templates.jenkinsReport.vsl Maven / Gradle / Ivy
#**
This file is part of dependency-check-core.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long
@version 1.4
*#
#[[
Dependency-Check Report
Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
How to read the report |
Suppressing false positives |
Getting Help: github issues
Sponsor
]]#
Project: $enc.html($applicationName)
#if ($groupID && $artifactID && $applicationVersion)
$enc.html($groupID):$enc.html($artifactID):$enc.html($applicationVersion)
#end
#set($depCount=$dependencies.size())
#set($vulnDepCount=0)
#set($vulnCount=0)
#set($vulnSuppressedCount=0)
#set($cpeSuppressedCount=0)
#foreach($dependency in $dependencies)
#set($depCount=$depCount+$dependency.getRelatedDependencies().size())
#if($dependency.getVulnerabilities().size()>0)
#set($vulnDepCount=$vulnDepCount+1)
#set($vulnCount=$vulnCount+$dependency.getVulnerabilities().size())
#end
#if($dependency.getSuppressedIdentifiers().size()>0)
#set($cpeSuppressedCount=$cpeSuppressedCount+1)
#end
#if($dependency.getSuppressedVulnerabilities().size()>0)
#set($vulnSuppressedCount=$vulnSuppressedCount+$dependency.getSuppressedVulnerabilities().size())
#end
#end
Scan Information:
- dependency-check version: $version
- Report Generated On: $scanDate
- Dependencies Scanned: $depCount ($dependencies.size() unique)
- Vulnerable Dependencies: $vulnDepCount
- Vulnerabilities Found: $vulnCount
- Vulnerabilities Suppressed: $vulnSuppressedCount
#set($cnt=0)
#if($exceptions)
#macro( writeHtmlException $type $ex $depth)
#set($cnt=$cnt+1)
$enc.html($ex.getMessage())
$type: $enc.html($ex.toString())
#if($ex.getStackTrace())
#foreach($t in $ex.getStackTrace())
$enc.html($t.toString())
#end
#end
#if($ex.getCause() && $depth<20)
#set($cause="cause")
#set($currentDepth=$depth+1)
#writeHtmlException($cause $ex.getCause() $currentDepth)
#end
#end
Analysis Exceptions
#foreach($ex in $exceptions)
#set($type="exception")
#set($d=0)
#writeHtmlException($type $ex $d)
#end
#end
Summary
#set($lnkcnt=0)
Dependency
Vulnerability IDs
Package
Highest Severity
CVE Count
Confidence
Evidence Count
#foreach($dependency in $dependencies)
#if($dependency.getVulnerabilities().size()>0)
#set($lnkcnt=$lnkcnt+1)
$enc.html($dependency.DisplayFileName)
#set($mavenlink="")
#set($cpeIdCount=0)
#set($cpeIdConf="")
#set($sortValue="")
#foreach($id in $dependency.getVulnerableSoftwareIdentifiers())
#set($sortValue=$sortValue+$id.value)
#end
#set($sortValue="")
#set($cpeSort=0)
#foreach($id in $dependency.getVulnerableSoftwareIdentifiers())
#if ($cpeIdCount>=1)
#end
#if( $id.url )
$enc.html($id.value)
#else
$enc.html($id.value)
#end
#if ($cpeIdConf == "")
#set($cpeIdConf=$id.confidence)
#set($cpeSort=$id.confidence.ordinal())
#elseif ($cpeIdConf.compareTo($id.confidence)>0)
#set($cpeIdConf=$id.confidence)
#set($cpeSort=$id.confidence.ordinal())
#end
#set($cpeIdCount=$cpeIdCount+1)
#end
#foreach($id in $dependency.getSoftwareIdentifiers())
#set($sortValue=$sortValue+$id.value)
#end
#set($sortValue="")
#set($idCount=0)
#foreach($id in $dependency.getSoftwareIdentifiers())
#if ($idCount>=1)
#end
#if( $id.url )
$enc.html($id.value)
#else
$enc.html($id.value)
#end
#set($idCount=$idCount+1)
#end
#set($cveImpact=-1)
#set($cveSeverity=" ")
#if($dependency.getVulnerabilities().size()>0)
#set($severestVuln=$dependency.getVulnerabilities(true).iterator().next())
## yes - we are mixing v2 and v3... no consistency in data so doing the best we can
## with a set sorted approximately on descending severity
#if ($severestVuln.cvssV3)
#set($cveImpact=$severestVuln.cvssV3.cvssData.baseScore)
#elseif ($severestVuln.cvssV2)
#set($cveImpact=$severestVuln.cvssV2.cvssData.baseScore)
#end
#set($cveSeverity=$enc.html($severestVuln.highestSeverityText))
#end
#set($sortValue=$cveImpact*10)
$cveSeverity
$dependency.getVulnerabilities().size()
$WordUtils.capitalizeFully($cpeIdConf.toString())
$dependency.size()
#end
#end
Dependencies
#set($lnkcnt=0)
#set($vsctr=0) ##counter to create unique groups for vulnerable software
#foreach($dependency in $dependencies)
#if($dependency.getVulnerabilities().size()>0)
#set($lnkcnt=$lnkcnt+1)
$enc.html($dependency.DisplayFileName)
#if ($dependency.description)
Description:
$enc.html($dependency.description)
#end
#if ($dependency.license)
#if ($dependency.license.matches("https?://.+"))
License:
$enc.html($dependency.license)
#else
