feat: support multple cvssBelow thesholds per version (#2563)

Author: mwardell-agfa

core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java

@@ -76,7 +76,7 @@ protected String getAnalyzerEnabledSettingKey() {
 
     @Override
     public boolean filter(SuppressionRule rule) {
-        return rule.hasCve() || rule.hasCvssBelow() || rule.hasCwe() || rule.hasVulnerabilityName();
+        return rule.hasCve() || rule.hasCvssBelow() || rule.hasCvssV2Below() || rule.hasCvssV3Below()  || rule.hasCvssV4Below() || rule.hasCwe() || rule.hasVulnerabilityName();
     }
 
     @Override

core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java

@@ -88,6 +88,18 @@ public class SuppressionHandler extends DefaultHandler {
      * The cvssBelow element name.
      */
     public static final String CVSS_BELOW = "cvssBelow";
+    /**
+     * The cvssV2Below element name.
+     */
+    public static final String CVSS_V2_BELOW = "cvssV2Below";
+    /**
+     * The cvssV3Below element name.
+     */
+    public static final String CVSS_V3_BELOW = "cvssV3Below";
+    /**
+     * The cvssV4Below element name.
+     */
+    public static final String CVSS_V4_BELOW = "cvssV4Below";
     /**
      * A list of suppression rules.
      */
@@ -197,6 +209,18 @@ public void endElement(String uri, String localName, String qName) throws SAXExc
                     final Double cvss = Double.valueOf(currentText.toString().trim());
                     rule.addCvssBelow(cvss);
                     break;
+                case CVSS_V2_BELOW:
+                    final Double cvssV2 = Double.valueOf(currentText.toString().trim());
+                    rule.addCvssV2Below(cvssV2);
+                    break;
+                case CVSS_V3_BELOW:
+                    final Double cvssV3 = Double.valueOf(currentText.toString().trim());
+                    rule.addCvssV3Below(cvssV3);
+                    break;
+                case CVSS_V4_BELOW:
+                    final Double cvssV4 = Double.valueOf(currentText.toString().trim());
+                    rule.addCvssV4Below(cvssV4);
+                    break;
                 default:
                     break;
             }

core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java

@@ -54,6 +54,10 @@ public class SuppressionParser {
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionParser.class);
+    /**
+     * The suppression schema file location for v 1.4.
+     */
+    public static final String SUPPRESSION_SCHEMA_1_4 = "schema/dependency-suppression.1.4.xsd";
     /**
      * The suppression schema file location for v 1.3.
      */
@@ -101,6 +105,7 @@ public List<SuppressionRule> parseSuppressionRules(File file) throws Suppression
     public List<SuppressionRule> parseSuppressionRules(InputStream inputStream)
             throws SuppressionParseException, SAXException {
         try (
+                InputStream schemaStream14 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_4);
                 InputStream schemaStream13 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_3);
                 InputStream schemaStream12 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_2);
                 InputStream schemaStream11 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_1);
@@ -112,7 +117,7 @@ public List<SuppressionRule> parseSuppressionRules(InputStream inputStream)
             final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
 
             final SuppressionHandler handler = new SuppressionHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream13, schemaStream12, schemaStream11, schemaStream10);
+            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream14, schemaStream13, schemaStream12, schemaStream11, schemaStream10);
             final XMLReader xmlReader = saxParser.getXMLReader();
             xmlReader.setErrorHandler(new SuppressionErrorHandler());
             xmlReader.setContentHandler(handler);

core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java

@@ -63,6 +63,18 @@ public class SuppressionRule {
      * The list of cvssBelow scores.
      */
     private List<Double> cvssBelow = new ArrayList<>();
+    /**
+     * The list of cvssV2Below scores.
+     */
+    private List<Double> cvssV2Below = new ArrayList<>();
+    /**
+     * The list of cvssV3Below scores.
+     */
+    private List<Double> cvssV3Below = new ArrayList<>();
+    /**
+     * The list of cvssV4Below scores.
+     */
+    private List<Double> cvssV4Below = new ArrayList<>();
     /**
      * The list of CWE entries to suppress.
      */
@@ -261,6 +273,114 @@ public boolean hasCvssBelow() {
         return !cvssBelow.isEmpty();
     }
 
