From ad0d16a8ca9982ce6dbd2a626fb488d924d98bda Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 1 Jul 2024 06:24:33 -0400 Subject: [PATCH] feat: add cvssV4 support (#6756) --- README.md | 4 + ant/pom.xml | 2 +- archetype/pom.xml | 2 +- cli/pom.xml | 2 +- core/pom.xml | 2 +- .../data/nodeaudit/NpmAuditParser.java | 4 +- .../dependencycheck/data/nvdcve/CveDB.java | 527 +++++++++++++++++- .../data/nvdcve/H2Functions.java | 141 ++++- .../dependency/Vulnerability.java | 24 + .../resources/data/dbStatements.properties | 4 +- .../resources/data/dbStatements_h2.properties | 2 +- ...Statements_microsoft sql server.properties | 2 +- .../data/dbStatements_oracle.properties | 2 +- .../data/dbStatements_postgresql.properties | 2 +- core/src/main/resources/data/initialize.sql | 17 +- .../main/resources/data/initialize_mssql.sql | 76 ++- .../main/resources/data/initialize_mysql.sql | 76 ++- .../main/resources/data/initialize_oracle.sql | 100 +++- .../resources/data/initialize_postgres.sql | 83 ++- core/src/main/resources/data/upgrade_5.4.sql | 43 ++ .../main/resources/dependencycheck.properties | 2 +- .../test/resources/dependencycheck.properties | 2 +- maven/pom.xml | 2 +- pom.xml | 10 +- utils/pom.xml | 2 +- 25 files changed, 1086 insertions(+), 47 deletions(-) create mode 100644 core/src/main/resources/data/upgrade_5.4.sql diff --git a/README.md b/README.md index a01131c4208..fc5c3ffcd5d 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,10 @@ Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki]. +## Notice + +This product uses the NVD API but is not endorsed or certified by the NVD. + ## 9.0.0 Upgrade Notice **Upgrading to 9.0.0 or later is mandatory**; previous versions of dependency-check 
diff --git a/ant/pom.xml b/ant/pom.xml index a370ba8e549..f89306d9ed9 100644 --- a/ant/pom.xml +++ b/ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 9.2.1-SNAPSHOT + 10.0.0-SNAPSHOT dependency-check-ant diff --git a/archetype/pom.xml b/archetype/pom.xml index 733b7a01a3e..e224f201ad2 100644 --- a/archetype/pom.xml +++ b/archetype/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 9.2.1-SNAPSHOT + 10.0.0-SNAPSHOT dependency-check-plugin Dependency-Check Plugin Archetype diff --git a/cli/pom.xml b/cli/pom.xml index 8b2c05c0e9d..a4a6a98f6c3 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 9.2.1-SNAPSHOT + 10.0.0-SNAPSHOT dependency-check-cli diff --git a/core/pom.xml b/core/pom.xml index 96589a56bee..6625cb7559a 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 9.2.1-SNAPSHOT + 10.0.0-SNAPSHOT dependency-check-core diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NpmAuditParser.java b/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NpmAuditParser.java index 7c442c9f4fe..715604fd509 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NpmAuditParser.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NpmAuditParser.java 
@@ -132,13 +132,13 @@ private Advisory parseAdvisory(JSONObject object) throws JSONException { } if (baseScore >= 0.0) { final String vector = jsonCvss.optString("vectorString"); - if (vector != null) { + if (vector != null && !"null".equals(vector)) { if (vector.startsWith("CVSS:3") && baseScore >= 0.0) { try { final CvssV3 cvss = CvssUtil.vectorToCvssV3(vector, baseScore); advisory.setCvssV3(cvss); } catch (IllegalArgumentException iae) { - LOGGER.warn("Invalid CVSS vector format encountered in NPM Audit results '{}' ", vector, iae); + LOGGER.warn("Invalid CVSS vector format encountered in NPM Audit results '{}': {} ", vector, iae.getMessage()); } } else { LOGGER.warn("Unsupported CVSS vector format in NPM Audit results, please file a feature " diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index 06767076ef6..5d3d4c8dd65 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java @@ -56,6 +56,8 @@ import io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data; import io.github.jeremylong.openvulnerability.client.nvd.CvssV3; import io.github.jeremylong.openvulnerability.client.nvd.CvssV3Data; +import io.github.jeremylong.openvulnerability.client.nvd.CvssV4; +import io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data; import io.github.jeremylong.openvulnerability.client.nvd.LangString; import io.github.jeremylong.openvulnerability.client.nvd.Node; import io.github.jeremylong.openvulnerability.client.nvd.Reference; 
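Review bot: The `vector != null` half of the new condition is dead if `jsonCvss` is an org.json `JSONObject` (the import is outside the hunk, confirm): the single-argument `optString("vectorString")` returns `""` for a missing or JSON-null key, never `null`, so the only effective change is the literal-string `"null"` test, and an empty vector still falls through to the "Unsupported CVSS vector format" warning. A guard such as `if (!vector.isEmpty() && !"null".equals(vector)) {` would make both cases explicit, and a one-line comment on where the literal `"null"` comes from (presumably an upstream audit feed serialising an absent vector as a string) would stop the next reader from taking it for a typo of the null check beside it. Dropping the exception object from the `LOGGER.warn` call removes the stack trace from every run; keeping `iae.getMessage()` at WARN but adding `LOGGER.debug("Invalid CVSS vector '{}'", vector, iae);` preserves it for troubleshooting. parseAdvisory's body continues outside the hunk.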
@@ -797,6 +799,238 @@ public Vulnerability getVulnerability(String cve, Connection conn) throws Databa final CvssV3 cvss = new CvssV3(null, null, cvssData, rsV.getDouble(19), rsV.getDouble(20)); vuln.setCvssV3(cvss); } +// 32.v4version, 33.v4attackVector, 34.v4attackComplexity, 35.v4attackRequirements, 36.v4privilegesRequired, +// 37.v4userInteraction, 38.v4vulnConfidentialityImpact, 39.v4vulnIntegrityImpact, 40.v4vulnAvailabilityImpact, +// 41.v4subConfidentialityImpact, 42.v4subIntegrityImpact, 43.v4subAvailabilityImpact, 44.v4exploitMaturity, +// 45.v4confidentialityRequirement, 46.v4integrityRequirement, 47.v4availabilityRequirement, 48.v4modifiedAttackVector, +// 49.v4modifiedAttackComplexity, 50.v4modifiedAttackRequirements, 51.v4modifiedPrivilegesRequired, 52.v4modifiedUserInteraction, +// 53.v4modifiedVulnConfidentialityImpact, 54.v4modifiedVulnIntegrityImpact, 55.v4modifiedVulnAvailabilityImpact, +// 56.v4modifiedSubConfidentialityImpact, 57.v4modifiedSubIntegrityImpact, 58.v4modifiedSubAvailabilityImpact, +// 59.v4safety, 60.v4automatable, 61.v4recovery, 62.v4valueDensity, 63.v4vulnerabilityResponseEffort, 64.v4providerUrgency, +// 65.v4baseScore, 66.v4baseSeverity, 67.v4threatScore, 68.v4threatSeverity, 69.v4environmentalScore, 70.v4environmentalSeverity +// 71.v4source, 72.v4type + if (rsV.getObject(33) != null) { + String vectorString = null; + + String value = rsV.getString(32); + CvssV4Data.Version version = CvssV4Data.Version.fromValue(value); + CvssV4Data.AttackVectorType attackVector = null; + value = rsV.getString(33); + if (value != null) { + attackVector = CvssV4Data.AttackVectorType.fromValue(value); + } + CvssV4Data.AttackComplexityType attackComplexity = null; + value = rsV.getString(34); + if (value != null) { + attackComplexity = CvssV4Data.AttackComplexityType.fromValue(value); + } + CvssV4Data.AttackRequirementsType attackRequirements = null; + value = rsV.getString(35); + if (value != null) { + attackRequirements = 
CvssV4Data.AttackRequirementsType.fromValue(value);
+ }
+ CvssV4Data.PrivilegesRequiredType privilegesRequired = null;
+ value = rsV.getString(36);
+ if (value != null) {
+ privilegesRequired = CvssV4Data.PrivilegesRequiredType.fromValue(value);
+ }
+ CvssV4Data.UserInteractionType userInteraction = null;
+ value = rsV.getString(37);
+ if (value != null) {
+ userInteraction = CvssV4Data.UserInteractionType.fromValue(value);
+ }
+ CvssV4Data.CiaType vulnConfidentialityImpact = null;
+ value = rsV.getString(38);
+ if (value != null) {
+ vulnConfidentialityImpact = CvssV4Data.CiaType.fromValue(value);
+ }
+ CvssV4Data.CiaType vulnIntegrityImpact = null;
+ value = rsV.getString(39);
+ if (value != null) {
+ vulnIntegrityImpact = CvssV4Data.CiaType.fromValue(value);
+ }
+ CvssV4Data.CiaType vulnAvailabilityImpact = null;
+ value = rsV.getString(40);
+ if (value != null) {
+ vulnAvailabilityImpact = CvssV4Data.CiaType.fromValue(value);
+ }
+ CvssV4Data.CiaType subConfidentialityImpact = null;
+ value = rsV.getString(41);
+ if (value != null) {
+ subConfidentialityImpact = CvssV4Data.CiaType.fromValue(value);
+ }
+ CvssV4Data.CiaType subIntegrityImpact = null;
+ value = rsV.getString(42);
+ if (value != null) {
+ subIntegrityImpact = CvssV4Data.CiaType.fromValue(value);
+ }
+ CvssV4Data.CiaType subAvailabilityImpact = null;
+ value = rsV.getString(43);
+ if (value != null) {
+ subAvailabilityImpact = CvssV4Data.CiaType.fromValue(value);
+ }
+ CvssV4Data.ExploitMaturityType exploitMaturity = null;
+ value = rsV.getString(44);
+ if (value != null) {
+ exploitMaturity = CvssV4Data.ExploitMaturityType.fromValue(value);
+ }
+ CvssV4Data.CiaRequirementType confidentialityRequirement = null;
+ value = rsV.getString(45);
+ if (value != null) {
+ confidentialityRequirement = CvssV4Data.CiaRequirementType.fromValue(value);
+ }
+ CvssV4Data.CiaRequirementType integrityRequirement = null;
+ value = rsV.getString(46);
+ if (value != null) {
+ integrityRequirement =
CvssV4Data.CiaRequirementType.fromValue(value);
+ }
+ CvssV4Data.CiaRequirementType availabilityRequirement = null;
+ value = rsV.getString(47);
+ if (value != null) {
+ availabilityRequirement = CvssV4Data.CiaRequirementType.fromValue(value);
+ }
+ CvssV4Data.ModifiedAttackVectorType modifiedAttackVector = null;
+ value = rsV.getString(48);
+ if (value != null) {
+ modifiedAttackVector = CvssV4Data.ModifiedAttackVectorType.fromValue(value);
+ }
+ CvssV4Data.ModifiedAttackComplexityType modifiedAttackComplexity = null;
+ value = rsV.getString(49);
+ if (value != null) {
+ modifiedAttackComplexity = CvssV4Data.ModifiedAttackComplexityType.fromValue(value);
+ }
+ CvssV4Data.ModifiedAttackRequirementsType modifiedAttackRequirements = null;
+ value = rsV.getString(50);
+ if (value != null) {
+ modifiedAttackRequirements = CvssV4Data.ModifiedAttackRequirementsType.fromValue(value);
+ }
+ CvssV4Data.ModifiedPrivilegesRequiredType modifiedPrivilegesRequired = null;
+ value = rsV.getString(51);
+ if (value != null) {
+ modifiedPrivilegesRequired = CvssV4Data.ModifiedPrivilegesRequiredType.fromValue(value);
+ }
+ CvssV4Data.ModifiedUserInteractionType modifiedUserInteraction = null;
+ value = rsV.getString(52);
+ if (value != null) {
+ modifiedUserInteraction = CvssV4Data.ModifiedUserInteractionType.fromValue(value);
+ }
+ CvssV4Data.ModifiedCiaType modifiedVulnConfidentialityImpact = null;
+ value = rsV.getString(53);
+ if (value != null) {
+ modifiedVulnConfidentialityImpact = CvssV4Data.ModifiedCiaType.fromValue(value);
+ }
+ CvssV4Data.ModifiedCiaType modifiedVulnIntegrityImpact = null;
+ value = rsV.getString(54);
+ if (value != null) {
+ modifiedVulnIntegrityImpact = CvssV4Data.ModifiedCiaType.fromValue(value);
+ }
+ CvssV4Data.ModifiedCiaType modifiedVulnAvailabilityImpact = null;
+ value = rsV.getString(55);
+ if (value != null) {
+ modifiedVulnAvailabilityImpact = CvssV4Data.ModifiedCiaType.fromValue(value);
+ }
+ CvssV4Data.ModifiedCiaType
modifiedSubConfidentialityImpact = null;
+ value = rsV.getString(56);
+ if (value != null) {
+ modifiedSubConfidentialityImpact = CvssV4Data.ModifiedCiaType.fromValue(value);
+ }
+ CvssV4Data.ModifiedCiaType modifiedSubIntegrityImpact = null;
+ value = rsV.getString(57);
+ if (value != null) {
+ modifiedSubIntegrityImpact = CvssV4Data.ModifiedCiaType.fromValue(value);
+ }
+ CvssV4Data.ModifiedCiaType modifiedSubAvailabilityImpact = null;
+ value = rsV.getString(58);
+ if (value != null) {
+ modifiedSubAvailabilityImpact = CvssV4Data.ModifiedCiaType.fromValue(value);
+ }
+ CvssV4Data.SafetyType safety = null;
+ value = rsV.getString(59);
+ if (value != null) {
+ safety = CvssV4Data.SafetyType.fromValue(value);
+ }
+ CvssV4Data.AutomatableType automatable = null;
+ value = rsV.getString(60);
+ if (value != null) {
+ automatable = CvssV4Data.AutomatableType.fromValue(value);
+ }
+ CvssV4Data.RecoveryType recovery = null;
+ value = rsV.getString(61);
+ if (value != null) {
+ recovery = CvssV4Data.RecoveryType.fromValue(value);
+ }
+ CvssV4Data.ValueDensityType valueDensity = null;
+ value = rsV.getString(62);
+ if (value != null) {
+ valueDensity = CvssV4Data.ValueDensityType.fromValue(value);
+ }
+ CvssV4Data.VulnerabilityResponseEffortType vulnerabilityResponseEffort = null;
+ value = rsV.getString(63);
+ if (value != null) {
+ vulnerabilityResponseEffort = CvssV4Data.VulnerabilityResponseEffortType.fromValue(value);
+ }
+ CvssV4Data.ProviderUrgencyType providerUrgency = null;
+ value = rsV.getString(64);
+ if (value != null) {
+ providerUrgency = CvssV4Data.ProviderUrgencyType.fromValue(value);
+ }
+ Double baseScore = null;
+ if (rsV.getObject(65) != null) {
+ baseScore = rsV.getDouble(65);
+ }
+ CvssV4Data.SeverityType baseSeverity = null;
+ value = rsV.getString(66);
+ if (value != null) {
+ baseSeverity = CvssV4Data.SeverityType.fromValue(value);
+ }
+ Double threatScore = null;
+ if (rsV.getObject(67) != null) {
+ threatScore = rsV.getDouble(67);
+ }
+
CvssV4Data.SeverityType threatSeverity = null;
+ value = rsV.getString(68);
+ if (value != null) {
+ threatSeverity = CvssV4Data.SeverityType.fromValue(value);
+ }
+ Double environmentalScore = null;
+ if (rsV.getObject(69) != null) {
+ environmentalScore = rsV.getDouble(69);
+ }
+ CvssV4Data.SeverityType environmentalSeverity = null;
+ value = rsV.getString(70);
+ if (value != null) {
+ environmentalSeverity = CvssV4Data.SeverityType.fromValue(value);
+ }
+ //initializing data twice to get the vector string. I really should have designed the object better...
+ CvssV4Data data = new CvssV4Data(version, vectorString, attackVector, attackComplexity, attackRequirements, privilegesRequired,
+ userInteraction, vulnConfidentialityImpact, vulnIntegrityImpact, vulnAvailabilityImpact, subConfidentialityImpact,
+ subIntegrityImpact, subAvailabilityImpact, exploitMaturity, confidentialityRequirement, integrityRequirement,
+ availabilityRequirement, modifiedAttackVector, modifiedAttackComplexity, modifiedAttackRequirements,
+ modifiedPrivilegesRequired, modifiedUserInteraction, modifiedVulnConfidentialityImpact, modifiedVulnIntegrityImpact,
+ modifiedVulnAvailabilityImpact, modifiedSubConfidentialityImpact, modifiedSubIntegrityImpact, modifiedSubAvailabilityImpact,
+ safety, automatable, recovery, valueDensity, vulnerabilityResponseEffort, providerUrgency, baseScore, baseSeverity,
+ threatScore, threatSeverity, environmentalScore, environmentalSeverity);
+ vectorString = data.toString();
+ data = new CvssV4Data(version, vectorString, attackVector, attackComplexity, attackRequirements, privilegesRequired,
+ userInteraction, vulnConfidentialityImpact, vulnIntegrityImpact, vulnAvailabilityImpact, subConfidentialityImpact,
+ subIntegrityImpact, subAvailabilityImpact, exploitMaturity, confidentialityRequirement, integrityRequirement,
+ availabilityRequirement, modifiedAttackVector, modifiedAttackComplexity, modifiedAttackRequirements,
+ modifiedPrivilegesRequired,
modifiedUserInteraction, modifiedVulnConfidentialityImpact, modifiedVulnIntegrityImpact, + modifiedVulnAvailabilityImpact, modifiedSubConfidentialityImpact, modifiedSubIntegrityImpact, modifiedSubAvailabilityImpact, + safety, automatable, recovery, valueDensity, vulnerabilityResponseEffort, providerUrgency, baseScore, baseSeverity, + threatScore, threatSeverity, environmentalScore, environmentalSeverity); + + String source = rsV.getString(71); + CvssV4.Type cvssType = null; + value = rsV.getString(72); + if (value != null) { + cvssType = CvssV4.Type.fromValue(value); + } + + CvssV4 cvssv4 = new CvssV4(source, cvssType, data); + vuln.setCvssV4(cvssv4); + } + } else { LOGGER.debug(cve + " does not exist in the database"); return null; 
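Review bot: The presence guard `if (rsV.getObject(33) != null)` keys on the attackVector column, yet the version in column 32 is then decoded unconditionally by `CvssV4Data.Version.fromValue(value)` while every other column gets a null check first; a stored v4 metric with a NULL attack vector is silently dropped, and a NULL version next to a non-NULL attack vector presumably fails inside `fromValue`. Guarding on the version column instead, `if (rsV.getObject(32) != null) {`, and null-checking it like the rest keeps the read side consistent with the write side, which populates column 32 first. The three dozen `value = rsV.getString(n); if (value != null) { x = Type.fromValue(value); }` blocks would collapse to one line each with the helper below (assuming `rsV` is a `java.sql.ResultSet`; `java.util.function.Function` needs importing if it is not already). If the library's `fromValue` factories throw on an unrecognised string — they look generated, confirm — one bad value currently aborts the whole lookup for that CVE, so catching that around the decode, logging the CVE id and skipping only the v4 metric would be safer than propagating. getVulnerability starts outside the hunk.
```java
/** Decodes a nullable VARCHAR column through the enum's fromValue factory; SQL NULL yields null. */
private static <T> T readEnum(ResultSet rs, int column, Function<String, T> fromValue) throws SQLException {
    final String value = rs.getString(column);
    return value == null ? null : fromValue.apply(value);
}

// … at the call site, one line per column in place of each five-line block …
final CvssV4Data.AttackVectorType attackVector = readEnum(rsV, 33, CvssV4Data.AttackVectorType::fromValue);
final CvssV4Data.AttackComplexityType attackComplexity = readEnum(rsV, 34, CvssV4Data.AttackComplexityType::fromValue);
// … unchanged: remaining enum columns follow the same pattern; scores keep their getObject/getDouble pairs …
```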
@@ -949,6 +1183,19 @@ private int updateOrInsertVulnerability(DefCveItem cve, String description) { // String 23.v3PrivilegesRequired, String 24.v3UserInteraction, String 25.v3Scope, // String 26.v3ConfidentialityImpact, String 27.v3IntegrityImpact, String 28.v3AvailabilityImpact, // Float 29.v3BaseScore, String 30.v3BaseSeverity, String 31.v3Version +// . String 32.v4version, String 33.v4attackVector, String 34.v4attackComplexity, String 35.v4attackRequirements, +// String 36.v4privilegesRequired, String 37.v4userInteraction, String 38.v4vulnConfidentialityImpact, +// String 39.v4vulnIntegrityImpact, String 40.v4vulnAvailabilityImpact, String 41.v4subConfidentialityImpact, +// String 42.v4subIntegrityImpact, String 43.v4subAvailabilityImpact, String 44.v4exploitMaturity, +// String 45.v4confidentialityRequirement, String 46.v4integrityRequirement, String 47.v4availabilityRequirement, +// String 48.v4modifiedAttackVector, String 49.v4modifiedAttackComplexity, String 50.v4modifiedAttackRequirements, +// String 51.v4modifiedPrivilegesRequired, String 52.v4modifiedUserInteraction, String 53.v4modifiedVulnConfidentialityImpact, +// String 54.v4modifiedVulnIntegrityImpact, String 55.v4modifiedVulnAvailabilityImpact, String 56.v4modifiedSubConfidentialityImpact, +// String 57.v4modifiedSubIntegrityImpact, String 58.v4modifiedSubAvailabilityImpact, String 59.v4safety, +// String 60.v4automatable, String 61.v4recovery, String 62.v4valueDensity, String 63.v4vulnerabilityResponseEffort, +// String 64.v4providerUrgency, Float 65.v4baseScore, String 66.v4baseSeverity, Float 67.v4threatScore, +// String 68.v4threatSeverity, Float 69.v4environmentalScore, String 70.v4environmentalSeverity +// . String 71.v4Source, String 72.v4type callUpdate.setString(1, cve.getCve().getId()); callUpdate.setString(2, description); Optional optCvssv2 = null; 
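Review bot: The lines `// . String 32.v4version, …` and `// . String 71.v4Source, String 72.v4type` carry what appears to be a stray `. ` after `//` that the neighbouring column-map lines do not; dropping it keeps the map uniform and greppable. Since this comment is the only place the 72 positional parameters are spelled out, a closing sentence such as `// keep in step with the insert/update statements in dbStatements*.properties and the initialize_*.sql scripts` would tell the next maintainer what else must move when a column is added. updateOrInsertVulnerability starts outside the hunk.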
@@ -1044,12 +1291,104 @@ private int updateOrInsertVulnerability(DefCveItem cve, String description) { callUpdate.setNull(30, java.sql.Types.VARCHAR); callUpdate.setNull(31, java.sql.Types.VARCHAR); } + + Optional optCvssv4 = null; + if (cve.getCve().getMetrics() != null && cve.getCve().getMetrics().getCvssMetricV40() != null) { + optCvssv4 = cve.getCve().getMetrics().getCvssMetricV40().stream().sorted(Comparator.comparing(CvssV4::getType)).findFirst(); + } + if (optCvssv4 != null && optCvssv4.isPresent()) { + LOGGER.error("Updating CVE: {}" , cve.getCve().getId()); + CvssV4 cvssv4 = optCvssv4.get(); + setUpdateColumn(callUpdate, 32, cvssv4.getCvssData().getVersion()); + setUpdateColumn(callUpdate, 33, cvssv4.getCvssData().getAttackVector()); + setUpdateColumn(callUpdate, 34, cvssv4.getCvssData().getAttackComplexity()); + setUpdateColumn(callUpdate, 35, cvssv4.getCvssData().getAttackRequirements()); + setUpdateColumn(callUpdate, 36, cvssv4.getCvssData().getPrivilegesRequired()); + setUpdateColumn(callUpdate, 37, cvssv4.getCvssData().getUserInteraction()); + setUpdateColumn(callUpdate, 38, cvssv4.getCvssData().getVulnConfidentialityImpact()); + setUpdateColumn(callUpdate, 39, cvssv4.getCvssData().getVulnIntegrityImpact()); + setUpdateColumn(callUpdate, 40, cvssv4.getCvssData().getVulnAvailabilityImpact()); + setUpdateColumn(callUpdate, 41, cvssv4.getCvssData().getSubConfidentialityImpact()); + setUpdateColumn(callUpdate, 42, cvssv4.getCvssData().getSubIntegrityImpact()); + setUpdateColumn(callUpdate, 43, cvssv4.getCvssData().getSubAvailabilityImpact()); + setUpdateColumn(callUpdate, 44, cvssv4.getCvssData().getExploitMaturity()); + setUpdateColumn(callUpdate, 45, cvssv4.getCvssData().getConfidentialityRequirement()); + setUpdateColumn(callUpdate, 46, cvssv4.getCvssData().getIntegrityRequirement()); + setUpdateColumn(callUpdate, 47, cvssv4.getCvssData().getAvailabilityRequirement()); + setUpdateColumn(callUpdate, 48, cvssv4.getCvssData().getModifiedAttackVector()); + 
setUpdateColumn(callUpdate, 49, cvssv4.getCvssData().getModifiedAttackComplexity());
+ setUpdateColumn(callUpdate, 50, cvssv4.getCvssData().getModifiedAttackRequirements());
+ setUpdateColumn(callUpdate, 51, cvssv4.getCvssData().getModifiedPrivilegesRequired());
+ setUpdateColumn(callUpdate, 52, cvssv4.getCvssData().getModifiedUserInteraction());
+ setUpdateColumn(callUpdate, 53, cvssv4.getCvssData().getModifiedVulnConfidentialityImpact());
+ setUpdateColumn(callUpdate, 54, cvssv4.getCvssData().getModifiedVulnIntegrityImpact());
+ setUpdateColumn(callUpdate, 55, cvssv4.getCvssData().getModifiedVulnAvailabilityImpact());
+ setUpdateColumn(callUpdate, 56, cvssv4.getCvssData().getModifiedSubConfidentialityImpact());
+ setUpdateColumn(callUpdate, 57, cvssv4.getCvssData().getModifiedSubIntegrityImpact());
+ setUpdateColumn(callUpdate, 58, cvssv4.getCvssData().getModifiedSubAvailabilityImpact());
+ setUpdateColumn(callUpdate, 59, cvssv4.getCvssData().getSafety());
+ setUpdateColumn(callUpdate, 60, cvssv4.getCvssData().getAutomatable());
+ setUpdateColumn(callUpdate, 61, cvssv4.getCvssData().getRecovery());
+ setUpdateColumn(callUpdate, 62, cvssv4.getCvssData().getValueDensity());
+ setUpdateColumn(callUpdate, 63, cvssv4.getCvssData().getVulnerabilityResponseEffort());
+ setUpdateColumn(callUpdate, 64, cvssv4.getCvssData().getProviderUrgency());
+ setUpdateColumn(callUpdate, 65, cvssv4.getCvssData().getBaseScore());
+ setUpdateColumn(callUpdate, 66, cvssv4.getCvssData().getBaseSeverity());
+ setUpdateColumn(callUpdate, 67, cvssv4.getCvssData().getThreatScore());
+ setUpdateColumn(callUpdate, 68, cvssv4.getCvssData().getThreatSeverity());
+ setUpdateColumn(callUpdate, 69, cvssv4.getCvssData().getEnvironmentalScore());
+ setUpdateColumn(callUpdate, 70, cvssv4.getCvssData().getEnvironmentalSeverity());
+ setUpdateColumn(callUpdate, 71, cvssv4.getSource());
+ setUpdateColumn(callUpdate, 72, cvssv4.getType());
+ } else {
+ callUpdate.setNull(32, java.sql.Types.VARCHAR);
+
callUpdate.setNull(33, java.sql.Types.VARCHAR);
+ callUpdate.setNull(34, java.sql.Types.VARCHAR);
+ callUpdate.setNull(35, java.sql.Types.VARCHAR);
+ callUpdate.setNull(36, java.sql.Types.VARCHAR);
+ callUpdate.setNull(37, java.sql.Types.VARCHAR);
+ callUpdate.setNull(38, java.sql.Types.VARCHAR);
+ callUpdate.setNull(39, java.sql.Types.VARCHAR);
+ callUpdate.setNull(40, java.sql.Types.VARCHAR);
+ callUpdate.setNull(41, java.sql.Types.VARCHAR);
+ callUpdate.setNull(42, java.sql.Types.VARCHAR);
+ callUpdate.setNull(43, java.sql.Types.VARCHAR);
+ callUpdate.setNull(44, java.sql.Types.VARCHAR);
+ callUpdate.setNull(45, java.sql.Types.VARCHAR);
+ callUpdate.setNull(46, java.sql.Types.VARCHAR);
+ callUpdate.setNull(47, java.sql.Types.VARCHAR);
+ callUpdate.setNull(48, java.sql.Types.VARCHAR);
+ callUpdate.setNull(49, java.sql.Types.VARCHAR);
+ callUpdate.setNull(50, java.sql.Types.VARCHAR);
+ callUpdate.setNull(51, java.sql.Types.VARCHAR);
+ callUpdate.setNull(52, java.sql.Types.VARCHAR);
+ callUpdate.setNull(53, java.sql.Types.VARCHAR);
+ callUpdate.setNull(54, java.sql.Types.VARCHAR);
+ callUpdate.setNull(55, java.sql.Types.VARCHAR);
+ callUpdate.setNull(56, java.sql.Types.VARCHAR);
+ callUpdate.setNull(57, java.sql.Types.VARCHAR);
+ callUpdate.setNull(58, java.sql.Types.VARCHAR);
+ callUpdate.setNull(59, java.sql.Types.VARCHAR);
+ callUpdate.setNull(60, java.sql.Types.VARCHAR);
+ callUpdate.setNull(61, java.sql.Types.VARCHAR);
+ callUpdate.setNull(62, java.sql.Types.VARCHAR);
+ callUpdate.setNull(63, java.sql.Types.VARCHAR);
+ callUpdate.setNull(64, java.sql.Types.VARCHAR);
+ callUpdate.setNull(65, java.sql.Types.DOUBLE);
+ callUpdate.setNull(66, java.sql.Types.VARCHAR);
+ callUpdate.setNull(67, java.sql.Types.DOUBLE);
+ callUpdate.setNull(68, java.sql.Types.VARCHAR);
+ callUpdate.setNull(69, java.sql.Types.DOUBLE);
+ callUpdate.setNull(70, java.sql.Types.VARCHAR);
+ callUpdate.setNull(71, java.sql.Types.VARCHAR);
+ callUpdate.setNull(72, java.sql.Types.VARCHAR);
+ }
if (isOracle) { try { final CallableStatement cs = (CallableStatement) callUpdate; - cs.registerOutParameter(32, JDBCType.INTEGER); + cs.registerOutParameter(73, JDBCType.INTEGER); cs.executeUpdate(); - vulnerabilityId = cs.getInt(32); + vulnerabilityId = cs.getInt(73); } catch (SQLException ex) { final String msg = String.format("Unable to retrieve id for new vulnerability for '%s'", cve.getCve().getId()); throw new DatabaseException(msg, ex); @@ -1655,6 +1994,14 @@ private void setUpdateColumn(PreparedStatement ps, int i, String value) throws S ps.setString(i, value); } } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4.Type value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } private void setUpdateColumn(PreparedStatement ps, int i, Boolean value) throws SQLException { if (value == null) { 
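Review bot: `LOGGER.error("Updating CVE: {}" , cve.getCve().getId());` logs an ordinary update at ERROR level, so every CVE that carries a v4 metric will surface as an error in users' logs during each NVD refresh; it reads as a leftover debug statement and should become `LOGGER.debug("Updating CVE: {}", cve.getCve().getId());` or be removed. `Optional optCvssv4 = null;` mirrors the existing `optCvssv2` handling, but initialising it with `Optional.empty()` would drop the `optCvssv4 != null &&` test in the line below. The else branch spells out columns 32–72 a third time; `for (int col = 32; col <= 72; col++) { callUpdate.setNull(col, (col == 65 || col == 67 || col == 69) ? java.sql.Types.DOUBLE : java.sql.Types.VARCHAR); }` says the same thing without a list that can drift from the populated path. The Oracle out-parameter move from 32 to 73 matches the 41 new columns. updateOrInsertVulnerability starts outside the hunk.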
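Review bot: The new `setUpdateColumn(PreparedStatement, int, CvssV4.Type)` overload, and the twenty-one copies of it for the `CvssV4Data` enums in the `@@ -1734` hunk, differ only in the parameter type and each just unwraps `value.value()` before doing what the existing String overload already does. One generic helper, `private <T> void setUpdateColumn(PreparedStatement ps, int i, T value, Function<T, String> toValue) throws SQLException { setUpdateColumn(ps, i, value == null ? null : toValue.apply(value)); }`, called as `setUpdateColumn(callUpdate, 72, cvssv4.getType(), CvssV4.Type::value);`, replaces roughly 170 lines and cannot drift between copies. A function parameter rather than a bounded type is suggested because the client library's enums do not appear to share an interface exposing `value()` — confirm against the library; `java.util.function.Function` needs importing if it is not already in scope.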
@@ -1734,6 +2081,182 @@ private void setUpdateColumn(PreparedStatement ps, int i, CvssV3Data.Version val } } + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.Version value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.AttackVectorType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.AttackComplexityType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.AttackRequirementsType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.PrivilegesRequiredType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.UserInteractionType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.CiaType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ExploitMaturityType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } 
+
+ private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.CiaRequirementType value) throws SQLException {
+ if (value == null) {
+ ps.setNull(i, java.sql.Types.VARCHAR);
+ } else {
+ ps.setString(i, value.value());
+ }
+ }
+
+ private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ModifiedAttackVectorType value) throws SQLException {
+ if (value == null) {
+ ps.setNull(i, java.sql.Types.VARCHAR);
+ } else {
+ ps.setString(i, value.value());
+ }
+ }
+
+ private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ModifiedAttackComplexityType value) throws SQLException {
+ if (value == null) {
+ ps.setNull(i, java.sql.Types.VARCHAR);
+ } else {
+ ps.setString(i, value.value());
+ }
+ }
+
+ private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ModifiedAttackRequirementsType value) throws SQLException {
+ if (value == null) {
+ ps.setNull(i, java.sql.Types.VARCHAR);
+ } else {
+ ps.setString(i, value.value());
+ }
+ }
+
+ private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ModifiedPrivilegesRequiredType value) throws SQLException {
+ if (value == null) {
+ ps.setNull(i, java.sql.Types.VARCHAR);
+ } else {
+ ps.setString(i, value.value());
+ }
+ }
+
+ private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ModifiedUserInteractionType value) throws SQLException {
+ if (value == null) {
+ ps.setNull(i, java.sql.Types.VARCHAR);
+ } else {
+ ps.setString(i, value.value());
+ }
+ }
+
+ private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ModifiedCiaType value) throws SQLException {
+ if (value == null) {
+ ps.setNull(i, java.sql.Types.VARCHAR);
+ } else {
+ ps.setString(i, value.value());
+ }
+ }
+
+ private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.SafetyType value) throws SQLException {
+ if (value == null) {
+ ps.setNull(i, java.sql.Types.VARCHAR);
+ } else {
+ ps.setString(i, value.value());
+ }
+ }
+
+ private void setUpdateColumn(PreparedStatement ps,
int i, CvssV4Data.AutomatableType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.RecoveryType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ValueDensityType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.VulnerabilityResponseEffortType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.ProviderUrgencyType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + + private void setUpdateColumn(PreparedStatement ps, int i, CvssV4Data.SeverityType value) throws SQLException { + if (value == null) { + ps.setNull(i, java.sql.Types.VARCHAR); + } else { + ps.setString(i, value.value()); + } + } + /** * Sets the float parameter on a prepared statement from a properties map. * diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/H2Functions.java b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/H2Functions.java index 4032248b9b6..e683746b7f1 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/H2Functions.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/H2Functions.java 
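Review bot: None of the twenty-one `setUpdateColumn` overloads added in this hunk carries a Javadoc comment, whereas the neighbouring overloads do (the `Sets the float parameter on a prepared statement from a properties map.` block directly after the hunk shows the house style). Each new method should get at least `/** Sets a nullable CVSS v4 enum column, writing SQL NULL when the value is absent. */` with `@param ps`, `@param i`, `@param value` and `@throws SQLException` lines, or the set should be folded into one documented generic helper so the comment is written once. The hunk does not cut through any definition; the last overload closes before the trailing context lines.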
@@ -178,6 +178,47 @@ public static void insertSoftware(final Connection conn, int vulnerabilityId, St
 * @param v3BaseScore the CVSS v3 base score
 * @param v3BaseSeverity the CVSS v3 base severity
 * @param v3Version the CVSS v3 version
+ * @param v4version CVSS v4 data
+ * @param v4attackVector CVSS v4 data
+ * @param v4attackComplexity CVSS v4 data
+ * @param v4attackRequirements CVSS v4 data
+ * @param v4privilegesRequired CVSS v4 data
+ * @param v4userInteraction CVSS v4 data
+ * @param v4vulnConfidentialityImpact CVSS v4 data
+ * @param v4vulnIntegrityImpact CVSS v4 data
+ * @param v4vulnAvailabilityImpact CVSS v4 data
+ * @param v4subConfidentialityImpact CVSS v4 data
+ * @param v4subIntegrityImpact CVSS v4 data
+ * @param v4subAvailabilityImpact CVSS v4 data
+ * @param v4exploitMaturity CVSS v4 data
+ * @param v4confidentialityRequirement CVSS v4 data
+ * @param v4integrityRequirement CVSS v4 data
+ * @param v4availabilityRequirement CVSS v4 data
+ * @param v4modifiedAttackVector CVSS v4 data
+ * @param v4modifiedAttackComplexity CVSS v4 data
+ * @param v4modifiedAttackRequirements CVSS v4 data
+ * @param v4modifiedPrivilegesRequired CVSS v4 data
+ * @param v4modifiedUserInteraction CVSS v4 data
+ * @param v4modifiedVulnConfidentialityImpact CVSS v4 data
+ * @param v4modifiedVulnIntegrityImpact CVSS v4 data
+ * @param v4modifiedVulnAvailabilityImpact CVSS v4 data
+ * @param v4modifiedSubConfidentialityImpact CVSS v4 data
+ * @param v4modifiedSubIntegrityImpact CVSS v4 data
+ * @param v4modifiedSubAvailabilityImpact CVSS v4 data
+ * @param v4safety CVSS v4 data
+ * @param v4automatable CVSS v4 data
+ * @param v4recovery CVSS v4 data
+ * @param v4valueDensity CVSS v4 data
+ * @param v4vulnerabilityResponseEffort CVSS v4 data
+ * @param v4providerUrgency CVSS v4 data
+ * @param v4baseScore CVSS v4 data
+ * @param v4baseSeverity CVSS v4 data
+ * @param v4threatScore CVSS v4 data
+ * @param v4threatSeverity CVSS v4 data
+ * @param v4environmentalScore CVSS v4 data
+ * @param v4environmentalSeverity CVSS v4 data
+ * @param v4source CVSS v4 data
+ * @param v4type CVSS v4 data
 * @return a result set containing the vulnerability id
 * @throws SQLException thrown if there is an error updating or inserting
 * the vulnerability
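Review bot: Every one of the 41 added `@param` tags carries the identical placeholder text `CVSS v4 data`, so the Javadoc gives a caller no help distinguishing, for example, `v4baseScore` from `v4threatScore` or saying what `v4source` and `v4type` hold. Following the style of the existing v3 tags, each should name its value, e.g. `@param v4baseScore the CVSS v4 base score`, `@param v4baseSeverity the CVSS v4 base severity`, `@param v4source the source of the CVSS v4 metrics`. The `updateVulnerability` signature these tags describe starts outside this hunk.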
@@ -192,7 +233,20 @@ public static ResultSet updateVulnerability(final Connection conn, String cve, Float v3ImpactScore, String v3AttackVector, String v3AttackComplexity, String v3PrivilegesRequired, String v3UserInteraction, String v3Scope, String v3ConfidentialityImpact, String v3IntegrityImpact, String v3AvailabilityImpact, - Float v3BaseScore, String v3BaseSeverity, String v3Version) throws SQLException { + Float v3BaseScore, String v3BaseSeverity, String v3Version, String v4version, + String v4attackVector, String v4attackComplexity, String v4attackRequirements, + String v4privilegesRequired, String v4userInteraction, String v4vulnConfidentialityImpact, + String v4vulnIntegrityImpact, String v4vulnAvailabilityImpact, String v4subConfidentialityImpact, + String v4subIntegrityImpact, String v4subAvailabilityImpact, String v4exploitMaturity, + String v4confidentialityRequirement, String v4integrityRequirement, String v4availabilityRequirement, + String v4modifiedAttackVector, String v4modifiedAttackComplexity, String v4modifiedAttackRequirements, + String v4modifiedPrivilegesRequired, String v4modifiedUserInteraction, String v4modifiedVulnConfidentialityImpact, + String v4modifiedVulnIntegrityImpact, String v4modifiedVulnAvailabilityImpact, String v4modifiedSubConfidentialityImpact, + String v4modifiedSubIntegrityImpact, String v4modifiedSubAvailabilityImpact, String v4safety, + String v4automatable, String v4recovery, String v4valueDensity, String v4vulnerabilityResponseEffort, + String v4providerUrgency, Float v4baseScore, String v4baseSeverity, Float v4threatScore, + String v4threatSeverity, Float v4environmentalScore, String v4environmentalSeverity, + String v4source, String v4type) throws SQLException { final SimpleResultSet ret = new SimpleResultSet(); ret.addColumn("id", Types.INTEGER, 10, 0); 
@@ -240,7 +294,22 @@ public static ResultSet updateVulnerability(final Connection conn, String cve, + "v3ImpactScore=?, v3AttackVector=?, v3AttackComplexity=?, " + "v3PrivilegesRequired=?, v3UserInteraction=?, v3Scope=?, " + "v3ConfidentialityImpact=?, v3IntegrityImpact=?, v3AvailabilityImpact=?, " - + "v3BaseScore=?, v3BaseSeverity=?, v3Version=? " + + "v3BaseScore=?, v3BaseSeverity=?, v3Version=?, v4version=?, v4attackVector=?, " + + "v4attackComplexity=?, v4attackRequirements=?, v4privilegesRequired=?, " + + "v4userInteraction=?, v4vulnConfidentialityImpact=?, v4vulnIntegrityImpact=?, " + + "v4vulnAvailabilityImpact=?, v4subConfidentialityImpact=?, v4subIntegrityImpact=?, " + + "v4subAvailabilityImpact=?, v4exploitMaturity=?, " + + "v4confidentialityRequirement=?, v4integrityRequirement=?, " + + "v4availabilityRequirement=?, v4modifiedAttackVector=?, " + + "v4modifiedAttackComplexity=?, v4modifiedAttackRequirements=?, " + + "v4modifiedPrivilegesRequired=?, v4modifiedUserInteraction=?, " + + "v4modifiedVulnConfidentialityImpact=?, v4modifiedVulnIntegrityImpact=?, " + + "v4modifiedVulnAvailabilityImpact=?, v4modifiedSubConfidentialityImpact=?, " + + "v4modifiedSubIntegrityImpact=?, v4modifiedSubAvailabilityImpact=?, " + + "v4safety=?, v4automatable=?, v4recovery=?, v4valueDensity=?, " + + "v4vulnerabilityResponseEffort=?, v4providerUrgency=?, v4baseScore=?, " + + "v4baseSeverity=?, v4threatScore=?, v4threatSeverity=?, v4environmentalScore=?, " + + "v4environmentalSeverity=?, v4source=?, v4type=?" + "WHERE id=?"); } else { //just do insert 
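Review bot: The final added fragment `"v4environmentalSeverity=?, v4source=?, v4type=?"` lacks the trailing space that the removed line `"v3BaseScore=?, v3BaseSeverity=?, v3Version=? "` carried, so the concatenation now yields `v4type=?WHERE id=?`. H2's tokenizer may still separate `?` from `WHERE`, but the statement no longer reads correctly and diverges from every other fragment in the builder; change the line to `+ "v4environmentalSeverity=?, v4source=?, v4type=? "`. The enclosing `updateVulnerability` method starts and ends outside this hunk.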
@@ -255,8 +324,22 @@ public static ResultSet updateVulnerability(final Connection conn, String cve, + "v3ImpactScore, v3AttackVector, v3AttackComplexity, " + "v3PrivilegesRequired, v3UserInteraction, v3Scope, " + "v3ConfidentialityImpact, v3IntegrityImpact, v3AvailabilityImpact, " - + "v3BaseScore, v3BaseSeverity, v3Version, cve) VALUES (?, ?, ?, ?, ?, ?, " - + "?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", + + "v3BaseScore, v3BaseSeverity, v3Version, v4version, v4attackVector, " + + "v4attackComplexity, v4attackRequirements, v4privilegesRequired, " + + "v4userInteraction, v4vulnConfidentialityImpact, v4vulnIntegrityImpact, " + + "v4vulnAvailabilityImpact, v4subConfidentialityImpact, v4subIntegrityImpact, " + + "v4subAvailabilityImpact, v4exploitMaturity,v4confidentialityRequirement, " + + "v4integrityRequirement, v4availabilityRequirement,v4modifiedAttackVector, " + + "v4modifiedAttackComplexity, v4modifiedAttackRequirements,v4modifiedPrivilegesRequired, " + + "v4modifiedUserInteraction, v4modifiedVulnConfidentialityImpact,v4modifiedVulnIntegrityImpact, " + + "v4modifiedVulnAvailabilityImpact, v4modifiedSubConfidentialityImpact,v4modifiedSubIntegrityImpact, " + + "v4modifiedSubAvailabilityImpact, v4safety, v4automatable, v4recovery, v4valueDensity, " + + "v4vulnerabilityResponseEffort, v4providerUrgency, v4baseScore, v4baseSeverity, " + + "v4threatScore,v4threatSeverity, v4environmentalScore, v4environmentalSeverity, " + + "v4source, v4type, cve) VALUES (?, ?, ?, ?, ?, ?, " + + "?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, " + + "?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, " + + "?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", returnedColumns); } 
@@ -291,12 +374,58 @@ public static ResultSet updateVulnerability(final Connection conn, String cve,
 setFloatOrNull(merge, 28, v3BaseScore);
 setStringOrNull(merge, 29, v3BaseSeverity);
 setStringOrNull(merge, 30, v3Version);
+
+
+ setStringOrNull(merge, 31, v4version);
+ setStringOrNull(merge, 32, v4attackVector);
+ setStringOrNull(merge, 33, v4attackComplexity);
+ setStringOrNull(merge, 34, v4attackRequirements);
+ setStringOrNull(merge, 35, v4privilegesRequired);
+ setStringOrNull(merge, 36, v4userInteraction);
+ setStringOrNull(merge, 37, v4vulnConfidentialityImpact);
+ setStringOrNull(merge, 38, v4vulnIntegrityImpact);
+ setStringOrNull(merge, 39, v4vulnAvailabilityImpact);
+ setStringOrNull(merge, 40, v4subConfidentialityImpact);
+ setStringOrNull(merge, 41, v4subIntegrityImpact);
+ setStringOrNull(merge, 42, v4subAvailabilityImpact);
+ setStringOrNull(merge, 43, v4exploitMaturity);
+ setStringOrNull(merge, 44, v4confidentialityRequirement);
+ setStringOrNull(merge, 45, v4integrityRequirement);
+ setStringOrNull(merge, 46, v4availabilityRequirement);
+ setStringOrNull(merge, 47, v4modifiedAttackVector);
+ setStringOrNull(merge, 48, v4modifiedAttackComplexity);
+ setStringOrNull(merge, 49, v4modifiedAttackRequirements);
+ setStringOrNull(merge, 50, v4modifiedPrivilegesRequired);
+ setStringOrNull(merge, 51, v4modifiedUserInteraction);
+ setStringOrNull(merge, 52, v4modifiedVulnConfidentialityImpact);
+ setStringOrNull(merge, 53, v4modifiedVulnIntegrityImpact);
+ setStringOrNull(merge, 54, v4modifiedVulnAvailabilityImpact);
+ setStringOrNull(merge, 55, v4modifiedSubConfidentialityImpact);
+ setStringOrNull(merge, 56, v4modifiedSubIntegrityImpact);
+ setStringOrNull(merge, 57, v4modifiedSubAvailabilityImpact);
+ setStringOrNull(merge, 58, v4safety);
+ setStringOrNull(merge, 59, v4automatable);
+ setStringOrNull(merge, 60, v4recovery);
+ setStringOrNull(merge, 61, v4valueDensity);
+ setStringOrNull(merge, 62, v4vulnerabilityResponseEffort);
+ setStringOrNull(merge,
63, v4providerUrgency);
+ setFloatOrNull(merge, 64, v4baseScore);
+ setStringOrNull(merge, 65, v4baseSeverity);
+ setFloatOrNull(merge, 66, v4threatScore);
+ setStringOrNull(merge, 67, v4threatSeverity);
+ setFloatOrNull(merge, 68, v4environmentalScore);
+ setStringOrNull(merge, 69, v4environmentalSeverity);
+ setStringOrNull(merge, 70, v4source);
+ setStringOrNull(merge, 71, v4type);
+
+ //cve must be the last entry
 if (vulnerabilityId == 0) {
- merge.setString(31, cve);
+ merge.setString(72, cve);
 } else {
- merge.setInt(31, vulnerabilityId);
+ merge.setInt(72, vulnerabilityId);
 }
+
 final int count = merge.executeUpdate();
 if (vulnerabilityId == 0) {
 try (ResultSet rs = merge.getGeneratedKeys()) {
diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
index e13a8257270..d79b75ecfe6 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
@@ -19,6 +19,7 @@
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -116,6 +117,11 @@ public enum Source {
 * The CVSS V3 scoring information.
 */
 private CvssV3 cvssV3;
+
+ /**
+ * The CVSS V4 scoring information.
+ */
+ private CvssV4 cvssV4;
 /**
 * The Vulnerable Software that caused this vulnerability to be flagged.
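Review bot: The 41 new bind positions are typed as literals 31 through 71, with `cve`/`id` moved to 72, and they must stay in lock-step with two separately maintained column lists in the UPDATE and INSERT strings; one omission or reordering silently writes every later value into the wrong column rather than failing. A running index derives the positions instead of asserting them: `int idx = 31;` followed by `setStringOrNull(merge, idx++, v4version);` for each value and `merge.setString(idx, cve);` at the end, so the comment `//cve must be the last entry` is enforced by construction. The two blank lines inserted before `setStringOrNull(merge, 31, v4version);` also look like leftovers. The enclosing `updateVulnerability` method starts and ends outside this hunk.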
@@ -337,6 +343,24 @@ public CvssV3 getCvssV3() {
 public void setCvssV3(CvssV3 cvssV3) {
 this.cvssV3 = cvssV3;
 }
+
+ /**
+ * Get the CVSS V3 scoring information.
+ *
+ * @return the CVSS V3 scoring information
+ */
+ public CvssV4 getCvssV4() {
+ return cvssV4;
+ }
+
+ /**
+ * Sets the CVSS V4 scoring information.
+ *
+ * @param cvssV4 the CVSS V4 scoring information
+ */
+ public void setCvssV4(CvssV4 cvssV4) {
+ this.cvssV4 = cvssV4;
+ }
 /**
 * Get the set of CWEs.
diff --git a/core/src/main/resources/data/dbStatements.properties b/core/src/main/resources/data/dbStatements.properties
index 17782e10d31..c7f06782970 100644
--- a/core/src/main/resources/data/dbStatements.properties
+++ b/core/src/main/resources/data/dbStatements.properties
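Review bot: The Javadoc on the new `getCvssV4()` was copied from the V3 getter and still says `Get the CVSS V3 scoring information.` with `@return the CVSS V3 scoring information`, which will mislead anyone reading the generated API docs. Change both lines to `Get the CVSS V4 scoring information.` and `@return the CVSS V4 scoring information`; the setter's Javadoc is already correct.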
@@ -21,7 +21,7 @@ COUNT_CPE=SELECT COUNT(*) records FROM cpeEntry INSERT_CWE=INSERT INTO cweEntry (cveid, cwe) VALUES (?, ?) INSERT_REFERENCE=INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?) INSERT_SOFTWARE=CALL insert_software(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) -UPDATE_VULNERABILITY=CALL update_vulnerability(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) +UPDATE_VULNERABILITY=CALL update_vulnerability(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) SELECT_CPE_ECOSYSTEM=SELECT DISTINCT vendor, product, ecosystem FROM cpeEcosystemCache SELECT_CVE_FROM_SOFTWARE=SELECT cve, part, vendor, product, version, update_version, edition, lang, sw_edition, target_sw, target_hw, other, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable FROM software INNER JOIN vulnerability ON vulnerability.id = software.cveid INNER JOIN cpeEntry ON cpeEntry.id = software.cpeEntryId WHERE vendor = ? AND product = ? ORDER BY cve, vendor, product, version, update_version 
@@ -30,7 +30,7 @@ SELECT_REFERENCES=SELECT source, name, url FROM reference WHERE cveid = ? SELECT_VENDOR_PRODUCT_LIST=SELECT vendor, product FROM cpeEntry GROUP BY vendor, product SELECT_VENDOR_PRODUCT_LIST_FOR_NODE=SELECT vendor, product FROM cpeEntry WHERE ecosystem like 'npm' or ecosystem like 'node.js' or target_sw like 'node.js' GROUP BY vendor, product SELECT_SOFTWARE=SELECT part, vendor, product, version, update_version, edition, lang, sw_edition, target_sw, target_hw, other, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable FROM software INNER JOIN cpeEntry ON software.cpeEntryId = cpeEntry.id WHERE cveid = ? -SELECT_VULNERABILITY=SELECT id, description, v2Severity, v2ExploitabilityScore, v2ImpactScore, v2AcInsufInfo, v2ObtainAllPrivilege, v2ObtainUserPrivilege, v2ObtainOtherPrivilege, v2UserInteractionRequired, v2Score, v2AccessVector, v2AccessComplexity, v2Authentication, v2ConfidentialityImpact, v2IntegrityImpact, v2AvailabilityImpact, v2Version, v3ExploitabilityScore, v3ImpactScore, v3AttackVector, v3AttackComplexity, v3PrivilegesRequired, v3UserInteraction, v3Scope, v3ConfidentialityImpact, v3IntegrityImpact, v3AvailabilityImpact, v3BaseScore, v3BaseSeverity, v3Version FROM vulnerability WHERE cve = ? 
+SELECT_VULNERABILITY=SELECT id, description, v2Severity, v2ExploitabilityScore, v2ImpactScore, v2AcInsufInfo, v2ObtainAllPrivilege, v2ObtainUserPrivilege, v2ObtainOtherPrivilege, v2UserInteractionRequired, v2Score, v2AccessVector, v2AccessComplexity, v2Authentication, v2ConfidentialityImpact, v2IntegrityImpact, v2AvailabilityImpact, v2Version, v3ExploitabilityScore, v3ImpactScore, v3AttackVector, v3AttackComplexity, v3PrivilegesRequired, v3UserInteraction, v3Scope, v3ConfidentialityImpact, v3IntegrityImpact, v3AvailabilityImpact, v3BaseScore, v3BaseSeverity, v3Version, v4version, v4attackVector, v4attackComplexity, v4attackRequirements, v4privilegesRequired, v4userInteraction, v4vulnConfidentialityImpact, v4vulnIntegrityImpact, v4vulnAvailabilityImpact, v4subConfidentialityImpact, v4subIntegrityImpact, v4subAvailabilityImpact, v4exploitMaturity, v4confidentialityRequirement, v4integrityRequirement, v4availabilityRequirement, v4modifiedAttackVector, v4modifiedAttackComplexity, v4modifiedAttackRequirements, v4modifiedPrivilegesRequired, v4modifiedUserInteraction, v4modifiedVulnConfidentialityImpact, v4modifiedVulnIntegrityImpact, v4modifiedVulnAvailabilityImpact, v4modifiedSubConfidentialityImpact, v4modifiedSubIntegrityImpact, v4modifiedSubAvailabilityImpact, v4safety, v4automatable, v4recovery, v4valueDensity, v4vulnerabilityResponseEffort, v4providerUrgency, v4baseScore, v4baseSeverity, v4threatScore, v4threatSeverity, v4environmentalScore, v4environmentalSeverity, v4source, v4type FROM vulnerability WHERE cve = ? SELECT_VULNERABILITY_CWE=SELECT cwe FROM cweEntry WHERE cveid = ? SELECT_PROPERTIES=SELECT * FROM properties SELECT_PROPERTY=SELECT * FROM properties WHERE id = ? diff --git a/core/src/main/resources/data/dbStatements_h2.properties b/core/src/main/resources/data/dbStatements_h2.properties index ed8fae70bb8..7aeaa17897c 100644 --- a/core/src/main/resources/data/dbStatements_h2.properties +++ b/core/src/main/resources/data/dbStatements_h2.properties 
@@ -16,6 +16,6 @@ MERGE_PROPERTY=MERGE INTO properties (id, `value`) KEY(id) VALUES(?, ?) MERGE_CPE_ECOSYSTEM=MERGE INTO cpeEcosystemCache (vendor, product, ecosystem) KEY(vendor, product) VALUES(?, ?, ?) CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id IN (SELECT id FROM cpeEntry LEFT JOIN software ON cpeEntry.id = software.CPEEntryId WHERE software.CPEEntryId IS NULL) -UPDATE_VULNERABILITY=SELECT * FROM update_vulnerability(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) +UPDATE_VULNERABILITY=SELECT * FROM update_vulnerability(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) SELECT_SCHEMA_VERSION=SELECT `value` FROM properties WHERE id = 'version' diff --git a/core/src/main/resources/data/dbStatements_microsoft sql server.properties b/core/src/main/resources/data/dbStatements_microsoft sql server.properties index a5eb15b9c7b..4a05e6da786 100644 --- a/core/src/main/resources/data/dbStatements_microsoft sql server.properties +++ b/core/src/main/resources/data/dbStatements_microsoft sql server.properties 
@@ -13,7 +13,7 @@ # limitations under the License. INSERT_SOFTWARE=EXEC insert_software ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? -UPDATE_VULNERABILITY=EXEC update_vulnerability ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? +UPDATE_VULNERABILITY=EXEC update_vulnerability ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? UPDATE_ECOSYSTEM=UPDATE cpeEntry SET ecosystem=cpeEcosystemCache.ecosystem FROM cpeEntry INNER JOIN cpeEcosystemCache ON cpeEcosystemCache.vendor=cpeEntry.vendor AND cpeEcosystemCache.product=cpeEntry.product WHERE cpeEntry.ecosystem IS NULL AND cpeEcosystemCache.ecosystem<>'MULTIPLE'; UPDATE_ECOSYSTEM2=UPDATE cpeEntry SET ecosystem=null FROM cpeEntry INNER JOIN cpeEcosystemCache ON cpeEcosystemCache.vendor=cpeEntry.vendor AND cpeEcosystemCache.product=cpeEntry.product WHERE cpeEcosystemCache.ecosystem='MULTIPLE' AND cpeEntry.ecosystem IS NOT NULL; diff --git a/core/src/main/resources/data/dbStatements_oracle.properties b/core/src/main/resources/data/dbStatements_oracle.properties index ee7ed4b9e70..d7c29f24d7a 100644 --- a/core/src/main/resources/data/dbStatements_oracle.properties +++ b/core/src/main/resources/data/dbStatements_oracle.properties 
@@ -19,5 +19,5 @@ CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id not in (SELECT CPEEntryId FROM sof UPDATE_ECOSYSTEM=UPDATE v_update_ecosystems SET entryEco=cachedEco WHERE entryEco IS NULL AND cachedEco <>'MULTIPLE' UPDATE_ECOSYSTEM2=UPDATE v_update_ecosystems SET entryEco = NULL WHERE cachedEco = 'MULTIPLE' AND entryEco IS NOT NULL -UPDATE_VULNERABILITY={ call update_vulnerability( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) } +UPDATE_VULNERABILITY={ call update_vulnerability(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) } MERGE_KNOWN_EXPLOITED={ CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) } \ No newline at end of file diff --git a/core/src/main/resources/data/dbStatements_postgresql.properties b/core/src/main/resources/data/dbStatements_postgresql.properties index 04c982502c6..8c8d7b507cb 100644 --- a/core/src/main/resources/data/dbStatements_postgresql.properties +++ b/core/src/main/resources/data/dbStatements_postgresql.properties 
@@ -15,7 +15,7 @@ MERGE_PROPERTY=SELECT save_property(?, ?); CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE NOT EXISTS (SELECT * FROM software WHERE cpeEntry.id = software.CPEEntryId); INSERT_SOFTWARE=SELECT insert_software(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) -UPDATE_VULNERABILITY=SELECT update_vulnerability(?::VARCHAR(20), ?::VARCHAR(8000), ?::VARCHAR(20), ?::DECIMAL(3,1), ?::DECIMAL(3,1), ?::BOOLEAN, ?::BOOLEAN, ?:: BOOLEAN, ?::BOOLEAN, ?::BOOLEAN, ?::DECIMAL(3,1), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(5),?::DECIMAL(3,1), ?::DECIMAL(3,1), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::DECIMAL(3,1), ?::VARCHAR(20), ?::VARCHAR(5)); +UPDATE_VULNERABILITY=SELECT update_vulnerability(?::VARCHAR(20), ?::VARCHAR(8000), ?::VARCHAR(20), ?::DECIMAL(3,1), ?::DECIMAL(3,1), ?::BOOLEAN, ?::BOOLEAN, ?:: BOOLEAN, ?::BOOLEAN, ?::BOOLEAN, ?::DECIMAL(3,1), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(5),?::DECIMAL(3,1), ?::DECIMAL(3,1), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::VARCHAR(20), ?::DECIMAL(3,1), ?::VARCHAR(20), ?::VARCHAR(5), ?::VARCHAR(5), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(20), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::VARCHAR(15), ?::DECIMAL(3,1), ?::VARCHAR(15), ?::DECIMAL(3,1), ?::VARCHAR(15), ?::DECIMAL(3,1), ?::VARCHAR(15)); MERGE_CPE_ECOSYSTEM=SELECT 
merge_ecosystem(?, ?, ?); MERGE_KNOWN_EXPLOITED=CALL merge_knownexploited(?,?,?,?,?,?,?,?,?); diff --git a/core/src/main/resources/data/initialize.sql b/core/src/main/resources/data/initialize.sql index 580aaee4fdd..b2c5ee29baf 100644 --- a/core/src/main/resources/data/initialize.sql +++ b/core/src/main/resources/data/initialize.sql 
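Review bot: The new PostgreSQL `UPDATE_VULNERABILITY` cast list closes immediately after the third score/severity pair (`?::DECIMAL(3,1), ?::VARCHAR(15))`, i.e. after `v4environmentalScore`/`v4environmentalSeverity`), so no placeholders are supplied for `v4source` and `v4type`, whereas the H2, MSSQL and Oracle statements in this commit and the Java caller (which binds position 72 for `cve`) pass two more. Unless the PostgreSQL `update_vulnerability` function, whose definition is not in this chunk, declares defaults for those two parameters, the call will fail with a function-signature mismatch and no CVSS v4 data will be stored on PostgreSQL. Append `, ?::VARCHAR(50), ?::VARCHAR(15)` before the closing parenthesis, matching the `v4source VARCHAR(50)` and `v4type VARCHAR(15)` column widths declared in initialize.sql.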
@@ -20,7 +20,20 @@ CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) U v3ImpactScore DECIMAL(3,1), v3AttackVector VARCHAR(20), v3AttackComplexity VARCHAR(20), v3PrivilegesRequired VARCHAR(20), v3UserInteraction VARCHAR(20), v3Scope VARCHAR(20), v3ConfidentialityImpact VARCHAR(20), v3IntegrityImpact VARCHAR(20), v3AvailabilityImpact VARCHAR(20), - v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5)); + v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5), + v4version VARCHAR(5), v4attackVector VARCHAR(15), v4attackComplexity VARCHAR(15), + v4attackRequirements VARCHAR(15), v4privilegesRequired VARCHAR(15), v4userInteraction VARCHAR(15), + v4vulnConfidentialityImpact VARCHAR(15), v4vulnIntegrityImpact VARCHAR(15), v4vulnAvailabilityImpact VARCHAR(15), + v4subConfidentialityImpact VARCHAR(15), v4subIntegrityImpact VARCHAR(15), + v4subAvailabilityImpact VARCHAR(15), v4exploitMaturity VARCHAR(20), v4confidentialityRequirement VARCHAR(15), + v4integrityRequirement VARCHAR(15), v4availabilityRequirement VARCHAR(15), v4modifiedAttackVector VARCHAR(15), + v4modifiedAttackComplexity VARCHAR(15), v4modifiedAttackRequirements VARCHAR(15), v4modifiedPrivilegesRequired VARCHAR(15), + v4modifiedUserInteraction VARCHAR(15), v4modifiedVulnConfidentialityImpact VARCHAR(15), v4modifiedVulnIntegrityImpact VARCHAR(15), + v4modifiedVulnAvailabilityImpact VARCHAR(15), v4modifiedSubConfidentialityImpact VARCHAR(15), v4modifiedSubIntegrityImpact VARCHAR(15), + v4modifiedSubAvailabilityImpact VARCHAR(15), v4safety VARCHAR(15), v4automatable VARCHAR(15), v4recovery VARCHAR(15), + v4valueDensity VARCHAR(15), v4vulnerabilityResponseEffort VARCHAR(15), v4providerUrgency VARCHAR(15), + v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), + v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); CREATE TABLE 
reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); @@ -68,4 +81,4 @@ CREATE ALIAS insert_software FOR "org.owasp.dependencycheck.data.nvdcve.H2Functi CREATE ALIAS merge_knownexploited FOR "org.owasp.dependencycheck.data.nvdcve.H2Functions.mergeKnownExploited"; CREATE TABLE properties (id varchar(50) PRIMARY KEY, `value` varchar(500)); -INSERT INTO properties(id, `value`) VALUES ('version', '5.4'); \ No newline at end of file +INSERT INTO properties(id, `value`) VALUES ('version', '5.5'); \ No newline at end of file diff --git a/core/src/main/resources/data/initialize_mssql.sql b/core/src/main/resources/data/initialize_mssql.sql index 10d27e78cd2..8ccc2241838 100644 --- a/core/src/main/resources/data/initialize_mssql.sql +++ b/core/src/main/resources/data/initialize_mssql.sql 
@@ -39,7 +39,20 @@ CREATE TABLE vulnerability (id int identity(1,1) PRIMARY KEY, cve VARCHAR(20) UN v3ImpactScore DECIMAL(3,1), v3AttackVector VARCHAR(20), v3AttackComplexity VARCHAR(20), v3PrivilegesRequired VARCHAR(20), v3UserInteraction VARCHAR(20), v3Scope VARCHAR(20), v3ConfidentialityImpact VARCHAR(20), v3IntegrityImpact VARCHAR(20), v3AvailabilityImpact VARCHAR(20), - v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5)); + v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5), + v4version VARCHAR(5), v4attackVector VARCHAR(15), v4attackComplexity VARCHAR(15), + v4attackRequirements VARCHAR(15), v4privilegesRequired VARCHAR(15), v4userInteraction VARCHAR(15), + v4vulnConfidentialityImpact VARCHAR(15), v4vulnIntegrityImpact VARCHAR(15), v4vulnAvailabilityImpact VARCHAR(15), + v4subConfidentialityImpact VARCHAR(15), v4subIntegrityImpact VARCHAR(15), + v4subAvailabilityImpact VARCHAR(15), v4exploitMaturity VARCHAR(20), v4confidentialityRequirement VARCHAR(15), + v4integrityRequirement VARCHAR(15), v4availabilityRequirement VARCHAR(15), v4modifiedAttackVector VARCHAR(15), + v4modifiedAttackComplexity VARCHAR(15), v4modifiedAttackRequirements VARCHAR(15), v4modifiedPrivilegesRequired VARCHAR(15), + v4modifiedUserInteraction VARCHAR(15), v4modifiedVulnConfidentialityImpact VARCHAR(15), v4modifiedVulnIntegrityImpact VARCHAR(15), + v4modifiedVulnAvailabilityImpact VARCHAR(15), v4modifiedSubConfidentialityImpact VARCHAR(15), v4modifiedSubIntegrityImpact VARCHAR(15), + v4modifiedSubAvailabilityImpact VARCHAR(15), v4safety VARCHAR(15), v4automatable VARCHAR(15), v4recovery VARCHAR(15), + v4valueDensity VARCHAR(15), v4vulnerabilityResponseEffort VARCHAR(15), v4providerUrgency VARCHAR(15), + v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), + v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); CREATE TABLE 
reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), CONSTRAINT FK_Reference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); 
@@ -120,7 +133,20 @@ CREATE PROCEDURE update_vulnerability ( @v3AttackComplexity VARCHAR(20), @v3PrivilegesRequired VARCHAR(20), @v3UserInteraction VARCHAR(20), @v3Scope VARCHAR(20), @v3ConfidentialityImpact VARCHAR(20), @v3IntegrityImpact VARCHAR(20), @v3AvailabilityImpact VARCHAR(20), @v3BaseScore DECIMAL(3,1), @v3BaseSeverity VARCHAR(20), - @v3Version VARCHAR(5)) AS + @v3Version VARCHAR(5), @v4version VARCHAR(5), @v4attackVector VARCHAR(15), @v4attackComplexity VARCHAR(15), + @v4attackRequirements VARCHAR(15), @v4privilegesRequired VARCHAR(15), @v4userInteraction VARCHAR(15), + @v4vulnConfidentialityImpact VARCHAR(15), @v4vulnIntegrityImpact VARCHAR(15), @v4vulnAvailabilityImpact VARCHAR(15), + @v4subConfidentialityImpact VARCHAR(15), @v4subIntegrityImpact VARCHAR(15), @v4subAvailabilityImpact VARCHAR(15), + @v4exploitMaturity VARCHAR(20), @v4confidentialityRequirement VARCHAR(15), @v4integrityRequirement VARCHAR(15), + @v4availabilityRequirement VARCHAR(15), @v4modifiedAttackVector VARCHAR(15), @v4modifiedAttackComplexity VARCHAR(15), + @v4modifiedAttackRequirements VARCHAR(15), @v4modifiedPrivilegesRequired VARCHAR(15), @v4modifiedUserInteraction VARCHAR(15), + @v4modifiedVulnConfidentialityImpact VARCHAR(15), @v4modifiedVulnIntegrityImpact VARCHAR(15), + @v4modifiedVulnAvailabilityImpact VARCHAR(15), @v4modifiedSubConfidentialityImpact VARCHAR(15), + @v4modifiedSubIntegrityImpact VARCHAR(15), @v4modifiedSubAvailabilityImpact VARCHAR(15), @v4safety VARCHAR(15), + @v4automatable VARCHAR(15), @v4recovery VARCHAR(15), @v4valueDensity VARCHAR(15), @v4vulnerabilityResponseEffort VARCHAR(15), + @v4providerUrgency VARCHAR(15), @v4baseScore DECIMAL(3,1), @v4baseSeverity VARCHAR(15), @v4threatScore DECIMAL(3,1), + @v4threatSeverity VARCHAR(15), @v4environmentalScore DECIMAL(3,1), @v4environmentalSeverity VARCHAR(15), + @v4source VARCHAR(15), @v4type VARCHAR(15)) AS BEGIN DECLARE @vulnerabilityId INT; 
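Review bot: The new parameter `@v4source VARCHAR(15)` is narrower than the `v4source VARCHAR(50)` column added to the `vulnerability` table earlier in this same file, so T-SQL silently truncates any source identifier longer than 15 characters on assignment to the parameter, and the truncated value is what reaches the column. Declare it as `@v4source VARCHAR(50)` so the procedure accepts everything the column can hold. The procedure body continues outside this hunk.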
@@ -141,7 +167,24 @@ BEGIN v3ExploitabilityScore=@v3ExploitabilityScore, v3ImpactScore=@v3ImpactScore, v3AttackVector=@v3AttackVector, v3AttackComplexity=@v3AttackComplexity, v3PrivilegesRequired=@v3PrivilegesRequired, v3UserInteraction=@v3UserInteraction, v3Scope=@v3Scope, v3ConfidentialityImpact=@v3ConfidentialityImpact, v3IntegrityImpact=@v3IntegrityImpact, - v3AvailabilityImpact=@v3AvailabilityImpact, v3BaseScore=@v3BaseScore, v3BaseSeverity=@v3BaseSeverity, v3Version=@v3Version + v3AvailabilityImpact=@v3AvailabilityImpact, v3BaseScore=@v3BaseScore, v3BaseSeverity=@v3BaseSeverity, v3Version=@v3Version, + v4version=@v4version, v4attackVector=@v4attackVector, v4attackComplexity=@v4attackComplexity, v4attackRequirements=@v4attackRequirements, + v4privilegesRequired=@v4privilegesRequired, v4userInteraction=@v4userInteraction, v4vulnConfidentialityImpact=@v4vulnConfidentialityImpact, + v4vulnIntegrityImpact=@v4vulnIntegrityImpact, v4vulnAvailabilityImpact=@v4vulnAvailabilityImpact, + v4subConfidentialityImpact=@v4subConfidentialityImpact, v4subIntegrityImpact=@v4subIntegrityImpact, + v4subAvailabilityImpact=@v4subAvailabilityImpact, v4exploitMaturity=@v4exploitMaturity, + v4confidentialityRequirement=@v4confidentialityRequirement, v4integrityRequirement=@v4integrityRequirement, + v4availabilityRequirement=@v4availabilityRequirement, v4modifiedAttackVector=@v4modifiedAttackVector, + v4modifiedAttackComplexity=@v4modifiedAttackComplexity, v4modifiedAttackRequirements=@v4modifiedAttackRequirements, + v4modifiedPrivilegesRequired=@v4modifiedPrivilegesRequired, v4modifiedUserInteraction=@v4modifiedUserInteraction, + v4modifiedVulnConfidentialityImpact=@v4modifiedVulnConfidentialityImpact, v4modifiedVulnIntegrityImpact=@v4modifiedVulnIntegrityImpact, + v4modifiedVulnAvailabilityImpact=@v4modifiedVulnAvailabilityImpact, v4modifiedSubConfidentialityImpact=@v4modifiedSubConfidentialityImpact, + v4modifiedSubIntegrityImpact=@v4modifiedSubIntegrityImpact, 
v4modifiedSubAvailabilityImpact=@v4modifiedSubAvailabilityImpact, + v4safety=@v4safety, v4automatable=@v4automatable, v4recovery=@v4recovery, v4valueDensity=@v4valueDensity, + v4vulnerabilityResponseEffort=@v4vulnerabilityResponseEffort, v4providerUrgency=@v4providerUrgency, + v4baseScore=@v4baseScore, v4baseSeverity=@v4baseSeverity, v4threatScore=@v4threatScore, + v4threatSeverity=@v4threatSeverity, v4environmentalScore=@v4environmentalScore, + v4environmentalSeverity=@v4environmentalSeverity, v4source=@v4source, v4type=@v4type WHERE id=@vulnerabilityId; END ELSE @@ -156,7 +199,18 @@ BEGIN v3ImpactScore, v3AttackVector, v3AttackComplexity, v3PrivilegesRequired, v3UserInteraction, v3Scope, v3ConfidentialityImpact, v3IntegrityImpact, v3AvailabilityImpact, - v3BaseScore, v3BaseSeverity, v3Version) + v3BaseScore, v3BaseSeverity, v3Version, v4version, v4attackVector, + v4attackComplexity, v4attackRequirements, v4privilegesRequired, v4userInteraction, + v4vulnConfidentialityImpact, v4vulnIntegrityImpact, v4vulnAvailabilityImpact, + v4subConfidentialityImpact, v4subIntegrityImpact, v4subAvailabilityImpact, + v4exploitMaturity, v4confidentialityRequirement, v4integrityRequirement, + v4availabilityRequirement, v4modifiedAttackVector, v4modifiedAttackComplexity, + v4modifiedAttackRequirements, v4modifiedPrivilegesRequired, v4modifiedUserInteraction, + v4modifiedVulnConfidentialityImpact, v4modifiedVulnIntegrityImpact, v4modifiedVulnAvailabilityImpact, + v4modifiedSubConfidentialityImpact, v4modifiedSubIntegrityImpact, v4modifiedSubAvailabilityImpact, + v4safety, v4automatable, v4recovery, v4valueDensity, v4vulnerabilityResponseEffort, + v4providerUrgency, v4baseScore, v4baseSeverity, v4threatScore, v4threatSeverity, + v4environmentalScore, v4environmentalSeverity, v4sourcey, v4type) VALUES (@cveId, @description, @v2Severity, @v2ExploitabilityScore, @v2ImpactScore, @v2AcInsufInfo, @v2ObtainAllPrivilege, 
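Review bot: The INSERT column list in the `ELSE` branch names `v4sourcey`, which is not a column of `vulnerability` (the table defines `v4source`, and the UPDATE branch in the preceding hunk uses that name correctly), so on SQL Server either the `CREATE PROCEDURE` or the first insert of a new CVE will fail with an invalid-column error and no new vulnerabilities will be stored. Change `v4environmentalScore, v4environmentalSeverity, v4sourcey, v4type) VALUES` to `v4environmentalScore, v4environmentalSeverity, v4source, v4type) VALUES`. The procedure body starts and ends outside these hunks.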
@@ -167,7 +221,19 @@ BEGIN @v3ImpactScore, @v3AttackVector, @v3AttackComplexity, @v3PrivilegesRequired, @v3UserInteraction, @v3Scope, @v3ConfidentialityImpact, @v3IntegrityImpact, @v3AvailabilityImpact, - @v3BaseScore, @v3BaseSeverity, @v3Version); + @v3BaseScore, @v3BaseSeverity, @v3Version, @v4version, @v4attackVector, + @v4attackComplexity, @v4attackRequirements, @v4privilegesRequired, + @v4userInteraction, @v4vulnConfidentialityImpact, @v4vulnIntegrityImpact, + @v4vulnAvailabilityImpact, @v4subConfidentialityImpact, @v4subIntegrityImpact, + @v4subAvailabilityImpact, @v4exploitMaturity, @v4confidentialityRequirement, + @v4integrityRequirement, @v4availabilityRequirement, @v4modifiedAttackVector, + @v4modifiedAttackComplexity, @v4modifiedAttackRequirements, @v4modifiedPrivilegesRequired, + @v4modifiedUserInteraction, @v4modifiedVulnConfidentialityImpact, @v4modifiedVulnIntegrityImpact, + @v4modifiedVulnAvailabilityImpact, @v4modifiedSubConfidentialityImpact, @v4modifiedSubIntegrityImpact, + @v4modifiedSubAvailabilityImpact, @v4safety, @v4automatable, @v4recovery, @v4valueDensity, + @v4vulnerabilityResponseEffort, @v4providerUrgency, @v4baseScore, @v4baseSeverity, + @v4threatScore, @v4threatSeverity, @v4environmentalScore, @v4environmentalSeverity, + @v4source, @v4type); SET @vulnerabilityId = SCOPE_IDENTITY(); END; diff --git a/core/src/main/resources/data/initialize_mysql.sql b/core/src/main/resources/data/initialize_mysql.sql index 68bf7d61e7e..3d055c33650 100644 --- a/core/src/main/resources/data/initialize_mysql.sql +++ b/core/src/main/resources/data/initialize_mysql.sql 
@@ -39,7 +39,20 @@ CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) U v3ImpactScore DECIMAL(3,1), v3AttackVector VARCHAR(20), v3AttackComplexity VARCHAR(20), v3PrivilegesRequired VARCHAR(20), v3UserInteraction VARCHAR(20), v3Scope VARCHAR(20), v3ConfidentialityImpact VARCHAR(20), v3IntegrityImpact VARCHAR(20), v3AvailabilityImpact VARCHAR(20), - v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5)); + v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5), + v4version VARCHAR(5), v4attackVector VARCHAR(15), v4attackComplexity VARCHAR(15), + v4attackRequirements VARCHAR(15), v4privilegesRequired VARCHAR(15), v4userInteraction VARCHAR(15), + v4vulnConfidentialityImpact VARCHAR(15), v4vulnIntegrityImpact VARCHAR(15), v4vulnAvailabilityImpact VARCHAR(15), + v4subConfidentialityImpact VARCHAR(15), v4subIntegrityImpact VARCHAR(15), + v4subAvailabilityImpact VARCHAR(15), v4exploitMaturity VARCHAR(20), v4confidentialityRequirement VARCHAR(15), + v4integrityRequirement VARCHAR(15), v4availabilityRequirement VARCHAR(15), v4modifiedAttackVector VARCHAR(15), + v4modifiedAttackComplexity VARCHAR(15), v4modifiedAttackRequirements VARCHAR(15), v4modifiedPrivilegesRequired VARCHAR(15), + v4modifiedUserInteraction VARCHAR(15), v4modifiedVulnConfidentialityImpact VARCHAR(15), v4modifiedVulnIntegrityImpact VARCHAR(15), + v4modifiedVulnAvailabilityImpact VARCHAR(15), v4modifiedSubConfidentialityImpact VARCHAR(15), v4modifiedSubIntegrityImpact VARCHAR(15), + v4modifiedSubAvailabilityImpact VARCHAR(15), v4safety VARCHAR(15), v4automatable VARCHAR(15), v4recovery VARCHAR(15), + v4valueDensity VARCHAR(15), v4vulnerabilityResponseEffort VARCHAR(15), v4providerUrgency VARCHAR(15), + v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), + v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); CREATE TABLE 
`reference` (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); 
@@ -133,7 +146,20 @@ CREATE PROCEDURE update_vulnerability ( IN p_v3AttackComplexity VARCHAR(20), IN p_v3PrivilegesRequired VARCHAR(20), IN p_v3UserInteraction VARCHAR(20), IN p_v3Scope VARCHAR(20), IN p_v3ConfidentialityImpact VARCHAR(20), IN p_v3IntegrityImpact VARCHAR(20), IN p_v3AvailabilityImpact VARCHAR(20), IN p_v3BaseScore DECIMAL(3,1), IN p_v3BaseSeverity VARCHAR(20), - IN p_v3Version VARCHAR(5)) + IN p_v3Version VARCHAR(5), IN p_v4version VARCHAR(5), IN p_v4attackVector VARCHAR(15), IN p_v4attackComplexity VARCHAR(15), + IN p_v4attackRequirements VARCHAR(15), IN p_v4privilegesRequired VARCHAR(15), IN p_v4userInteraction VARCHAR(15), + IN p_v4vulnConfidentialityImpact VARCHAR(15), IN p_v4vulnIntegrityImpact VARCHAR(15), IN p_v4vulnAvailabilityImpact VARCHAR(15), + IN p_v4subConfidentialityImpact VARCHAR(15), IN p_v4subIntegrityImpact VARCHAR(15), IN p_v4subAvailabilityImpact VARCHAR(15), + IN p_v4exploitMaturity VARCHAR(20), IN p_v4confidentialityRequirement VARCHAR(15), IN p_v4integrityRequirement VARCHAR(15), + IN p_v4availabilityRequirement VARCHAR(15), IN p_v4modifiedAttackVector VARCHAR(15), IN p_v4modifiedAttackComplexity VARCHAR(15), + IN p_v4modifiedAttackRequirements VARCHAR(15), IN p_v4modifiedPrivilegesRequired VARCHAR(15), IN p_v4modifiedUserInteraction VARCHAR(15), + IN p_v4modifiedVulnConfidentialityImpact VARCHAR(15), IN p_v4modifiedVulnIntegrityImpact VARCHAR(15), + IN p_v4modifiedVulnAvailabilityImpact VARCHAR(15), IN p_v4modifiedSubConfidentialityImpact VARCHAR(15), + IN p_v4modifiedSubIntegrityImpact VARCHAR(15), IN p_v4modifiedSubAvailabilityImpact VARCHAR(15), IN p_v4safety VARCHAR(15), + IN p_v4automatable VARCHAR(15), IN p_v4recovery VARCHAR(15), IN p_v4valueDensity VARCHAR(15), IN p_v4vulnerabilityResponseEffort VARCHAR(15), + IN p_v4providerUrgency VARCHAR(15), IN p_v4baseScore DECIMAL(3,1), IN p_v4baseSeverity VARCHAR(15), IN p_v4threatScore DECIMAL(3,1), + IN p_v4threatSeverity VARCHAR(15), IN p_v4environmentalScore DECIMAL(3,1), 
IN p_v4environmentalSeverity VARCHAR(15), + IN p_v4source VARCHAR(15), IN p_v4type VARCHAR(15)) BEGIN DECLARE vulnerabilityId INT DEFAULT 0; 
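Review bot: `IN p_v4source VARCHAR(15)` on the last added line is narrower than the `v4source VARCHAR(50)` column declared in the CREATE TABLE hunk above, so a source string longer than 15 characters is truncated or rejected by MySQL at the call (depending on sql_mode) before it ever reaches the column. Declare it as `IN p_v4source VARCHAR(50)` to match the table. The PostgreSQL `update_vulnerability` signature later in this commit has the same `VARCHAR(15)` declaration while its GRANT lists `VARCHAR(50)`; PostgreSQL ignores length modifiers on function parameters, so there it is only an inconsistency worth aligning.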
@@ -161,6 +187,24 @@ IF vulnerabilityId > 0 THEN `v3AttackComplexity`=p_v3AttackComplexity, `v3PrivilegesRequired`=p_v3PrivilegesRequired, `v3UserInteraction`=p_v3UserInteraction, `v3Scope`=p_v3Scope, `v3ConfidentialityImpact`=p_v3ConfidentialityImpact, `v3IntegrityImpact`=p_v3IntegrityImpact, `v3AvailabilityImpact`=p_v3AvailabilityImpact, `v3BaseScore`=p_v3BaseScore, `v3BaseSeverity`=p_v3BaseSeverity, `v3Version`=p_v3Version + `v4version`=p_v4version, `v4attackVector`=p_v4attackVector, `v4attackComplexity`=p_v4attackComplexity, + `v4attackRequirements`=p_v4attackRequirements, `v4privilegesRequired`=p_v4privilegesRequired, + `v4userInteraction`=p_v4userInteraction, `v4vulnConfidentialityImpact`=p_v4vulnConfidentialityImpact, + `v4vulnIntegrityImpact`=p_v4vulnIntegrityImpact, `v4vulnAvailabilityImpact`=p_v4vulnAvailabilityImpact, + `v4subConfidentialityImpact`=p_v4subConfidentialityImpact, `v4subIntegrityImpact`=p_v4subIntegrityImpact, + `v4subAvailabilityImpact`=p_v4subAvailabilityImpact, `v4exploitMaturity`=p_v4exploitMaturity, + `v4confidentialityRequirement`=p_v4confidentialityRequirement, `v4integrityRequirement`=p_v4integrityRequirement, + `v4availabilityRequirement`=p_v4availabilityRequirement, `v4modifiedAttackVector`=p_v4modifiedAttackVector, + `v4modifiedAttackComplexity`=p_v4modifiedAttackComplexity, `v4modifiedAttackRequirements`=p_v4modifiedAttackRequirements, + `v4modifiedPrivilegesRequired`=p_v4modifiedPrivilegesRequired, `v4modifiedUserInteraction`=p_v4modifiedUserInteraction, + `v4modifiedVulnConfidentialityImpact`=p_v4modifiedVulnConfidentialityImpact, `v4modifiedVulnIntegrityImpact`=p_v4modifiedVulnIntegrityImpact, + `v4modifiedVulnAvailabilityImpact`=p_v4modifiedVulnAvailabilityImpact, `v4modifiedSubConfidentialityImpact`=p_v4modifiedSubConfidentialityImpact, + `v4modifiedSubIntegrityImpact`=p_v4modifiedSubIntegrityImpact, `v4modifiedSubAvailabilityImpact`=p_v4modifiedSubAvailabilityImpact, + `v4safety`=p_v4safety, 
`v4automatable`=p_v4automatable, `v4recovery`=p_v4recovery, `v4valueDensity`=p_v4valueDensity, + `v4vulnerabilityResponseEffort`=p_v4vulnerabilityResponseEffort, `v4providerUrgency`=p_v4providerUrgency, + `v4baseScore`=p_v4baseScore, `v4baseSeverity`=p_v4baseSeverity, `v4threatScore`=p_v4threatScore, + `v4threatSeverity`=p_v4threatSeverity, `v4environmentalScore`=p_v4environmentalScore, `v4environmentalSeverity`=p_v4environmentalSeverity, + `v4source`=p_v4source, `v4type`=p_v4type WHERE id=vulnerabilityId; ELSE INSERT INTO vulnerability (`cve`, `description`, 
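Review bot: The SET list is missing a comma between the unchanged context line `` `v3Version`=p_v3Version `` and the first added line `` `v4version`=p_v4version, ``, so the procedure body is a syntax error and the whole CREATE PROCEDURE fails on MySQL — the MSSQL, Oracle and PostgreSQL hunks in this commit each rewrote their v3Version line with a trailing comma. Change that context line to `` `v3Version`=p_v3Version, `` (as a removed/added pair). The surrounding IF/ELSE and the procedure body extend beyond this hunk.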
@@ -173,7 +217,20 @@ ELSE `v3ImpactScore`, `v3AttackVector`, `v3AttackComplexity`, `v3PrivilegesRequired`, `v3UserInteraction`, `v3Scope`, `v3ConfidentialityImpact`, `v3IntegrityImpact`, `v3AvailabilityImpact`, - `v3BaseScore`, `v3BaseSeverity`, `v3Version`) + `v3BaseScore`, `v3BaseSeverity`, `v3Version`, `v4version`, `v4attackVector`, + `v4attackComplexity`, `v4attackRequirements`, `v4privilegesRequired`, `v4userInteraction`, + `v4vulnConfidentialityImpact`, `v4vulnIntegrityImpact`, `v4vulnAvailabilityImpact`, + `v4subConfidentialityImpact`, `v4subIntegrityImpact`, `v4subAvailabilityImpact`, + `v4exploitMaturity`, `v4confidentialityRequirement`, `v4integrityRequirement`, + `v4availabilityRequirement`, `v4modifiedAttackVector`, `v4modifiedAttackComplexity`, + `v4modifiedAttackRequirements`, `v4modifiedPrivilegesRequired`, `v4modifiedUserInteraction`, + `v4modifiedVulnConfidentialityImpact`, `v4modifiedVulnIntegrityImpact`, + `v4modifiedVulnAvailabilityImpact`, `v4modifiedSubConfidentialityImpact`, + `v4modifiedSubIntegrityImpact`, `v4modifiedSubAvailabilityImpact`, `v4safety`, + `v4automatable`, `v4recovery`, `v4valueDensity`, `v4vulnerabilityResponseEffort`, + `v4providerUrgency`, `v4baseScore`, `v4baseSeverity`, `v4threatScore`, + `v4threatSeverity`, `v4environmentalScore`, `v4environmentalSeverity`, + `v4source`, `v4type`) VALUES (p_cveId, p_description, p_v2Severity, p_v2ExploitabilityScore, p_v2ImpactScore, p_v2AcInsufInfo, p_v2ObtainAllPrivilege, 
@@ -184,7 +241,18 @@ ELSE p_v3ImpactScore, p_v3AttackVector, p_v3AttackComplexity, p_v3PrivilegesRequired, p_v3UserInteraction, p_v3Scope, p_v3ConfidentialityImpact, p_v3IntegrityImpact, p_v3AvailabilityImpact, - p_v3BaseScore, p_v3BaseSeverity, p_v3Version); + p_v3BaseScore, p_v3BaseSeverity, p_v3Version, p_v4version, + p_v4attackVector, p_v4attackComplexity, p_v4attackRequirements, p_v4privilegesRequired, + p_v4userInteraction, p_v4vulnConfidentialityImpact, p_v4vulnIntegrityImpact, p_v4vulnAvailabilityImpact, + p_v4subConfidentialityImpact, p_v4subIntegrityImpact, p_v4subAvailabilityImpact, p_v4exploitMaturity, + p_v4confidentialityRequirement, p_v4integrityRequirement, p_v4availabilityRequirement, + p_v4modifiedAttackVector, p_v4modifiedAttackComplexity, p_v4modifiedAttackRequirements, + p_v4modifiedPrivilegesRequired, p_v4modifiedUserInteraction, p_v4modifiedVulnConfidentialityImpact, + p_v4modifiedVulnIntegrityImpact, p_v4modifiedVulnAvailabilityImpact, p_v4modifiedSubConfidentialityImpact, + p_v4modifiedSubIntegrityImpact, p_v4modifiedSubAvailabilityImpact, p_v4safety, p_v4automatable, p_v4recovery, + p_v4valueDensity, p_v4vulnerabilityResponseEffort, p_v4providerUrgency, p_v4baseScore, p_v4baseSeverity, + p_v4threatScore, p_v4threatSeverity, p_v4environmentalScore, p_v4environmentalSeverity, + p_v4source, p_v4type); SET vulnerabilityId = LAST_INSERT_ID(); END IF; diff --git a/core/src/main/resources/data/initialize_oracle.sql b/core/src/main/resources/data/initialize_oracle.sql index 710098e3c7d..2247b1ce686 100644 --- a/core/src/main/resources/data/initialize_oracle.sql +++ b/core/src/main/resources/data/initialize_oracle.sql 
@@ -120,7 +120,20 @@ CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE, v3ImpactScore DECIMAL(3,1), v3AttackVector VARCHAR(20), v3AttackComplexity VARCHAR(20), v3PrivilegesRequired VARCHAR(20), v3UserInteraction VARCHAR(20), v3Scope VARCHAR(20), v3ConfidentialityImpact VARCHAR(20), v3IntegrityImpact VARCHAR(20), v3AvailabilityImpact VARCHAR(20), - v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5)); + v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5), + v4version VARCHAR(5), v4attackVector VARCHAR(15), v4attackComplexity VARCHAR(15), + v4attackRequirements VARCHAR(15), v4privilegesRequired VARCHAR(15), v4userInteraction VARCHAR(15), + v4vulnConfidentialityImpact VARCHAR(15), v4vulnIntegrityImpact VARCHAR(15), v4vulnAvailabilityImpact VARCHAR(15), + v4subConfidentialityImpact VARCHAR(15), v4subIntegrityImpact VARCHAR(15), + v4subAvailabilityImpact VARCHAR(15), v4exploitMaturity VARCHAR(20), v4confidentialityRequirement VARCHAR(15), + v4integrityRequirement VARCHAR(15), v4availabilityRequirement VARCHAR(15), v4modifiedAttackVector VARCHAR(15), + v4modifiedAttackComplexity VARCHAR(15), v4modifiedAttackRequirements VARCHAR(15), v4modifiedPrivilegesRequired VARCHAR(15), + v4modifiedUserInteraction VARCHAR(15), v4modifiedVulnConfidentialityImpact VARCHAR(15), v4modifiedVulnIntegrityImpact VARCHAR(15), + v4modifiedVulnAvailabilityImpact VARCHAR(15), v4modifiedSubConfidentialityImpact VARCHAR(15), v4modifiedSubIntegrityImpact VARCHAR(15), + v4modifiedSubAvailabilityImpact VARCHAR(15), v4safety VARCHAR(15), v4automatable VARCHAR(15), v4recovery VARCHAR(15), + v4valueDensity VARCHAR(15), v4vulnerabilityResponseEffort VARCHAR(15), v4providerUrgency VARCHAR(15), + v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), + v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); CREATE 
TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); 
@@ -271,6 +284,47 @@ CREATE OR REPLACE PROCEDURE update_vulnerability(p_cveId IN vulnerability.cve%ty p_v3BaseScore IN vulnerability.v3BaseScore%type, p_v3BaseSeverity IN vulnerability.v3BaseSeverity%type, p_v3Version IN vulnerability.v3Version%type, + p_v4version IN vulnerability.v4version%type, + p_v4attackVector IN vulnerability.v4attackVector%type, + p_v4attackComplexity IN vulnerability.v4attackComplexity%type, + p_v4attackRequirements IN vulnerability.v4attackRequirements%type, + p_v4privilegesRequired IN vulnerability.v4privilegesRequired%type, + p_v4userInteraction IN vulnerability.v4userInteraction%type, + p_v4vulnConfidentialityImpact IN vulnerability.v4vulnConfidentialityImpact%type, + p_v4vulnIntegrityImpact IN vulnerability.v4vulnIntegrityImpact%type, + p_v4vulnAvailabilityImpact IN vulnerability.v4vulnAvailabilityImpact%type, + p_v4subConfidentialityImpact IN vulnerability.v4subConfidentialityImpact%type, + p_v4subIntegrityImpact IN vulnerability.v4subIntegrityImpact%type, + p_v4subAvailabilityImpact IN vulnerability.v4subAvailabilityImpact%type, + p_v4exploitMaturity IN vulnerability.v4exploitMaturity%type, + p_v4confidentialityRequirement IN vulnerability.v4confidentialityRequirement%type, + p_v4integrityRequirement IN vulnerability.v4integrityRequirement%type, + p_v4availabilityRequirement IN vulnerability.v4availabilityRequirement%type, + p_v4modifiedAttackVector IN vulnerability.v4modifiedAttackVector%type, + p_v4modifiedAttackComplexity IN vulnerability.v4modifiedAttackComplexity%type, + p_v4modifiedAttackRequirements IN vulnerability.v4modifiedAttackRequirements%type, + p_v4modifiedPrivilegesRequired IN vulnerability.v4modifiedPrivilegesRequired%type, + p_v4modifiedUserInteraction IN vulnerability.v4modifiedUserInteraction%type, + p_v4modifiedVulnConfidentialityImpact IN vulnerability.v4modifiedVulnConfidentialityImpact%type, + p_v4modifiedVulnIntegrityImpact IN vulnerability.v4modifiedVulnIntegrityImpact%type, + 
p_v4modifiedVulnAvailabilityImpact IN vulnerability.v4modifiedVulnAvailabilityImpact%type, + p_v4modifiedSubConfidentialityImpact IN vulnerability.v4modifiedSubConfidentialityImpact%type, + p_v4modifiedSubIntegrityImpact IN vulnerability.v4modifiedSubIntegrityImpact%type, + p_v4modifiedSubAvailabilityImpact IN vulnerability.v4modifiedSubAvailabilityImpact%type, + p_v4safety IN vulnerability.v4safety%type, + p_v4automatable IN vulnerability.v4automatable%type, + p_v4recovery IN vulnerability.v4recovery%type, + p_v4valueDensity IN vulnerability.v4valueDensity%type, + p_v4vulnerabilityResponseEffort IN vulnerability.v4vulnerabilityResponseEffort%type, + p_v4providerUrgency IN vulnerability.v4providerUrgency%type, + p_v4baseScore IN vulnerability.v4baseScore%type, + p_v4baseSeverity IN vulnerability.v4baseSeverity%type, + p_v4threatScore IN vulnerability.v4threatScore%type, + p_v4threatSeverity IN vulnerability.v4threatSeverity%type, + p_v4environmentalScore IN vulnerability.v4environmentalScore%type, + p_v4environmentalSeverity IN vulnerability.v4environmentalSeverity%type, + p_v4source IN vulnerability.v4source%type, + p_v4type IN vulnerability.v4type%type, vulnerabilityId OUT vulnerability.id%type) AS BEGIN 
@@ -309,7 +363,25 @@ BEGIN v3AvailabilityImpact=p_v3AvailabilityImpact, v3BaseScore=p_v3BaseScore, v3BaseSeverity=p_v3BaseSeverity, - v3Version=p_v3Version + v3Version=p_v3Version, + v4version=p_v4version, v4attackVector=p_v4attackVector, v4attackComplexity=p_v4attackComplexity, + v4attackRequirements=p_v4attackRequirements, v4privilegesRequired=p_v4privilegesRequired, + v4userInteraction=p_v4userInteraction, v4vulnConfidentialityImpact=p_v4vulnConfidentialityImpact, + v4vulnIntegrityImpact=p_v4vulnIntegrityImpact, v4vulnAvailabilityImpact=p_v4vulnAvailabilityImpact, + v4subConfidentialityImpact=p_v4subConfidentialityImpact, v4subIntegrityImpact=p_v4subIntegrityImpact, + v4subAvailabilityImpact=p_v4subAvailabilityImpact, v4exploitMaturity=p_v4exploitMaturity, + v4confidentialityRequirement=p_v4confidentialityRequirement, v4integrityRequirement=p_v4integrityRequirement, + v4availabilityRequirement=p_v4availabilityRequirement, v4modifiedAttackVector=p_v4modifiedAttackVector, + v4modifiedAttackComplexity=p_v4modifiedAttackComplexity, v4modifiedAttackRequirements=p_v4modifiedAttackRequirements, + v4modifiedPrivilegesRequired=p_v4modifiedPrivilegesRequired, v4modifiedUserInteraction=p_v4modifiedUserInteraction, + v4modifiedVulnConfidentialityImpact=p_v4modifiedVulnConfidentialityImpact, v4modifiedVulnIntegrityImpact=p_v4modifiedVulnIntegrityImpact, + v4modifiedVulnAvailabilityImpact=p_v4modifiedVulnAvailabilityImpact, v4modifiedSubConfidentialityImpact=p_v4modifiedSubConfidentialityImpact, + v4modifiedSubIntegrityImpact=p_v4modifiedSubIntegrityImpact, v4modifiedSubAvailabilityImpact=p_v4modifiedSubAvailabilityImpact, + v4safety=p_v4safety, v4automatable=p_v4automatable, v4recovery=p_v4recovery, v4valueDensity=p_v4valueDensity, + v4vulnerabilityResponseEffort=p_v4vulnerabilityResponseEffort, v4providerUrgency=p_v4providerUrgency, + v4baseScore=p_v4baseScore, v4baseSeverity=p_v4baseSeverity, v4threatScore=p_v4threatScore, + v4threatSeverity=p_v4threatSeverity, 
v4environmentalScore=p_v4environmentalScore, v4environmentalSeverity=p_v4environmentalSeverity, + v4source=p_v4source, v4type=p_v4type WHERE id = vulnerabilityId; EXCEPTION WHEN NO_DATA_FOUND THEN @@ -323,7 +395,17 @@ BEGIN v3ImpactScore, v3AttackVector, v3AttackComplexity, v3PrivilegesRequired, v3UserInteraction, v3Scope, v3ConfidentialityImpact, v3IntegrityImpact, v3AvailabilityImpact, - v3BaseScore, v3BaseSeverity, v3Version) + v3BaseScore, v3BaseSeverity, v3Version, v4version, + v4attackVector, v4attackComplexity, v4attackRequirements, v4privilegesRequired, + v4userInteraction, v4vulnConfidentialityImpact, v4vulnIntegrityImpact, v4vulnAvailabilityImpact, + v4subConfidentialityImpact, v4subIntegrityImpact, v4subAvailabilityImpact, v4exploitMaturity, + v4confidentialityRequirement, v4integrityRequirement, v4availabilityRequirement, + v4modifiedAttackVector, v4modifiedAttackComplexity, v4modifiedAttackRequirements, + v4modifiedPrivilegesRequired, v4modifiedUserInteraction, v4modifiedVulnConfidentialityImpact, + v4modifiedVulnIntegrityImpact, v4modifiedVulnAvailabilityImpact, v4modifiedSubConfidentialityImpact, + v4modifiedSubIntegrityImpact, v4modifiedSubAvailabilityImpact, v4safety, v4automatable, v4recovery, + v4valueDensity, v4vulnerabilityResponseEffort, v4providerUrgency, v4baseScore, v4baseSeverity, + v4threatScore, v4threatSeverity, v4environmentalScore, v4environmentalSeverity, v4source, v4type) VALUES (p_cveId, p_description, p_v2Severity, p_v2ExploitabilityScore, p_v2ImpactScore, p_v2AcInsufInfo, p_v2ObtainAllPrivilege, 
@@ -334,7 +416,17 @@ BEGIN p_v3ImpactScore, p_v3AttackVector, p_v3AttackComplexity, p_v3PrivilegesRequired, p_v3UserInteraction, p_v3Scope, p_v3ConfidentialityImpact, p_v3IntegrityImpact, p_v3AvailabilityImpact, - p_v3BaseScore, p_v3BaseSeverity, p_v3Version) + p_v3BaseScore, p_v3BaseSeverity, p_v3Version, p_v4version, + p_v4attackVector, p_v4attackComplexity, p_v4attackRequirements, p_v4privilegesRequired, + p_v4userInteraction, p_v4vulnConfidentialityImpact, p_v4vulnIntegrityImpact, p_v4vulnAvailabilityImpact, + p_v4subConfidentialityImpact, p_v4subIntegrityImpact, p_v4subAvailabilityImpact, p_v4exploitMaturity, + p_v4confidentialityRequirement, p_v4integrityRequirement, p_v4availabilityRequirement, + p_v4modifiedAttackVector, p_v4modifiedAttackComplexity, p_v4modifiedAttackRequirements, + p_v4modifiedPrivilegesRequired, p_v4modifiedUserInteraction, p_v4modifiedVulnConfidentialityImpact, + p_v4modifiedVulnIntegrityImpact, p_v4modifiedVulnAvailabilityImpact, p_v4modifiedSubConfidentialityImpact, + p_v4modifiedSubIntegrityImpact, p_v4modifiedSubAvailabilityImpact, p_v4safety, p_v4automatable, p_v4recovery, + p_v4valueDensity, p_v4vulnerabilityResponseEffort, p_v4providerUrgency, p_v4baseScore, p_v4baseSeverity, + p_v4threatScore, p_v4threatSeverity, p_v4environmentalScore, p_v4environmentalSeverity, p_v4source, p_v4type) RETURNING id INTO vulnerabilityId; WHEN OTHERS THEN RAISE; diff --git a/core/src/main/resources/data/initialize_postgres.sql b/core/src/main/resources/data/initialize_postgres.sql index 004706a17ad..7a19e56f555 100644 --- a/core/src/main/resources/data/initialize_postgres.sql +++ b/core/src/main/resources/data/initialize_postgres.sql 
@@ -26,7 +26,20 @@ CREATE TABLE vulnerability (id SERIAL PRIMARY KEY, cve VARCHAR(20) UNIQUE, v3ImpactScore DECIMAL(3,1), v3AttackVector VARCHAR(20), v3AttackComplexity VARCHAR(20), v3PrivilegesRequired VARCHAR(20), v3UserInteraction VARCHAR(20), v3Scope VARCHAR(20), v3ConfidentialityImpact VARCHAR(20), v3IntegrityImpact VARCHAR(20), v3AvailabilityImpact VARCHAR(20), - v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5)); + v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5), + v4version VARCHAR(5), v4attackVector VARCHAR(15), v4attackComplexity VARCHAR(15), + v4attackRequirements VARCHAR(15), v4privilegesRequired VARCHAR(15), v4userInteraction VARCHAR(15), + v4vulnConfidentialityImpact VARCHAR(15), v4vulnIntegrityImpact VARCHAR(15), v4vulnAvailabilityImpact VARCHAR(15), + v4subConfidentialityImpact VARCHAR(15), v4subIntegrityImpact VARCHAR(15), + v4subAvailabilityImpact VARCHAR(15), v4exploitMaturity VARCHAR(20), v4confidentialityRequirement VARCHAR(15), + v4integrityRequirement VARCHAR(15), v4availabilityRequirement VARCHAR(15), v4modifiedAttackVector VARCHAR(15), + v4modifiedAttackComplexity VARCHAR(15), v4modifiedAttackRequirements VARCHAR(15), v4modifiedPrivilegesRequired VARCHAR(15), + v4modifiedUserInteraction VARCHAR(15), v4modifiedVulnConfidentialityImpact VARCHAR(15), v4modifiedVulnIntegrityImpact VARCHAR(15), + v4modifiedVulnAvailabilityImpact VARCHAR(15), v4modifiedSubConfidentialityImpact VARCHAR(15), v4modifiedSubIntegrityImpact VARCHAR(15), + v4modifiedSubAvailabilityImpact VARCHAR(15), v4safety VARCHAR(15), v4automatable VARCHAR(15), v4recovery VARCHAR(15), + v4valueDensity VARCHAR(15), v4vulnerabilityResponseEffort VARCHAR(15), v4providerUrgency VARCHAR(15), + v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), + v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); CREATE TABLE 
reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); 
@@ -145,7 +158,20 @@ CREATE FUNCTION update_vulnerability ( IN p_v3AttackComplexity VARCHAR(20), IN p_v3PrivilegesRequired VARCHAR(20), IN p_v3UserInteraction VARCHAR(20), IN p_v3Scope VARCHAR(20), IN p_v3ConfidentialityImpact VARCHAR(20), IN p_v3IntegrityImpact VARCHAR(20), IN p_v3AvailabilityImpact VARCHAR(20), IN p_v3BaseScore DECIMAL(3,1), IN p_v3BaseSeverity VARCHAR(20), - IN p_v3Version VARCHAR(5)) + IN p_v3Version VARCHAR(5), IN p_v4version VARCHAR(5), IN p_v4attackVector VARCHAR(15), IN p_v4attackComplexity VARCHAR(15), + IN p_v4attackRequirements VARCHAR(15), IN p_v4privilegesRequired VARCHAR(15), IN p_v4userInteraction VARCHAR(15), + IN p_v4vulnConfidentialityImpact VARCHAR(15), IN p_v4vulnIntegrityImpact VARCHAR(15), IN p_v4vulnAvailabilityImpact VARCHAR(15), + IN p_v4subConfidentialityImpact VARCHAR(15), IN p_v4subIntegrityImpact VARCHAR(15), IN p_v4subAvailabilityImpact VARCHAR(15), + IN p_v4exploitMaturity VARCHAR(20), IN p_v4confidentialityRequirement VARCHAR(15), IN p_v4integrityRequirement VARCHAR(15), + IN p_v4availabilityRequirement VARCHAR(15), IN p_v4modifiedAttackVector VARCHAR(15), IN p_v4modifiedAttackComplexity VARCHAR(15), + IN p_v4modifiedAttackRequirements VARCHAR(15), IN p_v4modifiedPrivilegesRequired VARCHAR(15), IN p_v4modifiedUserInteraction VARCHAR(15), + IN p_v4modifiedVulnConfidentialityImpact VARCHAR(15), IN p_v4modifiedVulnIntegrityImpact VARCHAR(15), + IN p_v4modifiedVulnAvailabilityImpact VARCHAR(15), IN p_v4modifiedSubConfidentialityImpact VARCHAR(15), + IN p_v4modifiedSubIntegrityImpact VARCHAR(15), IN p_v4modifiedSubAvailabilityImpact VARCHAR(15), IN p_v4safety VARCHAR(15), + IN p_v4automatable VARCHAR(15), IN p_v4recovery VARCHAR(15), IN p_v4valueDensity VARCHAR(15), IN p_v4vulnerabilityResponseEffort VARCHAR(15), + IN p_v4providerUrgency VARCHAR(15), IN p_v4baseScore DECIMAL(3,1), IN p_v4baseSeverity VARCHAR(15), IN p_v4threatScore DECIMAL(3,1), + IN p_v4threatSeverity VARCHAR(15), IN p_v4environmentalScore DECIMAL(3,1), 
IN p_v4environmentalSeverity VARCHAR(15), + IN p_v4source VARCHAR(15), IN p_v4type VARCHAR(15)) RETURNS TABLE (vulnerabilityId INT) AS $$ DECLARE vulnerabilityId integer := 0; 
@@ -166,7 +192,25 @@ IF vulnerabilityId > 0 THEN v3ExploitabilityScore=p_v3ExploitabilityScore, v3ImpactScore=p_v3ImpactScore, v3AttackVector=p_v3AttackVector, v3AttackComplexity=p_v3AttackComplexity, v3PrivilegesRequired=p_v3PrivilegesRequired, v3UserInteraction=p_v3UserInteraction, v3Scope=p_v3Scope, v3ConfidentialityImpact=p_v3ConfidentialityImpact, v3IntegrityImpact=p_v3IntegrityImpact, - v3AvailabilityImpact=p_v3AvailabilityImpact, v3BaseScore=p_v3BaseScore, v3BaseSeverity=p_v3BaseSeverity, v3Version=p_v3Version + v3AvailabilityImpact=p_v3AvailabilityImpact, v3BaseScore=p_v3BaseScore, v3BaseSeverity=p_v3BaseSeverity, v3Version=p_v3Version, + v4version=p_v4version, v4attackVector=p_v4attackVector, v4attackComplexity=p_v4attackComplexity, + v4attackRequirements=p_v4attackRequirements, v4privilegesRequired=p_v4privilegesRequired, + v4userInteraction=p_v4userInteraction, v4vulnConfidentialityImpact=p_v4vulnConfidentialityImpact, + v4vulnIntegrityImpact=p_v4vulnIntegrityImpact, v4vulnAvailabilityImpact=p_v4vulnAvailabilityImpact, + v4subConfidentialityImpact=p_v4subConfidentialityImpact, v4subIntegrityImpact=p_v4subIntegrityImpact, + v4subAvailabilityImpact=p_v4subAvailabilityImpact, v4exploitMaturity=p_v4exploitMaturity, + v4confidentialityRequirement=p_v4confidentialityRequirement, v4integrityRequirement=p_v4integrityRequirement, + v4availabilityRequirement=p_v4availabilityRequirement, v4modifiedAttackVector=p_v4modifiedAttackVector, + v4modifiedAttackComplexity=p_v4modifiedAttackComplexity, v4modifiedAttackRequirements=p_v4modifiedAttackRequirements, + v4modifiedPrivilegesRequired=p_v4modifiedPrivilegesRequired, v4modifiedUserInteraction=p_v4modifiedUserInteraction, + v4modifiedVulnConfidentialityImpact=p_v4modifiedVulnConfidentialityImpact, v4modifiedVulnIntegrityImpact=p_v4modifiedVulnIntegrityImpact, + v4modifiedVulnAvailabilityImpact=p_v4modifiedVulnAvailabilityImpact, v4modifiedSubConfidentialityImpact=p_v4modifiedSubConfidentialityImpact, + 
v4modifiedSubIntegrityImpact=p_v4modifiedSubIntegrityImpact, v4modifiedSubAvailabilityImpact=p_v4modifiedSubAvailabilityImpact, + v4safety=p_v4safety, v4automatable=p_v4automatable, v4recovery=p_v4recovery, v4valueDensity=p_v4valueDensity, + v4vulnerabilityResponseEffort=p_v4vulnerabilityResponseEffort, v4providerUrgency=p_v4providerUrgency, + v4baseScore=p_v4baseScore, v4baseSeverity=p_v4baseSeverity, v4threatScore=p_v4threatScore, + v4threatSeverity=p_v4threatSeverity, v4environmentalScore=p_v4environmentalScore, v4environmentalSeverity=p_v4environmentalSeverity, + v4source=p_v4source, v4type=p_v4type WHERE id=vulnerabilityId; ELSE INSERT INTO vulnerability (cve, description, 
@@ -179,7 +223,17 @@ ELSE v3ImpactScore, v3AttackVector, v3AttackComplexity, v3PrivilegesRequired, v3UserInteraction, v3Scope, v3ConfidentialityImpact, v3IntegrityImpact, v3AvailabilityImpact, - v3BaseScore, v3BaseSeverity, v3Version) + v3BaseScore, v3BaseSeverity, v3Version, v4version, + v4attackVector, v4attackComplexity, v4attackRequirements, v4privilegesRequired, + v4userInteraction, v4vulnConfidentialityImpact, v4vulnIntegrityImpact, v4vulnAvailabilityImpact, + v4subConfidentialityImpact, v4subIntegrityImpact, v4subAvailabilityImpact, v4exploitMaturity, + v4confidentialityRequirement, v4integrityRequirement, v4availabilityRequirement, + v4modifiedAttackVector, v4modifiedAttackComplexity, v4modifiedAttackRequirements, + v4modifiedPrivilegesRequired, v4modifiedUserInteraction, v4modifiedVulnConfidentialityImpact, + v4modifiedVulnIntegrityImpact, v4modifiedVulnAvailabilityImpact, v4modifiedSubConfidentialityImpact, + v4modifiedSubIntegrityImpact, v4modifiedSubAvailabilityImpact, v4safety, v4automatable, v4recovery, + v4valueDensity, v4vulnerabilityResponseEffort, v4providerUrgency, v4baseScore, v4baseSeverity, + v4threatScore, v4threatSeverity, v4environmentalScore, v4environmentalSeverity, v4source, v4type) VALUES (p_cveId, p_description, p_v2Severity, p_v2ExploitabilityScore, p_v2ImpactScore, p_v2AcInsufInfo, p_v2ObtainAllPrivilege, 
@@ -190,7 +244,17 @@ ELSE p_v3ImpactScore, p_v3AttackVector, p_v3AttackComplexity, p_v3PrivilegesRequired, p_v3UserInteraction, p_v3Scope, p_v3ConfidentialityImpact, p_v3IntegrityImpact, p_v3AvailabilityImpact, - p_v3BaseScore, p_v3BaseSeverity, p_v3Version); + p_v3BaseScore, p_v3BaseSeverity, p_v3Version, p_v4version, + p_v4attackVector, p_v4attackComplexity, p_v4attackRequirements, p_v4privilegesRequired, + p_v4userInteraction, p_v4vulnConfidentialityImpact, p_v4vulnIntegrityImpact, p_v4vulnAvailabilityImpact, + p_v4subConfidentialityImpact, p_v4subIntegrityImpact, p_v4subAvailabilityImpact, p_v4exploitMaturity, + p_v4confidentialityRequirement, p_v4integrityRequirement, p_v4availabilityRequirement, + p_v4modifiedAttackVector, p_v4modifiedAttackComplexity, p_v4modifiedAttackRequirements, + p_v4modifiedPrivilegesRequired, p_v4modifiedUserInteraction, p_v4modifiedVulnConfidentialityImpact, + p_v4modifiedVulnIntegrityImpact, p_v4modifiedVulnAvailabilityImpact, p_v4modifiedSubConfidentialityImpact, + p_v4modifiedSubIntegrityImpact, p_v4modifiedSubAvailabilityImpact, p_v4safety, p_v4automatable, p_v4recovery, + p_v4valueDensity, p_v4vulnerabilityResponseEffort, p_v4providerUrgency, p_v4baseScore, p_v4baseSeverity, + p_v4threatScore, p_v4threatSeverity, p_v4environmentalScore, p_v4environmentalSeverity, p_v4source, p_v4type); SELECT lastval() INTO vulnerabilityId; END IF; 
@@ -204,7 +268,14 @@ GRANT EXECUTE ON FUNCTION public.update_vulnerability(VARCHAR(20), VARCHAR(8000) BOOLEAN, DECIMAL(3,1), VARCHAR(20), VARCHAR(20), VARCHAR(20), VARCHAR(20), VARCHAR(20), VARCHAR(20), VARCHAR(5), DECIMAL(3,1), DECIMAL(3,1), VARCHAR(20), VARCHAR(20), VARCHAR(20), VARCHAR(20), VARCHAR(20), VARCHAR(20), VARCHAR(20), - VARCHAR(20), DECIMAL(3,1), VARCHAR(20), VARCHAR(5)) TO dcuser; + VARCHAR(20), DECIMAL(3,1), VARCHAR(20), VARCHAR(5), VARCHAR(5), VARCHAR(15), + VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), + VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(20), VARCHAR(15), + VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), + VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), + VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(15), + VARCHAR(15), DECIMAL(3,1), VARCHAR(15), DECIMAL(3,1), VARCHAR(15), DECIMAL(3,1), + VARCHAR(15), VARCHAR(50), VARCHAR(15)) TO dcuser; CREATE FUNCTION insert_software ( IN p_vulnerabilityId INT, IN p_part CHAR(1), IN p_vendor VARCHAR(255), IN p_product VARCHAR(255), diff --git a/core/src/main/resources/data/upgrade_5.4.sql b/core/src/main/resources/data/upgrade_5.4.sql new file mode 100644 index 00000000000..e8d3910ba73 --- /dev/null +++ b/core/src/main/resources/data/upgrade_5.4.sql 
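Review bot: By my count the new GRANT EXECUTE argument list carries 42 types after the `VARCHAR(5)` for p_v3Version, while the function declared earlier in this file has 41 v4 parameters (p_v4version through p_v4type); the extra entry also shifts the `VARCHAR(20)` and the three `DECIMAL(3,1)` entries one position past p_v4exploitMaturity, p_v4baseScore, p_v4threatScore and p_v4environmentalScore. PostgreSQL resolves the target by its argument list, so if the count is off no function with that signature exists, the GRANT errors out and dcuser is left without EXECUTE on update_vulnerability. Dropping one `VARCHAR(15)` from the third added line, `VARCHAR(15), VARCHAR(15), VARCHAR(15), VARCHAR(20), VARCHAR(15),`, brings every position back into line with the declaration.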
@@ -0,0 +1,43 @@
+ALTER TABLE vulnerability ADD COLUMN v4version VARCHAR(5);
+ALTER TABLE vulnerability ADD COLUMN v4attackVector VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4attackComplexity VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4attackRequirements VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4privilegesRequired VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4userInteraction VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4vulnConfidentialityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4vulnIntegrityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4vulnAvailabilityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4subConfidentialityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4subIntegrityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4subAvailabilityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4exploitMaturity VARCHAR(20);
+ALTER TABLE vulnerability ADD COLUMN v4confidentialityRequirement VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4integrityRequirement VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4availabilityRequirement VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedAttackVector VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedAttackComplexity VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedAttackRequirements VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedPrivilegesRequired VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedUserInteraction VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedVulnConfidentialityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedVulnIntegrityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedVulnAvailabilityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedSubConfidentialityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedSubIntegrityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4modifiedSubAvailabilityImpact VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4safety VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4automatable VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4recovery VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4valueDensity VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4vulnerabilityResponseEffort VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4providerUrgency VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4baseScore DECIMAL(3,1);
+ALTER TABLE vulnerability ADD COLUMN v4baseSeverity VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4threatScore DECIMAL(3,1);
+ALTER TABLE vulnerability ADD COLUMN v4threatSeverity VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4environmentalScore DECIMAL(3,1);
+ALTER TABLE vulnerability ADD COLUMN v4environmentalSeverity VARCHAR(15);
+ALTER TABLE vulnerability ADD COLUMN v4source VARCHAR(50);
+ALTER TABLE vulnerability ADD COLUMN v4type VARCHAR(15);
+
+UPDATE Properties SET `value`='5.5' WHERE ID='version';
diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties
index 7af9d454981..31c9dc9d033 100644
--- a/core/src/main/resources/dependencycheck.properties
+++ b/core/src/main/resources/dependencycheck.properties
@@ -21,7 +21,7 @@ data.file_name=odc.mv.db
 ### if you increment the DB version then you must increment the database file path
 ### in the mojo.properties, task.properties (maven and ant respectively), and
 ### the gradle PurgeDataExtension.
-data.version=5.4
+data.version=5.5
 #The analysis timeout in minutes
 odc.analysis.timeout=180
diff --git a/core/src/test/resources/dependencycheck.properties b/core/src/test/resources/dependencycheck.properties
index 522f35ee335..e243bbbbd02 100644
--- a/core/src/test/resources/dependencycheck.properties
+++ b/core/src/test/resources/dependencycheck.properties
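Review bot: None of the 41 `ALTER TABLE vulnerability ADD COLUMN` statements in this new upgrade script is guarded, and the schema marker is only moved to 5.5 by the final `UPDATE Properties`, so an upgrade interrupted after some columns have been added leaves a database that still reports 5.4 and then fails on the first already-existing column at every subsequent start (H2 appears to auto-commit DDL statement by statement, so the script is not atomic — confirm). H2 accepts `ALTER TABLE vulnerability ADD COLUMN IF NOT EXISTS v4version VARCHAR(5);`, and using that form on each statement makes the script safe to re-run. The backtick-quoted `value` and the `data.version` bump suggest this script serves only the embedded H2 store; unless an equivalent exists for the other dialects, the 10.0.0 release notes should state explicitly that external MSSQL/MySQL/Oracle/PostgreSQL schemas must be re-initialized. A header comment such as `-- schema 5.4 -> 5.5: adds the CVSS v4 metric columns to vulnerability (embedded H2 only)` would also tell a reader what the script is for without counting columns.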
@@ -17,7 +17,7 @@ engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt data.directory=[JAR]/data/9.0 #if the filename has a %s it will be replaced with the current expected version data.file_name=odc.mv.db -data.version=5.4 +data.version=5.5 #The analysis timeout in minutes odc.analysis.timeout=20 diff --git a/maven/pom.xml b/maven/pom.xml index d2f1410fa8c..e837237101a 100644 --- a/maven/pom.xml +++ b/maven/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 9.2.1-SNAPSHOT + 10.0.0-SNAPSHOT dependency-check-maven maven-plugin diff --git a/pom.xml b/pom.xml index 15dc2703e53..ff0ac6c771e 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 9.2.1-SNAPSHOT + 10.0.0-SNAPSHOT pom @@ -972,7 +972,13 @@ Copyright (c) 2012 - Jeremy Long io.github.jeremylong open-vulnerability-clients - 6.0.1 + 6.1.0 + + + + com.samskivert + jmustache + 1.15 org.anarres.jdiagnostics diff --git a/utils/pom.xml b/utils/pom.xml index 695a6bdd409..1f1ebd0b864 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 9.2.1-SNAPSHOT + 10.0.0-SNAPSHOT dependency-check-utils
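Review bot: The new `com.samskivert jmustache 1.15` entry in the parent pom is added without a comment saying why it is declared there; with the XML tags stripped in this view it is not visible whether it is a `dependencyManagement` pin for a transitive of the `open-vulnerability-clients` 6.1.0 bump or a new direct dependency of a module. A one-line comment above it, e.g. `<!-- transitive of open-vulnerability-clients; pinned so the version converges across modules -->` (with the real reason), tells the next person bumping the client whether the pin must move with it or can be dropped. If it is in fact a direct dependency, it belongs in the consuming module's pom with only its version managed here.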