Class VulnerableSoftware

  • All Implemented Interfaces:
    java.io.Serializable, java.lang.Comparable, us.springett.parsers.cpe.ICpe

    @ThreadSafe
    public class VulnerableSoftware
    extends us.springett.parsers.cpe.Cpe
    implements java.io.Serializable
    A record containing information about vulnerable software. This is referenced from a vulnerability.
    Author:
    Jeremy Long
    See Also:
    Serialized Form
    • Constructor Summary

      Constructors 
      Constructor Description
      VulnerableSoftware​(us.springett.parsers.cpe.values.Part part, java.lang.String vendor, java.lang.String product, java.lang.String version, java.lang.String update, java.lang.String edition, java.lang.String language, java.lang.String swEdition, java.lang.String targetSw, java.lang.String targetHw, java.lang.String other, java.lang.String versionEndExcluding, java.lang.String versionEndIncluding, java.lang.String versionStartExcluding, java.lang.String versionStartIncluding, boolean vulnerable)
      Constructs a new immutable VulnerableSoftware object that represents the Well-Formed Name defined in the CPE 2.3 specification.
    • Method Summary

      Modifier and Type Method Description
      int compareTo​(@NotNull java.lang.Object o)  
      protected static boolean compareUpdateAttributes​(java.lang.String left, java.lang.String right)
      Performs the same operation as Cpe.compareAttributes(), except that additional rules are applied to match a1 to alpha1, and the comparison of update attributes will also return true if the only difference between the strings is an underscore or hyphen.
      protected boolean compareVersionRange​(java.lang.String targetVersion)
      Evaluates the target against the version and version range checks: versionEndExcluding, versionStartExcluding, versionEndIncluding, and versionStartIncluding.
      protected static boolean compareVersions​(VulnerableSoftware vs, java.lang.String targetVersion)
      Evaluates the target against the version and version range checks: versionEndExcluding, versionStartExcluding, versionEndIncluding, and versionStartIncluding.
      boolean equals​(java.lang.Object obj)  
      java.lang.String getVersionEndExcluding()
      Returns the versionEndExcluding.
      java.lang.String getVersionEndIncluding()
      Returns the versionEndIncluding.
      java.lang.String getVersionStartExcluding()
      Returns the versionStartExcluding.
      java.lang.String getVersionStartIncluding()
      Returns the versionStartIncluding.
      int hashCode()  
      boolean isVulnerable()
      Returns the value of vulnerable.
      boolean matchedBy​(us.springett.parsers.cpe.ICpe target)
      Determines if the target VulnerableSoftware matches this VulnerableSoftware.
      boolean matches​(us.springett.parsers.cpe.ICpe target)
      Determines if this VulnerableSoftware matches the given target VulnerableSoftware.
      static boolean testMatch​(us.springett.parsers.cpe.ICpe left, us.springett.parsers.cpe.ICpe right)
      Tests if the left matches the right.
      java.lang.String toString()  
      • Methods inherited from class us.springett.parsers.cpe.Cpe

        compareAttribute, compareAttribute, compareAttributes, compareAttributes, compareVersions, getEdition, getLanguage, getOther, getPart, getProduct, getSwEdition, getTargetHw, getTargetSw, getUpdate, getVendor, getVersion, getWellFormedEdition, getWellFormedLanguage, getWellFormedOther, getWellFormedProduct, getWellFormedSwEdition, getWellFormedTargetHw, getWellFormedTargetSw, getWellFormedUpdate, getWellFormedVendor, getWellFormedVersion, toCpe22Uri, toCpe23FS
      • Methods inherited from class java.lang.Object

        clone, finalize, getClass, notify, notifyAll, wait, wait, wait
    • Constructor Detail

      • VulnerableSoftware

        public VulnerableSoftware​(us.springett.parsers.cpe.values.Part part,
                                  java.lang.String vendor,
                                  java.lang.String product,
                                  java.lang.String version,
                                  java.lang.String update,
                                  java.lang.String edition,
                                  java.lang.String language,
                                  java.lang.String swEdition,
                                  java.lang.String targetSw,
                                  java.lang.String targetHw,
                                  java.lang.String other,
                                  java.lang.String versionEndExcluding,
                                  java.lang.String versionEndIncluding,
                                  java.lang.String versionStartExcluding,
                                  java.lang.String versionStartIncluding,
                                  boolean vulnerable)
                           throws us.springett.parsers.cpe.exceptions.CpeValidationException
        Constructs a new immutable VulnerableSoftware object that represents the Well-Formed Name defined in the CPE 2.3 specification. A parameter passed as null is set to the default LogicalValue.ANY. All values passed in must be well formed (i.e. special characters quoted with a backslash).
        Parameters:
        part - the type of entry: application, operating system, or hardware
        vendor - the vendor of the CPE entry
        product - the product of the CPE entry
        version - the version of the CPE entry
        update - the update of the CPE entry
        edition - the edition of the CPE entry
        language - the language of the CPE entry
        swEdition - the swEdition of the CPE entry
        targetSw - the targetSw of the CPE entry
        targetHw - the targetHw of the CPE entry
        other - the other of the CPE entry
        versionEndExcluding - the ending range, excluding the specified version, for matching vulnerable software
        versionEndIncluding - the ending range, including the specified version, for matching vulnerable software
        versionStartExcluding - the starting range, excluding the specified version, for matching vulnerable software
        versionStartIncluding - the starting range, including the specified version, for matching vulnerable software
        vulnerable - whether or not this represents a vulnerable software item
        Throws:
        us.springett.parsers.cpe.exceptions.CpeValidationException - thrown if one of the CPE entries is invalid
        See Also:
        CPE 2.3
    • Method Detail

      • compareTo

        public int compareTo(@NotNull java.lang.Object o)
        Specified by:
        compareTo in interface java.lang.Comparable
        Overrides:
        compareTo in class us.springett.parsers.cpe.Cpe
      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class us.springett.parsers.cpe.Cpe
      • equals

        public boolean equals​(java.lang.Object obj)
        Overrides:
        equals in class us.springett.parsers.cpe.Cpe
      • matches

        public boolean matches​(us.springett.parsers.cpe.ICpe target)

        Determines if this VulnerableSoftware matches the given target VulnerableSoftware. This does not follow the CPE 2.3 Specification exactly, as there are cases where undefined comparisons will result in either true or false. For instance, 'ANY' will match 'm+wild cards' and 'NA' will return false when the target has 'm+wild cards'.

        For vulnerable software matching, the implementation also takes into account version ranges as specified within the NVD data feeds.

        Specified by:
        matches in interface us.springett.parsers.cpe.ICpe
        Overrides:
        matches in class us.springett.parsers.cpe.Cpe
        Parameters:
        target - the target CPE to evaluate
        Returns:
        true if the CPE matches the target; otherwise false
      • compareUpdateAttributes

        protected static boolean compareUpdateAttributes​(java.lang.String left,
                                                         java.lang.String right)
        Performs the same operation as Cpe.compareAttributes(), except that additional rules are applied to match a1 to alpha1, and the comparison of update attributes will also return true if the only difference between the strings is an underscore or hyphen.
        Parameters:
        left - the left value to compare
        right - the right value to compare
        Returns:
        true if there is a match; otherwise false
      • testMatch

        public static boolean testMatch​(us.springett.parsers.cpe.ICpe left,
                                        us.springett.parsers.cpe.ICpe right)
        Tests if the left matches the right.
        Parameters:
        left - the cpe to compare
        right - the cpe to check
        Returns:
        true if a match is found; otherwise false
      • matchedBy

        public boolean matchedBy​(us.springett.parsers.cpe.ICpe target)

        Determines if the target VulnerableSoftware matches this VulnerableSoftware. This does not follow the CPE 2.3 Specification exactly, as there are cases where undefined comparisons will result in either true or false. For instance, 'ANY' will match 'm+wild cards' and 'NA' will return false when the target has 'm+wild cards'.

        For vulnerable software matching, the implementation also takes into account version ranges as specified within the NVD data feeds.

        Specified by:
        matchedBy in interface us.springett.parsers.cpe.ICpe
        Overrides:
        matchedBy in class us.springett.parsers.cpe.Cpe
        Parameters:
        target - the VulnerableSoftware to evaluate
        Returns:
        true if the target CPE matches this CPE; otherwise false
      • compareVersionRange

        protected boolean compareVersionRange​(java.lang.String targetVersion)
        Evaluates the target against the version and version range checks: versionEndExcluding, versionStartExcluding, versionEndIncluding, and versionStartIncluding.
        Parameters:
        targetVersion - the version to compare
        Returns:
        true if the target version is matched; otherwise false
      • compareVersions

        protected static boolean compareVersions​(VulnerableSoftware vs,
                                                 java.lang.String targetVersion)
        Evaluates the target against the version and version range checks: versionEndExcluding, versionStartExcluding, versionEndIncluding, and versionStartIncluding.
        Parameters:
        vs - a reference to the vulnerable software to compare
        targetVersion - the version to compare
        Returns:
        true if the target version is matched; otherwise false
      • getVersionEndExcluding

        public java.lang.String getVersionEndExcluding()
        Returns the versionEndExcluding.
        Returns:
        the versionEndExcluding
      • getVersionEndIncluding

        public java.lang.String getVersionEndIncluding()
        Returns the versionEndIncluding.
        Returns:
        the versionEndIncluding
      • getVersionStartExcluding

        public java.lang.String getVersionStartExcluding()
        Returns the versionStartExcluding.
        Returns:
        the versionStartExcluding
      • getVersionStartIncluding

        public java.lang.String getVersionStartIncluding()
        Returns the versionStartIncluding.
        Returns:
        the versionStartIncluding
      • isVulnerable

        public boolean isVulnerable()
        Returns the value of vulnerable.
        Returns:
        the value of vulnerable
      • toString

        public java.lang.String toString()
        Overrides:
        toString in class us.springett.parsers.cpe.Cpe
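
An added usage example (not part of the original Javadoc or the project's own code): it builds a range-based entry with the constructor documented above and evaluates constructed targets with matches(), including both boundary versions. The package org.owasp.dependencycheck.dependency, the CpeBuilder helper from the CPE parser library, and the example_vendor / example_product names are assumptions that do not appear on this page.

```java
import org.owasp.dependencycheck.dependency.VulnerableSoftware; // assumed package; not stated on this page
import us.springett.parsers.cpe.CpeBuilder;                     // assumed builder from the CPE parser library
import us.springett.parsers.cpe.ICpe;
import us.springett.parsers.cpe.exceptions.CpeValidationException;
import us.springett.parsers.cpe.values.Part;

public class VersionRangeMatchExample {

    // Builds a scan-side CPE for the constructed product at the given version.
    static ICpe target(String version) throws CpeValidationException {
        return new CpeBuilder()
                .part(Part.APPLICATION)
                .vendor("example_vendor")
                .product("example_product")
                .version(version)
                .build();
    }

    public static void main(String[] args) throws CpeValidationException {
        // Advisory-side entry: versions from 2.0.0 (inclusive) up to 2.4.7 (exclusive).
        // Null attributes default to LogicalValue.ANY, as the constructor documentation states.
        VulnerableSoftware affected = new VulnerableSoftware(
                Part.APPLICATION, "example_vendor", "example_product",
                null,    // version: ANY, the range fields below carry the constraint
                null, null, null, null, null, null, null, // update .. other
                "2.4.7", // versionEndExcluding
                null,    // versionEndIncluding
                null,    // versionStartExcluding
                "2.0.0", // versionStartIncluding
                true);   // vulnerable

        // Constructed targets: below the range, on the inclusive start,
        // inside the range, and on the excluded end (the first fixed release).
        for (String v : new String[] {"1.9.9", "2.0.0", "2.3.1", "2.4.7"}) {
            System.out.printf("%-6s matches=%b%n", v, affected.matches(target(v)));
        }
    }
}
```

The two boundary versions are the ones worth pinning in a regression test, since an inclusive bound recorded as exclusive (or the reverse) turns into a missed or spurious finding.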