org.owasp.dependencycheck.dependency

Class Vulnerability

java.lang.Object

org.owasp.dependencycheck.dependency.Vulnerability

All Implemented Interfaces:

java.io.Serializable, java.lang.Comparable<Vulnerability>

@NotThreadSafe
public class Vulnerability
extends java.lang.Object
implements java.io.Serializable, java.lang.Comparable<Vulnerability>

Contains the information about a vulnerability.

Author:

Jeremy Long

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	Vulnerability.Source An enumeration for the source of vulnerability.

Constructor Summary

Constructors

Constructor and Description
Vulnerability() Default constructor.
Vulnerability(java.lang.String name) Constructs a new Vulnerability by its name.

Method Summary

Modifier and Type	Method and Description
void	addCwe(java.lang.String cwe) Adds a CWE to the set.
void	addReference(Reference ref) Adds a reference to the references collection.
void	addReference(java.lang.String referenceSource, java.lang.String referenceName, java.lang.String referenceUrl) Adds a reference.
void	addReferences(java.util.Set<Reference> references) Adds the references to the collection.
void	addVulnerableSoftware(java.util.Set<VulnerableSoftware> vulnerableSoftware) Adds the vulnerableSoftware to the collection.
void	addVulnerableSoftware(VulnerableSoftware software) Adds an entry for vulnerable software.
int	compareTo(@NotNull Vulnerability o) Compares two vulnerabilities. Natural order of vulnerabilities is defined as decreasing in severity and alphabetically by name for equal severity.
boolean	equals(java.lang.Object obj)
io.github.jeremylong.openvulnerability.client.nvd.CvssV2	getCvssV2() Get the CVSS V2 scoring information.
io.github.jeremylong.openvulnerability.client.nvd.CvssV3	getCvssV3() Get the CVSS V3 scoring information.
io.github.jeremylong.openvulnerability.client.nvd.CvssV4	getCvssV4() Get the CVSS V3 scoring information.
CweSet	getCwes() Get the set of CWEs.
java.lang.String	getDescription() Get the value of description.
java.lang.String	getHighestSeverityText() The report text to use for highest severity when this issue is ranked highest.
Vulnerability	getKnownExploitedVulnerability() Get the value of knownExploitedVulnerability.
VulnerableSoftware	getMatchedVulnerableSoftware() Get the value of matchedVulnerableSoftware.
java.lang.String	getName() Get the value of name.
java.lang.String	getNotes() Get the value of notes from suppression notes.
java.util.Set<Reference>	getReferences() Get the value of references.
java.util.List<Reference>	getReferences(boolean sorted) Returns the list of references.
Vulnerability.Source	getSource() Returns the source that identified the vulnerability.
java.lang.String	getUnscoredSeverity() Retrieves the severity a Vulnerability.Source has assigned for which a CVSS score is not available.
java.util.Set<VulnerableSoftware>	getVulnerableSoftware() Get the value of vulnerableSoftware.
java.util.List<VulnerableSoftware>	getVulnerableSoftware(boolean sorted) Returns a sorted list of vulnerable software.
int	hashCode()
void	setCvssV2(io.github.jeremylong.openvulnerability.client.nvd.CvssV2 cvssV2) Sets the CVSS V2 scoring information.
void	setCvssV3(io.github.jeremylong.openvulnerability.client.nvd.CvssV3 cvssV3) Sets the CVSS V3 scoring information.
void	setCvssV4(io.github.jeremylong.openvulnerability.client.nvd.CvssV4 cvssV4) Sets the CVSS V4 scoring information.
void	setDescription(java.lang.String description) Set the value of description.
void	setKnownExploitedVulnerability(Vulnerability kev) Adds information about known exploited vulnerabilities.
void	setMatchedVulnerableSoftware(VulnerableSoftware software) Sets the CPE that caused this vulnerability to be flagged.
void	setName(java.lang.String name) Set the value of name.
void	setNotes(java.lang.String notes) Set the value of notes.
void	setSource(Vulnerability.Source source) Sets the source that identified the vulnerability.
void	setUnscoredSeverity(java.lang.String unscoredSeverity) Sets the severity a Vulnerability.Source has assigned for which a CVSS score is not available.
java.lang.String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

Vulnerability

public Vulnerability()

Default constructor.

