Merge branch 'main' into jcs-logging

Author: jeremylong

Dockerfile

@@ -15,6 +15,7 @@ ARG GID=1000
 ENV user=dependencycheck
 ENV JAVA_HOME=/opt/jdk
 ENV JAVA_OPTS="-Danalyzer.assembly.dotnet.path=/usr/bin/dotnet -Danalyzer.bundle.audit.path=/usr/bin/bundle-audit -Danalyzer.golang.path=/usr/local/go/bin/go"
+ENV ODC_NAME=dependency-check-docker
 
 COPY --from=jlink /jlinked /opt/jdk/
 COPY --from=go /usr/local/go/ /usr/local/go/

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -45,6 +45,7 @@
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.SeverityUtil;
+import org.owasp.dependencycheck.utils.scarf.TelemetryCollector;
 import org.slf4j.impl.StaticLoggerBinder;
 
 //CSOFF: MethodCount
@@ -1335,6 +1336,7 @@ protected void executeWithContextClassloader() throws BuildException {
         } catch (InvalidSettingException e) {
             throw new BuildException(e);
         }
+        TelemetryCollector.send(getSettings());
         try (Engine engine = new Engine(Check.class.getClassLoader(), getSettings())) {
             for (Resource resource : getPath()) {
                 final FileProvider provider = resource.as(FileProvider.class);

ant/src/main/resources/task.properties

@@ -1,2 +1,3 @@
 # the path to the data directory
 data.directory=data/11.0
+odc.application.name=dependency-check-ant

cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -26,6 +26,7 @@
 
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+
 import org.apache.commons.cli.ParseException;
 import org.apache.tools.ant.DirectoryScanner;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -39,6 +40,7 @@
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.scarf.TelemetryCollector;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -48,7 +50,10 @@
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import ch.qos.logback.classic.Level;
 import ch.qos.logback.classic.LoggerContext;
+import io.github.jeremylong.jcs3.slf4j.Slf4jAdapter;
+
 import java.util.TreeSet;
+
 import org.owasp.dependencycheck.utils.SeverityUtil;
 
 /**
@@ -184,6 +189,7 @@ public int run(String[] args) {
             try {
                 populateSettings(cli);
                 Downloader.getInstance().configure(settings);
+                TelemetryCollector.send(settings);
             } catch (InvalidSettingException ex) {
                 LOGGER.error(ex.getMessage(), ex);
                 LOGGER.debug(ERROR_LOADING_PROPERTIES_FILE, ex);
@@ -249,7 +255,7 @@ public int run(String[] args) {
      * collection.
      */
     private int runScan(String reportDirectory, String[] outputFormats, String applicationName, String[] files,
-            String[] excludes, int symLinkDepth, float cvssFailScore) throws DatabaseException,
+                        String[] excludes, int symLinkDepth, float cvssFailScore) throws DatabaseException,
             ExceptionCollection, ReportException {
         Engine engine = null;
         try {
@@ -336,10 +342,10 @@ private int determineReturnCode(Engine engine, float cvssFailScore) {
                     if (addName) {
                         addName = false;
                         ids.append(NEW_LINE).append(d.getFileName()).append(" (")
-                           .append(Stream.concat(d.getSoftwareIdentifiers().stream(), d.getVulnerableSoftwareIdentifiers().stream())
-                                         .map(Identifier::getValue)
-                                         .collect(Collectors.joining(", ")))
-                           .append("): ");
+                                .append(Stream.concat(d.getSoftwareIdentifiers().stream(), d.getVulnerableSoftwareIdentifiers().stream())
+                                        .map(Identifier::getValue)
+                                        .collect(Collectors.joining(", ")))
+                                .append("): ");
                         ids.append(v.getName()).append('(').append(score).append(')');
                     } else {
                         ids.append(", ").append(v.getName()).append('(').append(score).append(')');
@@ -445,6 +451,7 @@ private void runUpdateOnly() throws UpdateException, DatabaseException {
     }
 
