Report and doc updates. Changes vuln source from NSP to NPM #1366

jeremylong · Sep 21, 2018 · ec50415 · ec50415
1 parent bc4c98b
commit ec50415
Show file tree

Hide file tree

Showing 10 changed files with 21 additions and 23 deletions.
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzer.java
@@ -61,7 +61,7 @@ public class NodeAuditAnalyzer extends AbstractNpmAnalyzer {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(NodeAuditAnalyzer.class);
     /**
-     * The default URL to the NSP check API.
+     * The default URL to the NPM Audit API.
      */
     public static final String DEFAULT_URL = "https://registry.npmjs.org/-/npm/v1/security/audits";
     /**
@@ -183,14 +183,12 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
                  * Create a new vulnerability out of the advisory returned by nsp.
                  */
                 final Vulnerability vuln = new Vulnerability();
-                //vuln.setCvssScore(advisory.getCvssScore());
                 vuln.setDescription(advisory.getOverview());
                 vuln.setName(String.valueOf(advisory.getId()));
-
-                // TODO: NPM Audit still has a requirement on NSP but this will soon change.
-                vuln.setSource(Vulnerability.Source.NSP);
+                vuln.setUnscoredSeverity(advisory.getSeverity());
+                vuln.setSource(Vulnerability.Source.NPM);
                 vuln.addReference(
-                        "NSP",
+                        "NPM",
                         "Advisory " + advisory.getId() + ": " + advisory.getTitle(),
                         advisory.getReferences() // TODO? What was this before ?????????????
                 );

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/exception/SearchException.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/exception/SearchException.java
@@ -20,7 +20,7 @@
 import javax.annotation.concurrent.ThreadSafe;
 
 /**
- * An exception thrown when an online searching fails (such as NSP).
+ * An exception thrown when an online searching fails (such as NPM).
  *
  * @author Jeremy Long
  */

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/Advisory.java b/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/Advisory.java
@@ -29,7 +29,7 @@
 public class Advisory {
 
     /**
-     * The unique ID of the advisory as issued by Node Security Platform.
+     * The unique ID of the advisory as issued by NPM.
      */
     private int id;
 

diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
@@ -43,9 +43,9 @@ public enum Source {
          */
         NVD,
         /**
-         * Node Security Platform.
+         * NPM Public Advisory.
          */
-        NSP,
+        NPM,
         /**
          * RetireJS.
          */

diff --git a/core/src/main/resources/templates/htmlReport.vsl b/core/src/main/resources/templates/htmlReport.vsl
@@ -860,8 +860,8 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                             #set($vsctr=$vsctr+1)
                             #if($vuln.getSource().name().equals("NVD"))
                                 <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CCE for this file" onclick="copyText('$enc.javascript($dependency.DisplayFileName)', '$enc.javascript($dependency.Sha1sum)', '$enc.javascript($suppressGav)', 'cve', '$enc.javascript($vuln.name)')">suppress</button></p>
-                            #elseif($vuln.getSource().name().equals("NSP"))
-                                <p><b><a target="_blank" href="https://nodesecurity.io/advisories/$enc.url($vuln.name)">NSP-$enc.html($vuln.name)</a></b></p>
+                            #elseif($vuln.getSource().name().equals("NPM"))
+                                <p><b><a target="_blank" href="https://www.npmjs.com/advisories/$enc.url($vuln.name)">NPM-$enc.html($vuln.name)</a></b></p>
                             #elseif($vuln.getSource().name().equals("RETIREJS"))
                                 <p><b>$enc.html($vuln.name)</b> (RetireJS)</p>
                             #end
@@ -908,7 +908,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                     #end
                                     </ul></p>
                                 #end
-                            #elseif ($vuln.getSource().name().equals("NSP"))
+                            #elseif ($vuln.getSource().name().equals("NPM"))
                                 <p>Vulnerable Software &amp; Versions:
                                     <ul>
                                     #foreach($vs in $vuln.getVulnerableSoftware())
@@ -1039,8 +1039,8 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
                                     #set($vsctr=$vsctr+1)
                                     #if($vuln.getSource().name().equals("NVD"))
                                         <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span></p>
-                                    #elseif($vuln.getSource().name().equals("NSP"))
-                                        <p><b><a target="_blank" href="https://nodesecurity.io/advisories/$enc.url($vuln.name)">NSP-$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span></p>
+                                    #elseif($vuln.getSource().name().equals("NPM"))
+                                        <p><b><a target="_blank" href="https://www.npmjs.com/advisories/$enc.url($vuln.name)">NPM-$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span></p>
                                     #elseif($vuln.getSource().name().equals("RETIREJS"))
                                         <p><b>$enc.html($vuln.name)</b> (RetireJS)&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span></p>
                                     #end
@@ -1096,7 +1096,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
             <br/><br/>
             This report contains data retrieved from the <a href="https://nvd.nist.gov">National Vulnerability Database</a>.
             <br/>
-            This report may contain data retrieved from the <a href="https://nodesecurity.io">Node Security Platform</a>.
+            This report may contain data retrieved from the <a href="https://www.npmjs.com/advisories">NPM Public Advisories</a>.
         </div>
     </body>
 </html>
diff --git a/core/src/main/resources/templates/jsonReport.vsl b/core/src/main/resources/templates/jsonReport.vsl
@@ -19,7 +19,7 @@
         "reportDate": "$scanDateXML",
         "credits": {
             "NVD": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov",
-            "NSP": "This report may contain data retrieved from the Node Security Platform: https://nodesecurity.io",
+            "NPM": "This report may contain data retrieved from the NPM Public Advisories: https://www.npmjs.com/advisories",
             "RETIREJS": "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/"
         }
     },