Vulnerability

public Vulnerability(java.lang.String name)

Constructs a new Vulnerability by its name.

Parameters:

name - the name of the vulnerability

Method Detail

getName

public java.lang.String getName()

Get the value of name.

Returns:

the value of name

setName

public void setName(java.lang.String name)

Set the value of name.

Parameters:

name - new value of name

getDescription

public java.lang.String getDescription()

Get the value of description.

Returns:

the value of description

setDescription

public void setDescription(java.lang.String description)

Set the value of description.

Parameters:

description - new value of description

getReferences

public java.util.Set<Reference> getReferences()

Get the value of references.

Returns:

the value of references

getReferences

public java.util.List<Reference> getReferences(boolean sorted)

Returns the list of references. This is primarily used within the generated reports.

Parameters:

sorted - whether the returned list should be sorted

Returns:

the list of references

addReferences

public void addReferences(java.util.Set<Reference> references)

Adds the references to the collection.

Parameters:

references - a collection of references to add

addReference

public void addReference(Reference ref)

Adds a reference to the references collection.

Parameters:

ref - a reference for the vulnerability

addReference

public void addReference(java.lang.String referenceSource,
                         java.lang.String referenceName,
                         java.lang.String referenceUrl)

Adds a reference.

Parameters:

referenceSource - the source of the reference

referenceName - the referenceName of the reference

referenceUrl - the url of the reference

setKnownExploitedVulnerability

public void setKnownExploitedVulnerability(Vulnerability kev)

Adds information about known exploited vulnerabilities.

Parameters:

kev - the known exploited vulnerability information

getKnownExploitedVulnerability

public Vulnerability getKnownExploitedVulnerability()

Get the value of knownExploitedVulnerability.

Returns:

the value of knownExploitedVulnerability

getVulnerableSoftware

public java.util.Set<VulnerableSoftware> getVulnerableSoftware()

Get the value of vulnerableSoftware.

Returns:

the value of vulnerableSoftware

getVulnerableSoftware

public java.util.List<VulnerableSoftware> getVulnerableSoftware(boolean sorted)

Returns a sorted list of vulnerable software. This is primarily used for display within reports.

Parameters:

sorted - whether or not the list should be sorted

Returns:

the list of vulnerable software

addVulnerableSoftware

public void addVulnerableSoftware(java.util.Set<VulnerableSoftware> vulnerableSoftware)

Adds the vulnerableSoftware to the collection.

Parameters:

vulnerableSoftware - a collection of vulnerable software

addVulnerableSoftware

public void addVulnerableSoftware(VulnerableSoftware software)

Adds an entry for vulnerable software.

Parameters:

software - the vulnerable software reference to add

getCvssV2

public io.github.jeremylong.openvulnerability.client.nvd.CvssV2 getCvssV2()

Get the CVSS V2 scoring information.

Returns:

the CVSS V2 scoring information

setCvssV2

public void setCvssV2(io.github.jeremylong.openvulnerability.client.nvd.CvssV2 cvssV2)

Sets the CVSS V2 scoring information.

Parameters:

cvssV2 - the CVSS V2 scoring information

getCvssV3

public io.github.jeremylong.openvulnerability.client.nvd.CvssV3 getCvssV3()

Get the CVSS V3 scoring information.

Returns:

the CVSS V3 scoring information

setCvssV3

public void setCvssV3(io.github.jeremylong.openvulnerability.client.nvd.CvssV3 cvssV3)

Sets the CVSS V3 scoring information.

