From 8c970b5f3d23488403ff1da05a098ca02838446c Mon Sep 17 00:00:00 2001
From: Stefan Neuhaus
Date: Fri, 5 Jul 2024 12:26:56 +0200
Subject: [PATCH] Update to dependency-check 10.0.1
---
 README.md | 23 ++---
 overlays/dependencycheck/build.gradle | 2 +-
 overlays/dependencycheck/update.sh | 4 +-
 .../initialize_schema.sql | 86 +++++++++++++++++--
 test/project_uptodate/build.gradle | 2 +-
 5 files changed, 93 insertions(+), 24 deletions(-)
diff --git a/README.md b/README.md
index ce48857..07aec00 100644
--- a/README.md
+++ b/README.md
@@ -71,17 +71,18 @@ Updates of the Database are triggered every 2 minutes. The initial update can ta
 ## Compatibility
-| Client | Server |
-|-------------------:|--------:|
-| `>= 8.0.0` | `9.0.8` |
-| `>= 8.0.0` | `8.0.0` |
-| `7.4.4` | `7.4.4` |
-| `[6.3.0; 7.4.3]` | `6.5.3` |
-| `[6.1.3; 6.2.2]` | `6.2.0` |
-| `[6.0.0; 6.1.1]` | `6.0.2` |
-| `[5.0.0; 5.3.2.1]` | `5.0.0` |
-| `[1.4.1; 4.0.2]` | `4.0.2` |
-| `< 1.4.1` | n.a. |
+| Client | Server |
+|-------------------:|---------:|
+| `>= 6.3.0` | `10.0.1` |
+| `>= 6.3.0` | `9.0.8` |
+| `>= 6.3.0` | `8.0.0` |
+| `>= 6.3.0` | `7.4.4` |
+| `[6.3.0; 7.4.3]` | `6.5.3` |
+| `[6.1.3; 6.2.2]` | `6.2.0` |
+| `[6.0.0; 6.1.1]` | `6.0.2` |
+| `[5.0.0; 5.3.2.1]` | `5.0.0` |
+| `[1.4.1; 4.0.2]` | `4.0.2` |
+| `< 1.4.1` | n.a. |
 The server is not designed for updating its database structure manually. If you update your client to a version which is incompatible with your server version, you should just throw away the old server container and start a new one from a compatible image from scratch.
diff --git a/overlays/dependencycheck/build.gradle b/overlays/dependencycheck/build.gradle
index 9a84e49..2d4787d 100644
--- a/overlays/dependencycheck/build.gradle
+++ b/overlays/dependencycheck/build.gradle
@@ -18,7 +18,7 @@ buildscript {
 mavenCentral()
 }
 dependencies {
- classpath 'org.owasp:dependency-check-gradle:9.0.8'
+ classpath 'org.owasp:dependency-check-gradle:10.0.1'
 classpath 'com.mysql:mysql-connector-j:8.4.0'
 }
 }
diff --git a/overlays/dependencycheck/update.sh b/overlays/dependencycheck/update.sh
index 98b00df..6036f69 100755
--- a/overlays/dependencycheck/update.sh
+++ b/overlays/dependencycheck/update.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-pgrep java && echo "INFO: Update already running." && exit 1
+pgrep -a java && echo "INFO: Update already running." && exit 1
 touch /dependencycheck/update.log
-(cd /dependencycheck && ./gradlew update >>/dependencycheck/update.log 2>&1) || echo "ERROR: update failed."
+(cd /dependencycheck && ./gradlew -s update >>/dependencycheck/update.log 2>&1) || (echo "ERROR: update failed." && exit 2)
diff --git a/overlays/docker-entrypoint-initdb.d/initialize_schema.sql b/overlays/docker-entrypoint-initdb.d/initialize_schema.sql
index 830a981..a1c14dc 100644
--- a/overlays/docker-entrypoint-initdb.d/initialize_schema.sql
+++ b/overlays/docker-entrypoint-initdb.d/initialize_schema.sql
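Review bot: In the last added line of the update.sh hunk, `|| (echo "ERROR: update failed." && exit 2)` only exits a subshell; the script still ends with status 2, but only because that subshell happens to be its final command, and the message goes to stdout together with everything else. A brace group states the intent directly and routes the error to stderr: `|| { echo "ERROR: update failed." >&2; exit 2; }`. The `exit 1` after the INFO message on the `pgrep -a java` line reports an informational condition with a failure status, which callers that only look at the exit code cannot tell apart from a real error. `pgrep -a java` also matches any JVM in the container, so the guard presumably assumes the updater is the only one; a comment such as `# any running JVM is treated as an in-flight update` would make that assumption visible.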
@@ -36,7 +36,20 @@ CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) U v3ImpactScore DECIMAL(3,1), v3AttackVector VARCHAR(20), v3AttackComplexity VARCHAR(20), v3PrivilegesRequired VARCHAR(20), v3UserInteraction VARCHAR(20), v3Scope VARCHAR(20), v3ConfidentialityImpact VARCHAR(20), v3IntegrityImpact VARCHAR(20), v3AvailabilityImpact VARCHAR(20), - v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5)); + v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5), + v4version VARCHAR(5), v4attackVector VARCHAR(15), v4attackComplexity VARCHAR(15), + v4attackRequirements VARCHAR(15), v4privilegesRequired VARCHAR(15), v4userInteraction VARCHAR(15), + v4vulnConfidentialityImpact VARCHAR(15), v4vulnIntegrityImpact VARCHAR(15), v4vulnAvailabilityImpact VARCHAR(15), + v4subConfidentialityImpact VARCHAR(15), v4subIntegrityImpact VARCHAR(15), + v4subAvailabilityImpact VARCHAR(15), v4exploitMaturity VARCHAR(20), v4confidentialityRequirement VARCHAR(15), + v4integrityRequirement VARCHAR(15), v4availabilityRequirement VARCHAR(15), v4modifiedAttackVector VARCHAR(15), + v4modifiedAttackComplexity VARCHAR(15), v4modifiedAttackRequirements VARCHAR(15), v4modifiedPrivilegesRequired VARCHAR(15), + v4modifiedUserInteraction VARCHAR(15), v4modifiedVulnConfidentialityImpact VARCHAR(15), v4modifiedVulnIntegrityImpact VARCHAR(15), + v4modifiedVulnAvailabilityImpact VARCHAR(15), v4modifiedSubConfidentialityImpact VARCHAR(15), v4modifiedSubIntegrityImpact VARCHAR(15), + v4modifiedSubAvailabilityImpact VARCHAR(15), v4safety VARCHAR(15), v4automatable VARCHAR(15), v4recovery VARCHAR(15), + v4valueDensity VARCHAR(15), v4vulnerabilityResponseEffort VARCHAR(15), v4providerUrgency VARCHAR(15), + v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), + v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); CREATE TABLE 
`reference` (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); 
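Review bot: The new CVSS v4 columns use a lower-case prefix style (`v4attackVector`, `v4baseScore`) while the adjacent v3 columns are `v3AttackVector`, `v3BaseScore`; MySQL column names are case-insensitive so this is not a bug, but nothing says the spelling is deliberate. Since the names, order and widths of these 41 columns appear to mirror the upstream dependency-check 10.0.1 schema (the commit does not say so), a one-line comment above them would save the next upgrader a comparison: `-- CVSS v4 metrics; names, order and widths follow the dependency-check 10.0.1 schema, keep in step with update_vulnerability`. The widths (`VARCHAR(15)` for most metrics, `VARCHAR(20)` for `v4exploitMaturity`, `VARCHAR(50)` for `v4source`) are worth confirming against the longest values the feed emits, because without a strict `sql_mode` MySQL truncates oversized strings silently instead of failing the insert. The `CREATE TABLE vulnerability` statement starts before this hunk, and its closing context line is split across the two chunk lines above.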
@@ -118,8 +131,21 @@ CREATE PROCEDURE update_vulnerability ( IN p_v3ExploitabilityScore DECIMAL(3,1), IN p_v3ImpactScore DECIMAL(3,1), IN p_v3AttackVector VARCHAR(20), IN p_v3AttackComplexity VARCHAR(20), IN p_v3PrivilegesRequired VARCHAR(20), IN p_v3UserInteraction VARCHAR(20), IN p_v3Scope VARCHAR(20), IN p_v3ConfidentialityImpact VARCHAR(20), IN p_v3IntegrityImpact VARCHAR(20), - IN p_v3AvailabilityImpact VARCHAR(20), IN p_v3BaseScore DECIMAL(3,1), IN p_v3BaseSeverity VARCHAR(20), - IN p_v3Version VARCHAR(5)) + IN p_v3AvailabilityImpact VARCHAR(20), IN p_v3BaseScore DECIMAL(3,1), IN p_v3BaseSeverity VARCHAR(20), + IN p_v3Version VARCHAR(5), IN p_v4version VARCHAR(5), IN p_v4attackVector VARCHAR(15), IN p_v4attackComplexity VARCHAR(15), + IN p_v4attackRequirements VARCHAR(15), IN p_v4privilegesRequired VARCHAR(15), IN p_v4userInteraction VARCHAR(15), + IN p_v4vulnConfidentialityImpact VARCHAR(15), IN p_v4vulnIntegrityImpact VARCHAR(15), IN p_v4vulnAvailabilityImpact VARCHAR(15), + IN p_v4subConfidentialityImpact VARCHAR(15), IN p_v4subIntegrityImpact VARCHAR(15), IN p_v4subAvailabilityImpact VARCHAR(15), + IN p_v4exploitMaturity VARCHAR(20), IN p_v4confidentialityRequirement VARCHAR(15), IN p_v4integrityRequirement VARCHAR(15), + IN p_v4availabilityRequirement VARCHAR(15), IN p_v4modifiedAttackVector VARCHAR(15), IN p_v4modifiedAttackComplexity VARCHAR(15), + IN p_v4modifiedAttackRequirements VARCHAR(15), IN p_v4modifiedPrivilegesRequired VARCHAR(15), IN p_v4modifiedUserInteraction VARCHAR(15), + IN p_v4modifiedVulnConfidentialityImpact VARCHAR(15), IN p_v4modifiedVulnIntegrityImpact VARCHAR(15), + IN p_v4modifiedVulnAvailabilityImpact VARCHAR(15), IN p_v4modifiedSubConfidentialityImpact VARCHAR(15), + IN p_v4modifiedSubIntegrityImpact VARCHAR(15), IN p_v4modifiedSubAvailabilityImpact VARCHAR(15), IN p_v4safety VARCHAR(15), + IN p_v4automatable VARCHAR(15), IN p_v4recovery VARCHAR(15), IN p_v4valueDensity VARCHAR(15), IN p_v4vulnerabilityResponseEffort 
VARCHAR(15), + IN p_v4providerUrgency VARCHAR(15), IN p_v4baseScore DECIMAL(3,1), IN p_v4baseSeverity VARCHAR(15), IN p_v4threatScore DECIMAL(3,1), + IN p_v4threatSeverity VARCHAR(15), IN p_v4environmentalScore DECIMAL(3,1), IN p_v4environmentalSeverity VARCHAR(15), + IN p_v4source VARCHAR(50), IN p_v4type VARCHAR(15)) BEGIN DECLARE vulnerabilityId INT DEFAULT 0; 
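Review bot: The 41 `p_v4*` parameters appended to `update_vulnerability` are matched to the caller purely by position, and the same order is repeated by hand in the UPDATE set list, the INSERT column list and the INSERT value list of the three following hunks; the order is consistent in all four places in this commit, but nothing documents that the procedure signature, the `vulnerability` column order and the caller's CALL statement must change together. A comment above the parameter list would make the contract explicit, for example `-- parameter order is the contract with the dependency-check client: append only, and mirror any change in the UPDATE/INSERT below and in the properties 'version' value`. `CREATE PROCEDURE update_vulnerability` begins before this hunk and its body continues beyond it.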
@@ -146,7 +172,25 @@ IF vulnerabilityId > 0 THEN `v3ExploitabilityScore`=p_v3ExploitabilityScore, `v3ImpactScore`=p_v3ImpactScore, `v3AttackVector`=p_v3AttackVector, `v3AttackComplexity`=p_v3AttackComplexity, `v3PrivilegesRequired`=p_v3PrivilegesRequired, `v3UserInteraction`=p_v3UserInteraction, `v3Scope`=p_v3Scope, `v3ConfidentialityImpact`=p_v3ConfidentialityImpact, `v3IntegrityImpact`=p_v3IntegrityImpact, - `v3AvailabilityImpact`=p_v3AvailabilityImpact, `v3BaseScore`=p_v3BaseScore, `v3BaseSeverity`=p_v3BaseSeverity, `v3Version`=p_v3Version + `v3AvailabilityImpact`=p_v3AvailabilityImpact, `v3BaseScore`=p_v3BaseScore, `v3BaseSeverity`=p_v3BaseSeverity, `v3Version`=p_v3Version, + `v4version`=p_v4version, `v4attackVector`=p_v4attackVector, `v4attackComplexity`=p_v4attackComplexity, + `v4attackRequirements`=p_v4attackRequirements, `v4privilegesRequired`=p_v4privilegesRequired, + `v4userInteraction`=p_v4userInteraction, `v4vulnConfidentialityImpact`=p_v4vulnConfidentialityImpact, + `v4vulnIntegrityImpact`=p_v4vulnIntegrityImpact, `v4vulnAvailabilityImpact`=p_v4vulnAvailabilityImpact, + `v4subConfidentialityImpact`=p_v4subConfidentialityImpact, `v4subIntegrityImpact`=p_v4subIntegrityImpact, + `v4subAvailabilityImpact`=p_v4subAvailabilityImpact, `v4exploitMaturity`=p_v4exploitMaturity, + `v4confidentialityRequirement`=p_v4confidentialityRequirement, `v4integrityRequirement`=p_v4integrityRequirement, + `v4availabilityRequirement`=p_v4availabilityRequirement, `v4modifiedAttackVector`=p_v4modifiedAttackVector, + `v4modifiedAttackComplexity`=p_v4modifiedAttackComplexity, `v4modifiedAttackRequirements`=p_v4modifiedAttackRequirements, + `v4modifiedPrivilegesRequired`=p_v4modifiedPrivilegesRequired, `v4modifiedUserInteraction`=p_v4modifiedUserInteraction, + `v4modifiedVulnConfidentialityImpact`=p_v4modifiedVulnConfidentialityImpact, `v4modifiedVulnIntegrityImpact`=p_v4modifiedVulnIntegrityImpact, + `v4modifiedVulnAvailabilityImpact`=p_v4modifiedVulnAvailabilityImpact, 
`v4modifiedSubConfidentialityImpact`=p_v4modifiedSubConfidentialityImpact, + `v4modifiedSubIntegrityImpact`=p_v4modifiedSubIntegrityImpact, `v4modifiedSubAvailabilityImpact`=p_v4modifiedSubAvailabilityImpact, + `v4safety`=p_v4safety, `v4automatable`=p_v4automatable, `v4recovery`=p_v4recovery, `v4valueDensity`=p_v4valueDensity, + `v4vulnerabilityResponseEffort`=p_v4vulnerabilityResponseEffort, `v4providerUrgency`=p_v4providerUrgency, + `v4baseScore`=p_v4baseScore, `v4baseSeverity`=p_v4baseSeverity, `v4threatScore`=p_v4threatScore, + `v4threatSeverity`=p_v4threatSeverity, `v4environmentalScore`=p_v4environmentalScore, `v4environmentalSeverity`=p_v4environmentalSeverity, + `v4source`=p_v4source, `v4type`=p_v4type WHERE id=vulnerabilityId; ELSE INSERT INTO vulnerability (`cve`, `description`, 
@@ -159,8 +203,21 @@ ELSE `v3ImpactScore`, `v3AttackVector`, `v3AttackComplexity`, `v3PrivilegesRequired`, `v3UserInteraction`, `v3Scope`, `v3ConfidentialityImpact`, `v3IntegrityImpact`, `v3AvailabilityImpact`, - `v3BaseScore`, `v3BaseSeverity`, `v3Version`) - VALUES (p_cveId, p_description, + `v3BaseScore`, `v3BaseSeverity`, `v3Version`, `v4version`, `v4attackVector`, + `v4attackComplexity`, `v4attackRequirements`, `v4privilegesRequired`, `v4userInteraction`, + `v4vulnConfidentialityImpact`, `v4vulnIntegrityImpact`, `v4vulnAvailabilityImpact`, + `v4subConfidentialityImpact`, `v4subIntegrityImpact`, `v4subAvailabilityImpact`, + `v4exploitMaturity`, `v4confidentialityRequirement`, `v4integrityRequirement`, + `v4availabilityRequirement`, `v4modifiedAttackVector`, `v4modifiedAttackComplexity`, + `v4modifiedAttackRequirements`, `v4modifiedPrivilegesRequired`, `v4modifiedUserInteraction`, + `v4modifiedVulnConfidentialityImpact`, `v4modifiedVulnIntegrityImpact`, + `v4modifiedVulnAvailabilityImpact`, `v4modifiedSubConfidentialityImpact`, + `v4modifiedSubIntegrityImpact`, `v4modifiedSubAvailabilityImpact`, `v4safety`, + `v4automatable`, `v4recovery`, `v4valueDensity`, `v4vulnerabilityResponseEffort`, + `v4providerUrgency`, `v4baseScore`, `v4baseSeverity`, `v4threatScore`, + `v4threatSeverity`, `v4environmentalScore`, `v4environmentalSeverity`, + `v4source`, `v4type`) + VALUES (p_cveId, p_description, p_v2Severity, p_v2ExploitabilityScore, p_v2ImpactScore, p_v2AcInsufInfo, p_v2ObtainAllPrivilege, p_v2ObtainUserPrivilege, p_v2ObtainOtherPrivilege, p_v2UserInteractionRequired, 
@@ -170,8 +227,19 @@ ELSE p_v3ImpactScore, p_v3AttackVector, p_v3AttackComplexity, p_v3PrivilegesRequired, p_v3UserInteraction, p_v3Scope, p_v3ConfidentialityImpact, p_v3IntegrityImpact, p_v3AvailabilityImpact, - p_v3BaseScore, p_v3BaseSeverity, p_v3Version); - + p_v3BaseScore, p_v3BaseSeverity, p_v3Version, p_v4version, + p_v4attackVector, p_v4attackComplexity, p_v4attackRequirements, p_v4privilegesRequired, + p_v4userInteraction, p_v4vulnConfidentialityImpact, p_v4vulnIntegrityImpact, p_v4vulnAvailabilityImpact, + p_v4subConfidentialityImpact, p_v4subIntegrityImpact, p_v4subAvailabilityImpact, p_v4exploitMaturity, + p_v4confidentialityRequirement, p_v4integrityRequirement, p_v4availabilityRequirement, + p_v4modifiedAttackVector, p_v4modifiedAttackComplexity, p_v4modifiedAttackRequirements, + p_v4modifiedPrivilegesRequired, p_v4modifiedUserInteraction, p_v4modifiedVulnConfidentialityImpact, + p_v4modifiedVulnIntegrityImpact, p_v4modifiedVulnAvailabilityImpact, p_v4modifiedSubConfidentialityImpact, + p_v4modifiedSubIntegrityImpact, p_v4modifiedSubAvailabilityImpact, p_v4safety, p_v4automatable, p_v4recovery, + p_v4valueDensity, p_v4vulnerabilityResponseEffort, p_v4providerUrgency, p_v4baseScore, p_v4baseSeverity, + p_v4threatScore, p_v4threatSeverity, p_v4environmentalScore, p_v4environmentalSeverity, + p_v4source, p_v4type); + SET vulnerabilityId = LAST_INSERT_ID(); END IF; SET SQL_SAFE_UPDATES = @OLD_SQL_SAFE_UPDATES; @@ -283,4 +351,4 @@ END // DELIMITER ; -INSERT INTO properties(id, value) VALUES ('version', '5.4'); +INSERT INTO properties(id, value) VALUES ('version', '5.5'); diff --git a/test/project_uptodate/build.gradle b/test/project_uptodate/build.gradle index 2ed059b..9b6549b 100644 --- a/test/project_uptodate/build.gradle +++ b/test/project_uptodate/build.gradle 
@@ -3,7 +3,7 @@ buildscript {
 mavenCentral()
 }
 dependencies {
- classpath 'org.owasp:dependency-check-gradle:9.0.8'
+ classpath 'org.owasp:dependency-check-gradle:10.0.1'
 classpath 'com.mysql:mysql-connector-j:8.4.0'
 }
 }