Merge branch 'main' into plugins

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Change Log
 
-## [Version 7.4.4](https://github.com/jeremylong/DependencyCheck/releases/tag/v7.4.4) (2022-01-06)
+## [Version 7.4.4](https://github.com/jeremylong/DependencyCheck/releases/tag/v7.4.4) (2023-01-06)
 
 ### Fixed
 

cli/src/test/resources/sample.properties

@@ -2,6 +2,7 @@ odc.autoupdate=false
 somethingmadeup=test
 analyzer.experimental.enabled=false
 analyzer.jar.enabled=true
+analyzer.knownexploited.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true
 analyzer.composer.lock.enabled=true

cli/src/test/resources/sample2.properties

@@ -2,6 +2,7 @@ odc.autoupdate=true
 
 analyzer.experimental.enabled=true
 analyzer.jar.enabled=false
+analyzer.knownexploited.enabled=true
 analyzer.archive.enabled=false
 analyzer.node.package.enabled=false
 analyzer.composer.lock.enabled=false

core/pom.xml

@@ -103,19 +103,35 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.jsonschema2pojo</groupId>
                 <artifactId>jsonschema2pojo-maven-plugin</artifactId>
-                <configuration>
-                    <sourceDirectory>${basedir}/src/main/resources/schema/nvdcve/json</sourceDirectory>
-                    <outputDirectory>${project.build.directory}/generated-sources/java</outputDirectory>
-                    <includeGetters>true</includeGetters>
-                    <annotationStyle>jackson</annotationStyle>
-                    <targetPackage>org.owasp.dependencycheck.data.nvd.json</targetPackage>
-                </configuration>
+
                 <executions>
                     <execution>
+                        <id>generate-nvd</id>
                         <phase>generate-sources</phase>
                         <goals>
                             <goal>generate</goal>
                         </goals>
+                        <configuration>
+                            <sourceDirectory>${basedir}/src/main/resources/schema/external/nvd</sourceDirectory>
+                            <outputDirectory>${project.build.directory}/generated-sources/java</outputDirectory>
+                            <includeGetters>true</includeGetters>
+                            <annotationStyle>jackson</annotationStyle>
+                            <targetPackage>org.owasp.dependencycheck.data.nvd.json</targetPackage>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>generate-knownexploited</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>generate</goal>
+                        </goals>
+                        <configuration>
+                            <sourceDirectory>${basedir}/src/main/resources/schema/external/cisa</sourceDirectory>
+                            <outputDirectory>${project.build.directory}/generated-sources/java</outputDirectory>
+                            <includeGetters>true</includeGetters>
+                            <annotationStyle>jackson</annotationStyle>
+                            <targetPackage>org.owasp.dependencycheck.data.knownexploited.json</targetPackage>
+                        </configuration>
                     </execution>
                 </executions>
             </plugin>

core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -586,7 +586,8 @@ private File extractPom(String path, JarFile jar) throws AnalysisException {
      * @return true if there was evidence within the pom that we could use;
      * otherwise false
      */
-    public static boolean setPomEvidence(Dependency dependency, Model pom, List<ClassNameInformation> classes, boolean isMainPom) {
+    public static boolean setPomEvidence(Dependency dependency, Model pom,
+            List<ClassNameInformation> classes, boolean isMainPom) {
         if (pom == null) {
             return false;
         }

core/src/main/java/org/owasp/dependencycheck/analyzer/KnownExploitedVulnerabilityAnalyzer.java

@@ -0,0 +1,125 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2022 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This analyzer adds information about known exploited vulnerabilities.
+ *
+ * @author Jeremy Long
+ */
+@ThreadSafe
+public class KnownExploitedVulnerabilityAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The Logger for use throughout the class
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(KnownExploitedVulnerabilityAnalyzer.class);
+    /**
+     * The map of known exploited vulnerabilities.
+     */
+    private Map<String, org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> knownExploited = null;
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Known Exploited Vulnerability Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_FINDING_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED;
+    }
+
+    /**
+     * The prepare method does nothing for this Analyzer.
+     *
+     * @param engine a reference the dependency-check engine
+     * @throws InitializationException thrown if there is an exception
+     */
+    @Override
+    public void prepareAnalyzer(Engine engine) throws InitializationException {
+        try {
+            this.knownExploited = engine.getDatabase().getknownExploitedVulnerabilities();
+        } catch (DatabaseException ex) {
+            LOGGER.debug("Unable to load the known exploited vulnerabilities", ex);
+            throw new InitializationException("Unable to load the known exploited vulnerabilities", ex);
+        }
+    }
+
+    /**
+     * Adds information about the known exploited vulnerabilities to the
+     * analysis.
+     *
+     * @param dependency The dependency being analyzed
+     * @param engine The scanning engine
+     * @throws AnalysisException is thrown if there is an exception analyzing
+     * the dependency.
+     */
+    @Override
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        final Set<Vulnerability> vulns = dependency.getVulnerabilities();
+        for (Vulnerability v : vulns) {
+            final org.owasp.dependencycheck.data.knownexploited.json.Vulnerability kev = knownExploited.get(v.getName());
+            if (kev != null) {
+                v.setKnownExploitedVulnerability(kev);
+            }
+        }
+    }
+
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -363,7 +363,7 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
                 String name = pathName;
                 File base;
 
