xsd 2.0 not up to date #1873

Closed
thib3113 opened this issue Apr 25, 2019 · 3 comments
thib3113 commented Apr 25, 2019

Describe the bug
The NPM source adds a new XML node that is not documented in https://jeremylong.github.io/DependencyCheck/dependency-check.2.0.xsd .

Example:

<vulnerability source="NPM">
    <name>786</name>
    <severity>low</severity>
    <cwes/>
    <description>
        Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
    </description>
    <references>
        <reference>
            <source>Advisory 786: Regular Expression Denial of Service</source>
            <name>
                - [GitHub Commit](https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451)
            </name>
        </reference>
    </references>
    <vulnerableSoftware>
        <software>cpe:2.3:a:*:braces:\&lt;2.3.1:*:*:*:*:*:*:*</software>
    </vulnerableSoftware>
</vulnerability>

Here, severity is not valid.

Version of dependency-check used
The problem occurs using version 5.0.0-SNAPSHOT (cloned from git, on commit c747bac).

To Reproduce
Steps to reproduce the behavior:

  1. Run the test ReportGeneratorIT.testGenerateReport after adding a Node.js test (a pull request is coming).

Expected behavior
Update the XSD.

@jeremylong (Owner) commented

Sorry - we have done a poor job of publishing things during the long journey of the 5.0.0 release. The field has already been added to the dev branch:

<xs:element name="severity" type="xs:string" minOccurs="0" maxOccurs="1"/>

We are hoping to be complete with the 5.0.0 release soon.
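A schema-drift check for exactly this situation, added here as an example and not code from dependency-check itself: it collects the element names an XSD declares and diffs them against the element names a report actually emits. The schema below is a constructed, cut-down stand-in in the shape of dependency-check.2.0.xsd (only the `vulnerability` subtree, without `severity`, as in the published copy); the report fragment is the NPM finding from the issue above with a shortened description.

```python
import xml.etree.ElementTree as ET
XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed, trimmed-down stand-in for dependency-check.2.0.xsd: only the
# element names under <vulnerability>, and no <severity>, like the published copy.
SCHEMA_2_0 = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="vulnerability"><xs:complexType><xs:sequence>
    <xs:element name="name" type="xs:string"/>
    <xs:element name="cwes" minOccurs="0"/>
    <xs:element name="description" type="xs:string"/>
    <xs:element name="references" minOccurs="0"/>
    <xs:element name="reference"/>
    <xs:element name="source" type="xs:string"/>
    <xs:element name="vulnerableSoftware" minOccurs="0"/>
    <xs:element name="software" type="xs:string"/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>"""

# The declaration quoted from the dev branch, spliced in before <cwes>.
SCHEMA_DEV = SCHEMA_2_0.replace(
    '<xs:element name="cwes"',
    '<xs:element name="severity" type="xs:string" minOccurs="0" maxOccurs="1"/>\n'
    '    <xs:element name="cwes"',
)

# The NPM finding from the report above (description shortened).
REPORT = r"""<vulnerability source="NPM">
    <name>786</name>
    <severity>low</severity>
    <cwes/>
    <description>Versions of `braces` prior to 2.3.1 are vulnerable to ReDoS.</description>
    <references><reference>
        <source>Advisory 786: Regular Expression Denial of Service</source>
        <name>- [GitHub Commit](https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451)</name>
    </reference></references>
    <vulnerableSoftware><software>cpe:2.3:a:*:braces:\&lt;2.3.1:*:*:*:*:*:*:*</software></vulnerableSoftware>
</vulnerability>"""

def declared_elements(xsd_text):
    """Names introduced by every <xs:element name="..."> in the schema."""
    return {e.get("name") for e in ET.fromstring(xsd_text).iter(XS + "element")}

def used_elements(xml_text):
    """Local names of every element in a report fragment (namespace stripped)."""
    return {el.tag.rsplit("}", 1)[-1] for el in ET.fromstring(xml_text).iter()}

def undeclared_elements(xsd_text, xml_text):
    """Elements the report emits that the schema does not declare: schema drift."""
    return used_elements(xml_text) - declared_elements(xsd_text)
```

This only flags element names the schema never declares; ordering and cardinality errors still need a real XSD validator.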

@thib3113 (Contributor, Author) commented

Oh sorry ... JetBrains doesn't see it and uses the web version. So ... good if you support it :D. But maybe you need to update the XSD version to 2.1? (I know the SonarQube plugin already checks the 2.0 version, but it will not support the severity.)

@jeremylong (Owner) commented

Regarding the 2.0 vs 2.1 - the only thing on the DC side that uses the 2.0 schema is pre-release versions (milestone releases). However, I suppose you are right - others have been using the milestone releases in production, so we probably should update the schema version.

jeremylong added a commit that referenced this issue Apr 25, 2019
@jeremylong jeremylong added this to the 5.0.0-M3 milestone May 6, 2019
@lock lock bot locked and limited conversation to collaborators Jun 6, 2019