License:$enc.html($dependency.license)
#end
#end
File Path: $enc.html($dependency.FilePath)
#if(!$dependency.isVirtual())
MD5: $enc.html($dependency.Md5sum)
SHA1: $enc.html($dependency.Sha1sum)
SHA256:$enc.html($dependency.Sha256sum)
#end
#if ($dependency.projectReferences.size()==1)
Referenced In Project/Scope: $enc.html($dependency.projectReferences.iterator().next())
#end
#if ($dependency.projectReferences.size()>1)
Referenced In Projects/Scopes:
#foreach($ref in $dependency.projectReferences)
- $enc.html($ref)
#end
#end
#if ($dependency.includedBy && $dependency.includedBy.size()==1)
#set($incBy=$dependency.includedBy.iterator().next())
$enc.html($dependency.DisplayFileName) is in the transitive dependency tree of the listed items.Included by: $enc.html($incBy.getReference())#if($incBy.getType()) ($enc.html($incBy.getType()))#end
#end
#if ($dependency.includedBy && $dependency.includedBy.size()>1)
$enc.html($dependency.DisplayFileName) is in the transitive dependency tree of the listed items.Included by:
#foreach($parent in $dependency.includedBy)
- $enc.html($parent.getReference())#if($parent.getType()) ($enc.html($parent.getType()))#end
#end
#end
#if($dependency.getRelatedDependencies().size()>0)
#set($cnt=$cnt+1)
Related Dependencies
#foreach($related in $dependency.getRelatedDependencies())
- $enc.html($related.DisplayFileName)
- File Path: $enc.html($related.FilePath)
#if(!$related.isVirtual())
- MD5: $enc.html($related.Md5sum)
- SHA1: $enc.html($related.Sha1sum)
- SHA256: $enc.html($related.Sha256sum)
#end
#foreach($id in $related.getSoftwareIdentifiers())
#if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
- $enc.html($id.value)
#else
- $enc.html($id.value)
#end
#end
#end
#end
#set($cnt=$cnt+1)
Identifiers
##: $enc.html($cpevalue)
#if ($dependency.getSoftwareIdentifiers().size()==0 && $dependency.getVulnerableSoftwareIdentifiers().size()==0)
- None
#else
#foreach($id in $dependency.getSoftwareIdentifiers())
#if( $id.url )
- $enc.html($id.value)
#else
- $enc.html($id.value)
#end
#if ($id.confidence)
(Confidence:$WordUtils.capitalizeFully($id.confidence.toString()))
#end
#if ($id.notes)
- Notes: $enc.html($id.notes)
#end
#end
#foreach($id in $dependency.getVulnerableSoftwareIdentifiers())
#if( $id.url )
- $enc.html($id.value)
#else
- $enc.html($id.value)
#end
#if ($id.confidence)
(Confidence:$WordUtils.capitalizeFully($id.confidence.toString()))
#end
#if ($id.notes)
- Notes: $enc.html($id.notes)
#end
#end
#end
#set($cnt=$cnt+1)
Published Vulnerabilities
#foreach($vuln in $dependency.getVulnerabilities(true))
#set($vsctr=$vsctr+1)
#if($vuln.getSource().name().equals("NVD"))
#elseif($vuln.getSource().name().equals("NPM"))
#else
$enc.html($vuln.name) ($vuln.getSource().name())
#end
#if($vuln.description)
$enc.html($vuln.description)
#end
#if ($vuln.cwes.toString())
$vuln.cwes.toString()
#end
#if ($vuln.notes)
Notes: $enc.html($vuln.notes)
#end
#if($vuln.getCvssV2())
CVSSv2:
- Base Score: $enc.html($vuln.getCvssV2().getCvssData().getBaseSeverity()) ($vuln.getCvssV2().getCvssData().getBaseScore())
- Vector: $enc.html($vuln.getCvssV2().toString())
#end
#if($vuln.getCvssV3())
CVSSv3:
- Base Score: $enc.html($vuln.getCvssV3().getCvssData().getBaseSeverity()) ($vuln.getCvssV3().getCvssData().getBaseScore())
- Vector: $enc.html($vuln.getCvssV3().toString())
#end
#if ($vuln.unscoredSeverity)
Unscored:
- Severity: #if($vuln.unscoredSeverity.equals("0.0"))Unknown#else$enc.html($vuln.unscoredSeverity)#end
#end
#if ($vuln.getReferences().size()>0)
References:
#foreach($ref in $vuln.getReferences(true))
#if ($ref.url && $ref.name)
- $enc.html($ref.source) - $enc.html($ref.name)
#elseif ($ref.uri)
- $enc.html($ref.source) - $enc.html($ref.url)
#elseif ($ref.name)
- $enc.html($ref.source) - $enc.html($ref.name)
#end
#end
#end
#if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
#if ($vuln.getVulnerableSoftware().size()<2)
Vulnerable Software & Versions:
#else
Vulnerable Software & Versions:
- $enc.html($vuln.matchedVulnerableSoftware.toString())
#foreach($vs in $vuln.getVulnerableSoftware(true))
- $enc.html($vs.toString())
#end
#end
#elseif ($vuln.getVulnerableSoftware().size()!=0)
Vulnerable Software & Versions ($vuln.getSource().name()):
#foreach($vs in $vuln.getVulnerableSoftware(true))
- $enc.html($vs.toString())
#end
#end
#end
#end
#end
This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.