jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Annotate the CVEs with a comment for tracking #2431

Open chnke opened 4 years ago

chnke commented 4 years ago

For each CVE suppressed in the suppressions.xml file (tag CVE-2015-1832), would it be possible to annotate the generated HTML report with a comment? The comment could be passed in the tags in suppressions.xml file, and it could be in HTML format, so that I can explain why it is suppressed, and with hyperlinks?

Can we have the same comment for the CVEs that are not in suppressions.xml, so that I can provide some references for each CVE active and under investigation? You can use another file to pass this information, similar to suppressions.xml.

The idea is that when I open the HTML report file, each CVE has a comment with explanation and references.

jeremylong commented 4 years ago

This feature already exists - but may be a little hidden unless you know what you are looking for in the report. At the very bottom of the report there is a collapsed section called Suppressed Vulnerabilities. If you expand this you will see all of the suppressed items and if the suppression.xml file you used had a note it will be listed in the report. These notes are also added to the XML and JSON version of the report.

However, there is currently no way to create the notes for a non-suppressed item - we'll have to figure out the best way to do this. However, what I find interesting about this is that people spend more time analyzing if they are actually vulnerable than, in most cases, it takes to just upgrade to a non-vulnerable version.
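The existing notes feature described above, as an added illustration that is not part of the issue thread: a constructed suppressions.xml entry that suppresses the CVE named in the original question and records the reasoning in a `notes` element, which the HTML, XML and JSON reports then carry. It assumes the 1.3 suppression schema; the package URL pattern, ticket reference and URL are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Constructed example, not from the DependencyCheck project. -->
    <suppress>
        <!-- The note is HTML-encoded when rendered, so markup inside it is
             shown as literal text, not as links. Keep it to plain text. -->
        <notes><![CDATA[
            Suppressed after review: the affected code path is not reachable
            from this service. Tracking ticket: TICKET-PLACEHOLDER.
            Reference: https://example.invalid/placeholder-ticket
            Re-evaluate when the dependency is next upgraded.
        ]]></notes>
        <!-- Scope the suppression to one group of artifacts (placeholder pattern)
             rather than to every dependency that carries this CVE. -->
        <packageUrl regex="true">^pkg:maven/org\.example/[^/]+@.*$</packageUrl>
        <cve>CVE-2015-1832</cve>
    </suppress>
</suppressions>
```

With this file passed to the scan, the entry appears under the collapsed Suppressed Vulnerabilities section at the bottom of the HTML report together with the note text.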

jeremylong commented 4 years ago

Regarding the HTML content - I am very opposed to this. I might be open to MD if we strip all tags prior to rendering the MD as HTML (this might be useful in other parts of ODC as well, as some external content we utilize contains MD which we currently render as text).

The rendering currently takes place in the Velocity HTML template:

https://github.com/jeremylong/DependencyCheck/blob/2b6f802301edbf2aadab76f58d05dbfd4434b3b8/core/src/main/resources/templates/htmlReport.vsl#L867-L869
https://github.com/jeremylong/DependencyCheck/blob/2b6f802301edbf2aadab76f58d05dbfd4434b3b8/core/src/main/resources/templates/htmlReport.vsl#L883
https://github.com/jeremylong/DependencyCheck/blob/2b6f802301edbf2aadab76f58d05dbfd4434b3b8/core/src/main/resources/templates/htmlReport.vsl#L910
https://github.com/jeremylong/DependencyCheck/blob/2b6f802301edbf2aadab76f58d05dbfd4434b3b8/core/src/main/resources/templates/htmlReport.vsl#L1051
https://github.com/jeremylong/DependencyCheck/blob/2b6f802301edbf2aadab76f58d05dbfd4434b3b8/core/src/main/resources/templates/htmlReport.vsl#L1078

A new method would need to be added to the ReportTool to take MD, strip or encode HTML tags, and then render the HTML as output. This could then be used to wrap the output of the suppression notes instead of just the current HTML encoding.

For your other annotation enhancement for non-suppressed vulnerabilities - I would suggest we just expand the current suppression analyzer and the suppression file schema to allow for annotation of non-suppressed vulnerabilities.