fix: correct XML/JSON report CVSS field & HTML report URL mappings (#8156)

Signed-off-by: Chad Wilson <[email protected]>

Author: chadlwilson

core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java

@@ -17,15 +17,12 @@
  */
 package org.owasp.dependencycheck.reporting;
 
-import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.util.Set;
 import javax.annotation.concurrent.ThreadSafe;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import org.apache.commons.text.StringEscapeUtils;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * An extremely simple wrapper around various escape utils to perform URL and
@@ -36,12 +33,6 @@
  */
 @ThreadSafe
 public class EscapeTool {
-
-    /**
-     * The logger.
-     */
-    private static final Logger LOGGER = LoggerFactory.getLogger(EscapeTool.class);
-
     /**
      * URL Encodes the provided text.
      *
@@ -52,13 +43,7 @@ public String url(String text) {
         if (text == null || text.isEmpty()) {
             return text;
         }
-        try {
-            return URLEncoder.encode(text, UTF_8.name());
-        } catch (UnsupportedEncodingException ex) {
-            LOGGER.warn("UTF-8 is not supported?");
-            LOGGER.info("", ex);
-        }
-        return "";
+        return URLEncoder.encode(text, UTF_8);
     }
 
     /**
@@ -74,6 +59,10 @@ public String html(String text) {
         return StringEscapeUtils.escapeHtml4(text);
     }
 
+    public String html(Object o) {
+        return xml(o == null ? null : o.toString());
+    }
+
     /**
      * XML Encodes the provided text.
      *
@@ -87,6 +76,10 @@ public String xml(String text) {
         return StringEscapeUtils.escapeXml11(text);
     }
 
+    public String xml(Object o) {
+        return xml(o == null ? null : o.toString());
+    }
+
     /**
      * JSON Encodes the provided text.
      *
@@ -100,6 +93,10 @@ public String json(String text) {
         return StringEscapeUtils.escapeJson(text);
     }
 
+    public String json(Object o) {
+        return xml(o == null ? null : o.toString());
+    }
+
     /**
      * JavaScript encodes the provided text.
      *
@@ -126,7 +123,7 @@ public String csv(String text) {
             return "\"\"";
         }
         final String str = text.trim().replace("\n", " ");
-        if (str.trim().length() == 0) {
+        if (str.isBlank()) {
             return "\"\"";
         }
         return StringEscapeUtils.escapeCsv(str);

core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -260,6 +260,7 @@ private VelocityContext createContext(String applicationName, List<Dependency> d
         final String scanDateJunit = DateTimeFormatter.ISO_LOCAL_DATE_TIME.format(dt);
         final String scanDateGitLab = DateTimeFormatter.ISO_LOCAL_DATE_TIME.format(dt.withNano(0));
 
+        // Remember to update type definitions at templates/velocity_implicit.vm
         final VelocityContext ctxt = new VelocityContext();
         ctxt.put("applicationName", applicationName);
         dependencies.sort(Dependency.NAME_COMPARATOR);

core/src/main/java/org/owasp/dependencycheck/reporting/ReportTool.java

@@ -125,6 +125,15 @@ private String determineScore(Vulnerability vuln) {
         return "unknown";
     }
 
+    /**
+     * Map severity names from various sources to a standard set of severity names.
+     * @param sev the severity name
+     * @return the standardized severity name (critical, high, medium, low, unknown)
+     */
+    public String normalizeSeverity(Object sev) {
+        return normalizeSeverity(sev.toString());
+    }
+
     /**
      * Map severity names from various sources to a standard set of severity names.
      * @param sev the severity name

