Skip to content

Commit

Permalink
Implemented a fix for #1145
Browse files Browse the repository at this point in the history
  • Loading branch information
aikebah committed Apr 8, 2018
1 parent 781e538 commit 00f2314
Show file tree
Hide file tree
Showing 7 changed files with 241 additions and 37 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,12 @@
package org.owasp.dependencycheck.xml.suppression;

import java.util.ArrayList;
import java.util.Calendar;
import java.util.List;
import javax.annotation.concurrent.NotThreadSafe;
import javax.xml.bind.DatatypeConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
Expand All @@ -32,6 +36,11 @@
@NotThreadSafe
public class SuppressionHandler extends DefaultHandler {

/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionHandler.class);

/**
* The suppress node, indicates the start of a new rule.
*/
Expand Down Expand Up @@ -117,6 +126,10 @@ public void startElement(String uri, String localName, String qName, Attributes
} else {
rule.setBase(false);
}
final String until = currentAttributes.getValue("until");
if (until != null) {
rule.setUntil(DatatypeConverter.parseDate(until));
}
}
}

Expand All @@ -133,7 +146,11 @@ public void endElement(String uri, String localName, String qName) throws SAXExc
if (null != qName) {
switch (qName) {
case SUPPRESS:
suppressionRules.add(rule);
if (rule.getUntil() != null && rule.getUntil().before(Calendar.getInstance())) {
LOGGER.info("Suppression is expired for rule: {}", rule);
} else {
suppressionRules.add(rule);
}
rule = null;
break;
case FILE_PATH:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,13 +51,17 @@ public class SuppressionParser {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionParser.class);
/**
* The suppression schema file location.
* The suppression schema file location for v 1.2
*/
public static final String SUPPRESSION_SCHEMA = "schema/dependency-suppression.1.1.xsd";
public static final String SUPPRESSION_SCHEMA_1_2 = "schema/dependency-suppression.1.2.xsd";
/**
* The old suppression schema file location.
* The suppression schema file location for v1.1.
*/
private static final String OLD_SUPPRESSION_SCHEMA = "schema/suppression.xsd";
public static final String SUPPRESSION_SCHEMA_1_1 = "schema/dependency-suppression.1.1.xsd";
/**
* The old suppression schema file location for v1.0.
*/
private static final String SUPPRESSION_SCHEMA_1_0 = "schema/suppression.xsd";

/**
* Parses the given XML file and returns a list of the suppression rules
Expand All @@ -68,19 +72,11 @@ public class SuppressionParser {
* @throws SuppressionParseException thrown if the XML file cannot be parsed
*/
public List<SuppressionRule> parseSuppressionRules(File file) throws SuppressionParseException {
try {
try (FileInputStream fis = new FileInputStream(file)) {
return parseSuppressionRules(fis);
} catch (IOException ex) {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
}
} catch (SAXException ex) {
try (FileInputStream fis = new FileInputStream(file)) {
return parseSuppressionRules(fis, OLD_SUPPRESSION_SCHEMA);
} catch (SAXException | IOException ex1) {
throw new SuppressionParseException(ex);
}
try (FileInputStream fis = new FileInputStream(file)) {
return parseSuppressionRules(fis);
} catch (SAXException | IOException ex) {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
}
}

Expand All @@ -94,23 +90,13 @@ public List<SuppressionRule> parseSuppressionRules(File file) throws Suppression
* @throws SAXException thrown if the XML cannot be parsed
*/
public List<SuppressionRule> parseSuppressionRules(InputStream inputStream) throws SuppressionParseException, SAXException {
return parseSuppressionRules(inputStream, SUPPRESSION_SCHEMA);
}

