscan':
parser = WpscanJSONParser(file, test)
elif scan_type == 'Sslscan':
parser = SslscanXMLParser(file, test)
elif scan_type == 'JFrog Xray Scan':
parser = XrayJSONParser(file, test)
elif scan_type == 'Sslyze Scan':
parser = SslyzeXmlParser(file, test)
elif scan_type == 'Testssl Scan':
parser = TestsslCSVParser(file, test)
elif scan_type == 'Hadolint Dockerfile check':
parser = HadolintParser(file, test)
else:
raise ValueError('Unknown Test Type')
return parser