core/src/main/resources/templates/htmlReport.vsl

@@ -27,6 +27,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <title>Dependency-Check Report</title>
         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
         <link rel="shortcut icon" href="data:;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAVLSURBVFhHvZdvbFRFEMB3913v9Vr+FKUNRdtrewg1lQgRE0gMYkJSowYMwcSPkGDwg8ZigMR+UYzGaIuAEj+R+IfE+EUlRL+QYAwhGBMqkFQDpO1xd/YPBaSU9u767r0dZ5a513vtXVsq8Zcsb3bu9c3szuzsIMU8iEaj5fhYJlzRYCkZ7Utd+wbnQL+Nd0TeoyeAPLFgf/oiyTNxXw6g4WUhTz4JEtaiNXLCEE8l3seHJjlzsOJHfLxMsgHE4cje9B6eTUPxc0ZoxbFHG1qVFq9rCRsKjc+KFG3oFGQ6Kw6xJsCsDqDxNZYWbWSYVUFAJFkyaA2XWAxiHIlcGPukYg1rDCVDQKsOadmqBaxllY8CuKHBuqOlHlNKufFk/GdUmxxoeqTpMbBg1dGXRlZtqHc2R8rgedIXgk4eqNyXMblS1AE2vhWNP84qAxl2hewno6wyFHOAZOLAc6PRbU+kd2OyrmbVPTg3pjlQzDgazGmh40rKMY3LZrVBCi/Tl0z+gqJxYGV9fWNOWC0kF3Jm1/C2pZWwk6cG2olpOcDb7hsHgLQGcUWAGs0bV1K7EuSQFbbOLKmuPkOvkZ64mkzG8bXz5BirDBuP1fzQP6I+5yl9eAS9vxjYAVz9esx0P2a0ck+73VKGPFaR8Vtpx7k0ODiYZlVJmpcvfzirwi1SyUWsMiF5ZXX6A1zJzsq9mRO+A7T1lO2BIyZVN/6bJZFWnQO4Wl1dnerq6sqRbq401TWtw9qxjGT6zhfbs3+0Hrw+THPfgVhdA8Xdz3j84RpIdZOngrY1kUgMOR3lG1kVREkHhBp3smJ4wdLmf+TuoJOxuroW3NI6zN6L9B1W33MAV1+FW99mNIgUclBaYtCPObjx3lTqT5KxqJyk52y4nv5u4f7stzzNY+Hww0ncS0JXBIoDWryRN07JVlVTc9Xo74OQpV7F6ndk5CO7iVVEwDihVqxYYVtKrOc5bckIgHJIpnhl3MxfpWIuJZyWAMdo0Io1AOXMJFI0hm3VzrOiYG2BmsLEAz0Zd9DWzZmyHd/tLt+bOUmDthuzun3C8dryjqCDdzF5tqcPRr40f1AElcvl6lgmJkC5d1kWYS8bZ3HOVL0z0TcKiz70tBjAML4opVgsoeB2nIJyXfeKJfRxGo52j4ds+xwWmN9t1/7t8sDALX7vvqjdd31cChgi40YhZdXUSyiPGkAjPalUL43+/v6/e3p6btC4PHB5XsZ9sMqxZJAWbGIxwJz6gfkAWl5jcUYUbU1+3D60uIp0PPwiNR/wZAW3HERRh5Sy4C3LEhdoiAn368b6xhdoxKLRVn5nXmDpfZZFg7J00f5QgRYJlkV5GWyJVnk2yRpUKBaLFZ6QOYMFaAdW0x08xcXDr5E9E8V3wAmFD7NseO3pMf8uh1xuJYuzQuGjMJreT4rJc4/XrvZk6aZ0yZ47WPkm47M55mxnET23IrW1tRU8DUBFBlf2faYzcptGuefETRix9+NXDNhLHJmpPTenAON1xMyQRbZevaV5ooanwrbsdSz6kPF8kaEz7o9CqOEAvPO59yuFccBR4a/MjGnfNDp5M2IzgQnpd8QB41NBoxRvarWyVrgRe77Ad4vhHzX6H41S8l2eitO9ZR+/+dNDZ3lqbsW+VN/52x12YxlY04xbZd5IqUSbCd8BSiLby13AlTWwSnx6tvKNY10LzCmhm7E3kTiFYqAp/a/4lZCSUYIX6Frffmb86K6nxqJknDoZVD1Q48S0ajc1FBTXU8mFzVs/G77OmgdK0XLLZ7nNnGHuXvmn/w9yYrwzUvIefzAI8S83C2sS1J4rmAAAAABJRU5ErkJggg==" />
+        <!--suppress CssUnknownProperty, CssUnusedSymbol, HtmlDeprecatedAttribute, CssRedundantUnit, CssReplaceWithShorthandSafely -->
         <style type="text/css">
             #modal-background {
                 display: none;
@@ -479,6 +480,9 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                 #set($cnt=0)
 #if($exceptions)
     #macro( writeHtmlException $type $ex $depth)
+        #* @vtlvariable name="type" type="java.lang.String" *#
+        #* @vtlvariable name="ex" type="java.lang.Throwable" *#
+        #* @vtlvariable name="depth" type="java.lang.Integer" *#
         #set($cnt=$cnt+1)
         <h4 id="header$cnt" class="subsectionheader white">$enc.html($ex.getMessage())</h4>
         <div id="content$cnt" class="subsectioncontent standardsubsection">
@@ -750,7 +754,7 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                                 #foreach($ref in $vuln.getReferences(true))
                                     #if ($ref.url && $ref.name)
                                     <li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$enc.html($ref.name)</a></li>
-                                    #elseif ($ref.uri)
+                                    #elseif ($ref.url)
                                     <li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$enc.html($ref.url)</a></li>
                                     #elseif ($ref.name)
                                     <li>$enc.html($ref.source) - $enc.html($ref.name)</li>