+    /**
+     * Get the value of cvssV2Below.
+     *
+     * @return the value of cvssV2Below
+     */
+    public List<Double> getCvssV2Below() {
+        return cvssV2Below;
+    }
+
+    /**
+     * Set the value of cvssV2Below.
+     *
+     * @param cvssV2Below new value of cvssV2Below
+     */
+    public void setCvssV2Below(List<Double> cvssV2Below) {
+        this.cvssV2Below = cvssV2Below;
+    }
+
+    /**
+     * Adds the CVSS to the cvssV2Below list.
+     *
+     * @param cvss the CVSS to add
+     */
+    public void addCvssV2Below(Double cvss) {
+        this.cvssV2Below.add(cvss);
+    }
+
+    /**
+     * Returns whether or not this suppression rule has CVSS v2 suppression criteria.
+     *
+     * @return whether or not this suppression rule has CVSS v2 suppression criteria.
+     */
+    public boolean hasCvssV2Below() {
+        return !cvssV2Below.isEmpty();
+    }
+
+    /**
+     * Get the value of cvssV3Below.
+     *
+     * @return the value of cvssV3Below
+     */
+    public List<Double> getCvssV3Below() {
+        return cvssV3Below;
+    }
+
+    /**
+     * Set the value of cvssV3Below.
+     *
+     * @param cvssV3Below new value of cvssV3Below
+     */
+    public void setCvssV3Below(List<Double> cvssV3Below) {
+        this.cvssV3Below = cvssV3Below;
+    }
+
+    /**
+     * Adds the CVSS to the cvssV3Below list.
+     *
+     * @param cvss the CVSS to add
+     */
+    public void addCvssV3Below(Double cvss) {
+        this.cvssV3Below.add(cvss);
+    }
+
+    /**
+     * Returns whether or not this suppression rule has CVSS v3 suppression criteria.
+     *
+     * @return whether or not this suppression rule has CVSS v3 suppression criteria.
+     */
+    public boolean hasCvssV3Below() {
+        return !cvssV3Below.isEmpty();
+    }
+
+    /**
+     * Get the value of cvssV4Below.
+     *
+     * @return the value of cvssV4Below
+     */
+    public List<Double> getCvssV4Below() {
+        return cvssV4Below;
+    }
+
+    /**
+     * Set the value of cvssV4Below.
+     *
+     * @param cvssV4Below new value of cvssV4Below
+     */
+    public void setCvssV4Below(List<Double> cvssV4Below) {
+        this.cvssV4Below = cvssV4Below;
+    }
+
+    /**
+     * Adds the CVSS to the cvssV4Below list.
+     *
+     * @param cvss the CVSS to add
+     */
+    public void addCvssV4Below(Double cvss) {
+        this.cvssV4Below.add(cvss);
+    }
+
+    /**
+     * Returns whether or not this suppression rule has CVSS v4 suppression criteria.
+     *
+     * @return whether or not this suppression rule has CVSS v4 suppression criteria.
+     */
+    public boolean hasCvssV4Below() {
+        return !cvssV4Below.isEmpty();
+    }
+
     /**
      * Get the value of notes.
      *
@@ -494,7 +614,7 @@ public void process(Dependency dependency) {
             }
             removalList.forEach(dependency::removeVulnerableSoftwareIdentifier);
         }
-        if (hasCve() || hasVulnerabilityName() || hasCwe() || hasCvssBelow()) {
+        if (hasCve() || hasVulnerabilityName() || hasCwe() || hasCvssBelow() || hasCvssV2Below() || hasCvssV3Below() || hasCvssV4Below()) {
             final Set<Vulnerability> removeVulns = new HashSet<>();
             for (Vulnerability v : dependency.getVulnerabilities()) {
                 boolean remove = false;
@@ -525,23 +645,9 @@ public void process(Dependency dependency) {
                     }
                 }
                 if (!remove) {
-                    for (Double cvss : this.cvssBelow) {
-                        //TODO validate this comparison
-                        if (v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore().compareTo(cvss) < 0) {
-                            remove = true;
-                            removeVulns.add(v);
-                            break;
-                        }
-                        if (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore().compareTo(cvss) < 0) {
-                            remove = true;
-                            removeVulns.add(v);
-                            break;
-                        }
-                        if (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore().compareTo(cvss) < 0) {
-                            remove = true;
-                            removeVulns.add(v);
-                            break;
-                        }
+                    if (suppressedBasedOnScore(v)) {
+                        remove = true;
+                        removeVulns.add(v);
                     }
                 }
                 if (remove && !isBase()) {
@@ -556,6 +662,44 @@ public void process(Dependency dependency) {
         }
     }
 
