[JENKINS-73382] Report parser fails on report file generated by depen…

…dency-check version 10

Fix parsing of the version in the xml report file.

pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
-        <version>4.81</version>
+        <version>4.85</version>
     </parent>
     <artifactId>dependency-check-jenkins-plugin</artifactId>
     <name>OWASP Dependency-Check Plugin</name>
@@ -80,11 +80,11 @@
         <revision>5.5.1</revision>
         <changelist>-SNAPSHOT</changelist>
         <gitHubRepo>jenkinsci/dependency-check-plugin</gitHubRepo>
-        <jenkins.version>2.387.3</jenkins.version>
-        <jenkins-plugins-bom.artifactId>bom-2.387.x</jenkins-plugins-bom.artifactId>
-        <jenkins-plugins-bom.version>2543.vfb_1a_5fb_9496d</jenkins-plugins-bom.version>
+        <jenkins.version>2.426.3</jenkins.version>
+        <jenkins-plugins-bom.artifactId>bom-2.426.x</jenkins-plugins-bom.artifactId>
+        <jenkins-plugins-bom.version>3157.vb_3e8b_8a_d185d</jenkins-plugins-bom.version>
 
-        <assertj.version>3.24.2</assertj.version>
+        <assertj.version>3.26.0</assertj.version>
         <checkstyle.version>10.17.0</checkstyle.version>
     </properties>
 

src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java

@@ -24,6 +24,7 @@
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.commons.digester3.Digester;
+import org.jenkinsci.plugins.DependencyCheck.tools.Version;
 import org.xml.sax.SAXException;
 
 /**
@@ -33,6 +34,7 @@
  * @since 1.0.0
  */
 public final class ReportParser {
+    private static final Version MIN_VERSION = new Version("5");
 
     private ReportParser() {
     }
@@ -129,11 +131,9 @@ public static List<Finding> parse(final InputStream file)
             if (analysis == null) {
                 throw new SAXException("Input stream is not a Dependency-Check report file.");
             }
+
             if (analysis.getScanInfo() == null || analysis.getScanInfo().getEngineVersion() == null
-                    || analysis.getScanInfo().getEngineVersion().startsWith("1")
-                    || analysis.getScanInfo().getEngineVersion().startsWith("2")
-                    || analysis.getScanInfo().getEngineVersion().startsWith("3")
-                    || analysis.getScanInfo().getEngineVersion().startsWith("4")) {
+                    || Version.parseVersion(analysis.getScanInfo().getEngineVersion()).compareTo(MIN_VERSION) < 0) {
                 throw new ReportParserException("Unsupported Dependency-Check schema version detected");
             }
             findings = convert(analysis);
@@ -150,7 +150,7 @@ public static List<Finding> parse(final InputStream file)
      * @return a List of Finding objects
      */
     private static List<Finding> convert(final Analysis collection) {
-        List<Finding> findings = new ArrayList<Finding>();
+        List<Finding> findings = new ArrayList<>();
         for (Dependency dependency : collection.getDependencies()) {
             for (Vulnerability vulnerability : dependency.getVulnerabilities()) {
                 final Finding finding = new Finding(dependency, vulnerability);

src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java

@@ -15,6 +15,7 @@
  */
 package org.jenkinsci.plugins.DependencyCheck.model;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;
@@ -24,6 +25,7 @@
 
 import org.jenkinsci.plugins.DependencyCheck.model.Vulnerability.Source;
 import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
 
 public class ReportParserTest {
 
@@ -66,4 +68,11 @@ public void testVulnerability() throws Exception {
         assertEquals(Severity.HIGH, finding.getNormalizedSeverity());
     }
 
+    @Issue("JENKINS-73382")
+    @Test
+    public void parse_report_v10() throws Exception {
+        List<Finding> findings = ReportParser.parse(getClass().getResourceAsStream("dependency-check-report-v10.xml"));
+        assertThat(findings).isEmpty();
+    }
+
 }

src/test/resources/org/jenkinsci/plugins/DependencyCheck/model/dependency-check-report-v10.xml

@@ -0,0 +1,86 @@
+<?xml version="1.0"?>
+<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.4.0.xsd">
+    <scanInfo>
+        <engineVersion>10.0.1</engineVersion>
+        <dataSource>
+            <name>NVD API Last Checked</name>
+            <timestamp>2024-07-05T11:12:02Z</timestamp>
+        </dataSource>
+        <dataSource>
+            <name>NVD API Last Modified</name>
+            <timestamp>2024-07-05T08:15:03Z</timestamp>
+        </dataSource>
+        <dataSource>
+            <name>NVD Cache Last Checked</name>
+            <timestamp>2024-07-05T11:12:02Z</timestamp>
+        </dataSource>
+        <dataSource>
+            <name>NVD Cache Last Modified</name>
+            <timestamp>2024-07-05T08:15:03Z</timestamp>
+        </dataSource>
+    </scanInfo>
+    <projectInfo>
+        <name>root</name>
+        <groupID>com.acme</groupID>
+        <artifactID>root</artifactID>
+        <version>1.1.9-SNAPSHOT</version>
+        <reportDate>2024-07-05T11:13:33.465082212Z</reportDate>
+        <credits>This product uses the NVD API but is not endorsed or certified by the NVD. This report contains data
+            retrieved from the National Vulnerability Database: https://nvd.nist.gov, Github Advisory Database (via NPM
+            Audit API): https://github.com/advisories/, and the RetireJS community.
+        </credits>
+    </projectInfo>
+    <dependencies>
+        <dependency isVirtual="true">
+            <fileName>@antora/asciidoc-loader:3.1.8</fileName>
+            <filePath>
+                /projectDir/docs-site/package-lock.json?@antora/site-generator:3.1.8/@antora/asciidoc-loader:3.1.8
+            </filePath>
+            <md5></md5>
+            <sha1></sha1>
+            <sha256></sha256>
+            <description>Loads AsciiDoc content into an Asciidoctor Document object (AST) for use in an Antora
+                documentation pipeline.
+            </description>
+            <license>MPL-2.0</license>
+            <projectReferences>
+                <projectReference>docs-site/@antora/site-generator:3.1.8</projectReference>
+            </projectReferences>
+            <relatedDependencies>
+                <relatedDependency isVirtual="true">
+                    <fileName>@antora/asciidoc-loader:3.1.8</fileName>
+                    <filePath>/projectDir/docs-site/package-lock.json?/@antora/asciidoc-loader:3.1.8
+                    </filePath>
+                    <sha256></sha256>
+                    <sha1></sha1>
+                    <md5></md5>
+                    <identifiers>
+                        <package>
+                            <id>pkg:npm/%40antora%[email protected]</id>
+                        </package>
+                    </identifiers>
+                </relatedDependency>
+            </relatedDependencies>
+            <evidenceCollected>
+                <evidence type="vendor" confidence="HIGHEST">
+                    <source>package.json</source>
+                    <name>author</name>
+                    <value>OpenDevise Inc. (https://opendevise.com)</value>
+                </evidence>
+                <evidence type="version" confidence="HIGHEST">
+                    <source>package.json</source>
+                    <name>version</name>
+                    <value>3.1.8</value>
+                </evidence>
+            </evidenceCollected>
+            <identifiers>
+                <package confidence="HIGHEST">
+                    <id>pkg:npm/%40antora%[email protected]</id>
+                    <url>
+                        https://ossindex.sonatype.org/component/pkg:npm/%40antora%[email protected]?utm_source=dependency-check&amp;utm_medium=integration&amp;utm_content=10.0.1
+                    </url>
+                </package>
+            </identifiers>
+        </dependency>
+    </dependencies>
+</analysis>