     //CSOFF: MethodLength
+
     /**
      * Updates the global Settings.
      *
@@ -454,6 +461,12 @@ private void runUpdateOnly() throws UpdateException, DatabaseException {
      * file is unable to be loaded.
      */
     protected void populateSettings(CliParser cli) throws InvalidSettingException {
+        String name = System.getenv("ODC_NAME") != null ? System.getenv("ODC_NAME") : "dependency-check-cli";
+        if (name.isBlank()) {
+            name = "dependency-check-cli";
+        }
+        name = name.replace("/", "-").replace(" ", "_");
+        settings.setString(Settings.KEYS.APPLICATION_NAME, name);
         final File propertiesFile = cli.getFileArgument(CliParser.ARGUMENT.PROP);
         if (propertiesFile != null) {
             try {
@@ -726,6 +739,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
     }
 
     //CSON: MethodLength
+
     /**
      * Creates a file appender and adds it to logback.
      *

core/pom.xml

@@ -294,7 +294,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <scope>compile</scope>
         </dependency>
         <dependency>
-            <groupId>org.glassfish</groupId>
+            <groupId>org.eclipse.parsson</groupId>
             <artifactId>jakarta.json</artifactId>
         </dependency>
         <dependency>

core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -35,6 +35,7 @@
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.SeverityUtil;
+import org.owasp.dependencycheck.utils.scarf.TelemetryCollector;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -888,6 +889,8 @@ public void setPropertiesFilePath(String propertiesFilePath) {
     @SuppressWarnings("squid:S2095")
     private Engine executeDependencyCheck() throws ExceptionCollection {
         populateSettings();
+        String version = settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown");
+        TelemetryCollector.send(settings, "dependency-check-scan-agent", version);
         final Engine engine;
         try {
             engine = new Engine(settings);

core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -196,7 +196,7 @@ private boolean isNodeAuditEnabled(Engine engine) {
                     try {
                         ((AbstractNpmAnalyzer) a).prepareFileTypeAnalyzer(engine);
                     } catch (InitializationException ex) {
-                        String message = "Error initializing the " + a.getName();
+                        final String message = "Error initializing the " + a.getName();
                         LOGGER.debug(message, ex);
                     }
                 }

core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java

@@ -59,10 +59,10 @@
 import java.net.SocketTimeoutException;
 
 import javax.annotation.Nullable;
+
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.utils.CvssUtil;
 import org.sonatype.goodies.packageurl.InvalidException;
-import org.sonatype.ossindex.service.client.transport.Transport.TransportException;
 
 /**
  * Enrich dependency information from Sonatype OSS index.
@@ -131,13 +131,14 @@ protected void closeAnalyzer() throws Exception {
 
     @Override
     protected void prepareAnalyzer(Engine engine) throws InitializationException {
-      synchronized (FETCH_MUTIX) {
-        if (StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_USER, StringUtils.EMPTY)) ||
-            StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_PASSWORD, StringUtils.EMPTY))) {
-          LOG.warn("Disabling OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required");
-          setEnabled(false);
+        synchronized (FETCH_MUTIX) {
+            if (StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_USER, StringUtils.EMPTY))
+                    || StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_PASSWORD, StringUtils.EMPTY))) {
+                LOG.warn("Disabling OSS Index analyzer due to missing user/password credentials. Authentication is now " +
+                        "required: https://ossindex.sonatype.org/doc/auth-required");
+                setEnabled(false);
+            }
         }
-      }
     }
 
     @Override

core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java

@@ -528,6 +528,11 @@ public String toString() {
         return sb.toString();
     }
 
+    /**
+     * Returns the NVD search URL for this vulnerable software.
+     *
+     * @return the NVD search URL
+     */
     public String toNvdSearchUrl() {
         return CpeIdentifier.nvdSearchUrlFor(this);
     }

core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java

@@ -20,6 +20,7 @@
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.List;
+import java.util.Optional;
 import javax.annotation.concurrent.NotThreadSafe;
 import org.owasp.dependencycheck.exception.ParseException;
 import org.owasp.dependencycheck.utils.DateUtil;
@@ -30,7 +31,8 @@
 import org.xml.sax.helpers.DefaultHandler;
 