/**
* Parses the given XML stream and returns a list of the suppression rules
* contained.
*
* @param inputStream an InputStream containing suppression rules
* @param schema the schema used to validate the XML stream
* @return a list of suppression rules
* @throws SuppressionParseException thrown if the XML cannot be parsed
* @throws SAXException thrown if the XML cannot be parsed
*/
private List<SuppressionRule> parseSuppressionRules(InputStream inputStream, String schema) throws SuppressionParseException, SAXException {
try (InputStream schemaStream = FileUtils.getResourceAsStream(schema)) {
try (
InputStream schemaStream12 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_2);
InputStream schemaStream11 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_1);
InputStream schemaStream10 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_0);
) {
final SuppressionHandler handler = new SuppressionHandler();
final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream12, schemaStream11, schemaStream10);
final XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setErrorHandler(new SuppressionErrorHandler());
xmlReader.setContentHandler(handler);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,13 @@
package org.owasp.dependencycheck.xml.suppression;

import java.util.ArrayList;
import java.util.Calendar;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.concurrent.NotThreadSafe;
import javax.xml.bind.DatatypeConverter;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
Expand Down Expand Up @@ -76,6 +78,30 @@ public class SuppressionRule {
*/
private boolean base;

/**
* A date until which the suppression is to be retained. This can be used
* to make a temporary suppression that auto-expires to suppress a CVE
* while waiting for the vulnerability fix of the dependency to be
* released.
*/
private Calendar until;

/**
* Get the (@code{nullable}) value of until
* @return the value of until
*/
public Calendar getUntil() {
return until;
}

/**
* Set the value of until
* @param until new value of until
*/
public void setUntil(Calendar until) {
this.until = until;
}

/**
* Get the value of filePath.
*
Expand Down Expand Up @@ -502,6 +528,9 @@ protected boolean identifierMatches(String identifierType, PropertyType suppress
public String toString() {
final StringBuilder sb = new StringBuilder(64);
sb.append("SuppressionRule{");
if (until != null) {
sb.append("until=").append(DatatypeConverter.printDate(until)).append(',');
}
if (filePath != null) {
sb.append("filePath=").append(filePath).append(',');
}
Expand Down
66 changes: 66 additions & 0 deletions core/src/main/resources/schema/dependency-suppression.1.2.xsd
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema id="suppressions"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd"
xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">

<xs:complexType name="regexStringType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="regex" use="optional" type="xs:boolean" default="false"/>
<xs:attribute name="caseSensitive" use="optional" type="xs:boolean" default="false"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:simpleType name="cvssScoreType">
<xs:restriction base="xs:decimal">
<xs:minInclusive value="0"/>
<xs:maxInclusive value="10"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="cveType">
<xs:restriction base="xs:string">
<xs:pattern value="((\w+\-)?CVE\-\d\d\d\d\-\d+|\d+)"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="sha1Type">
<xs:restriction base="xs:string">
<xs:pattern value="[a-fA-F0-9]{40}"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="suppressions">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element name="suppress">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="notes" type="xs:string"/>
</xs:sequence>
<xs:choice minOccurs="0" maxOccurs="1">
<xs:element name="filePath" type="dc:regexStringType"/>
<xs:element name="sha1" type="dc:sha1Type"/>
<xs:element name="gav" type="dc:regexStringType"/>
</xs:choice>
<xs:choice minOccurs="1" maxOccurs="unbounded">
<xs:element name="cpe" type="dc:regexStringType"/>
<xs:element name="cve" type="dc:cveType"/>
<xs:element name="cwe" type="xs:positiveInteger"/>
<xs:element name="cvssBelow" type="dc:cvssScoreType"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="base" use="optional" type="xs:boolean" default="false"/>
<xs:attribute name="until" use="optional" type="xs:date">
<xs:annotation>
<xs:documentation>
When specified the suppression will only be active when the specified date is still in the future. On and after the 'until' date the suppression will no longer be active.
</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@

import java.io.File;
import java.util.List;
import org.junit.Assert;

import static org.junit.Assert.assertTrue;

Expand All @@ -33,14 +34,36 @@
public class SuppressionParserTest extends BaseTest {

