Package org.owasp.dependencycheck.dependency

Class Vulnerability

  • All Implemented Interfaces:
    java.io.Serializable, java.lang.Comparable<Vulnerability>
    @NotThreadSafe
public class Vulnerability
extends java.lang.Object
implements java.io.Serializable, java.lang.Comparable<Vulnerability>
    Contains the information about a vulnerability.
    Author:
    Jeremy Long
    See Also:
    Serialized Form

    • Constructor Detail

      • Vulnerability

        public Vulnerability()
        Default constructor.

      • Vulnerability

        public Vulnerability​(java.lang.String name)
        Constructs a new Vulnerability by its name.
        Parameters:
        name - the name of the vulnerability

    • Method Detail

      • getName

        public java.lang.String getName()
        Get the value of name.
        Returns:
        the value of name

      • setName

        public void setName​(java.lang.String name)
        Set the value of name.
        Parameters:
        name - new value of name

      • getDescription

        public java.lang.String getDescription()
        Get the value of description.
        Returns:
        the value of description

      • setDescription

        public void setDescription​(java.lang.String description)
        Set the value of description.
        Parameters:
        description - new value of description

      • getReferences

        public java.util.Set<Reference> getReferences()
        Get the value of references.
        Returns:
        the value of references

      • getReferences

        public java.util.List<Reference> getReferences​(boolean sorted)
        Returns the list of references. This is primarily used within the generated reports.
        Parameters:
        sorted - whether the returned list should be sorted
        Returns:
        the list of references

      • addReferences

        public void addReferences​(java.util.Set<Reference> references)
        Adds the references to the collection.
        Parameters:
        references - a collection of references to add

      • addReference

        public void addReference​(Reference ref)
        Adds a reference to the references collection.
        Parameters:
        ref - a reference for the vulnerability

      • addReference

        public void addReference​(java.lang.String referenceSource,
                         java.lang.String referenceName,
                         java.lang.String referenceUrl)
        Adds a reference.
        Parameters:
        referenceSource - the source of the reference
        referenceName - the referenceName of the reference
        referenceUrl - the url of the reference

      • setKnownExploitedVulnerability

        public void setKnownExploitedVulnerability​(Vulnerability kev)
        Adds information about known exploited vulnerabilities.
        Parameters:
        kev - the known exploited vulnerability information

      • getKnownExploitedVulnerability

        public Vulnerability getKnownExploitedVulnerability()
        Get the value of knownExploitedVulnerability.
        Returns:
        the value of knownExploitedVulnerability

      • getVulnerableSoftware

        public java.util.Set<VulnerableSoftware> getVulnerableSoftware()
        Get the value of vulnerableSoftware.
        Returns:
        the value of vulnerableSoftware

      • getVulnerableSoftware

        public java.util.List<VulnerableSoftware> getVulnerableSoftware​(boolean sorted)
        Returns a sorted list of vulnerable software. This is primarily used for display within reports.
        Parameters:
        sorted - whether or not the list should be sorted
        Returns:
        the list of vulnerable software

      • removeVulnerableSoftware

        public void removeVulnerableSoftware​(java.util.Set<VulnerableSoftware> vulnerableSoftware)
        Removes the specified vulnerableSoftware from the collection.
        Parameters:
        vulnerableSoftware - a collection of vulnerable software to be removed

      • addVulnerableSoftware

        public void addVulnerableSoftware​(java.util.Set<VulnerableSoftware> vulnerableSoftware)
        Adds the vulnerableSoftware to the collection.
        Parameters:
        vulnerableSoftware - a collection of vulnerable software

      • addVulnerableSoftware

        public void addVulnerableSoftware​(VulnerableSoftware software)
        Adds an entry for vulnerable software.
        Parameters:
        software - the vulnerable software reference to add

      • getCvssV2

        public io.github.jeremylong.openvulnerability.client.nvd.CvssV2 getCvssV2()
        Get the CVSS V2 scoring information.
        Returns:
        the CVSS V2 scoring information

      • setCvssV2

        public void setCvssV2​(io.github.jeremylong.openvulnerability.client.nvd.CvssV2 cvssV2)
        Sets the CVSS V2 scoring information.
        Parameters:
        cvssV2 - the CVSS V2 scoring information

      • getCvssV3

        public io.github.jeremylong.openvulnerability.client.nvd.CvssV3 getCvssV3()
        Get the CVSS V3 scoring information.
        Returns:
        the CVSS V3 scoring information

