Class Vulnerability

java.lang.Object
org.owasp.dependencycheck.dependency.Vulnerability
All Implemented Interfaces:
Serializable, Comparable<Vulnerability>

@NotThreadSafe public class Vulnerability extends Object implements Serializable, Comparable<Vulnerability>
Contains the information about a vulnerability.
Author:
Jeremy Long
  • Constructor Details

    • Vulnerability

      public Vulnerability()
      Default constructor.
    • Vulnerability

      public Vulnerability(String name)
      Constructs a new Vulnerability by its name.
      Parameters:
      name - the name of the vulnerability
  • Method Details

    • getName

      public String getName()
      Get the value of name.
      Returns:
      the value of name
    • setName

      public void setName(String name)
      Set the value of name.
      Parameters:
      name - new value of name
    • getDescription

      public String getDescription()
      Get the value of description.
      Returns:
      the value of description
    • setDescription

      public void setDescription(String description)
      Set the value of description.
      Parameters:
      description - new value of description
    • getReferences

      public Set<Reference> getReferences()
      Get the value of references.
      Returns:
      the value of references
    • getReferences

      public List<Reference> getReferences(boolean sorted)
      Returns the list of references. This is primarily used within the generated reports.
      Parameters:
      sorted - whether the returned list should be sorted
      Returns:
      the list of references
    • addReferences

      public void addReferences(Set<Reference> references)
      Adds the references to the collection.
      Parameters:
      references - a collection of references to add
    • addReference

      public void addReference(Reference ref)
      Adds a reference to the references collection.
      Parameters:
      ref - a reference for the vulnerability
    • addReference

      public void addReference(String referenceSource, String referenceName, String referenceUrl)
      Adds a reference.
      Parameters:
      referenceSource - the source of the reference
      referenceName - the referenceName of the reference
      referenceUrl - the url of the reference
    • setKnownExploitedVulnerability

      public void setKnownExploitedVulnerability(Vulnerability kev)
      Adds information about known exploited vulnerabilities.
      Parameters:
      kev - the known exploited vulnerability information
    • getKnownExploitedVulnerability

      public Vulnerability getKnownExploitedVulnerability()
      Get the value of knownExploitedVulnerability.
      Returns:
      the value of knownExploitedVulnerability
    • getVulnerableSoftware

      public Set<VulnerableSoftware> getVulnerableSoftware()
      Get the value of vulnerableSoftware.
      Returns:
      the value of vulnerableSoftware
    • getVulnerableSoftware

      public List<VulnerableSoftware> getVulnerableSoftware(boolean sorted)
      Returns a sorted list of vulnerable software. This is primarily used for display within reports.
      Parameters:
      sorted - whether or not the list should be sorted
      Returns:
      the list of vulnerable software
    • removeVulnerableSoftware

      public void removeVulnerableSoftware(Set<VulnerableSoftware> vulnerableSoftware)
      Removes the specified vulnerableSoftware from the collection.
      Parameters:
      vulnerableSoftware - a collection of vulnerable software to be removed
    • addVulnerableSoftware

      public void addVulnerableSoftware(Set<VulnerableSoftware> vulnerableSoftware)
      Adds the vulnerableSoftware to the collection.
      Parameters:
      vulnerableSoftware - a collection of vulnerable software
    • addVulnerableSoftware

      public void addVulnerableSoftware(VulnerableSoftware software)
      Adds an entry for vulnerable software.
      Parameters:
      software - the vulnerable software reference to add
    • getCvssV2

      public io.github.jeremylong.openvulnerability.client.nvd.CvssV2 getCvssV2()
      Get the CVSS V2 scoring information.
      Returns:
      the CVSS V2 scoring information
    • setCvssV2

      public void setCvssV2(io.github.jeremylong.openvulnerability.client.nvd.CvssV2 cvssV2)
      Sets the CVSS V2 scoring information.
      Parameters:
      cvssV2 - the CVSS V2 scoring information
    • getCvssV3

      public io.github.jeremylong.openvulnerability.client.nvd.CvssV3 getCvssV3()
      Get the CVSS V3 scoring information.
      Returns:
      the CVSS V3 scoring information
    • setCvssV3

      public void setCvssV3(io.github.jeremylong.openvulnerability.client.nvd.CvssV3 cvssV3)
      Sets the CVSS V3 scoring information.
      Parameters:
      cvssV3 - the CVSS V3 scoring information
    • getCvssV4

      public io.github.jeremylong.openvulnerability.client.nvd.CvssV4 getCvssV4()
      Get the CVSS V4 scoring information.
      Returns:
      the CVSS V4 scoring information
    • setCvssV4

      public void setCvssV4(io.github.jeremylong.openvulnerability.client.nvd.CvssV4 cvssV4)
      Sets the CVSS V4 scoring information.
      Parameters:
      cvssV4 - the CVSS V4 scoring information
    • getCwes

      public CweSet getCwes()
      Get the set of CWEs.
      Returns:
      the set of CWEs
    • addCwe

      public void addCwe(String cwe)
      Adds a CWE to the set.
      Parameters:
      cwe - new CWE to add
    • getUnscoredSeverity

      public String getUnscoredSeverity()
      Retrieves the severity assigned by a Vulnerability.Source for a vulnerability that has no CVSS score. The severity could be anything from the traditional 'critical', 'high', 'medium' and 'low' to non-traditional labels such as 'major', 'minor' and 'important'.
      Returns:
      the un-scored severity
    • setUnscoredSeverity

      public void setUnscoredSeverity(String unscoredSeverity)
      Sets the severity assigned by a Vulnerability.Source for a vulnerability that has no CVSS score. The severity could be anything from the traditional 'critical', 'high', 'medium' and 'low' to non-traditional labels such as 'major', 'minor' and 'important'.
      Parameters:
      unscoredSeverity - the un-scored severity
    • getNotes

      public String getNotes()
      Get the value of notes from suppression notes.
      Returns:
      the value of notes
    • setNotes

      public void setNotes(String notes)
      Set the value of notes.
      Parameters:
      notes - new value of notes
    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • compareTo

      public int compareTo(@NonNull Vulnerability o)
      Compares two vulnerabilities.
      Natural order of vulnerabilities is defined as decreasing in severity and alphabetically by name for equal severity. This way the most severe issues are listed first in a sorted list.
      This uses a best-effort ordering for severity, because the variety of sources does not guarantee consistent availability of standardized severity scores. The best-effort severity level estimation uses the CVSSv3 baseScore for comparison when it is available on both sides. If either vulnerability lacks a CVSSv3 score the sort order may be off, but it will be consistent.
      The ranking of severity (high to low) can be informally represented as <CVSSv3 critical> >> <Unscored recognized critical> >> <Unscored unrecognized (assumed critical)> >> <Score-based comparison for high-or-lower severities, with recognized unscored severities taking the lower bound of the comparable CVSSv3 range>
      Specified by:
      compareTo in interface Comparable<Vulnerability>
      Parameters:
      o - a vulnerability to be compared
      Returns:
      a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than the specified vulnerability
      See Also:
      • bestEffortSeverityLevelForSorting()
    • getHighestSeverityText

      public String getHighestSeverityText()
      The report text to use for highest severity when this issue is ranked highest.
      Returns:
      The string to display in the report, clarifying for unrecognized unscored severities that critical is assumed.
    • setMatchedVulnerableSoftware

      public void setMatchedVulnerableSoftware(VulnerableSoftware software)
      Sets the CPE that caused this vulnerability to be flagged.
      Parameters:
      software - a Vulnerable Software identifier
    • getMatchedVulnerableSoftware

      public VulnerableSoftware getMatchedVulnerableSoftware()
      Get the value of matchedVulnerableSoftware.
      Returns:
      the value of matchedVulnerableSoftware
    • getSource

      public Vulnerability.Source getSource()
      Returns the source that identified the vulnerability.
      Returns:
      the source
    • setSource

      public void setSource(Vulnerability.Source source)
      Sets the source that identified the vulnerability.
      Parameters:
      source - the source
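The severity ordering documented for compareTo above, as an added stand-alone model written for this page (it is not dependency-check's own code); the Vuln class, the numeric tier encoding, the treatment of a missing label as unrecognized, and the CVSSv3 range lower bounds are this example's assumptions:

```python
# Model of the best-effort natural ordering described for Vulnerability.compareTo():
# decreasing severity first, then alphabetical by name for equal severity.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lower bound of each CVSSv3 qualitative range (Low 0.1-3.9, Medium 4.0-6.9,
# High 7.0-8.9, Critical 9.0-10.0). A recognized unscored label is mapped to
# the bottom of its range so it sorts below any real score in that range.
RECOGNIZED_LOWER_BOUND = {"high": 7.0, "medium": 4.0, "low": 0.1}


@dataclass
class Vuln:
    name: str
    cvss_v3_base: Optional[float] = None     # None when the source gave no CVSSv3 score
    unscored_severity: Optional[str] = None  # e.g. 'critical', or a label like 'major'


def severity_rank(v: Vuln) -> Tuple[int, float]:
    """Return (tier, score); a larger tuple is more severe. Tiers mirror the
    documented ranking: 3 = CVSSv3 critical, 2 = unscored recognized critical,
    1 = unscored unrecognized (assumed critical), 0 = score-based comparison."""
    if v.cvss_v3_base is not None:
        return (3, v.cvss_v3_base) if v.cvss_v3_base >= 9.0 else (0, v.cvss_v3_base)
    label = (v.unscored_severity or "").strip().lower()
    if label == "critical":
        return (2, 9.0)
    if label in RECOGNIZED_LOWER_BOUND:
        return (0, RECOGNIZED_LOWER_BOUND[label])
    # Unrecognized (or missing) label: assume critical, but rank below recognized critical.
    return (1, 9.0)


def sort_key(v: Vuln):
    tier, score = severity_rank(v)
    # Negate so that sorted() ascending yields most severe first; name breaks ties.
    return (-tier, -score, v.name)


def natural_order(vulns: List[Vuln]) -> List[str]:
    """Names in natural order: the most severe issues come first."""
    return [v.name for v in sorted(vulns, key=sort_key)]


# Constructed sample input: placeholder names, not real vulnerability identifiers.
SAMPLE = [
    Vuln("VULN-B", 7.5), Vuln("VULN-A", 9.8), Vuln("VULN-C", None, "major"),
    Vuln("VULN-D", None, "critical"), Vuln("VULN-E", None, "high"), Vuln("VULN-F", 7.5),
]
```

The unscored 'high' entry lands after both 7.5-scored entries because it takes the 7.0 lower bound of the High range, and the unrecognized 'major' label sits just below a recognized 'critical'.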