org.owasp.dependencycheck.dependency

Class VulnerableSoftware

java.lang.Object

us.springett.parsers.cpe.Cpe

org.owasp.dependencycheck.dependency.VulnerableSoftware

All Implemented Interfaces:

Serializable, Comparable, us.springett.parsers.cpe.ICpe

@ThreadSafe
public class VulnerableSoftware
extends us.springett.parsers.cpe.Cpe
implements Serializable

A record containing information about vulnerable software. This is referenced from a vulnerability.

Author:

Jeremy Long

See Also:

Serialized Form

Constructor Summary

Constructors

Constructor and Description

VulnerableSoftware(us.springett.parsers.cpe.values.Part part, String vendor, String product, String version, String update, String edition, String language, String swEdition, String targetSw, String targetHw, String other, String versionEndExcluding, String versionEndIncluding, String versionStartExcluding, String versionStartIncluding, boolean vulnerable) Constructs a new immutable VulnerableSoftware object that represents the Well Form Named defined in the CPE 2.3 specification.

Method Summary

Modifier and Type	Method and Description
int	compareTo(@NotNull Object o)
protected boolean	compareVersionRange(String targetVersion) Evaluates the target against the version and version range checks: versionEndExcluding, versionStartExcluding versionEndIncluding, and versionStartIncluding.
protected static boolean	compareVersions(VulnerableSoftware vs, String targetVersion) Evaluates the target against the version and version range checks: versionEndExcluding, versionStartExcluding versionEndIncluding, and versionStartIncluding.
boolean	equals(Object obj)
String	getVersionEndExcluding() Returns the versionEndExcluding.
String	getVersionEndIncluding() Returns the versionEndIncluding.
String	getVersionStartExcluding() Returns the versionStartExcluding.
String	getVersionStartIncluding() Returns the versionStartIncluding.
int	hashCode()
boolean	isVulnerable() Returns the value of vulnerable.
boolean	matchedBy(us.springett.parsers.cpe.ICpe target) Determines if the target VulnerableSoftware matches the VulnerableSoftware.
boolean	matches(us.springett.parsers.cpe.ICpe target) Determines if the VulnerableSoftware matches the given target VulnerableSoftware.
static boolean	testMatch(us.springett.parsers.cpe.ICpe left, us.springett.parsers.cpe.ICpe right) Tests if the left matches the right.
String	toString()

Methods inherited from class us.springett.parsers.cpe.Cpe

compareAttributes, compareAttributes, compareVersions, getEdition, getLanguage, getOther, getPart, getProduct, getSwEdition, getTargetHw, getTargetSw, getUpdate, getVendor, getVersion, getWellFormedEdition, getWellFormedLanguage, getWellFormedOther, getWellFormedProduct, getWellFormedSwEdition, getWellFormedTargetHw, getWellFormedTargetSw, getWellFormedUpdate, getWellFormedVendor, getWellFormedVersion, toCpe22Uri, toCpe23FS

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

VulnerableSoftware

public VulnerableSoftware(us.springett.parsers.cpe.values.Part part,
                          String vendor,
                          String product,
                          String version,
                          String update,
                          String edition,
                          String language,
                          String swEdition,
                          String targetSw,
                          String targetHw,
                          String other,
                          String versionEndExcluding,
                          String versionEndIncluding,
                          String versionStartExcluding,
                          String versionStartIncluding,
                          boolean vulnerable)
                   throws us.springett.parsers.cpe.exceptions.CpeValidationException

Constructs a new immutable VulnerableSoftware object that represents the Well Form Named defined in the CPE 2.3 specification. Specifying null will be set to the default LogicalValue.ANY. All values passed in must be well formed (i.e. special characters quoted with a backslash).

