feat: Add CISA Known Exploited Vulnerability Catalog (#4895)

ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>7.4.5-SNAPSHOT</version>
+        <version>8.0.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

archetype/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>7.4.5-SNAPSHOT</version>
+        <version>8.0.0-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>

cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>7.4.5-SNAPSHOT</version>
+        <version>8.0.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

cli/src/test/resources/sample.properties

@@ -2,6 +2,7 @@ odc.autoupdate=false
 somethingmadeup=test
 analyzer.experimental.enabled=false
 analyzer.jar.enabled=true
+analyzer.knownexploited.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true
 analyzer.composer.lock.enabled=true

cli/src/test/resources/sample2.properties

@@ -2,6 +2,7 @@ odc.autoupdate=true
 
 analyzer.experimental.enabled=true
 analyzer.jar.enabled=false
+analyzer.knownexploited.enabled=true
 analyzer.archive.enabled=false
 analyzer.node.package.enabled=false
 analyzer.composer.lock.enabled=false

core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>7.4.5-SNAPSHOT</version>
+        <version>8.0.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -103,19 +103,35 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.jsonschema2pojo</groupId>
                 <artifactId>jsonschema2pojo-maven-plugin</artifactId>
-                <configuration>
-                    <sourceDirectory>${basedir}/src/main/resources/schema/nvdcve/json</sourceDirectory>
-                    <outputDirectory>${project.build.directory}/generated-sources/java</outputDirectory>
-                    <includeGetters>true</includeGetters>
-                    <annotationStyle>jackson</annotationStyle>
-                    <targetPackage>org.owasp.dependencycheck.data.nvd.json</targetPackage>
-                </configuration>
+
                 <executions>
                     <execution>
+                        <id>generate-nvd</id>
                         <phase>generate-sources</phase>
                         <goals>
                             <goal>generate</goal>
                         </goals>
+                        <configuration>
+                            <sourceDirectory>${basedir}/src/main/resources/schema/external/nvd</sourceDirectory>
+                            <outputDirectory>${project.build.directory}/generated-sources/java</outputDirectory>
+                            <includeGetters>true</includeGetters>
+                            <annotationStyle>jackson</annotationStyle>
+                            <targetPackage>org.owasp.dependencycheck.data.nvd.json</targetPackage>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>generate-knownexploited</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>generate</goal>
+                        </goals>
+                        <configuration>
+                            <sourceDirectory>${basedir}/src/main/resources/schema/external/cisa</sourceDirectory>
+                            <outputDirectory>${project.build.directory}/generated-sources/java</outputDirectory>
+                            <includeGetters>true</includeGetters>
+                            <annotationStyle>jackson</annotationStyle>
+                            <targetPackage>org.owasp.dependencycheck.data.knownexploited.json</targetPackage>
+                        </configuration>
                     </execution>
                 </executions>
             </plugin>

core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -586,7 +586,8 @@ private File extractPom(String path, JarFile jar) throws AnalysisException {
      * @return true if there was evidence within the pom that we could use;
      * otherwise false
      */
-    public static boolean setPomEvidence(Dependency dependency, Model pom, List<ClassNameInformation> classes, boolean isMainPom) {
+    public static boolean setPomEvidence(Dependency dependency, Model pom,
+            List<ClassNameInformation> classes, boolean isMainPom) {
         if (pom == null) {
             return false;
         }

core/src/main/java/org/owasp/dependencycheck/analyzer/KnownExploitedVulnerabilityAnalyzer.java

@@ -0,0 +1,125 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2022 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This analyzer adds information about known exploited vulnerabilities.
+ *
+ * @author Jeremy Long
+ */
+@ThreadSafe
+public class KnownExploitedVulnerabilityAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The Logger for use throughout the class
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(KnownExploitedVulnerabilityAnalyzer.class);
+    /**
+     * The map of known exploited vulnerabilities.
+     */
+    private Map<String, org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> knownExploited = null;
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Known Exploited Vulnerability Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_FINDING_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED;
+    }
+
+    /**
+     * The prepare method does nothing for this Analyzer.
+     *
+     * @param engine a reference the dependency-check engine
+     * @throws InitializationException thrown if there is an exception
+     */
+    @Override
+    public void prepareAnalyzer(Engine engine) throws InitializationException {
+        try {
+            this.knownExploited = engine.getDatabase().getknownExploitedVulnerabilities();
+        } catch (DatabaseException ex) {
+            LOGGER.debug("Unable to load the known exploited vulnerabilities", ex);
+            throw new InitializationException("Unable to load the known exploited vulnerabilities", ex);
+        }
+    }
+
+    /**
+     * Adds information about the known exploited vulnerabilities to the
+     * analysis.
+     *
+     * @param dependency The dependency being analyzed
+     * @param engine The scanning engine
+     * @throws AnalysisException is thrown if there is an exception analyzing
+     * the dependency.
+     */
+    @Override
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        final Set<Vulnerability> vulns = dependency.getVulnerabilities();
+        for (Vulnerability v : vulns) {
+            final org.owasp.dependencycheck.data.knownexploited.json.Vulnerability kev = knownExploited.get(v.getName());
+            if (kev != null) {
+                v.setKnownExploitedVulnerability(kev);
+            }
+        }
+    }
+
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java