+    boolean suppressedBasedOnScore(Vulnerability v) {
+        if (!cvssBelow.isEmpty()) {
+            for (Double cvss : this.cvssBelow) {
+                //TODO validate this comparison
+                if (v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore().compareTo(cvss) < 0) {
+                    return true;
+                }
+                if (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore().compareTo(cvss) < 0) {
+                    return true;
+                }
+                if (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore().compareTo(cvss) < 0) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        if (hasCvssV2Below() || hasCvssV3Below() || hasCvssV4Below()) {
+            Double v2SuppressionThreshold = this.cvssV2Below.stream().max(Double::compare).orElse(11.0);
+            Double v3SuppressionThreshold = this.cvssV3Below.stream().max(Double::compare).orElse(11.0);
+            Double v4SuppressionThreshold = this.cvssV4Below.stream().max(Double::compare).orElse(11.0);
+
+            Double v2Score = v.getCvssV2() != null ? v.getCvssV2().getCvssData().getBaseScore() : null;
+            Double v3Score = v.getCvssV3() != null ? v.getCvssV3().getCvssData().getBaseScore() : null;
+            Double v4Score = v.getCvssV4() != null ? v.getCvssV4().getCvssData().getBaseScore() : null;
+
+            // only if all version indicate suppression will the vulnerability be suppressed
+            // so if we are missing data (score or threshold) for a specific version we assume suppression
+            boolean cvssV2CheckSuppressing = v2Score == null || v2Score < v2SuppressionThreshold;
+            boolean cvssV3CheckSuppressing = v3Score == null || v3Score < v3SuppressionThreshold;
+            boolean cvssV4CheckSuppressing = v4Score == null || v4Score < v4SuppressionThreshold;
+
+            return cvssV2CheckSuppressing && cvssV3CheckSuppressing && cvssV4CheckSuppressing;
+        }
+
+        return false;
+    }
+
     /**
      * Identifies if the cpe specified by the cpe suppression rule does not
      * specify a version.
@@ -694,6 +838,21 @@ public String toString() {
             cvssBelow.forEach((s) -> sb.append(s).append(','));
             sb.append('}');
         }
+        if (cvssV2Below != null && !cvssV2Below.isEmpty()) {
+            sb.append("cvssV2Below={");
+            cvssV2Below.forEach((s) -> sb.append(s).append(','));
+            sb.append('}');
+        }
+        if (cvssV3Below != null && !cvssV3Below.isEmpty()) {
+            sb.append("cvssV3Below={");
+            cvssV3Below.forEach((s) -> sb.append(s).append(','));
+            sb.append('}');
+        }
+        if (cvssV4Below != null && !cvssV4Below.isEmpty()) {
+            sb.append("cvssV4Below={");
+            cvssV4Below.forEach((s) -> sb.append(s).append(','));
+            sb.append('}');
+        }
         sb.append('}');
         return sb.toString();
     }

core/src/main/resources/schema/dependency-suppression.1.4.xsd

@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema id="suppressions"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           elementFormDefault="qualified"
+           targetNamespace="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.4.xsd"
+           xmlns:dc="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.4.xsd">
+
+    <xs:complexType name="regexStringType">
+        <xs:simpleContent>
+            <xs:extension base="xs:string">
+                <xs:attribute name="regex" use="optional" type="xs:boolean" default="false"/>
+                <xs:attribute name="caseSensitive" use="optional" type="xs:boolean" default="false"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+    <xs:simpleType name="cvssScoreType">
+        <xs:restriction base="xs:decimal">
+            <xs:minInclusive value="0"/>
+            <xs:maxInclusive value="10"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="cveType">
+        <xs:restriction base="xs:string">
+            <xs:pattern value="((\w+\-)?CVE\-\d\d\d\d\-\d+|\d+)"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:simpleType name="sha1Type">
+        <xs:restriction base="xs:string">
+            <xs:pattern value="[a-fA-F0-9]{40}"/>
+        </xs:restriction>
+    </xs:simpleType>
+    <xs:element name="suppressions">
+        <xs:complexType>
+            <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                <xs:element name="suppress">
+                    <xs:complexType>
+                        <xs:sequence minOccurs="1" maxOccurs="1">
+                            <xs:sequence minOccurs="0" maxOccurs="1">
+                                <xs:element name="notes" type="xs:string"/>
+                            </xs:sequence>
+                            <xs:choice minOccurs="0" maxOccurs="1">
+                                <xs:element name="filePath" type="dc:regexStringType"/>
+                                <xs:element name="sha1" type="dc:sha1Type"/>
+                                <xs:element name="gav" type="dc:regexStringType"/>
+                                <xs:element name="packageUrl" type="dc:regexStringType"/>
+                            </xs:choice>
+                            <xs:choice minOccurs="1" maxOccurs="unbounded">
+                                <xs:element name="cpe" type="dc:regexStringType"/>
+                                <xs:element name="cve" type="dc:cveType"/>
+                                <xs:element name="vulnerabilityName" type="dc:regexStringType"/>
+                                <xs:element name="cwe" type="xs:positiveInteger"/>
+                                <xs:element name="cvssBelow" type="dc:cvssScoreType"/>
+                                <xs:element name="cvssV2Below" type="dc:cvssScoreType" />
+                                <xs:element name="cvssV3Below" type="dc:cvssScoreType" />
+                                <xs:element name="cvssV4Below" type="dc:cvssScoreType" />
+                            </xs:choice>
+                        </xs:sequence>
+                        <xs:attribute name="base" use="optional" type="xs:boolean" default="false"/>
+                        <xs:attribute name="until" use="optional" type="xs:date">
+                            <xs:annotation>
+                                <xs:documentation>
+                                    When specified the suppression will only be active when the specified date is still in the future. On and after the 'until' date the suppression will no longer be active.
+                                </xs:documentation>
+                            </xs:annotation>
+                        </xs:attribute>
+                    </xs:complexType>
+                </xs:element>
+            </xs:sequence>
+        </xs:complexType>
+    </xs:element>
+</xs:schema>
+