-                final int indexOfNodeModule = name.lastIndexOf(NODE_MODULES_DIRNAME);
+                final int indexOfNodeModule = name.lastIndexOf(NODE_MODULES_DIRNAME + "/");
                 if (indexOfNodeModule >= 0) {
                     name = name.substring(indexOfNodeModule + NODE_MODULES_DIRNAME.length() + 1);
                     base = Paths.get(baseDir.getPath(), pathName).toFile();
@@ -386,6 +386,14 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
 
                 if (entry.getValue() instanceof JsonObject) {
                     jo = (JsonObject) entry.getValue();
+
+                    // Ignore/skip linked entries (as they don't have "version" and
+                    // later logic will crash)
+                    if (jo.getBoolean("link", false)) {
+                        LOGGER.warn("Skipping `" + name + "` because it is a link dependency");
+                        continue;
+                    }
+
                     version = jo.getString("version");
                     optional = jo.getBoolean("optional", false);
                     isDev = jo.getBoolean("dev", false);

core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java

@@ -159,15 +159,19 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
             final String artifact = pieces[1];
             final String version;
             String classifier = null;
-            if (pieces.length == 3) {
-                version = pieces[2];
-            } else if (pieces.length == 4) {
-                classifier = pieces[2];
-                version = pieces[3];
-            } else {
-                // length == 5 as guaranteed above.
-                classifier = pieces[3];
-                version = pieces[4];
+            switch (pieces.length) {
+                case 3:
+                    version = pieces[2];
+                    break;
+                case 4:
+                    classifier = pieces[2];
+                    version = pieces[3];
+                    break;
+                default:
+                    // length == 5 as guaranteed above.
+                    classifier = pieces[3];
+                    version = pieces[4];
+                    break;
             }
 
             if ("sources".equals(classifier) || "javadoc".equals(classifier)) {

core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NpmPayloadBuilder.java

@@ -109,7 +109,7 @@ public static JsonObject build(JsonObject lockJson, JsonObject packageJson,
 
         if (dependencies != null) {
             dependencies.forEach((key, value) -> {
-                final int indexOfNodeModule = key.lastIndexOf(NodePackageAnalyzer.NODE_MODULES_DIRNAME);
+                final int indexOfNodeModule = key.lastIndexOf(NodePackageAnalyzer.NODE_MODULES_DIRNAME + "/");
                 if (indexOfNodeModule >= 0) {
                     key = key.substring(indexOfNodeModule + NodePackageAnalyzer.NODE_MODULES_DIRNAME.length() + 1);
                 }

core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -133,7 +133,8 @@ public final class CveDB implements AutoCloseable {
     /**
      * Updates the EcoSystem Cache.
      *
-     * @return The number of records updated by the DB_ECOSYSTEM_CACHE update script.
+     * @return The number of records updated by the DB_ECOSYSTEM_CACHE update
+     * script.
      */
     public int updateEcosystemCache() {
         LOGGER.debug("Updating the ecosystem cache");
@@ -263,7 +264,15 @@ enum PreparedStatementCveDb {
         /**
          * Key for SQL Statement.
          */
-        ADD_DICT_CPE
+        ADD_DICT_CPE,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_KNOWN_EXPLOITED_VULNERABILITIES,
+        /**
+         * Key for SQL Statement.
+         */
+        MERGE_KNOWN_EXPLOITED
     }
 
     /**
@@ -1039,6 +1048,55 @@ private void deleteVulnerability(String cve) throws SQLException {
         }
     }
 
