From 5c4754de2565e1ead8b5aa5d72d30c655f798704 Mon Sep 17 00:00:00 2001 From: Nikolas Falco Date: Fri, 5 Jul 2024 14:38:29 +0200 Subject: [PATCH] [JENKINS-73382] Report parser fails on report file generated by dependency-check version 10 Fix parsing of the version in the xml report file. --- pom.xml | 10 +-- .../DependencyCheck/model/ReportParser.java | 10 +-- .../model/ReportParserTest.java | 9 ++ .../model/dependency-check-report-v10.xml | 86 +++++++++++++++++++ 4 files changed, 105 insertions(+), 10 deletions(-) create mode 100644 src/test/resources/org/jenkinsci/plugins/DependencyCheck/model/dependency-check-report-v10.xml diff --git a/pom.xml b/pom.xml index 3b12a73..c7de37e 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ org.jenkins-ci.plugins plugin - 4.81 + 4.85 dependency-check-jenkins-plugin OWASP Dependency-Check Plugin @@ -80,11 +80,11 @@ 5.5.1 -SNAPSHOT jenkinsci/dependency-check-plugin - 2.387.3 - bom-2.387.x - 2543.vfb_1a_5fb_9496d + 2.426.3 + bom-2.426.x + 3157.vb_3e8b_8a_d185d - 3.24.2 + 3.26.0 10.17.0 diff --git a/src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java b/src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java index 52c7568..d48a5ed 100755 --- a/src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java +++ b/src/main/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParser.java @@ -24,6 +24,7 @@ import javax.xml.parsers.ParserConfigurationException; import org.apache.commons.digester3.Digester; +import org.jenkinsci.plugins.DependencyCheck.tools.Version; import org.xml.sax.SAXException; /** @@ -33,6 +34,7 @@ * @since 1.0.0 */ public final class ReportParser { + private static final Version MIN_VERSION = new Version("5"); private ReportParser() { } 
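Review bot: `MIN_VERSION` is built with `new Version("5")` while the comparison site in the following hunk uses `Version.parseVersion(...)`; the `Version` class is not visible here, so if the constructor and the factory normalize differently the threshold comparison could be subtly off, and building the constant the same way, `private static final Version MIN_VERSION = Version.parseVersion("5");`, would remove that doubt. The constant also carries no explanation of why 5 is the floor; a one-line comment such as `// oldest engine version whose report schema this parser accepts; 1.x-4.x reports are rejected` would tell the next maintainer what the old startsWith("1").."4" chain encoded. The enclosing class continues beyond the hunk.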
@@ -129,11 +131,9 @@ public static List parse(final InputStream file) if (analysis == null) { throw new SAXException("Input stream is not a Dependency-Check report file."); } + if (analysis.getScanInfo() == null || analysis.getScanInfo().getEngineVersion() == null - || analysis.getScanInfo().getEngineVersion().startsWith("1") - || analysis.getScanInfo().getEngineVersion().startsWith("2") - || analysis.getScanInfo().getEngineVersion().startsWith("3") - || analysis.getScanInfo().getEngineVersion().startsWith("4")) { + || Version.parseVersion(analysis.getScanInfo().getEngineVersion()).compareTo(MIN_VERSION) < 0) { throw new ReportParserException("Unsupported Dependency-Check schema version detected"); } findings = convert(analysis); @@ -150,7 +150,7 @@ public static List parse(final InputStream file) * @return a List of Finding objects */ private static List convert(final Analysis collection) { - List findings = new ArrayList(); + List findings = new ArrayList<>(); for (Dependency dependency : collection.getDependencies()) { for (Vulnerability vulnerability : dependency.getVulnerabilities()) { final Finding finding = new Finding(dependency, vulnerability); diff --git a/src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java b/src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java index b464a79..953ba86 100644 --- a/src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java +++ b/src/test/java/org/jenkinsci/plugins/DependencyCheck/model/ReportParserTest.java @@ -15,6 +15,7 @@ */ package org.jenkinsci.plugins.DependencyCheck.model; +import static org.assertj.core.api.Assertions.assertThat; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.fail; @@ -24,6 +25,7 @@ import org.jenkinsci.plugins.DependencyCheck.model.Vulnerability.Source; import org.junit.Test; +import org.jvnet.hudson.test.Issue; public class ReportParserTest { 
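Review bot: The engine version string is read straight from the report file and handed to `Version.parseVersion(...)` with no guard, so if that method throws on input it cannot parse (a qualifier suffix, or junk from a truncated or hand-edited report), the caller sees whatever exception `parseVersion` raises rather than the `ReportParserException` this branch is meant to produce. The `parse` method starts and ends outside the hunk, so its declared exceptions are not visible, but converting an unparseable version into a `ReportParserException` that names the offending string keeps the error contract in one place; if `ReportParserException` has a cause-taking constructor, pass the original exception through it. The message on the unsupported path would also be more useful with the detected value in it, since "schema version detected" currently tells the user nothing about what was found. The catch below is deliberately wide because the thrown type is not visible here; narrow it to what `Version.parseVersion` actually throws.
```java
        // … unchanged: null check on analysis …
        final String engineVersion = analysis.getScanInfo() == null ? null : analysis.getScanInfo().getEngineVersion();
        if (engineVersion == null) {
            throw new ReportParserException("Unsupported Dependency-Check schema version detected: engine version missing");
        }
        final Version detected;
        try {
            detected = Version.parseVersion(engineVersion);
        } catch (RuntimeException e) { // TODO(review): narrow to the type Version.parseVersion actually throws
            throw new ReportParserException("Unparseable Dependency-Check engine version: " + engineVersion);
        }
        if (detected.compareTo(MIN_VERSION) < 0) {
            throw new ReportParserException("Unsupported Dependency-Check engine version: " + engineVersion);
        }
        // … unchanged: findings = convert(analysis); …
```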
@@ -66,4 +68,11 @@ public void testVulnerability() throws Exception { assertEquals(Severity.HIGH, finding.getNormalizedSeverity()); } + @Issue("JENKINS-73382") + @Test + public void parse_report_v10() throws Exception { + List findings = ReportParser.parse(getClass().getResourceAsStream("dependency-check-report-v10.xml")); + assertThat(findings).isEmpty(); + } + } diff --git a/src/test/resources/org/jenkinsci/plugins/DependencyCheck/model/dependency-check-report-v10.xml b/src/test/resources/org/jenkinsci/plugins/DependencyCheck/model/dependency-check-report-v10.xml new file mode 100644 index 0000000..99eb675 --- /dev/null +++ b/src/test/resources/org/jenkinsci/plugins/DependencyCheck/model/dependency-check-report-v10.xml 
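Review bot: The stream returned by `getResourceAsStream` in `parse_report_v10` is never closed, and if the resource is missing the null stream would fail somewhere inside `ReportParser.parse` instead of at a clear assertion. Reading it in a try-with-resources with a null check, `try (InputStream in = getClass().getResourceAsStream("dependency-check-report-v10.xml")) { assertNotNull(in); assertThat(ReportParser.parse(in)).isEmpty(); }`, addresses both (`assertNotNull` is already statically imported in this file; `java.io.InputStream` may need an import). Style: the existing test in this class is named in camelCase (`testVulnerability`), so `parseReportV10` would match the file's convention.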
@@ -0,0 +1,86 @@ + + + + 10.0.1 + + NVD API Last Checked + 2024-07-05T11:12:02Z + + + NVD API Last Modified + 2024-07-05T08:15:03Z + + + NVD Cache Last Checked + 2024-07-05T11:12:02Z + + + NVD Cache Last Modified + 2024-07-05T08:15:03Z + + + + root + com.acme + root + 1.1.9-SNAPSHOT + 2024-07-05T11:13:33.465082212Z + This product uses the NVD API but is not endorsed or certified by the NVD. This report contains data + retrieved from the National Vulnerability Database: https://nvd.nist.gov, Github Advisory Database (via NPM + Audit API): https://github.com/advisories/, and the RetireJS community. + + + + + @antora/asciidoc-loader:3.1.8 + + /projectDir/docs-site/package-lock.json?@antora/site-generator:3.1.8/@antora/asciidoc-loader:3.1.8 + + + + + Loads AsciiDoc content into an Asciidoctor Document object (AST) for use in an Antora + documentation pipeline. + + MPL-2.0 + + docs-site/@antora/site-generator:3.1.8 + + + + @antora/asciidoc-loader:3.1.8 + /projectDir/docs-site/package-lock.json?/@antora/asciidoc-loader:3.1.8 + + + + + + + pkg:npm/%40antora%2Fasciidoc-loader@3.1.8 + + + + + + + package.json + author + OpenDevise Inc. (https://opendevise.com) + + + package.json + version + 3.1.8 + + + + + pkg:npm/%40antora%2Fasciidoc-loader@3.1.8 + + https://ossindex.sonatype.org/component/pkg:npm/%40antora%2Fasciidoc-loader@3.1.8?utm_source=dependency-check&utm_medium=integration&utm_content=10.0.1 + + + + + + \ No newline at end of file