Add test data for node.Js report #136

Merged
merged 5 commits into from
May 4, 2019
Conversation

thib3113 (Contributor)

Following issue #135, I'm adding some test data.

Reamer (Member) commented Apr 24, 2019

Hi @thib3113,
this is quite interesting: it seems that vulnerabilities found via NPM have no CVSS score (take a look at the comment at jeremylong/DependencyCheck#1366 (comment)).
What would be a good solution for this case?
Ignoring NPM vulnerabilities, or setting a default score (0-10)?

Reamer (Member) commented Apr 24, 2019

Please pretty print your big xml file. Possible tools: https://stackoverflow.com/questions/16090869/how-to-pretty-print-xml-from-the-command-line

thib3113 (Contributor, Author)

About the big file, I've just added it to show how big a node.js analysis can become, so this is just to test an "unmodified" report. But I can pretty print it without problems (tomorrow, though).

About the npm part, I know npm audit returns a vulnerability level (telling whether the vulnerability is important, medium or low), so it will maybe be updated in the dependency-check tool (the node.js analyser is buggy sometimes, and shows really a lot of warnings). So, for the moment, set it to a middle score by default? To tell that it's not a low vulnerability and not a high vulnerability, just an unknown level.

I'll read your link tomorrow too.

thib3113 (Contributor, Author) commented Apr 25, 2019

So, after some research, it seems the version 5.0.0-SNAPSHOT (directly from git, at commit jeremylong/DependencyCheck@c747bac) produces this in the XML:

<vulnerability source="NPM">
    <name>786</name>
    <severity>low</severity>
    <cwes/>
    <description>
        Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
    </description>
    <references>
        <reference>
            <source>Advisory 786: Regular Expression Denial of Service</source>
            <name>
                - [GitHub Commit](https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451)
            </name>
        </reference>
    </references>
    <vulnerableSoftware>
        <software>cpe:2.3:a:*:braces:\&lt;2.3.1:*:*:*:*:*:*:*</software>
    </vulnerableSoftware>
</vulnerability>

As you can see, a severity node is added with the level, but it is undocumented in the XSD (I've opened an issue, jeremylong/DependencyCheck#1873, about it).
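The fallback discussed in the two comments above (a default score when an NPM finding carries only a `severity` level and no CVSS score), as an added example; this is not the sonar plugin's code and not anything from the PR or from #141. It parses a constructed report fragment shaped like the 5.0.0-SNAPSHOT output quoted in the previous comment. Assumptions: the NVD entry is given a `<cvssScore>` element (only the NPM entry's shape is taken from the page), the namespace URI, file names and the `EXAMPLE-CVE-JQUERY` name are placeholders, and the numbers mapped from `low`/`moderate`/`high`/`critical` are a choice made for this example, not the "workaround values" the plugin uses.

```python
"""Fallback scoring for dependency-check XML findings that only carry an NPM
<severity> level. Illustrative parser for this discussion, not the plugin's code."""
import xml.etree.ElementTree as ET

# Assumed mapping from npm audit's textual levels onto the 0-10 CVSS scale.
# The numbers are a choice for this example, not values from the plugin or PR.
NPM_SEVERITY_SCORE = {
    "low": 2.5,
    "moderate": 5.0,
    "medium": 5.0,
    "high": 7.5,
    "critical": 9.5,
}
# "Middle score by default" for a finding whose level is missing or unknown.
UNKNOWN_SEVERITY_SCORE = 5.0

# Constructed sample report (placeholder namespace, file names and NVD name).
# Real reports are namespaced, which is why tag matching below strips the URI.
SAMPLE_REPORT = """<analysis xmlns="urn:example:dependency-check-report">
  <dependencies>
    <dependency>
      <fileName>jquery:3.0.0</fileName>
      <vulnerabilities>
        <vulnerability source="NVD">
          <name>EXAMPLE-CVE-JQUERY</name>
          <cvssScore>4.3</cvssScore>
          <severity>Medium</severity>
          <description>Constructed NVD finding that carries a CVSS score.</description>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>braces:2.0.0</fileName>
      <vulnerabilities>
        <vulnerability source="NPM">
          <name>786</name>
          <severity>low</severity>
          <cwes/>
          <description>Versions of braces prior to 2.3.1 are vulnerable to ReDoS.</description>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>kind-of:6.0.2</fileName>
    </dependency>
  </dependencies>
</analysis>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def score_vulnerability(vuln):
    """Return (score, origin) for one <vulnerability> element.

    origin is 'cvss' when a numeric CVSS score was present, 'npm-severity' when
    the textual NPM level was mapped, and 'default' when neither was usable.
    """
    cvss = _child_text(vuln, "cvssScore")
    if cvss:
        try:
            return float(cvss), "cvss"
        except ValueError:
            pass  # malformed score: fall through to the severity level
    severity = _child_text(vuln, "severity")
    if severity:
        mapped = NPM_SEVERITY_SCORE.get(severity.lower())
        if mapped is not None:
            return mapped, "npm-severity"
    return UNKNOWN_SEVERITY_SCORE, "default"


def score_report(xml_text):
    """Map each dependency's fileName to a list of (name, score, origin)."""
    root = ET.fromstring(xml_text)
    result = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        findings = []
        for sub in dep.iter():
            if _local(sub.tag) == "vulnerability":
                score, origin = score_vulnerability(sub)
                findings.append((_child_text(sub, "name"), score, origin))
        result[_child_text(dep, "fileName") or "?"] = findings
    return result


if __name__ == "__main__":
    for file_name, findings in score_report(SAMPLE_REPORT).items():
        print(file_name, findings)
```

The three sample dependencies mirror the cases the PR's assertions cover: a dependency with an NVD finding (real score used as-is), one with an NPM finding (level mapped), and one with no findings. A level the mapping does not know falls back to the middle score rather than silently dropping the finding, which is the "unknown level" behaviour thib3113 proposed.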

Reamer (Member) commented May 3, 2019

Hi @thib3113,
I added a small workaround till dependency-check 5.0.0 is released. Please add some more asserts in your test method, in particular for the "workaround values". #141

thib3113 (Contributor, Author) commented May 3, 2019

Hi @Reamer, here it is. I added more assertions, testing jquery, braces, and kind-of (jquery contains an NVD vulnerability, braces an NPM vulnerability, and kind-of has no vulnerabilities).

(I'm not a Java developer, so I didn't really know how to test only these 3 dependencies on the big report, so I've done 3 basic conditions.)

@Reamer Reamer merged commit 4db4fbc into dependency-check:master May 4, 2019
Reamer (Member) commented May 4, 2019

All good, thanks for your work.

Reamer pushed a commit that referenced this pull request Jun 4, 2019
* Add test data for node.Js report