Parameters:

part - the type of entry: application, operating system, or hardware

vendor - the vendor of the CPE entry

product - the product of the CPE entry

version - the version of the CPE entry

update - the update of the CPE entry

edition - the edition of the CPE entry

language - the language of the CPE entry

swEdition - the swEdition of the CPE entry

targetSw - the targetSw of the CPE entry

targetHw - the targetHw of the CPE entry

other - the other of the CPE entry

versionEndExcluding - the ending range, excluding the specified version, for matching vulnerable software

versionEndIncluding - the ending range, including the specified version, for matching vulnerable software

versionStartExcluding - the starting range, excluding the specified version, for matching vulnerable software

versionStartIncluding - the starting range, including the specified version, for matching vulnerable software

vulnerable - whether or not this represents a vulnerable software item

Throws:

us.springett.parsers.cpe.exceptions.CpeValidationException - thrown if one of the CPE entries is invalid

See Also:

CPE 2.3

Method Detail

compareTo

public int compareTo(@NotNull
                     @NotNull Object o)

Specified by:

compareTo in interface Comparable

Overrides:

compareTo in class us.springett.parsers.cpe.Cpe

hashCode

public int hashCode()

Overrides:

hashCode in class us.springett.parsers.cpe.Cpe

equals

public boolean equals(Object obj)

Overrides:

equals in class us.springett.parsers.cpe.Cpe

matches

public boolean matches(us.springett.parsers.cpe.ICpe target)

Determines if the VulnerableSoftware matches the given target VulnerableSoftware. This does not follow the CPE 2.3 Specification exactly as there are cases where undefined comparisons will result in either true or false. For instance, 'ANY' will match 'm+wild cards' and NA will return false when the target has 'm+wild cards'.

For vulnerable software matching, the implementation also takes into account version ranges as specified within the NVD data feeds.

Specified by:

matches in interface us.springett.parsers.cpe.ICpe

Overrides:

matches in class us.springett.parsers.cpe.Cpe

Parameters:

target - the target CPE to evaluate

Returns:

true if the CPE matches the target; otherwise false

testMatch

public static boolean testMatch(us.springett.parsers.cpe.ICpe left,
                                us.springett.parsers.cpe.ICpe right)

Tests if the left matches the right.

Parameters:

left - the cpe to compare

right - the cpe to check

Returns:

true if a match is found; otherwise false

matchedBy

public boolean matchedBy(us.springett.parsers.cpe.ICpe target)

Determines if the target VulnerableSoftware matches the VulnerableSoftware. This does not follow the CPE 2.3 Specification exactly as there are cases where undefined comparisons will result in either true or false. For instance, 'ANY' will match 'm+wild cards' and NA will return false when the target has 'm+wild cards'.

For vulnerable software matching, the implementation also takes into account version ranges as specified within the NVD data feeds.

Specified by:

matchedBy in interface us.springett.parsers.cpe.ICpe

Overrides:

matchedBy in class us.springett.parsers.cpe.Cpe

Parameters:

target - the VulnerableSoftware to evaluate

Returns:

true if the target CPE matches CPE; otherwise false

compareVersionRange

protected boolean compareVersionRange(String targetVersion)

Evaluates the target against the version and version range checks: versionEndExcluding, versionStartExcluding versionEndIncluding, and versionStartIncluding.

Parameters:

targetVersion - the version to compare

Returns:

true if the target version is matched; otherwise false

compareVersions

protected static boolean compareVersions(VulnerableSoftware vs,
                                         String targetVersion)

Evaluates the target against the version and version range checks: versionEndExcluding, versionStartExcluding versionEndIncluding, and versionStartIncluding.

Parameters:

vs - a reference to the vulnerable software to compare

targetVersion - the version to compare

Returns:

true if the target version is matched; otherwise false

getVersionEndExcluding

public String getVersionEndExcluding()

Returns the versionEndExcluding.

Returns:

the versionEndExcluding

getVersionEndIncluding

public String getVersionEndIncluding()

Returns the versionEndIncluding.

Returns:

the versionEndIncluding

getVersionStartExcluding

public String getVersionStartExcluding()

Returns the versionStartExcluding.

Returns:

the versionStartExcluding

getVersionStartIncluding

public String getVersionStartIncluding()

Returns the versionStartIncluding.

Returns:

the versionStartIncluding

isVulnerable

public boolean isVulnerable()

Returns the value of vulnerable.

Returns:

the value of vulnerable

toString

public String toString()

Overrides:

toString in class us.springett.parsers.cpe.Cpe