Parameters:

cvssV3 - the CVSS V3 scoring information

getCvssV4

public io.github.jeremylong.openvulnerability.client.nvd.CvssV4 getCvssV4()

Get the CVSS V3 scoring information.

Returns:

the CVSS V3 scoring information

setCvssV4

public void setCvssV4(io.github.jeremylong.openvulnerability.client.nvd.CvssV4 cvssV4)

Sets the CVSS V4 scoring information.

Parameters:

cvssV4 - the CVSS V4 scoring information

getCwes

public CweSet getCwes()

Get the set of CWEs.

Returns:

the set of CWEs

addCwe

public void addCwe(java.lang.String cwe)

Adds a CWE to the set.

Parameters:

cwe - new CWE to add

getUnscoredSeverity

public java.lang.String getUnscoredSeverity()

Retrieves the severity a Vulnerability.Source has assigned for which a CVSS score is not available. Severity could be anything ranging from 'critical', 'high', 'medium', and 'low', to non-traditional labels like 'major', 'minor', and 'important'.

Returns:

the un-scored severity

setUnscoredSeverity

public void setUnscoredSeverity(java.lang.String unscoredSeverity)

Sets the severity a Vulnerability.Source has assigned for which a CVSS score is not available. Severity could be anything ranging from 'critical', 'high', 'medium', and 'low', to non-traditional labels like 'major', 'minor', and 'important'.

Parameters:

unscoredSeverity - the un-scored severity

getNotes

public java.lang.String getNotes()

Get the value of notes from suppression notes.

Returns:

the value of notes

setNotes

public void setNotes(java.lang.String notes)

Set the value of notes.

Parameters:

notes - new value of notes

equals

public boolean equals(java.lang.Object obj)

Overrides:

equals in class java.lang.Object

hashCode

public int hashCode()

Overrides:

hashCode in class java.lang.Object

toString

public java.lang.String toString()

Overrides:

toString in class java.lang.Object

compareTo

public int compareTo(@NotNull
                     @NotNull Vulnerability o)

Compares two vulnerabilities.
Natural order of vulnerabilities is defined as decreasing in severity and alphabetically by name for equal severity. This way the most severe issues are listed first in a sorted list.
This uses a best-effort ordering for severity as the variety of sources do not guarantee a consistent availability of standardized severity scores. The bestEffort severity level estimation will use CVSSv3 baseScore for comparison when available on both sides. If any of the vulnerabilities does not have a CVSSv3 score the sort order may be off, but it will be consistent.
The ranking (high to low) of severity can be informally represented as <CVSSv3 critical> >> <Unscored recognized critical> >> <Unscored unrecognized (assumed Critical)> >> <Score-based comparison for high-or-lower scoring severities with recognized unscored severities taking the lower bound of the comparable CVSSv3 range>

Specified by:

compareTo in interface java.lang.Comparable<Vulnerability>

Parameters:

o - a vulnerability to be compared

Returns:

a negative integer, zero, or a positive integer as this object is less than , equal to, or greater than the specified vulnerability

See Also:

bestEffortSeverityLevelForSorting()

getHighestSeverityText

public java.lang.String getHighestSeverityText()

The report text to use for highest severity when this issue is ranked highest.

Returns:

The string to display in the report, clarifying for unrecognized unscored severities that critical is assumed.

setMatchedVulnerableSoftware

public void setMatchedVulnerableSoftware(VulnerableSoftware software)

Sets the CPE that caused this vulnerability to be flagged.

Parameters:

software - a Vulnerable Software identifier

getMatchedVulnerableSoftware

public VulnerableSoftware getMatchedVulnerableSoftware()

Get the value of matchedVulnerableSoftware.

Returns:

the value of matchedVulnerableSoftware

getSource

public Vulnerability.Source getSource()

Returns the source that identified the vulnerability.

Returns:

the source

setSource

public void setSource(Vulnerability.Source source)

Sets the source that identified the vulnerability.

Parameters:

source - the source