From 6f4835855456ec36687cd8eef35140b4d47eebda Mon Sep 17 00:00:00 2001
From: Tomas Bjerre
Date: Sun, 1 Sep 2024 11:19:06 +0200
Subject: [PATCH] fix(sarif): originalUriBaseIds lookup (refs #189)
---
 .../violations/lib/parsers/SarifParser.java | 146 ++++-
 .../bjurr/violations/lib/SarifParserTest.java | 4 +-
 .../sarif/dependency-check-report.sarif | 558 +++++++++++++++++-
 .../sarif/samples/OriginalUriBaseIds.sarif | 11 +
 4 files changed, 703 insertions(+), 16 deletions(-)
diff --git a/src/main/java/se/bjurr/violations/lib/parsers/SarifParser.java b/src/main/java/se/bjurr/violations/lib/parsers/SarifParser.java
index b88d8cd..486ab54 100644
--- a/src/main/java/se/bjurr/violations/lib/parsers/SarifParser.java
+++ b/src/main/java/se/bjurr/violations/lib/parsers/SarifParser.java
@@ -7,6 +7,8 @@
 import com.google.gson.JsonDeserializationContext;
 import com.google.gson.JsonDeserializer;
 import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
 import java.lang.reflect.Type;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -15,18 +17,23 @@
 import java.util.Map.Entry;
 import java.util.Optional;
 import java.util.Set;
+import java.util.TreeMap;
 import java.util.TreeSet;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import se.bjurr.violations.lib.ViolationsLogger;
 import se.bjurr.violations.lib.model.SEVERITY;
 import se.bjurr.violations.lib.model.Violation;
 import se.bjurr.violations.lib.model.generated.sarif.Artifact;
+import se.bjurr.violations.lib.model.generated.sarif.ArtifactLocation;
 import se.bjurr.violations.lib.model.generated.sarif.Invocation;
 import se.bjurr.violations.lib.model.generated.sarif.Location;
 import se.bjurr.violations.lib.model.generated.sarif.Message;
 import se.bjurr.violations.lib.model.generated.sarif.MessageStrings;
 import se.bjurr.violations.lib.model.generated.sarif.MultiformatMessageString;
 import se.bjurr.violations.lib.model.generated.sarif.Notification;
+import se.bjurr.violations.lib.model.generated.sarif.OriginalUriBaseIds;
 import se.bjurr.violations.lib.model.generated.sarif.PhysicalLocation;
 import se.bjurr.violations.lib.model.generated.sarif.PropertyBag;
 import se.bjurr.violations.lib.model.generated.sarif.Region;
@@ -43,6 +50,7 @@
 import se.bjurr.violations.lib.util.Utils;
 public class SarifParser implements ViolationsParser {
+ private static Logger LOGGER = Logger.getLogger(SarifParser.class.getSimpleName());
 public static final String SARIF_RESULTS_CORRELATION_GUID = "correlationGuid";
 public static final String SARIF_RESULTS_SUPPRESSED = "suppressed";
@@ -73,6 +81,7 @@ public Notification.Level deserialize(
 final String asString = json.getAsString();
 return Notification.Level.fromValue(asString);
 } catch (final Exception e) {
+ LOGGER.log(Level.SEVERE, json.toString(), e);
 return Notification.Level.NONE;
 }
 }
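Review bot: The new logger field in the `@@ -43,6 +50,7 @@` hunk is a mutable static, `private static Logger LOGGER`, which a reviewer would expect to be `private static final Logger LOGGER`. The name passed to `Logger.getLogger` is `SarifParser.class.getSimpleName()`, so the logger is registered as the top-level name "SarifParser" rather than under the `se.bjurr.violations.lib.parsers` hierarchy; java.util.logging resolves levels and handlers by dotted parent name, so any per-package configuration an embedding application applies will not reach it. Suggested line: `private static final Logger LOGGER = Logger.getLogger(SarifParser.class.getName());`.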
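Review bot: The catch in the `@@ -73,6 +81,7 @@` hunk logs at SEVERE, `+ LOGGER.log(Level.SEVERE, json.toString(), e);`, for a condition the method deliberately tolerates by returning `Notification.Level.NONE`, so every unrecognised level value in a report now produces a severity-level stack trace without any indication of which field it came from. The same pattern is added at `@@ -88,6 +97,7 @@` (L3) and `@@ -112,11 +122,57 @@` (L4). Since parsing continues with a default, WARNING matches the handling and a short prefix makes the log line self-explaining: `LOGGER.log(Level.WARNING, "Unrecognised notification level, defaulting to NONE: " + json, e);`.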
@@ -88,6 +97,7 @@ public ReportingConfiguration.Level deserialize(
 final String asString = json.getAsString();
 return ReportingConfiguration.Level.fromValue(asString);
 } catch (final Exception e) {
+ LOGGER.log(Level.SEVERE, json.toString(), e);
 return ReportingConfiguration.Level.NONE;
 }
 }
@@ -112,11 +122,57 @@ public MessageStrings deserialize(
 return messageStrings;
 } catch (final RuntimeException e) {
+ LOGGER.log(Level.SEVERE, json.toString(), e);
 return new MessageStrings();
 }
 }
 }
+ private static class OriginalUriBaseIdsStringsDeserializer
+ implements JsonDeserializer {
+
+ @Override
+ public OriginalUriBaseIds deserialize(
+ final JsonElement json, final Type typeOfT, final JsonDeserializationContext context) {
+ try {
+ final OriginalUriBaseIds to = new OriginalUriBaseIds();
+
+ for (final Entry entry : json.getAsJsonObject().entrySet()) {
+ final ArtifactLocation al = this.toArtifactLocation(entry.getValue());
+ to.setAdditionalProperty(entry.getKey(), al);
+ }
+
+ return to;
+ } catch (final RuntimeException e) {
+ LOGGER.log(Level.SEVERE, json.toString(), e);
+ return new OriginalUriBaseIds();
+ }
+ }
+
+ private ArtifactLocation toArtifactLocation(final JsonElement artifactLocationJsonElement) {
+ final ArtifactLocation al = new ArtifactLocation();
+ if (artifactLocationJsonElement instanceof JsonObject) {
+ final JsonObject valueObject = artifactLocationJsonElement.getAsJsonObject();
+
+ final JsonElement uriAttr = valueObject.get("uri");
+ if (uriAttr != null) {
+ al.setUri(uriAttr.getAsString());
+ }
+
+ final JsonElement uriBaseIdAttr = valueObject.get("uriBaseId");
+ if (uriBaseIdAttr != null) {
+ al.setUriBaseId(uriBaseIdAttr.getAsString());
+ }
+ } else if (artifactLocationJsonElement instanceof JsonPrimitive) {
+ al.setUri(artifactLocationJsonElement.getAsString());
+ }
+ if (al.getUri() == null) {
+ al.setUri("");
+ }
+ return al;
+ }
+ }
+
 @Override
 public Set parseReportOutput(
 final String reportContent, final ViolationsLogger violationsLogger) throws Exception {
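Review bot: One malformed entry in originalUriBaseIds discards every base id, because the `try` in `OriginalUriBaseIdsStringsDeserializer.deserialize` wraps the whole `entrySet()` loop and the catch returns an empty `OriginalUriBaseIds`; for example a `uri` given as a JSON array makes `getAsString()` throw for that entry alone, yet every location in the run then loses its prefix and triggers the "Did not find" warning in parsePhysicalLocation. Catching per entry keeps the well-formed ids and reports the bad one by name; the outer catch is still needed for the `json.getAsJsonObject()` call. The class also has no Javadoc: a sentence saying why Gson needs a custom adapter here and that `toArtifactLocation` deliberately accepts a bare string value (the SARIF 2.1.0 schema defines these values as artifactLocation objects) would save the next reader from guessing whether the leniency is intentional.
```java
for (final Entry<String, JsonElement> entry : json.getAsJsonObject().entrySet()) {
  try {
    to.setAdditionalProperty(entry.getKey(), this.toArtifactLocation(entry.getValue()));
  } catch (final RuntimeException e) {
    // Keep the remaining base ids; one bad entry must not strip every prefix in the run.
    LOGGER.log(Level.WARNING, "Ignoring originalUriBaseIds entry '" + entry.getKey() + "'", e);
  }
}
// … unchanged: return to; outer catch for a non-object value …
```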
@@ -126,6 +182,8 @@ public Set parseReportOutput(
 .registerTypeAdapter(
 ReportingConfiguration.Level.class, new ReportingConfigurationDeserializer())
 .registerTypeAdapter(MessageStrings.class, new MessageStringsDeserializer())
+ .registerTypeAdapter(
+ OriginalUriBaseIds.class, new OriginalUriBaseIdsStringsDeserializer())
 .create()
 .fromJson(reportContent, SarifSchema.class);
@@ -136,14 +194,54 @@ ReportingConfiguration.Level.class, new ReportingConfigurationDeserializer())
 }
 for (final Run run : report.getRuns()) {
- violations.addAll(this.parseNotifications(run));
- violations.addAll(this.parseResults(run));
+ final Map originalUriBaseIdsMap =
+ this.getOriginalUriBaseIdsMap(run.getOriginalUriBaseIds());
+ violations.addAll(this.parseNotifications(run, originalUriBaseIdsMap));
+ violations.addAll(this.parseResults(run, originalUriBaseIdsMap));
 }
 return violations;
 }
- private Set parseResults(final Run run) {
+ private Map getOriginalUriBaseIdsMap(
+ final OriginalUriBaseIds originalUriBaseIds) {
+ final Map originalUriBaseIdsMap = new TreeMap();
+ if (originalUriBaseIds == null) {
+ return originalUriBaseIdsMap;
+ }
+ final Map additionalProperties =
+ originalUriBaseIds.getAdditionalProperties();
+ if (additionalProperties == null) {
+ return originalUriBaseIdsMap;
+ }
+
+ for (final String baseId : additionalProperties.keySet()) {
+ originalUriBaseIdsMap.put(
+ baseId, this.getOriginalUriBaseIdsMapValue(additionalProperties, baseId));
+ }
+
+ return originalUriBaseIdsMap;
+ }
+
+ private String getOriginalUriBaseIdsMapValue(
+ final Map additionalProperties, final String baseId) {
+ for (final Entry candidate : additionalProperties.entrySet()) {
+ if (candidate.getKey().equals(baseId)) {
+ final String uriBaseId = candidate.getValue().getUriBaseId();
+ if (uriBaseId != null) {
+ final String resolvedBase =
+ this.getOriginalUriBaseIdsMapValue(additionalProperties, uriBaseId);
+ return resolvedBase + candidate.getValue().getUri();
+ } else {
+ return candidate.getValue().getUri();
+ }
+ }
+ }
+ return "";
+ }
+
+ private Set parseResults(
+ final Run run, final Map originalUriBaseIdsMap) {
 final Set violations = new TreeSet<>();
 for (final Result result : run.getResults()) {
 String ruleId = this.findRuleId(result, result.getRule());
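Review bot: `getOriginalUriBaseIdsMapValue` recurses on `uriBaseId` with no cycle guard, so a base id that names itself or a chain that loops back (a constructed example: `"SRC": {"uri": "src/", "uriBaseId": "SRC"}`) recurses until StackOverflowError escapes from parseReportOutput; the SARIF spec forbids such chains, but the report is external input and the rest of this parser is written to degrade gracefully on malformed data. The linear scan of `entrySet()` comparing keys with `equals` also duplicates what `additionalProperties.get(baseId)` already does. Threading a visited set through the recursion and looking keys up directly fixes both; a `Map<String, ArtifactLocation>` type is what the `getUriBaseId()`/`getUri()` calls on the values imply.
```java
private String getOriginalUriBaseIdsMapValue(
    final Map<String, ArtifactLocation> additionalProperties, final String baseId) {
  return this.resolveBase(additionalProperties, baseId, new TreeSet<>());
}

/** Resolves baseId to its absolute prefix; a chain that revisits an id is cut off there. */
private String resolveBase(
    final Map<String, ArtifactLocation> additionalProperties,
    final String baseId,
    final Set<String> visited) {
  final ArtifactLocation location = additionalProperties.get(baseId);
  if (location == null || !visited.add(baseId)) {
    // Unknown id, or a loop in the uriBaseId chain: stop with what has been resolved so far.
    return "";
  }
  final String uri = location.getUri();
  final String uriBaseId = location.getUriBaseId();
  if (uriBaseId == null) {
    return uri;
  }
  return this.resolveBase(additionalProperties, uriBaseId, visited) + uri;
}
// … unchanged: parseResults …
```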
@@ -173,7 +271,8 @@ private Set parseResults(final Run run) {
 if (this.notEmptyOrNull(locations)) {
 for (final Location location : locations) {
 final ParsedPhysicalLocation parsedPhysicalLocation =
- this.parsePhysicalLocation(location.getPhysicalLocation(), run.getArtifacts());
+ this.parsePhysicalLocation(
+ location.getPhysicalLocation(), run.getArtifacts(), originalUriBaseIdsMap);
 final String fullMessage =
 this.toMessage(message, helpTextOpt, parsedPhysicalLocation, reportingDescriptor);
 violations.add(
@@ -208,7 +307,8 @@ private Set parseResults(final Run run) {
 return violations;
 }
- private Set parseNotifications(final Run run) {
+ private Set parseNotifications(
+ final Run run, final Map originalUriBaseIdsMap) {
 final Set violations = new TreeSet<>();
 for (final Invocation invocation : run.getInvocations()) {
 for (final Notification notification : invocation.getToolConfigurationNotifications()) {
@@ -227,7 +327,8 @@ private Set parseNotifications(final Run run) {
 if (this.notEmptyOrNull(locations)) {
 for (final Location location : locations) {
 final ParsedPhysicalLocation parsedPhysicalLocation =
- this.parsePhysicalLocation(location.getPhysicalLocation(), run.getArtifacts());
+ this.parsePhysicalLocation(
+ location.getPhysicalLocation(), run.getArtifacts(), originalUriBaseIdsMap);
 final Optional helpTextOpt = Optional.empty();
 final String fullMessage =
 this.toMessage(
@@ -387,20 +488,39 @@ private String toMessage(
 }
 private ParsedPhysicalLocation parsePhysicalLocation(
- final PhysicalLocation physicalLocation, final Set artifacts) {
+ final PhysicalLocation physicalLocation,
+ final Set artifacts,
+ final Map originalUriBaseIdsMap) {
 final ParsedPhysicalLocation parsed = new ParsedPhysicalLocation();
 final Region region = physicalLocation.getRegion();
- if (region == null) {
- return parsed;
+ if (region != null) {
+ parsed.startLine = Optional.ofNullable(region.getStartLine()).orElse(Violation.NO_LINE);
+ parsed.regionMessage = this.extractMessage(region.getMessage(), null);
+ } else {
+ parsed.startLine = Violation.NO_LINE;
+ parsed.regionMessage = "";
+ }
+ parsed.filename = "";
+ final String uriBaseId = physicalLocation.getArtifactLocation().getUriBaseId();
+ if (uriBaseId != null) {
+ final String originalUriBaseId = originalUriBaseIdsMap.get(uriBaseId);
+ if (originalUriBaseId == null) {
+ LOGGER.warning(
+ "Did not find '"
+ + uriBaseId
+ + "' in originalUriBaseIds "
+ + originalUriBaseIdsMap.keySet());
+ }
+ if (originalUriBaseId != null && !originalUriBaseId.isEmpty()) {
+ parsed.filename += originalUriBaseId;
+ }
 }
- parsed.startLine = Optional.ofNullable(region.getStartLine()).orElse(Violation.NO_LINE);
- parsed.regionMessage = this.extractMessage(region.getMessage(), null);
 final Integer artifactLocationIndex = physicalLocation.getArtifactLocation().getIndex();
 if (artifactLocationIndex != null && artifactLocationIndex != -1) {
- parsed.filename =
+ parsed.filename +=
 new ArrayList<>(artifacts).get(artifactLocationIndex).getLocation().getUri();
 } else {
- parsed.filename += physicalLocation.getArtifactLocation().getUri();
+ parsed.filename += physicalLocation.getArtifactLocation().getUri();
 }
 return parsed;
 }
diff --git a/src/test/java/se/bjurr/violations/lib/SarifParserTest.java b/src/test/java/se/bjurr/violations/lib/SarifParserTest.java
index f8b74fd..b3d3bc7 100644
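Review bot: Switching the two filename assignments at the end of parsePhysicalLocation to `+=` turns an absent uri into the literal text "null": `"" + null` in Java is "null", so a result whose artifactLocation has no `uri` (the custom deserializer only normalises null to "" for originalUriBaseIds entries, not for result locations, assuming the generated ArtifactLocation leaves an absent field null) now yields a file of "null" or "file:///home/demo/null", where the removed `parsed.filename = ...getUri()` lines left it null. Guard both branches, e.g. `parsed.filename += Optional.ofNullable(physicalLocation.getArtifactLocation().getUri()).orElse("");` and the same `Optional.ofNullable(...).orElse("")` around the `getLocation().getUri()` of the indexed artifact. Two smaller points: the prefix and uri are joined by plain concatenation, so a producer that omits the trailing slash on its base (the spec asks for one, but this parser otherwise tolerates deviations) silently produces a fused path, and in the index branch the prefix is taken from the result's own uriBaseId while the indexed artifact's location may carry its own uriBaseId, which is ignored; a comment stating that the result's base intentionally wins would make that choice explicit.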
--- a/src/test/java/se/bjurr/violations/lib/SarifParserTest.java
+++ b/src/test/java/se/bjurr/violations/lib/SarifParserTest.java
@@ -279,7 +279,7 @@ public void testThatViolationsCanBeParsed_with_tool_configuration_notifications(
 assertThat(violation0.getMessage()) //
 .isEqualTo("Cannot copy from non-file URI: http://example.org/image.png");
 assertThat(violation0.getFile()) //
- .isEqualTo("config.xml");
+ .isEqualTo("file:///home/demo/config.xml");
 assertThat(violation0.getSeverity()) //
 .isEqualTo(SEVERITY.WARN);
 }
@@ -361,7 +361,7 @@ public void testThatViolationsCanBeParsed_dependencyCheck() {
 + "\n"
 + " CVE-2021-4277 - A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.");
 assertThat(violation0.getFile()) //
- .isEqualTo("-");
+ .endsWith("-");
 assertThat(violation0.getStartLine()) //
 .isEqualTo(0);
 assertThat(violation0.getSeverity()) //
diff --git a/src/test/resources/sarif/dependency-check-report.sarif b/src/test/resources/sarif/dependency-check-report.sarif
index 9324c87..096ff65 100644
--- a/src/test/resources/sarif/dependency-check-report.sarif
+++ b/src/test/resources/sarif/dependency-check-report.sarif
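Review bot: Relaxing the dependency-check assertion from `.isEqualTo("-")` to `.endsWith("-")` in the `@@ -361,7 +361,7 @@` hunk means the test no longer pins what the new base-id lookup prepends for this fixture, so a wrong resolved prefix, or the literal "null" that an absent uri now produces through `+=`, would still pass. Presumably the rewritten dependency-check-report.sarif now carries an originalUriBaseIds entry that is being prepended; asserting the complete value, `.isEqualTo("<resolved base from the fixture>-")`, the way the first hunk does with `file:///home/demo/config.xml`, keeps the test a real check on the lookup.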
@@ -1 +1,557 @@ -{"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","version": "2.1.0","runs": [{"tool": {"driver": {"name": "dependency-check","version": "7.4.1","informationUri": "https://jeremylong.github.io/DependencyCheck/","rules": [{"id": "CVE-2021-4277","shortDescription": {"text": "Medium severity - CVE-2021-4277 Use of Insufficiently Random Values vulnerability in pkg:maven\/org.codehaus.plexus\/plexus-utils@3.1.1"},"fullDescription": {"text": "A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability."},"help": {"text": "","markdown": "For more information see [CVE-2021-4277](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4277).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv3_baseScore": 5.3,"cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "LOW","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "NONE","cvssv3_baseSeverity": "MEDIUM","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "1.4","cvssv3_version": "3.1","source": "NVD"}}],"properties": {"disclaimer": "Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. 
In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.","nvd": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov","npm": "This report may contain data retrieved from the NPM Public Advisories: https://www.npmjs.com/advisories","retirejs": "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/","ossindex": "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org","NVD CVE Checked": "2023-03-03T15:35:17","NVD CVE Modified": "2023-03-03T14:00:01","VersionCheckOn": "2023-03-03T15:35:28"}}},"artifacts": [{"description": {"text": "APIs for JSR-299: Contexts and Dependency Injection for Java EE"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/javax\/enterprise\/cdi-api\/1.0\/cdi-api-1.0.jar"},"hashes": {"md5": "462c0959f0322016495f4598243bc0f2","sha1": "44c453f60909dfc223552ace63e05c694215156b","sha256": "1f10b2204cc77c919301f20ff90461c3df1b6e6cb148be1c2d22107f4851d423"},"properties": {"id1": "pkg:maven\/javax.enterprise\/cdi-api@1.0"}},{"description": {"text": "\n Apache Commons Lang, a package of Java utility classes for the\n classes that are in java.lang's hierarchy, or are considered to be so\n standard as to justify existence in java.lang.\n "},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/apache\/commons\/commons-lang3\/3.8.1\/commons-lang3-3.8.1.jar"},"hashes": {"md5": "540b1256d887a6993ecbef23371a3302","sha1": "6505a72a097d9270f7a9e7bf42c4238283247755","sha256": "dac807f65b07698ff39b1b07bfef3d87ae3fd46d91bbf8a2bc02b2a831616f68"},"properties": {"license": "https:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id2": "pkg:maven\/org.apache.commons\/commons-lang3@3.8.1"}},{"description": {"text": "The javax.inject API"},"location": {"uri": 
"\/home\/bjerre\/.m2\/repository\/javax\/inject\/javax.inject\/1\/javax.inject-1.jar"},"hashes": {"md5": "289075e48b909e9e74e6c915b3631d2e","sha1": "6975da39a7040257bd51d21a231b76c915872d38","sha256": "91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff"},"properties": {"license": "The Apache Software License, Version 2.0: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id3": "pkg:maven\/javax.inject\/javax.inject@1"}},{"description": {"text": "JSR-250 Reference Implementation by Glassfish"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/javax\/annotation\/jsr250-api\/1.0\/jsr250-api-1.0.jar"},"hashes": {"md5": "4cd56b2e4977e541186de69f5126b4a6","sha1": "5025422767732a1ab45d93abfea846513d742dcf","sha256": "a1a922d0d9b6d183ed3800dfac01d1e1eb159f0e8c6f94736931c1def54a941f"},"properties": {"license": "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https:\/\/glassfish.dev.java.net\/public\/CDDLv1.0.html","id4": "pkg:maven\/javax.annotation\/jsr250-api@1.0"}},{"location": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/apache\/maven\/maven-artifact\/3.6.0\/maven-artifact-3.6.0.jar"},"hashes": {"md5": "89e95013b11f347e48c0525965600404","sha1": "d4c0da647de59c9ccc304a112fe1f1474d49e8eb","sha256": "3d5a0e77cde76d386b18c7400db1eb16aacef02e031ecd0d954477aeccc92155"},"properties": {"id5": "pkg:maven\/org.apache.maven\/maven-artifact@3.6.0"}},{"description": {"text": "Model for Maven POM (Project Object Model)"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/apache\/maven\/maven-model\/3.6.0\/maven-model-3.6.0.jar"},"hashes": {"md5": "0505d964b102e3f62845f5d4508e166e","sha1": "06d73e6218a10cfe82cf0325b582cbed732cc751","sha256": "a1bf0c7856afd1f1b9c81c22818328fb7a796b4047010e08f2e859d1896080a9"},"properties": {"id6": "pkg:maven\/org.apache.maven\/maven-model@3.6.0"}},{"description": {"text": "Java annotations to use in Mojos"},"location": {"uri": 
"\/home\/bjerre\/.m2\/repository\/org\/apache\/maven\/plugin-tools\/maven-plugin-annotations\/3.6.0\/maven-plugin-annotations-3.6.0.jar"},"hashes": {"md5": "c26580fde2323b86d67de4ec22baf2ae","sha1": "e3ce624bc4af77c9dbe2d609851c4082a4da7bc4","sha256": "9e2434820dd2ba44ad70a66e5b2a9993a2a8b047ceabc3e850e4858cbf3f91c3"},"properties": {"id7": "pkg:maven\/org.apache.maven.plugin-tools\/maven-plugin-annotations@3.6.0"}},{"description": {"text": "The API for plugins - Mojos - development."},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/apache\/maven\/maven-plugin-api\/3.6.0\/maven-plugin-api-3.6.0.jar"},"hashes": {"md5": "416f41e165e638af2daa5d009af35946","sha1": "1ad37c33e3f046a84e7394df36a05a7f3b877d55","sha256": "0062a08b463314a1b5f8eb1a56207efb830fbdf547c42a3191eb146c4db39b1a"},"properties": {"id8": "pkg:maven\/org.apache.maven\/maven-plugin-api@3.6.0"}},{"location": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/eclipse\/sisu\/org.eclipse.sisu.inject\/0.3.3\/org.eclipse.sisu.inject-0.3.3.jar"},"hashes": {"md5": "47ff59586827a2e705183c678e70404f","sha1": "b163fc1e714db5f9b389ec11f11950b5913e454c","sha256": "c6935e0b7d362ed4ca768c9b71d5d4d98788ff0a79c0d2bb954c221a078b166b"},"properties": {"license": "http:\/\/www.eclipse.org\/legal\/epl-v10.html","id9": "pkg:maven\/org.eclipse.sisu\/org.eclipse.sisu.inject@0.3.3"}},{"location": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/eclipse\/sisu\/org.eclipse.sisu.plexus\/0.3.3\/org.eclipse.sisu.plexus-0.3.3.jar"},"hashes": {"md5": "02eeaf9f89f7249f9f7bbab2771f5ef5","sha1": "2c892c1fe0cd2dabcc729e1cbff3524b4847b1fe","sha256": "98045f5ecd802d6a96ba00394f8cb61259f9ac781ec2cb51ca0cb7b2c94ac720"},"properties": {"license": "http:\/\/www.eclipse.org\/legal\/epl-v10.html","id10": "pkg:maven\/org.eclipse.sisu\/org.eclipse.sisu.plexus@0.3.3"}},{"description": {"text": "A class loader framework"},"location": {"uri": 
"\/home\/bjerre\/.m2\/repository\/org\/codehaus\/plexus\/plexus-classworlds\/2.5.2\/plexus-classworlds-2.5.2.jar"},"hashes": {"md5": "53b54feee8cef6b843bd6748bda4bfa7","sha1": "4abb111bfdace5b8167db4c0ef74644f3f88f142","sha256": "b2931d41740490a8d931cbe0cfe9ac20deb66cca606e679f52522f7f534c9fd7"},"properties": {"license": "http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id11": "pkg:maven\/org.codehaus.plexus\/plexus-classworlds@2.5.2"}},{"description": {"text": "\n Plexus Component \"Java 5\" Annotations, to describe plexus components properties in java sources with\n standard annotations instead of javadoc annotations.\n "},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/codehaus\/plexus\/plexus-component-annotations\/1.5.5\/plexus-component-annotations-1.5.5.jar"},"hashes": {"md5": "ef37dcdb84030422db428b63c4354e5b","sha1": "c72f2660d0cbed24246ddb55d7fdc4f7374d2078","sha256": "4df7a6a7be64b35bbccf60b5c115697f9ea3421d22674ae67135dde375fcca1f"},"properties": {"id12": "pkg:maven\/org.codehaus.plexus\/plexus-component-annotations@1.5.5"}},{"description": {"text": "A collection of various utility classes to ease working with strings, files, command lines, XML and\n more.\n "},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/codehaus\/plexus\/plexus-utils\/3.1.1\/plexus-utils-3.1.1.jar"},"hashes": {"md5": "8b09fc3466a84ee3e36e8df197a573f3","sha1": "b296e62bbdb9b4f018adffbd5e8e0aaa34b8c718","sha256": "d1f74a7a0d91eb82536d71175b177bf21b1d7d286376b0ea5ba8a194265ba90b"},"properties": {"id13": "pkg:maven\/org.codehaus.plexus\/plexus-utils@3.1.1","vid1": "cpe:2.3:a:plexus-utils_project:plexus-utils:3.1.1:*:*:*:*:*:*:*","vid2": "cpe:2.3:a:utils_project:utils:3.1.1:*:*:*:*:*:*:*"}},{"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/com.google.code.gson\/gson\/pom.xml"},"hashes": {"md5": "c13f373086992bab8989b514941891a6","sha1": 
"ce159faf33c1e665e1f3a785a5d678a2b20151bc","sha256": "d2b115634f5c085db4b9c9ffc2658e89e231fdbfbe2242121a1cd95d4d948dd7"},"properties": {"license": "Apache-2.0: https:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id14": "pkg:maven\/com.google.code.gson\/gson@2.10.1","vid3": "cpe:2.3:a:google:gson:2.10.1:*:*:*:*:*:*:*"}},{"description": {"text": "The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression.\n JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme.\n The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme. 
"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/com.googlecode.javaewah\/JavaEWAH\/pom.xml"},"hashes": {"md5": "31679ce3dc24bd983006245d6760b640","sha1": "c0e2224902ce244ef82d72c9287f933394255452","sha256": "9725b1fe9c6810d977750bb84415ea1082c4b488d4a839f9704bb4f5e8fc17f4"},"properties": {"license": "Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id15": "pkg:maven\/com.googlecode.javaewah\/JavaEWAH@1.1.13"}},{"description": {"text": "Base elements (lines, corners, borders) and themes for frames, grids, lists (itemize, enumerate)."},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/de.vandermeer\/ascii-utf-themes\/pom.xml"},"hashes": {"md5": "7bb1c6d124e6a3f94dfe5dd07fb4dda8","sha1": "655c6b2982aea2a562fcf37ea90cad903bc640d3","sha256": "7c91c7995fa8b5cd9cd18bc4cddc354af0cc3ee7348efc0d76d6d2f80b8f2175"},"properties": {"license": "Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id16": "pkg:maven\/de.vandermeer\/ascii-utf-themes@0.0.1"}},{"description": {"text": "An ASCII table with various render options and UTF-8 support"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/de.vandermeer\/asciitable\/pom.xml"},"hashes": {"md5": "2291b203e867a7e7050d3848c3f2cd8b","sha1": "e203c3f62027dd993181b079827d58f49e1a36a4","sha256": "14a53b93e0d7749a4eba546091dbc8698c5d4051570d9f65a9f09e40b83a9dc6"},"properties": {"license": "Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id17": "pkg:maven\/de.vandermeer\/asciitable@0.3.2"}},{"description": {"text": "Set of translators for characters, HTML Elements, and their combinations."},"location": {"uri": 
"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/de.vandermeer\/char-translation\/pom.xml"},"hashes": {"md5": "25072e753702b310bf35f6ba3ccdb9bc","sha1": "aa5b4b4e94959af4473d9f90d20a47e072f7c030","sha256": "8f83b635b8501cbab107d520c1e02ed59ad77600fb0c554bbb9ac653c6a0cc80"},"properties": {"license": "Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id18": "pkg:maven\/de.vandermeer\/char-translation@0.0.2"}},{"description": {"text": "Set of interfaces used by other SKB projects."},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/de.vandermeer\/skb-interfaces\/pom.xml"},"hashes": {"md5": "b5a8f357d2e123f1e8b04329bf3b5810","sha1": "568f494ff770f0951419af9a51f11c3e87e2f393","sha256": "72f6ff6d66c6316056de6b954b0248604234f10e3bbd7f8cc13ba384e6e607cd"},"properties": {"license": "Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id19": "pkg:maven\/de.vandermeer\/skb-interfaces@0.0.1"}},{"description": {"text": "Efficient and customizable TreeLayout Algorithm in Java."},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.abego.treelayout\/org.abego.treelayout.core\/pom.xml"},"hashes": {"md5": "0fd589167b7a434db7580a66737649b9","sha1": "e8da72b4e31c6610ca57fde5f73d5ee4d1d5f957","sha256": "7c8cbfca64e970440d4f287f3516a96c00692a0394fca1d57b12a97a96f0ea11"},"properties": {"license": "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause): http:\/\/treelayout.googlecode.com\/files\/LICENSE.TXT","id20": "pkg:maven\/org.abego.treelayout\/org.abego.treelayout.core@1.0.1"}},{"description": {"text": "StringTemplate is a java template engine for generating source code,\nweb pages, emails, or any other formatted text output.\n\nStringTemplate is particularly good at 
multi-targeted code generators,\nmultiple site skins, and internationalization\/localization. \n\nIt evolved over years of effort developing jGuru.com. \n\nStringTemplate also generates the stringtemplate website: http:\/\/www.stringtemplate.org\nand powers the ANTLR v3 code generator. Its distinguishing characteristic \nis that unlike other engines, it strictly enforces model-view separation.\n\nStrict separation makes websites and code generators more flexible\nand maintainable; it also provides an excellent defense against malicious\ntemplate authors.\n\nThere are currently about 600 StringTemplate source downloads a month.\n "},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.antlr\/ST4\/pom.xml"},"hashes": {"md5": "683219fec455dfde94a6473373265284","sha1": "116663d33389525e932a4ff7adaf66eb06caf277","sha256": "3c0890dec71174eb3ba3d404ca9e341901ff6b0421808b00713b0dbb1306c17c"},"properties": {"license": "BSD licence: http:\/\/antlr.org\/license.html","id21": "pkg:maven\/org.antlr\/ST4@4.0.8"}},{"description": {"text": "A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions."},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.antlr\/antlr-runtime\/pom.xml"},"hashes": {"md5": "b9bf8a27cb01fac6a32d6aa68b59f5bf","sha1": "af8ae5172f0c499d932d465673c9833c8777c1dd","sha256": "46a9c2200bb8b12bd7124aa7a5097ff49099908329c851a04cb2051420aa7f25"},"properties": {"id22": "pkg:maven\/org.antlr\/antlr-runtime@3.5.2"}},{"description": {"text": "The ANTLR 4 Runtime"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.antlr\/antlr4-runtime\/pom.xml"},"hashes": {"md5": 
"9d1d96c3ffedf7f287c0de8032becdde","sha1": "47a3c5bc681610d2ca3ec9e499eaaece74fa89c1","sha256": "4f7e70ffbcf4223f836b620034d0f0eb5ee67a32a956ef726d2a22337285e7b7"},"properties": {"id23": "pkg:maven\/org.antlr\/antlr4-runtime@4.5.1"}},{"description": {"text": "The ANTLR 4 grammar compiler."},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.antlr\/antlr4\/pom.xml"},"hashes": {"md5": "b42cf64297acd58ff6b348de3b407561","sha1": "4c68afec494088293747b3f63dc415aa396b6c0c","sha256": "744599611082f19ffbd61aa40c303edbd760ee428572813e08bc9b99317b6df6"},"properties": {"id24": "pkg:maven\/org.antlr\/antlr4@4.5.1"}},{"description": {"text": "\n Apache Commons Lang, a package of Java utility classes for the\n classes that are in java.lang's hierarchy, or are considered to be so\n standard as to justify existence in java.lang.\n "},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.apache.commons\/commons-lang3\/pom.xml"},"hashes": {"md5": "5b94f12ccc8674526bc96c46c3899900","sha1": "fd6eccbd05d55177e2f5e6d9da6f8d120751ab72","sha256": "686e75b561a13c1031d43a7647a364e2ed3e456467050eac4527b94b06d73fd1"},"properties": {"id25": "pkg:maven\/org.apache.commons\/commons-lang3@3.4"}},{"description": {"text": "\n Repository access and algorithms\n "},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.eclipse.jgit\/org.eclipse.jgit\/pom.xml"},"hashes": {"md5": "6ad90143e7e0219dce98eeed2188111a","sha1": "849ac18b1db0534ab42bf842a0efd144b9d01dd6","sha256": "3cc4bebf9c936578eae2b6d24fb2a912d89993a54fd0e2fbc1c8abc049878515"},"properties": {"id26": "pkg:maven\/org.eclipse.jgit\/org.eclipse.jgit@5.13.1.202206130422-r","vid4": 
"cpe:2.3:a:eclipse:jgit:5.13.1:202206130422:*:*:*:*:*:*"}},{"description": {"text": "The slf4j API"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.slf4j\/slf4j-api\/pom.xml"},"hashes": {"md5": "640805e90ef388e325cd8e0bff2e99e6","sha1": "02013960e5ee7f712d8fa6f2e618a6ff2e8d98a9","sha256": "7e0747751e9b67e19dcb5206f04ea22cc03d250c422426402eadd03513f2c314"},"properties": {"id27": "pkg:maven\/org.slf4j\/slf4j-api@1.7.30"}},{"description": {"text": "A collection of scripts"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar"},"hashes": {"md5": "ec77306b92d858fc601360fb0c4c15b2","sha1": "329d01ed828b4d54c8cc9e9943ae035a0a8182b4","sha256": "66cb02ffa40fb4796bd95b2256c64a2891c1bf47ad4982553f6d0b688df3e7e9"},"properties": {"license": "The Apache Software License, Version 2.0: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id28": "pkg:maven\/se.bjurr.violations\/violations-git-lib@1.49.0"}},{"description": {"text": "A collection of scripts"},"location": {"uri": "\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-lib\/1.156.1\/violations-lib-1.156.1.jar"},"hashes": {"md5": "daf26a84d907f19a70fde150894d9267","sha1": "0c71e81520206c1377fedf72401ab45ec618c7d7","sha256": "07561393aa90963ed3e58c07df08d7dbd60f56c7285b848b7caf98a5ed86b27c"},"properties": {"license": "The Apache Software License, Version 2.0: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt","id29": "pkg:maven\/se.bjurr.violations\/violations-lib@1.156.1"}}],"results": [ {"ruleId": "CVE-2021-4277","level": "warning","message": {"text": "CVE-2021-4277 - A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. 
The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability."},"partialFingerprints": {"vulnerabilityHash": "bc7a7570067c3fb482d04589a45b3852"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "\/home\/bjerre\/.m2\/repository\/org\/codehaus\/plexus\/plexus-utils\/3.1.1\/plexus-utils-3.1.1.jar","index": 12 }},"logicalLocations": [{"fullyQualifiedName": "pkg:maven\/org.codehaus.plexus\/plexus-utils@3.1.1"}]}]}]}]} \ No newline at end of file +{ + "$schema":"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version":"2.1.0", + "runs":[ + { + "tool":{ + "driver":{ + "name":"dependency-check", + "version":"7.4.1", + "informationUri":"https://jeremylong.github.io/DependencyCheck/", + "rules":[ + { + "id":"CVE-2021-4277", + "shortDescription":{ + "text":"Medium severity - CVE-2021-4277 Use of Insufficiently Random Values vulnerability in pkg:maven\/org.codehaus.plexus\/plexus-utils@3.1.1" + }, + "fullDescription":{ + "text":"A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability." + }, + "help":{ + "text":"", + "markdown":"For more information see [CVE-2021-4277](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4277).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)." + }, + "properties":{ + "cvssv3_baseScore":5.3, + "cvssv3_attackVector":"NETWORK", + "cvssv3_attackComplexity":"LOW", + "cvssv3_privilegesRequired":"NONE", + "cvssv3_userInteraction":"NONE", + "cvssv3_scope":"UNCHANGED", + "cvssv3_confidentialityImpact":"LOW", + "cvssv3_integrityImpact":"NONE", + "cvssv3_availabilityImpact":"NONE", + "cvssv3_baseSeverity":"MEDIUM", + "cvssv3_exploitabilityScore":"3.9", + "cvssv3_impactScore":"1.4", + "cvssv3_version":"3.1", + "source":"NVD" + } + } + ], + "properties":{ + "disclaimer":"Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. 
In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.", + "nvd":"This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov", + "npm":"This report may contain data retrieved from the NPM Public Advisories: https://www.npmjs.com/advisories", + "retirejs":"This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/", + "ossindex":"This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org", + "NVD CVE Checked":"2023-03-03T15:35:17", + "NVD CVE Modified":"2023-03-03T14:00:01", + "VersionCheckOn":"2023-03-03T15:35:28" + } + } + }, + "artifacts":[ + { + "description":{ + "text":"APIs for JSR-299: Contexts and Dependency Injection for Java EE" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/javax\/enterprise\/cdi-api\/1.0\/cdi-api-1.0.jar" + }, + "hashes":{ + "md5":"462c0959f0322016495f4598243bc0f2", + "sha1":"44c453f60909dfc223552ace63e05c694215156b", + "sha256":"1f10b2204cc77c919301f20ff90461c3df1b6e6cb148be1c2d22107f4851d423" + }, + "properties":{ + "id1":"pkg:maven\/javax.enterprise\/cdi-api@1.0" + } + }, + { + "description":{ + "text":"\n Apache Commons Lang, a package of Java utility classes for the\n classes that are in java.lang's hierarchy, or are considered to be so\n standard as to justify existence in java.lang.\n " + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/apache\/commons\/commons-lang3\/3.8.1\/commons-lang3-3.8.1.jar" + }, + "hashes":{ + "md5":"540b1256d887a6993ecbef23371a3302", + "sha1":"6505a72a097d9270f7a9e7bf42c4238283247755", + "sha256":"dac807f65b07698ff39b1b07bfef3d87ae3fd46d91bbf8a2bc02b2a831616f68" + }, + "properties":{ + "license":"https:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id2":"pkg:maven\/org.apache.commons\/commons-lang3@3.8.1" + 
} + }, + { + "description":{ + "text":"The javax.inject API" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/javax\/inject\/javax.inject\/1\/javax.inject-1.jar" + }, + "hashes":{ + "md5":"289075e48b909e9e74e6c915b3631d2e", + "sha1":"6975da39a7040257bd51d21a231b76c915872d38", + "sha256":"91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff" + }, + "properties":{ + "license":"The Apache Software License, Version 2.0: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id3":"pkg:maven\/javax.inject\/javax.inject@1" + } + }, + { + "description":{ + "text":"JSR-250 Reference Implementation by Glassfish" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/javax\/annotation\/jsr250-api\/1.0\/jsr250-api-1.0.jar" + }, + "hashes":{ + "md5":"4cd56b2e4977e541186de69f5126b4a6", + "sha1":"5025422767732a1ab45d93abfea846513d742dcf", + "sha256":"a1a922d0d9b6d183ed3800dfac01d1e1eb159f0e8c6f94736931c1def54a941f" + }, + "properties":{ + "license":"COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https:\/\/glassfish.dev.java.net\/public\/CDDLv1.0.html", + "id4":"pkg:maven\/javax.annotation\/jsr250-api@1.0" + } + }, + { + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/apache\/maven\/maven-artifact\/3.6.0\/maven-artifact-3.6.0.jar" + }, + "hashes":{ + "md5":"89e95013b11f347e48c0525965600404", + "sha1":"d4c0da647de59c9ccc304a112fe1f1474d49e8eb", + "sha256":"3d5a0e77cde76d386b18c7400db1eb16aacef02e031ecd0d954477aeccc92155" + }, + "properties":{ + "id5":"pkg:maven\/org.apache.maven\/maven-artifact@3.6.0" + } + }, + { + "description":{ + "text":"Model for Maven POM (Project Object Model)" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/apache\/maven\/maven-model\/3.6.0\/maven-model-3.6.0.jar" + }, + "hashes":{ + "md5":"0505d964b102e3f62845f5d4508e166e", + "sha1":"06d73e6218a10cfe82cf0325b582cbed732cc751", + "sha256":"a1bf0c7856afd1f1b9c81c22818328fb7a796b4047010e08f2e859d1896080a9" + }, + "properties":{ + 
"id6":"pkg:maven\/org.apache.maven\/maven-model@3.6.0" + } + }, + { + "description":{ + "text":"Java annotations to use in Mojos" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/apache\/maven\/plugin-tools\/maven-plugin-annotations\/3.6.0\/maven-plugin-annotations-3.6.0.jar" + }, + "hashes":{ + "md5":"c26580fde2323b86d67de4ec22baf2ae", + "sha1":"e3ce624bc4af77c9dbe2d609851c4082a4da7bc4", + "sha256":"9e2434820dd2ba44ad70a66e5b2a9993a2a8b047ceabc3e850e4858cbf3f91c3" + }, + "properties":{ + "id7":"pkg:maven\/org.apache.maven.plugin-tools\/maven-plugin-annotations@3.6.0" + } + }, + { + "description":{ + "text":"The API for plugins - Mojos - development." + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/apache\/maven\/maven-plugin-api\/3.6.0\/maven-plugin-api-3.6.0.jar" + }, + "hashes":{ + "md5":"416f41e165e638af2daa5d009af35946", + "sha1":"1ad37c33e3f046a84e7394df36a05a7f3b877d55", + "sha256":"0062a08b463314a1b5f8eb1a56207efb830fbdf547c42a3191eb146c4db39b1a" + }, + "properties":{ + "id8":"pkg:maven\/org.apache.maven\/maven-plugin-api@3.6.0" + } + }, + { + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/eclipse\/sisu\/org.eclipse.sisu.inject\/0.3.3\/org.eclipse.sisu.inject-0.3.3.jar" + }, + "hashes":{ + "md5":"47ff59586827a2e705183c678e70404f", + "sha1":"b163fc1e714db5f9b389ec11f11950b5913e454c", + "sha256":"c6935e0b7d362ed4ca768c9b71d5d4d98788ff0a79c0d2bb954c221a078b166b" + }, + "properties":{ + "license":"http:\/\/www.eclipse.org\/legal\/epl-v10.html", + "id9":"pkg:maven\/org.eclipse.sisu\/org.eclipse.sisu.inject@0.3.3" + } + }, + { + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/eclipse\/sisu\/org.eclipse.sisu.plexus\/0.3.3\/org.eclipse.sisu.plexus-0.3.3.jar" + }, + "hashes":{ + "md5":"02eeaf9f89f7249f9f7bbab2771f5ef5", + "sha1":"2c892c1fe0cd2dabcc729e1cbff3524b4847b1fe", + "sha256":"98045f5ecd802d6a96ba00394f8cb61259f9ac781ec2cb51ca0cb7b2c94ac720" + }, + "properties":{ + 
"license":"http:\/\/www.eclipse.org\/legal\/epl-v10.html", + "id10":"pkg:maven\/org.eclipse.sisu\/org.eclipse.sisu.plexus@0.3.3" + } + }, + { + "description":{ + "text":"A class loader framework" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/codehaus\/plexus\/plexus-classworlds\/2.5.2\/plexus-classworlds-2.5.2.jar" + }, + "hashes":{ + "md5":"53b54feee8cef6b843bd6748bda4bfa7", + "sha1":"4abb111bfdace5b8167db4c0ef74644f3f88f142", + "sha256":"b2931d41740490a8d931cbe0cfe9ac20deb66cca606e679f52522f7f534c9fd7" + }, + "properties":{ + "license":"http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id11":"pkg:maven\/org.codehaus.plexus\/plexus-classworlds@2.5.2" + } + }, + { + "description":{ + "text":"\n Plexus Component \"Java 5\" Annotations, to describe plexus components properties in java sources with\n standard annotations instead of javadoc annotations.\n " + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/codehaus\/plexus\/plexus-component-annotations\/1.5.5\/plexus-component-annotations-1.5.5.jar" + }, + "hashes":{ + "md5":"ef37dcdb84030422db428b63c4354e5b", + "sha1":"c72f2660d0cbed24246ddb55d7fdc4f7374d2078", + "sha256":"4df7a6a7be64b35bbccf60b5c115697f9ea3421d22674ae67135dde375fcca1f" + }, + "properties":{ + "id12":"pkg:maven\/org.codehaus.plexus\/plexus-component-annotations@1.5.5" + } + }, + { + "description":{ + "text":"A collection of various utility classes to ease working with strings, files, command lines, XML and\n more.\n " + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/org\/codehaus\/plexus\/plexus-utils\/3.1.1\/plexus-utils-3.1.1.jar" + }, + "hashes":{ + "md5":"8b09fc3466a84ee3e36e8df197a573f3", + "sha1":"b296e62bbdb9b4f018adffbd5e8e0aaa34b8c718", + "sha256":"d1f74a7a0d91eb82536d71175b177bf21b1d7d286376b0ea5ba8a194265ba90b" + }, + "properties":{ + "id13":"pkg:maven\/org.codehaus.plexus\/plexus-utils@3.1.1", + "vid1":"cpe:2.3:a:plexus-utils_project:plexus-utils:3.1.1:*:*:*:*:*:*:*", + 
"vid2":"cpe:2.3:a:utils_project:utils:3.1.1:*:*:*:*:*:*:*" + } + }, + { + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/com.google.code.gson\/gson\/pom.xml" + }, + "hashes":{ + "md5":"c13f373086992bab8989b514941891a6", + "sha1":"ce159faf33c1e665e1f3a785a5d678a2b20151bc", + "sha256":"d2b115634f5c085db4b9c9ffc2658e89e231fdbfbe2242121a1cd95d4d948dd7" + }, + "properties":{ + "license":"Apache-2.0: https:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id14":"pkg:maven\/com.google.code.gson\/gson@2.10.1", + "vid3":"cpe:2.3:a:google:gson:2.10.1:*:*:*:*:*:*:*" + } + }, + { + "description":{ + "text":"The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression.\n JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme.\n The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme. 
" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/com.googlecode.javaewah\/JavaEWAH\/pom.xml" + }, + "hashes":{ + "md5":"31679ce3dc24bd983006245d6760b640", + "sha1":"c0e2224902ce244ef82d72c9287f933394255452", + "sha256":"9725b1fe9c6810d977750bb84415ea1082c4b488d4a839f9704bb4f5e8fc17f4" + }, + "properties":{ + "license":"Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id15":"pkg:maven\/com.googlecode.javaewah\/JavaEWAH@1.1.13" + } + }, + { + "description":{ + "text":"Base elements (lines, corners, borders) and themes for frames, grids, lists (itemize, enumerate)." + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/de.vandermeer\/ascii-utf-themes\/pom.xml" + }, + "hashes":{ + "md5":"7bb1c6d124e6a3f94dfe5dd07fb4dda8", + "sha1":"655c6b2982aea2a562fcf37ea90cad903bc640d3", + "sha256":"7c91c7995fa8b5cd9cd18bc4cddc354af0cc3ee7348efc0d76d6d2f80b8f2175" + }, + "properties":{ + "license":"Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id16":"pkg:maven\/de.vandermeer\/ascii-utf-themes@0.0.1" + } + }, + { + "description":{ + "text":"An ASCII table with various render options and UTF-8 support" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/de.vandermeer\/asciitable\/pom.xml" + }, + "hashes":{ + "md5":"2291b203e867a7e7050d3848c3f2cd8b", + "sha1":"e203c3f62027dd993181b079827d58f49e1a36a4", + "sha256":"14a53b93e0d7749a4eba546091dbc8698c5d4051570d9f65a9f09e40b83a9dc6" + }, + "properties":{ + "license":"Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id17":"pkg:maven\/de.vandermeer\/asciitable@0.3.2" + } + }, + { + "description":{ + "text":"Set of translators for characters, HTML Elements, and 
their combinations." + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/de.vandermeer\/char-translation\/pom.xml" + }, + "hashes":{ + "md5":"25072e753702b310bf35f6ba3ccdb9bc", + "sha1":"aa5b4b4e94959af4473d9f90d20a47e072f7c030", + "sha256":"8f83b635b8501cbab107d520c1e02ed59ad77600fb0c554bbb9ac653c6a0cc80" + }, + "properties":{ + "license":"Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id18":"pkg:maven\/de.vandermeer\/char-translation@0.0.2" + } + }, + { + "description":{ + "text":"Set of interfaces used by other SKB projects." + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/de.vandermeer\/skb-interfaces\/pom.xml" + }, + "hashes":{ + "md5":"b5a8f357d2e123f1e8b04329bf3b5810", + "sha1":"568f494ff770f0951419af9a51f11c3e87e2f393", + "sha256":"72f6ff6d66c6316056de6b954b0248604234f10e3bbd7f8cc13ba384e6e607cd" + }, + "properties":{ + "license":"Apache 2: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id19":"pkg:maven\/de.vandermeer\/skb-interfaces@0.0.1" + } + }, + { + "description":{ + "text":"Efficient and customizable TreeLayout Algorithm in Java." 
+ }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.abego.treelayout\/org.abego.treelayout.core\/pom.xml" + }, + "hashes":{ + "md5":"0fd589167b7a434db7580a66737649b9", + "sha1":"e8da72b4e31c6610ca57fde5f73d5ee4d1d5f957", + "sha256":"7c8cbfca64e970440d4f287f3516a96c00692a0394fca1d57b12a97a96f0ea11" + }, + "properties":{ + "license":"BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause): http:\/\/treelayout.googlecode.com\/files\/LICENSE.TXT", + "id20":"pkg:maven\/org.abego.treelayout\/org.abego.treelayout.core@1.0.1" + } + }, + { + "description":{ + "text":"StringTemplate is a java template engine for generating source code,\nweb pages, emails, or any other formatted text output.\n\nStringTemplate is particularly good at multi-targeted code generators,\nmultiple site skins, and internationalization\/localization. \n\nIt evolved over years of effort developing jGuru.com. \n\nStringTemplate also generates the stringtemplate website: http:\/\/www.stringtemplate.org\nand powers the ANTLR v3 code generator. 
Its distinguishing characteristic \nis that unlike other engines, it strictly enforces model-view separation.\n\nStrict separation makes websites and code generators more flexible\nand maintainable; it also provides an excellent defense against malicious\ntemplate authors.\n\nThere are currently about 600 StringTemplate source downloads a month.\n " + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.antlr\/ST4\/pom.xml" + }, + "hashes":{ + "md5":"683219fec455dfde94a6473373265284", + "sha1":"116663d33389525e932a4ff7adaf66eb06caf277", + "sha256":"3c0890dec71174eb3ba3d404ca9e341901ff6b0421808b00713b0dbb1306c17c" + }, + "properties":{ + "license":"BSD licence: http:\/\/antlr.org\/license.html", + "id21":"pkg:maven\/org.antlr\/ST4@4.0.8" + } + }, + { + "description":{ + "text":"A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions." 
+ }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.antlr\/antlr-runtime\/pom.xml" + }, + "hashes":{ + "md5":"b9bf8a27cb01fac6a32d6aa68b59f5bf", + "sha1":"af8ae5172f0c499d932d465673c9833c8777c1dd", + "sha256":"46a9c2200bb8b12bd7124aa7a5097ff49099908329c851a04cb2051420aa7f25" + }, + "properties":{ + "id22":"pkg:maven\/org.antlr\/antlr-runtime@3.5.2" + } + }, + { + "description":{ + "text":"The ANTLR 4 Runtime" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.antlr\/antlr4-runtime\/pom.xml" + }, + "hashes":{ + "md5":"9d1d96c3ffedf7f287c0de8032becdde", + "sha1":"47a3c5bc681610d2ca3ec9e499eaaece74fa89c1", + "sha256":"4f7e70ffbcf4223f836b620034d0f0eb5ee67a32a956ef726d2a22337285e7b7" + }, + "properties":{ + "id23":"pkg:maven\/org.antlr\/antlr4-runtime@4.5.1" + } + }, + { + "description":{ + "text":"The ANTLR 4 grammar compiler." 
+ }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.antlr\/antlr4\/pom.xml" + }, + "hashes":{ + "md5":"b42cf64297acd58ff6b348de3b407561", + "sha1":"4c68afec494088293747b3f63dc415aa396b6c0c", + "sha256":"744599611082f19ffbd61aa40c303edbd760ee428572813e08bc9b99317b6df6" + }, + "properties":{ + "id24":"pkg:maven\/org.antlr\/antlr4@4.5.1" + } + }, + { + "description":{ + "text":"\n Apache Commons Lang, a package of Java utility classes for the\n classes that are in java.lang's hierarchy, or are considered to be so\n standard as to justify existence in java.lang.\n " + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.apache.commons\/commons-lang3\/pom.xml" + }, + "hashes":{ + "md5":"5b94f12ccc8674526bc96c46c3899900", + "sha1":"fd6eccbd05d55177e2f5e6d9da6f8d120751ab72", + "sha256":"686e75b561a13c1031d43a7647a364e2ed3e456467050eac4527b94b06d73fd1" + }, + "properties":{ + "id25":"pkg:maven\/org.apache.commons\/commons-lang3@3.4" + } + }, + { + "description":{ + "text":"\n Repository access and algorithms\n " + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.eclipse.jgit\/org.eclipse.jgit\/pom.xml" + }, + "hashes":{ + "md5":"6ad90143e7e0219dce98eeed2188111a", + "sha1":"849ac18b1db0534ab42bf842a0efd144b9d01dd6", + "sha256":"3cc4bebf9c936578eae2b6d24fb2a912d89993a54fd0e2fbc1c8abc049878515" + }, + "properties":{ + "id26":"pkg:maven\/org.eclipse.jgit\/org.eclipse.jgit@5.13.1.202206130422-r", + "vid4":"cpe:2.3:a:eclipse:jgit:5.13.1:202206130422:*:*:*:*:*:*" + } + }, + { + "description":{ + "text":"The slf4j API" + }, + "location":{ + 
"uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar\/META-INF\/maven\/org.slf4j\/slf4j-api\/pom.xml" + }, + "hashes":{ + "md5":"640805e90ef388e325cd8e0bff2e99e6", + "sha1":"02013960e5ee7f712d8fa6f2e618a6ff2e8d98a9", + "sha256":"7e0747751e9b67e19dcb5206f04ea22cc03d250c422426402eadd03513f2c314" + }, + "properties":{ + "id27":"pkg:maven\/org.slf4j\/slf4j-api@1.7.30" + } + }, + { + "description":{ + "text":"A collection of scripts" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-git-lib\/1.49.0\/violations-git-lib-1.49.0.jar" + }, + "hashes":{ + "md5":"ec77306b92d858fc601360fb0c4c15b2", + "sha1":"329d01ed828b4d54c8cc9e9943ae035a0a8182b4", + "sha256":"66cb02ffa40fb4796bd95b2256c64a2891c1bf47ad4982553f6d0b688df3e7e9" + }, + "properties":{ + "license":"The Apache Software License, Version 2.0: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id28":"pkg:maven\/se.bjurr.violations\/violations-git-lib@1.49.0" + } + }, + { + "description":{ + "text":"A collection of scripts" + }, + "location":{ + "uri":"\/home\/bjerre\/.m2\/repository\/se\/bjurr\/violations\/violations-lib\/1.156.1\/violations-lib-1.156.1.jar" + }, + "hashes":{ + "md5":"daf26a84d907f19a70fde150894d9267", + "sha1":"0c71e81520206c1377fedf72401ab45ec618c7d7", + "sha256":"07561393aa90963ed3e58c07df08d7dbd60f56c7285b848b7caf98a5ed86b27c" + }, + "properties":{ + "license":"The Apache Software License, Version 2.0: http:\/\/www.apache.org\/licenses\/LICENSE-2.0.txt", + "id29":"pkg:maven\/se.bjurr.violations\/violations-lib@1.156.1" + } + } + ], + "results":[ + { + "ruleId":"CVE-2021-4277", + "level":"warning", + "message":{ + "text":"CVE-2021-4277 - A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. 
The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability."
+ },
+ "partialFingerprints":{
+ "vulnerabilityHash":"bc7a7570067c3fb482d04589a45b3852"
+ },
+ "locations":[
+ {
+ "physicalLocation":{
+ "artifactLocation":{
+ "uri":"\/home\/bjerre\/.m2\/repository\/org\/codehaus\/plexus\/plexus-utils\/3.1.1\/plexus-utils-3.1.1.jar",
+ "index":12
+ }
+ },
+ "logicalLocations":[
+ {
+ "fullyQualifiedName":"pkg:maven\/org.codehaus.plexus\/plexus-utils@3.1.1"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/test/resources/sarif/samples/OriginalUriBaseIds.sarif b/src/test/resources/sarif/samples/OriginalUriBaseIds.sarif
index 354949f..4fbb4af 100644
--- a/src/test/resources/sarif/samples/OriginalUriBaseIds.sarif
+++ b/src/test/resources/sarif/samples/OriginalUriBaseIds.sarif
@@ -58,6 +58,17 @@
 }
 }
 }
+ },
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "added-stuff.md",
+ "uriBaseId": "SRCROOT",
+ "properties": {
+ "comment": "not in the original example"
+ }
+ }
+ }
 }
 ]
 },
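Review bot: The added location only covers a uriBaseId that the run presumably declares (`SRCROOT`; the run's originalUriBaseIds object is outside this hunk), so the fixture never pins how the new lookup behaves when the id is not declared, which is exactly where a malformed or hostile report would surface. I would add a sibling entry such as `{ "physicalLocation": { "artifactLocation": { "uri": "orphan.md", "uriBaseId": "NOT_DECLARED" } } }` and assert in SarifParserTest which file path (or the bare uri) the parser reports for it, rather than silently dropping or mis-resolving the location. The `properties.comment` bag is valid SARIF, but the expected resolved path belongs in the test assertion rather than in the sample data. The enclosing `locations` array and run start before this hunk.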