      • setCvssV3

        public void setCvssV3​(io.github.jeremylong.openvulnerability.client.nvd.CvssV3 cvssV3)
        Sets the CVSS V3 scoring information.
        Parameters:
        cvssV3 - the CVSS V3 scoring information

      • getCvssV4

        public io.github.jeremylong.openvulnerability.client.nvd.CvssV4 getCvssV4()
        Get the CVSS V3 scoring information.
        Returns:
        the CVSS V3 scoring information

      • setCvssV4

        public void setCvssV4​(io.github.jeremylong.openvulnerability.client.nvd.CvssV4 cvssV4)
        Sets the CVSS V4 scoring information.
        Parameters:
        cvssV4 - the CVSS V4 scoring information

      • getCwes

        public CweSet getCwes()
        Get the set of CWEs.
        Returns:
        the set of CWEs

      • addCwe

        public void addCwe​(java.lang.String cwe)
        Adds a CWE to the set.
        Parameters:
        cwe - new CWE to add

      • getUnscoredSeverity

        public java.lang.String getUnscoredSeverity()
        Retrieves the severity a Vulnerability.Source has assigned for which a CVSS score is not available. Severity could be anything ranging from 'critical', 'high', 'medium', and 'low', to non-traditional labels like 'major', 'minor', and 'important'.
        Returns:
        the un-scored severity

      • setUnscoredSeverity

        public void setUnscoredSeverity​(java.lang.String unscoredSeverity)
        Sets the severity a Vulnerability.Source has assigned for which a CVSS score is not available. Severity could be anything ranging from 'critical', 'high', 'medium', and 'low', to non-traditional labels like 'major', 'minor', and 'important'.
        Parameters:
        unscoredSeverity - the un-scored severity

      • getNotes

        public java.lang.String getNotes()
        Get the value of notes from suppression notes.
        Returns:
        the value of notes

      • setNotes

        public void setNotes​(java.lang.String notes)
        Set the value of notes.
        Parameters:
        notes - new value of notes

      • equals

        public boolean equals​(java.lang.Object obj)
        Overrides:
        equals in class java.lang.Object

      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class java.lang.Object

      • toString

        public java.lang.String toString()
        Overrides:
        toString in class java.lang.Object

      • compareTo

        public int compareTo​(@NotNull
                     @NotNull Vulnerability o)
        Compares two vulnerabilities.
        Natural order of vulnerabilities is defined as decreasing in severity and alphabetically by name for equal severity. This way the most severe issues are listed first in a sorted list.
        This uses a best-effort ordering for severity as the variety of sources do not guarantee a consistent availability of standardized severity scores. The bestEffort severity level estimation will use CVSSv3 baseScore for comparison when available on both sides. If any of the vulnerabilities does not have a CVSSv3 score the sort order may be off, but it will be consistent.
        The ranking (high to low) of severity can be informally represented as &lt;CVSSv3 critical> >> &lt;Unscored recognized critical> >> &lt;Unscored unrecognized (assumed Critical)> >> &lt;Score-based comparison for high-or-lower scoring severities with recognized unscored severities taking the lower bound of the comparable CVSSv3 range>
        Specified by:
        compareTo in interface java.lang.Comparable<Vulnerability>
        Parameters:
        o - a vulnerability to be compared
        Returns:
        a negative integer, zero, or a positive integer as this object is less than , equal to, or greater than the specified vulnerability
        See Also:
        bestEffortSeverityLevelForSorting()

      • getHighestSeverityText

        public java.lang.String getHighestSeverityText()
        The report text to use for highest severity when this issue is ranked highest.
        Returns:
        The string to display in the report, clarifying for unrecognized unscored severities that critical is assumed.

      • setMatchedVulnerableSoftware

        public void setMatchedVulnerableSoftware​(VulnerableSoftware software)
        Sets the CPE that caused this vulnerability to be flagged.
        Parameters:
        software - a Vulnerable Software identifier

      • getMatchedVulnerableSoftware

        public VulnerableSoftware getMatchedVulnerableSoftware()
        Get the value of matchedVulnerableSoftware.
        Returns:
        the value of matchedVulnerableSoftware

      • getSource

        public Vulnerability.Source getSource()
        Returns the source that identified the vulnerability.
        Returns:
        the source

      • setSource

        public void setSource​(Vulnerability.Source source)
        Sets the source that identified the vulnerability.
        Parameters:
        source - the source