+    /**
+     * Merges the list of known exploited vulnerabilities into the database.
+     *
+     * @param vulnerabilities the list of known exploited vulnerabilities
+     * @throws DatabaseException thrown if there is an exception... duh..
+     * @throws SQLException thrown if there is an exception... duh..
+     */
+    public void updateKnownExploitedVulnerabilities(
+            List<org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> vulnerabilities)
+            throws DatabaseException, SQLException {
+        try (Connection conn = databaseManager.getConnection();
+                PreparedStatement mergeKnownVulnerability = getPreparedStatement(conn, MERGE_KNOWN_EXPLOITED)) {
+            int ctr = 0;
+            for (org.owasp.dependencycheck.data.knownexploited.json.Vulnerability v : vulnerabilities) {
+                mergeKnownVulnerability.setString(1, v.getCveID());
+                addNullableStringParameter(mergeKnownVulnerability, 2, v.getVendorProject());
+                addNullableStringParameter(mergeKnownVulnerability, 3, v.getProduct());
+                addNullableStringParameter(mergeKnownVulnerability, 4, v.getVulnerabilityName());
+                addNullableStringParameter(mergeKnownVulnerability, 5, v.getDateAdded());
+                addNullableStringParameter(mergeKnownVulnerability, 6, v.getShortDescription());
+                addNullableStringParameter(mergeKnownVulnerability, 7, v.getRequiredAction());
+                addNullableStringParameter(mergeKnownVulnerability, 8, v.getDueDate());
+                addNullableStringParameter(mergeKnownVulnerability, 9, v.getNotes());
+                if (isBatchInsertEnabled()) {
+                    mergeKnownVulnerability.addBatch();
+                    ctr++;
+                    if (ctr >= getBatchSize()) {
+                        mergeKnownVulnerability.executeBatch();
+                        ctr = 0;
+                    }
+                } else {
+                    try {
+                        mergeKnownVulnerability.execute();
+                    } catch (SQLException ex) {
+                        if (ex.getMessage().contains("Duplicate entry")) {
+                            final String msg = String.format("Duplicate known exploited vulnerability key identified in '%s'", v.getCveID());
+                            LOGGER.info(msg, ex);
+                        } else {
+                            throw ex;
+                        }
+                    }
+                }
+            }
+            if (isBatchInsertEnabled()) {
+                mergeKnownVulnerability.executeBatch();
+            }
+        }
+    }
+
     /**
      * Used when updating a vulnerability - this method inserts the list of
      * vulnerable software.
@@ -1421,6 +1479,39 @@ public void addCpe(String cpe, String vendor, String product) {
         }
     }
 
+    /**
+     * Returns a map of known exploited vulnerabilities.
+     *
+     * @return a map of known exploited vulnerabilities
+     */
+    public Map<String, org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> getknownExploitedVulnerabilities() {
+        final Map<String, org.owasp.dependencycheck.data.knownexploited.json.Vulnerability> known = new HashMap<>();
+
+        try (Connection conn = databaseManager.getConnection();
+                PreparedStatement ps = getPreparedStatement(conn, SELECT_KNOWN_EXPLOITED_VULNERABILITIES);
+                ResultSet rs = ps.executeQuery()) {
+
+            while (rs.next()) {
+                final org.owasp.dependencycheck.data.knownexploited.json.Vulnerability kev =
+                        new org.owasp.dependencycheck.data.knownexploited.json.Vulnerability();
+                kev.setCveID(rs.getString(1));
+                kev.setVendorProject(rs.getString(2));
+                kev.setProduct(rs.getString(3));
+                kev.setVulnerabilityName(rs.getString(4));
+                kev.setDateAdded(rs.getString(5));
+                kev.setShortDescription(rs.getString(6));
+                kev.setRequiredAction(rs.getString(7));
+                kev.setDueDate(rs.getString(8));
+                kev.setNotes(rs.getString(9));
+                known.put(kev.getCveID(), kev);
+            }
+
+        } catch (SQLException ex) {
+            throw new DatabaseException(ex);
+        }
+        return known;
+    }
+
     /**
      * Helper method to add a nullable string parameter.
      *

core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java

@@ -204,7 +204,7 @@ public String extractEcosystem(String baseEcosystem, VulnerableSoftware parsedCp
      * <code>false</code>
      */
     public boolean isRejected(String description) {
-        return description.startsWith("** REJECT **");
+        return description.startsWith("** REJECT **") || description.startsWith("DO NOT USE THIS CANDIDATE NUMBER");
     }
 
     /**