diff --git a/pom.xml b/pom.xml
index 3b12a73..c7de37e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
org.jenkins-ci.plugins
plugin
- 4.81
+ 4.85
dependency-check-jenkins-plugin
OWASP Dependency-Check Plugin
@@ -80,11 +80,11 @@
5.5.1
-SNAPSHOT
jenkinsci/dependency-check-plugin
- 2.387.3
- bom-2.387.x
- 2543.vfb_1a_5fb_9496d
+ 2.426.3
+ bom-2.426.x
+ 3157.vb_3e8b_8a_d185d
- 3.24.2
+ 3.26.0
10.17.0
diff --git a/src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java b/src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java
index 52c7568..d48a5ed 100755
--- a/src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java
+++ b/src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java
@@ -24,6 +24,7 @@
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.digester3.Digester;
+import org.jenkinsci.plugins.DependencyCheck.tools.Version;
import org.xml.sax.SAXException;
/**
@@ -33,6 +34,7 @@
* @since 1.0.0
*/
public final class ReportParser {
+ private static final Version MIN_VERSION = new Version("5");
private ReportParser() {
}
@@ -129,11 +131,9 @@ public static List parse(final InputStream file)
if (analysis == null) {
throw new SAXException("Input stream is not a Dependency-Check report file.");
}
+
if (analysis.getScanInfo() == null || analysis.getScanInfo().getEngineVersion() == null
- || analysis.getScanInfo().getEngineVersion().startsWith("1")
- || analysis.getScanInfo().getEngineVersion().startsWith("2")
- || analysis.getScanInfo().getEngineVersion().startsWith("3")
- || analysis.getScanInfo().getEngineVersion().startsWith("4")) {
+ || Version.parseVersion(analysis.getScanInfo().getEngineVersion()).compareTo(MIN_VERSION) < 0) {
throw new ReportParserException("Unsupported Dependency-Check schema version detected");
}
findings = convert(analysis);
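Review bot: The new `Version.parseVersion(...)` call lets whatever that method throws on a malformed or empty engine version (its behaviour is not visible here) escape `parse` unchanged, while every other rejection in this block is surfaced as `ReportParserException`; since the engine version is read out of the report being parsed, a non-numeric value now fails with a different exception type than callers of `parse` expect. The rejection message also still says "schema version" and omits the value that was refused, which makes a JENKINS-73382-style problem (a `10.x` report rejected) hard to diagnose from logs. I would read the engine version once into a local, map a parse failure to `ReportParserException`, and put the offending value and the minimum in the message, assuming `ReportParserException` has a `(String, Throwable)` constructor; if it does not, drop the cause argument. `MIN_VERSION` is built with `new Version("5")` while the report value goes through `Version.parseVersion`, so it is worth confirming both paths yield instances that `compareTo` treats consistently. `parse` starts and ends outside this hunk.
```java
// … unchanged: analysis null check above …
final String engineVersion = analysis.getScanInfo() == null ? null : analysis.getScanInfo().getEngineVersion();
if (engineVersion == null) {
    throw new ReportParserException("Unsupported Dependency-Check report: engine version missing");
}
final Version reportVersion;
try {
    reportVersion = Version.parseVersion(engineVersion);
} catch (RuntimeException e) {
    // value comes from the report itself, so report it as a parse problem rather than leaking parseVersion's exception
    throw new ReportParserException("Unable to parse Dependency-Check engine version '" + engineVersion + "'", e);
}
if (reportVersion.compareTo(MIN_VERSION) < 0) {
    // assumes Version.toString() renders the version text — confirm
    throw new ReportParserException("Unsupported Dependency-Check engine version " + engineVersion
            + "; minimum supported is " + MIN_VERSION);
}
// … unchanged: findings = convert(analysis); …
```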
@@ -150,7 +150,7 @@ public static List parse(final InputStream file)
* @return a List of Finding objects
*/
private static List convert(final Analysis collection) {
- List findings = new ArrayList();
+ List findings = new ArrayList<>();
for (Dependency dependency : collection.getDependencies()) {
for (Vulnerability vulnerability : dependency.getVulnerabilities()) {
final Finding finding = new Finding(dependency, vulnerability);
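Review bot: `List findings = new ArrayList<>();` keeps the raw `List` on the left-hand side, so the diamond only infers `ArrayList<Object>` and the unchecked situation of the old `new ArrayList()` is unchanged; `convert` (signature at the top of the hunk) and `parse` (hunk header) still return raw `List` as well. Declaring `List<Finding> findings = new ArrayList<>();` and returning `List<Finding>` from the private `convert` gives the loop a properly typed target, and widening `parse`'s return type to `List<Finding>` stays source-compatible for callers that assign to a raw `List`. `convert`'s body continues past the end of the hunk.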
diff --git a/src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java b/src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java
index b464a79..953ba86 100644
--- a/src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java
+++ b/src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java
@@ -15,6 +15,7 @@
*/
package org.jenkinsci.plugins.DependencyCheck.model;
+import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;
@@ -24,6 +25,7 @@
import org.jenkinsci.plugins.DependencyCheck.model.Vulnerability.Source;
import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
public class ReportParserTest {
@@ -66,4 +68,11 @@ public void testVulnerability() throws Exception {
assertEquals(Severity.HIGH, finding.getNormalizedSeverity());
}
+ @Issue("JENKINS-73382")
+ @Test
+ public void parse_report_v10() throws Exception {
+ List findings = ReportParser.parse(getClass().getResourceAsStream("dependency-check-report-v10.xml"));
+ assertThat(findings).isEmpty();
+ }
+
}
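Review bot: `parse_report_v10` only asserts that the v10 report yields no findings, which does exercise the JENKINS-73382 fix (a `10.x` engine version previously matched `startsWith("1")`) but leaves the rejection side of the new comparison untested; a sibling test feeding a report whose engine version is below 5, and one with a non-numeric engine version, each asserting `ReportParserException`, would pin both branches of the new check. The name `parse_report_v10` is snake_case while the existing test in the hunk header (`testVulnerability`) is camelCase, so `testParseReportV10` would match the file's convention. `List findings` is a raw type here as well; `List<Finding>` would fit once `ReportParser.parse` is generified.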
diff --git a/src/test/resources/org/jenkinsci/plugins/DependencyCheck/model/dependency-check-report-v10.xml b/src/test/resources/org/jenkinsci/plugins/DependencyCheck/model/dependency-check-report-v10.xml
new file mode 100644
index 0000000..99eb675
--- /dev/null
+++ b/src/test/resources/org/jenkinsci/plugins/DependencyCheck/model/dependency-check-report-v10.xml
@@ -0,0 +1,86 @@
+
+
+
+ 10.0.1
+
+ NVD API Last Checked
+ 2024-07-05T11:12:02Z
+
+
+ NVD API Last Modified
+ 2024-07-05T08:15:03Z
+
+
+ NVD Cache Last Checked
+ 2024-07-05T11:12:02Z
+
+
+ NVD Cache Last Modified
+ 2024-07-05T08:15:03Z
+
+
+
+ root
+ com.acme
+ root
+ 1.1.9-SNAPSHOT
+ 2024-07-05T11:13:33.465082212Z
+ This product uses the NVD API but is not endorsed or certified by the NVD. This report contains data
+ retrieved from the National Vulnerability Database: https://nvd.nist.gov, Github Advisory Database (via NPM
+ Audit API): https://github.com/advisories/, and the RetireJS community.
+
+
+
+
+ @antora/asciidoc-loader:3.1.8
+
+ /projectDir/docs-site/package-lock.json?@antora/site-generator:3.1.8/@antora/asciidoc-loader:3.1.8
+
+
+
+
+ Loads AsciiDoc content into an Asciidoctor Document object (AST) for use in an Antora
+ documentation pipeline.
+
+ MPL-2.0
+
+ docs-site/@antora/site-generator:3.1.8
+
+
+
+ @antora/asciidoc-loader:3.1.8
+ /projectDir/docs-site/package-lock.json?/@antora/asciidoc-loader:3.1.8
+
+
+
+
+
+
+ pkg:npm/%40antora%2Fasciidoc-loader@3.1.8
+
+
+
+
+
+
+
+ author
+ OpenDevise Inc. (https://opendevise.com)
+
+
+
+ version
+ 3.1.8
+
+
+
+
+ pkg:npm/%40antora%2Fasciidoc-loader@3.1.8
+
+ https://ossindex.sonatype.org/component/pkg:npm/%40antora%2Fasciidoc-loader@3.1.8?utm_source=dependency-check&utm_medium=integration&utm_content=10.0.1
+
+
+
+
+
+
\ No newline at end of file