templates.jsonReport.vsl Maven / Gradle / Ivy
dependency-check-core is the engine and reporting tool used to identify and report any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses it to do fuzzy keyword matching against the Common Platform Enumeration (CPE); if any CPE identifiers are found, the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.
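## Velocity template that renders the dependency-check JSON report (reportSchema 1.1).
## Every dynamic string value is passed through $enc.json so that quotes, backslashes and
## control characters found in dependency metadata cannot break the document or add keys.
## "#if($foreach.count > 1),#end" emits the separating comma inside every array so the
## output never carries a trailing comma.
{
"reportSchema": "1.1",
"scanInfo": {
"engineVersion": "$version",
## One entry per metadata property: the key becomes "name", the value "timestamp".
"dataSource": [
#foreach($prop in $properties.getMetaData().entrySet())
#if($foreach.count > 1),#end{
"name": "$enc.json($prop.key)",
"timestamp": "$enc.json($prop.value)"
}
#end
]
},
"projectInfo": {
"name": "$enc.json($applicationName)",
## groupID / artifactID / version are optional and omitted (not null) when unset.
#if($groupID)"groupID":"$enc.json($groupID)",#end
#if($artifactID)"artifactID":"$enc.json($artifactID)",#end
#if($applicationVersion)"version":"$enc.json($applicationVersion)",#end
"reportDate": "$enc.json($scanDateXML)",
"credits": {
"NVD": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov",
"NPM": "This report may contain data retrieved from the NPM Public Advisories: https://www.npmjs.com/advisories",
"RETIREJS": "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/",
"OSSINDEX": "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org"
}
},
"dependencies": [
#foreach($dependency in $dependencies)#if($foreach.count > 1),#end{
"isVirtual": #if($dependency.isVirtual())true#{else}false#end,
"fileName": "$enc.json($dependency.DisplayFileName)",
"filePath": "$enc.json($dependency.FilePath)"
## File hashes are only emitted for dependencies backed by a real file (non-virtual).
#if(!$dependency.isVirtual()),"md5": "$enc.json($dependency.Md5sum)",
"sha1": "$enc.json($dependency.Sha1sum)",
"sha256": "$enc.json($dependency.Sha256sum)"#end
#if($dependency.description),"description": "$enc.json($dependency.description)"#end
#if($dependency.license),"license": "$enc.json($dependency.license)"#end
#if ($dependency.projectReferences.size()>0)
,"projectReferences": [
#foreach($ref in $dependency.projectReferences)
#if($foreach.count > 1),#end
"$enc.json($ref)"
#end
]
#end
#if ($dependency.getRelatedDependencies().size()>0)
,"relatedDependencies": [
#foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end {
"isVirtual": #if($related.isVirtual())true#{else}false#end,
"filePath": "$enc.json($related.FilePath)"
#if(!$related.isVirtual()),"sha256": "$enc.json($related.Sha256sum)",
"sha1": "$enc.json($related.Sha1sum)",
"md5": "$enc.json($related.Md5sum)"#end#if($related.getSoftwareIdentifiers().size()>0),
"packageIds": [
#foreach($id in $related.getSoftwareIdentifiers())
#if($foreach.count > 1),#end
{
## $id.value is JSON-encoded here exactly like the identifier values in "packages",
## "vulnerabilityIds" and "suppressedVulnerabilityIds" below; an unescaped quote or
## backslash in a package identifier would otherwise corrupt the document.
"id": "$enc.json($id.value)"
#if ($id.url),"url": "$enc.json($id.url)"#end
#if ($id.notes),"notes": "$enc.json($id.notes)"#end
#if ($id.description),"description":"$enc.json($id.description)"#end
}
#end
]#end
}
#end
]
#end
## Evidence is grouped by the type it was collected for (vendor / product / version).
,"evidenceCollected": {
"vendorEvidence": [
#foreach($evidence in $dependency.getEvidence($VENDOR))
#if($foreach.count > 1),#end{
"type": "vendor",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
}
#end
],
"productEvidence": [
#foreach($evidence in $dependency.getEvidence($PRODUCT))
#if($foreach.count > 1),#end{
"type": "product",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
}
#end
],
"versionEvidence": [
#foreach($evidence in $dependency.getEvidence($VERSION))
#if($foreach.count > 1),#end
{
"type": "version",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
}
#end
]
}
## Identifier lists: null-guarded because the getters may return null rather than an empty set.
#if($dependency.getSoftwareIdentifiers() && $dependency.getSoftwareIdentifiers().size()>0)
,"packages": [
#foreach($id in $dependency.getSoftwareIdentifiers())
#if($foreach.count > 1),#end
{
"id": "$enc.json($id.value)"
#if($id.confidence),"confidence": "$enc.json($id.confidence)"#end
#if($id.url),"url": "$enc.json($id.url)"#end
#if($id.description),"description": "$enc.json($id.description)"#end
#if($id.notes),"notes": "$enc.json($id.notes)"#end
}
#end
]#end
#if($dependency.getVulnerableSoftwareIdentifiers() && $dependency.getVulnerableSoftwareIdentifiers().size()>0)
,"vulnerabilityIds": [
#foreach($id in $dependency.getVulnerableSoftwareIdentifiers())
#if($foreach.count > 1),#end
{
"id": "$enc.json($id.value)"
#if($id.confidence),"confidence": "$enc.json($id.confidence)"#end
#if($id.url),"url": "$enc.json($id.url)"#end
#if($id.description),"description": "$enc.json($id.description)"#end
#if($id.notes),"notes": "$enc.json($id.notes)"#end
}
#end
]#end
#if($dependency.getSuppressedIdentifiers() && $dependency.getSuppressedIdentifiers().size()>0)
,"suppressedVulnerabilityIds": [
#foreach($id in $dependency.getSuppressedIdentifiers())
#if($foreach.count > 1),#end
{
"id": "$enc.json($id.value)"
#if($id.confidence),"confidence": "$enc.json($id.confidence)"#end
#if($id.url),"url": "$enc.json($id.url)"#end
#if($id.description),"description": "$enc.json($id.description)"#end
#if($id.notes),"notes": "$enc.json($id.notes)"#end
}
#end
]#end
## NOTE(review): the guard calls getVulnerabilities() while the loop calls
## getVulnerabilities(true) — confirm both return the same set, otherwise an empty
## "vulnerabilities" array can be emitted or entries can be skipped.
#if($dependency.getVulnerabilities().size()>0)
,"vulnerabilities": [
#foreach($vuln in $dependency.getVulnerabilities(true))#if($foreach.count > 1),#end {
"source": "$enc.json($vuln.getSource().name())",
"name": "$enc.json($vuln.name)",
## Top-level severity precedence: unscored severity, then CVSS v3 base severity,
## then CVSS v2 severity; omitted when none is available.
#if($vuln.UnscoredSeverity)"severity" : "$enc.json($vuln.unscoredSeverity)",
#elseif($vuln.cvssV3 && $vuln.cvssV3.baseSeverity)
"severity" : "$enc.json($vuln.cvssV3.baseSeverity)",
#elseif($vuln.cvssV2 && $vuln.cvssV2.severity)
"severity" : "$enc.json($vuln.cvssV2.severity)",
#end
#if($vuln.cvssV2)
"cvssv2": {
"score": $vuln.cvssV2.score,
"accessVector": "$enc.json($vuln.cvssV2.accessVector)",
"accessComplexity": "$enc.json($vuln.cvssV2.accessComplexity)",
## The key spellings "authenticationr" and "confidentialImpact" are part of the
## published 1.1 report schema; renaming them would break consumers, so they stay.
"authenticationr": "$enc.json($vuln.cvssV2.authentication)",
"confidentialImpact": "$enc.json($vuln.cvssV2.confidentialityImpact)",
"integrityImpact": "$enc.json($vuln.cvssV2.integrityImpact)",
"availabilityImpact": "$enc.json($vuln.cvssV2.availabilityImpact)",
"severity": "$enc.json($vuln.cvssV2.severity)"
},
#end
#if($vuln.cvssV3)
"cvssv3": {
"baseScore": $vuln.cvssV3.baseScore,
"attackVector": "$enc.json($vuln.cvssV3.attackVector)",
"attackComplexity": "$enc.json($vuln.cvssV3.attackComplexity)",
"privilegesRequired": "$enc.json($vuln.cvssV3.privilegesRequired)",
"userInteraction": "$enc.json($vuln.cvssV3.userInteraction)",
"scope": "$enc.json($vuln.cvssV3.scope)",
"confidentialityImpact": "$enc.json($vuln.cvssV3.confidentialityImpact)",
"integrityImpact": "$enc.json($vuln.cvssV3.integrityImpact)",
"availabilityImpact": "$enc.json($vuln.cvssV3.availabilityImpact)",
"baseSeverity": "$enc.json($vuln.cvssV3.baseSeverity)"
},
#end
## NOTE(review): the guard reads $vuln.cwe.cwes while the loop reads $vuln.cwes.entries —
## confirm both resolve to the same CWE collection.
#if (!$vuln.cwe.cwes.isEmpty())
"cwes": [
#foreach($cweEntry in $vuln.cwes.entries)
#if($foreach.count > 1),#end
"$enc.json($cweEntry)"
#end
],
#end
"description": "$enc.json($vuln.description)",
## "notes" is always present; it is the empty string when the vulnerability has none.
"notes": "#if ($vuln.notes)$enc.json($vuln.notes)#end",
"references": [
#foreach($ref in $vuln.getReferences())
#if($foreach.count > 1),#end {
"source": "$enc.json($ref.source)",
#if ($ref.url)"url": "$enc.json($ref.url)",#end
"name": "$enc.json($ref.name)"
}#end
],
"vulnerableSoftware": [
#foreach($vs in $vuln.getVulnerableSoftware())
#if($foreach.count > 1),#end {
"software": {
"id":"$enc.json($vs.toCpe23FS())"
## Marks the CPE entry that produced the match; emitted as the string "true" (schema 1.1 shape).
#if($vs == $vuln.matchedVulnerableSoftware),"vulnerabilityIdMatched":"true"#end
#if($vs.versionStartIncluding),"versionStartIncluding":"$enc.json($vs.versionStartIncluding)"#end
#if($vs.versionStartExcluding),"versionStartExcluding":"$enc.json($vs.versionStartExcluding)"#end
#if($vs.versionEndIncluding),"versionEndIncluding":"$enc.json($vs.versionEndIncluding)"#end
#if($vs.versionEndExcluding),"versionEndExcluding":"$enc.json($vs.versionEndExcluding)"#end
## Only written when the entry is explicitly non-vulnerable (the common case is implied).
#if(!$vs.vulnerable),"vulnerable":"$vs.vulnerable"#end
}
}#end
]
}#end
]#end
## Suppressed vulnerabilities use the same shape as "vulnerabilities" minus the top-level
## "severity" key. The guard previously repeated the same size() check twice.
#if($dependency.getSuppressedVulnerabilities().size()>0)
,"suppressedVulnerabilities": [
#foreach($vuln in $dependency.getSuppressedVulnerabilities(true))#if($foreach.count > 1),#end {
"source": "$enc.json($vuln.getSource().name())",
"name": "$enc.json($vuln.name)",
#if($vuln.cvssV2)
"cvssv2": {
"score": $vuln.cvssV2.score,
"accessVector": "$enc.json($vuln.cvssV2.accessVector)",
"accessComplexity": "$enc.json($vuln.cvssV2.accessComplexity)",
## Same schema-1.1 key spellings as in "vulnerabilities"; kept for consumer compatibility.
"authenticationr": "$enc.json($vuln.cvssV2.authentication)",
"confidentialImpact": "$enc.json($vuln.cvssV2.confidentialityImpact)",
"integrityImpact": "$enc.json($vuln.cvssV2.integrityImpact)",
"availabilityImpact": "$enc.json($vuln.cvssV2.availabilityImpact)",
"severity": "$enc.json($vuln.cvssV2.severity)"
},
#end
#if($vuln.cvssV3)
"cvssv3": {
"baseScore": $vuln.cvssV3.baseScore,
"attackVector": "$enc.json($vuln.cvssV3.attackVector)",
"attackComplexity": "$enc.json($vuln.cvssV3.attackComplexity)",
"privilegesRequired": "$enc.json($vuln.cvssV3.privilegesRequired)",
"userInteraction": "$enc.json($vuln.cvssV3.userInteraction)",
"scope": "$enc.json($vuln.cvssV3.scope)",
"confidentialityImpact": "$enc.json($vuln.cvssV3.confidentialityImpact)",
"integrityImpact": "$enc.json($vuln.cvssV3.integrityImpact)",
"availabilityImpact": "$enc.json($vuln.cvssV3.availabilityImpact)",
"baseSeverity": "$enc.json($vuln.cvssV3.baseSeverity)"
},
#end
## NOTE(review): same $vuln.cwe.cwes vs $vuln.cwes.entries mismatch as in "vulnerabilities".
#if (!$vuln.cwe.cwes.isEmpty())
"cwes": [
#foreach($cweEntry in $vuln.cwes.entries)
#if($foreach.count > 1),#end
"$enc.json($cweEntry)"
#end
],
#end
"description": "$enc.json($vuln.description)",
"notes": "#if ($vuln.notes)$enc.json($vuln.notes)#end",
"references": [
#foreach($ref in $vuln.getReferences())
#if($foreach.count > 1),#end {
"source": "$enc.json($ref.source)",
#if ($ref.url)"url": "$enc.json($ref.url)",#end
"name": "$enc.json($ref.name)"
}#end
],
"vulnerableSoftware": [
#foreach($vs in $vuln.getVulnerableSoftware())
#if($foreach.count > 1),#end {
"software": {
"id":"$enc.json($vs.toCpe23FS())"
#if($vs == $vuln.matchedVulnerableSoftware),"vulnerabilityIdMatched":"true"#end
#if($vs.versionStartIncluding),"versionStartIncluding":"$enc.json($vs.versionStartIncluding)"#end
#if($vs.versionStartExcluding),"versionStartExcluding":"$enc.json($vs.versionStartExcluding)"#end
#if($vs.versionEndIncluding),"versionEndIncluding":"$enc.json($vs.versionEndIncluding)"#end
#if($vs.versionEndExcluding),"versionEndExcluding":"$enc.json($vs.versionEndExcluding)"#end
#if(!$vs.vulnerable),"vulnerable":"$vs.vulnerable"#end
}
}#end
]
}#end
]#end
}#end
]
}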