 /**
- * A handler to load suppression rules.
+ * A handler to load suppression rules. In the input xml a suppression rule can be part of a {@code suppressionGroup}. In that
+ * case the attributes set on group element will act as default values for child suppressions.
  *
  * @author Jeremy Long
  */
@@ -42,6 +44,10 @@ public class SuppressionHandler extends DefaultHandler {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionHandler.class);
 
+    /**
+     * The suppressionGroup node, indicates the start of a new suppressionGroup.
+     */
+    public static final String SUPPRESSION_GROUP = "suppressionGroup";
     /**
      * The suppress node, indicates the start of a new rule.
      */
@@ -105,6 +111,10 @@ public class SuppressionHandler extends DefaultHandler {
      */
     private StringBuilder currentText;
 
+    private Boolean groupBase = null;
+    private Calendar groupUntil = null;
+
+
     /**
      * Get the value of suppressionRules.
      *
@@ -127,22 +137,40 @@ public List<SuppressionRule> getSuppressionRules() {
     public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
         currentAttributes = attributes;
         currentText = new StringBuilder();
+
+        if (SUPPRESSION_GROUP.equals(qName)) {
+            groupBase = attributes.getValue("base") != null ? Boolean.parseBoolean(attributes.getValue("base")) : null;
+            groupUntil = parseUntilAttribute(attributes).orElse(null);
+        }
+
         if (SUPPRESS.equals(qName)) {
+            Boolean base = attributes.getValue("base") != null ? Boolean.parseBoolean(attributes.getValue("base")) : null;
+            Calendar until = parseUntilAttribute(attributes).orElse(null);
+
             rule = new SuppressionRule();
-            final String base = currentAttributes.getValue("base");
-            if (base != null) {
-                rule.setBase(Boolean.parseBoolean(base));
-            } else {
-                rule.setBase(false);
-            }
-            final String until = currentAttributes.getValue("until");
-            if (until != null) {
-                try {
-                    rule.setUntil(DateUtil.parseXmlDate(until));
-                } catch (ParseException ex) {
-                    throw new SAXException("Unable to parse until date in suppression file: " + until, ex);
-                }
+            //If suppression doesn't have attribute set, use that of the group (if in group).
+            rule.setBase(base != null ? base : groupBase);
+            rule.setUntil(until != null ? until : groupUntil);
+        }
+    }
+
+    /**
+     * Read the provided {@code attributes} for attribute {@code until}. Return {@link Calendar} object if attribute is
+     * present and can be parsed.
+     *
+     * @return empty if attribute {@code until} is not present.
+     * @throws SAXException if attribute {@code until} is present but value can not be parsed as {@link Calendar}.
+     */
+    private static Optional<Calendar> parseUntilAttribute(Attributes attributes) throws SAXException {
+        String untilStr = attributes.getValue("until");
+        if (untilStr != null) {
+            try {
+                return Optional.of(DateUtil.parseXmlDate(untilStr));
+            } catch (ParseException ex) {
+                throw new SAXException("Unable to parse attribute 'until': " + untilStr, ex);
             }
+        } else {
+            return Optional.empty();
         }
     }
 
@@ -166,6 +194,10 @@ public void endElement(String uri, String localName, String qName) throws SAXExc
                     }
                     rule = null;
                     break;
+                case SUPPRESSION_GROUP:
+                    groupBase = null;
+                    groupUntil = null;
+                    break;
                 case FILE_PATH:
                     rule.setFilePath(processPropertyType());
                     break;
@@ -191,7 +223,10 @@ public void endElement(String uri, String localName, String qName) throws SAXExc
                     rule.addVulnerabilityName(processPropertyType());
                     break;
                 case NOTES:
-                    rule.setNotes(currentText.toString().trim());
+                    // Check that the notes element is from a suppression and not a suppressionGroup.
+                    if(rule != null) {
+                        rule.setNotes(currentText.toString().trim());
+                    }
                     break;
                 case CVSS_BELOW:
                     final Double cvss = Double.valueOf(currentText.toString().trim());