@@ -159,15 +159,19 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
             final String artifact = pieces[1];
             final String version;
             String classifier = null;
-            if (pieces.length == 3) {
-                version = pieces[2];
-            } else if (pieces.length == 4) {
-                classifier = pieces[2];
-                version = pieces[3];
-            } else {
-                // length == 5 as guaranteed above.
-                classifier = pieces[3];
-                version = pieces[4];
+            switch (pieces.length) {
+                case 3:
+                    version = pieces[2];
+                    break;
+                case 4:
+                    classifier = pieces[2];
+                    version = pieces[3];
+                    break;
+                default:
+                    // length == 5 as guaranteed above.
+                    classifier = pieces[3];
+                    version = pieces[4];
+                    break;
             }
 
             if ("sources".equals(classifier) || "javadoc".equals(classifier)) {

core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -133,7 +133,8 @@ public final class CveDB implements AutoCloseable {
     /**
      * Updates the EcoSystem Cache.
      *
-     * @return The number of records updated by the DB_ECOSYSTEM_CACHE update script.
+     * @return The number of records updated by the DB_ECOSYSTEM_CACHE update
+     * script.
      */
     public int updateEcosystemCache() {
         LOGGER.debug("Updating the ecosystem cache");
@@ -263,7 +264,15 @@ enum PreparedStatementCveDb {
         /**
          * Key for SQL Statement.
          */
-        ADD_DICT_CPE
+        ADD_DICT_CPE,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_KNOWN_EXPLOITED_VULNERABILITIES,
+        /**
+         * Key for SQL Statement.
+         */
+        MERGE_KNOWN_EXPLOITED
     }
 
     /**
@@ -1039,6 +1048,55 @@ private void deleteVulnerability(String cve) throws SQLException {
         }
     }
 
+    /**
+     * Merges the list of known exploited vulnerabilities into the database.
+     *
+     * @param vulnerabilities the list of known exploited vulnerabilities
+     * @throws DatabaseException thrown if there is an exception... duh..
+     * @throws SQLException thrown if there is an exception... duh..
+     */
+    public void updateKnownExploitedVulnerabilities(
+            List<org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> vulnerabilities)
+            throws DatabaseException, SQLException {
+        try (Connection conn = databaseManager.getConnection();
+                PreparedStatement mergeKnownVulnerability = getPreparedStatement(conn, MERGE_KNOWN_EXPLOITED)) {
+            int ctr = 0;
+            for (org.owasp.dependencycheck.data.knownexploited.json.Vulnerability v : vulnerabilities) {
+                mergeKnownVulnerability.setString(1, v.getCveID());
+                addNullableStringParameter(mergeKnownVulnerability, 2, v.getVendorProject());
+                addNullableStringParameter(mergeKnownVulnerability, 3, v.getProduct());
+                addNullableStringParameter(mergeKnownVulnerability, 4, v.getVulnerabilityName());
+                addNullableStringParameter(mergeKnownVulnerability, 5, v.getDateAdded());
+                addNullableStringParameter(mergeKnownVulnerability, 6, v.getShortDescription());
+                addNullableStringParameter(mergeKnownVulnerability, 7, v.getRequiredAction());
+                addNullableStringParameter(mergeKnownVulnerability, 8, v.getDueDate());
+                addNullableStringParameter(mergeKnownVulnerability, 9, v.getNotes());
+                if (isBatchInsertEnabled()) {
+                    mergeKnownVulnerability.addBatch();
+                    ctr++;
+                    if (ctr >= getBatchSize()) {
+                        mergeKnownVulnerability.executeBatch();
+                        ctr = 0;
+                    }
+                } else {
+                    try {
+                        mergeKnownVulnerability.execute();
+                    } catch (SQLException ex) {
+                        if (ex.getMessage().contains("Duplicate entry")) {
+                            final String msg = String.format("Duplicate known exploited vulnerability key identified in '%s'", v.getCveID());
+                            LOGGER.info(msg, ex);
+                        } else {
+                            throw ex;
+                        }
+                    }
+                }
+            }
+            if (isBatchInsertEnabled()) {
+                mergeKnownVulnerability.executeBatch();
+            }
+        }
+    }
+
     /**
      * Used when updating a vulnerability - this method inserts the list of
      * vulnerable software.
@@ -1421,6 +1479,39 @@ public void addCpe(String cpe, String vendor, String product) {
         }
     }
 
+    /**
+     * Returns a map of known exploited vulnerabilities.
+     *
+     * @return a map of known exploited vulnerabilities
+     */
+    public Map<String, org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> getknownExploitedVulnerabilities() {
+        final Map<String, org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> known = new HashMap<>();
+
+        try (Connection conn = databaseManager.getConnection();
+                PreparedStatement ps = getPreparedStatement(conn, SELECT_KNOWN_EXPLOITED_VULNERABILITIES);
+                ResultSet rs = ps.executeQuery()) {
+
+            while (rs.next()) {
+                final org.owasp.dependencycheck.data.knownexploited.json.Vulnerability kev =
+                        new org.owasp.dependencycheck.data.knownexploited.json.Vulnerability();
+                kev.setCveID(rs.getString(1));
+                kev.setVendorProject(rs.getString(2));
+                kev.setProduct(rs.getString(3));
+                kev.setVulnerabilityName(rs.getString(4));
+                kev.setDateAdded(rs.getString(5));
+                kev.setShortDescription(rs.getString(6));
+                kev.setRequiredAction(rs.getString(7));
+                kev.setDueDate(rs.getString(8));
+                kev.setNotes(rs.getString(9));
+                known.put(kev.getCveID(), kev);
+            }
+
+        } catch (SQLException ex) {
+            throw new DatabaseException(ex);
+        }
+        return known;
+    }
+
     /**
      * Helper method to add a nullable string parameter.
      *

core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -75,6 +75,15 @@ public class DatabaseProperties {
      */
     public static final String VERSION = "version";
 
+    /**
+     * The key for the last check time for the Known Exploited Vulnerabilities.
+     */
+    public static final String KEV_LAST_CHECKED = "kev.checked";
+    /**
+     * The key for the version the Known Exploited Vulnerabilities.
+     */
+    public static final String KEV_VERSION = "kev.version";
+
     /**
      * A collection of properties about the data.
      */