diff --git a/core/src/main/resources/templates/vulnReport.vsl b/core/src/main/resources/templates/vulnReport.vsl
@@ -213,8 +213,8 @@ have been reported. Additionally, the HTML report provides many features not fou
                                 <td>
                                     #if($vuln.getSource().name().equals("NVD"))
                                     <a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a>
-                                    #elseif($vuln.getSource().name().equals("NSP"))
-                                    <a target="_blank" href="https://nodesecurity.io/advisories/$enc.url($vuln.name)">NSP-$enc.html($vuln.name)</a>
+                                    #elseif($vuln.getSource().name().equals("NPM"))
+                                    <a target="_blank" href="https://www.npmjs.com/advisories/$enc.url($vuln.name)">NPM-$enc.html($vuln.name)</a>
                                     #elseif($vuln.getSource().name().equals("RETIREJS"))
                                         $enc.html($vuln.name) (RetireJS)
                                     #end
@@ -253,7 +253,7 @@ have been reported. Additionally, the HTML report provides many features not fou
             <br/><br/>
             This report contains data retrieved from the <a href="https://nvd.nist.gov">National Vulnerability Database</a>.
             <br/>
-            This report may contain data retrieved from the <a href="https://nodesecurity.io">Node Security Platform</a>.
+            This report may contain data retrieved from the <a href="https://www.npmjs.com/advisories">NPM Public Advisories</a>.
             <br/>
             This report may contain data retrieved from the <a href="https://retirejs.github.io/retire.js/">RetireJS Community</a>.
         </p>

diff --git a/core/src/main/resources/templates/xmlReport.vsl b/core/src/main/resources/templates/xmlReport.vsl
@@ -41,7 +41,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <version>$enc.xml($applicationVersion)</version>
 #end
         <reportDate>$scanDateXML</reportDate>
-        <credits>This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, Node Security Platform: https://nodesecurity.io, and the RetireJS community.</credits>
+        <credits>This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.</credits>
     </projectInfo>
     <dependencies>
 #foreach($dependency in $dependencies)

diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md
@@ -10,7 +10,7 @@ to extract identification information from the files analyzed.
 | [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
 | [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
 | [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parses the package.json to gather a bill-of-materials for a Node JS project. |
-| [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
+| [NPM](./node-audit-analyzer.html) | [NPM Public Advisories](https://www.npmjs.com/advisories) is used to analyze Node.js' `package-lock.json` files for known vulnerable packages.|
 | [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
 | [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
 | [Ruby bundler&#8209;audit](./bundle-audit.html) | Ruby `Gemfile.lock` files | Executes bundle-audit and incorporates the results into the dependency-check report. |

diff --git a/src/site/markdown/related.md b/src/site/markdown/related.md
@@ -9,7 +9,7 @@ Related FOSS Projects
 * [The Victims Project](https://github.com/victims)
 * [Ruby Bundler-Audit](https://github.com/rubysec/bundler-audit)
 * [Retire.js](http://bekk.github.io/retire.js/)
-* [Node Security Project](https://nodesecurity.io/)
+* [NPM Public Advisories](https://www.npmjs.com/advisories)
 
 Vulnerability Sources
 ------------------------