/**
* Test of parseSuppressionRules method, of class SuppressionParser.
* Test of parseSuppressionRules method, of class SuppressionParser for the v1.0 suppressions XML Schema.
*/
@Test
public void testParseSuppressionRules() throws Exception {
public void testParseSuppressionRulesV1_0() throws Exception {
//File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
SuppressionParser instance = new SuppressionParser();
List<SuppressionRule> result = instance.parseSuppressionRules(file);
assertTrue(result.size() > 3);
Assert.assertEquals(5, result.size());
}
/**
* Test of parseSuppressionRules method, of class SuppressionParser for the v1.1 suppressions XML Schema.
*/
@Test
public void testParseSuppressionRulesV1_1() throws Exception {
//File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
File file = BaseTest.getResourceAsFile(this, "suppressions_1_1.xml");
SuppressionParser instance = new SuppressionParser();
List<SuppressionRule> result = instance.parseSuppressionRules(file);
Assert.assertEquals(5, result.size());
}
/**
* Test of parseSuppressionRules method, of class SuppressionParser for the v1.2 suppressions XML Schema.
*/
@Test
public void testParseSuppressionRulesV1_2() throws Exception {
//File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
File file = BaseTest.getResourceAsFile(this, "suppressions_1_2.xml");
SuppressionParser instance = new SuppressionParser();
List<SuppressionRule> result = instance.parseSuppressionRules(file);
Assert.assertEquals(4, result.size());
}
}
40 changes: 40 additions & 0 deletions core/src/test/resources/suppressions_1_1.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd'
xsi:schemaLocation='https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd'>
<suppress>
<notes><![CDATA[
This suppresses cpe:/a:csv:csv:1.0 for some.jar in the "c:\path\to" directory.
]]></notes>
<filePath>c:\path\to\some.jar</filePath>
<cpe>cpe:/a:csv:csv:1.0</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]></notes>
<filePath regex="true">.*\btest\.jar</filePath>
<cpe>cpe:/a:jboss:jboss</cpe>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any test.jar in any directory.
]]></notes>
<filePath regex="true">.*\btest\.jar</filePath>
<cve>CVE-2013-1337</cve>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any dependency in any directory that has the specified sha1 checksum.
]]></notes>
<sha1>384FAA82E193D4E4B0546059CA09572654BC3970</sha1>
<cve>CVE-2013-1337</cve>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses all CVE entries that have a score below CVSS 7.
]]></notes>
<cvssBelow>7</cvssBelow>
</suppress>
</suppressions>
43 changes: 43 additions & 0 deletions core/src/test/resources/suppressions_1_2.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd'
xsi:schemaLocation='https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd'>
<suppress>
<notes><![CDATA[
This suppresses cpe:/a:csv:csv:1.0 for some.jar in the "c:\path\to" directory.
]]></notes>
<filePath>c:\path\to\some.jar</filePath>
<cpe>cpe:/a:csv:csv:1.0</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]></notes>
<filePath regex="true">.*\btest\.jar</filePath>
<cpe>cpe:/a:jboss:jboss</cpe>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any test.jar in any directory.
]]></notes>
<filePath regex="true">.*\btest\.jar</filePath>
<cve>CVE-2013-1337</cve>
</suppress>
<suppress until="2014-01-01Z">
<notes><![CDATA[
This suppresses a specific cve for any dependency in any directory that has the specified sha1 checksum. If current date is not yet on or beyond 1 Jan 2014
]]></notes>
<sha1>384FAA82E193D4E4B0546059CA09572654BC3970</sha1>
<cve>CVE-2013-1337</cve>
</suppress>
<suppress until="9999-03-25Z">
<notes><![CDATA[
This suppresses all CVE entries that have a score below CVSS 7.
But only if current date is not yet on or beyond 31 Dec 9999
(which is expected to be sufficiently far in the future to have this
rule still be active when the test-cases run)
]]></notes>
<cvssBelow>7</cvssBelow>
</suppress>
</suppressions>

0 comments on commit 00f2314

Please sign in to comment.