Update to dependency-check 10.0.1

Author: stefanneuhaus

README.md

@@ -71,17 +71,18 @@ Updates of the Database are triggered every 2 minutes. The initial update can ta
 
 ## Compatibility
 
-|             Client |  Server |
-|-------------------:|--------:|
-|         `>= 8.0.0` | `9.0.8` |
-|         `>= 8.0.0` | `8.0.0` |
-|            `7.4.4` | `7.4.4` |
-|   `[6.3.0; 7.4.3]` | `6.5.3` |
-|   `[6.1.3; 6.2.2]` | `6.2.0` |
-|   `[6.0.0; 6.1.1]` | `6.0.2` |
-| `[5.0.0; 5.3.2.1]` | `5.0.0` |
-|   `[1.4.1; 4.0.2]` | `4.0.2` |
-|          `< 1.4.1` |    n.a. |
+|             Client |   Server |
+|-------------------:|---------:|
+|         `>= 6.3.0` | `10.0.1` |
+|         `>= 6.3.0` |  `9.0.8` |
+|         `>= 6.3.0` |  `8.0.0` |
+|         `>= 6.3.0` |  `7.4.4` |
+|   `[6.3.0; 7.4.3]` |  `6.5.3` |
+|   `[6.1.3; 6.2.2]` |  `6.2.0` |
+|   `[6.0.0; 6.1.1]` |  `6.0.2` |
+| `[5.0.0; 5.3.2.1]` |  `5.0.0` |
+|   `[1.4.1; 4.0.2]` |  `4.0.2` |
+|          `< 1.4.1` |     n.a. |
 
 The server is not designed for updating its database structure manually. If you update your client to a version which is incompatible with your server version, 
 you should just throw away the old server container and start a new one from a compatible image from scratch.

overlays/dependencycheck/build.gradle

@@ -18,7 +18,7 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath 'org.owasp:dependency-check-gradle:9.0.8'
+        classpath 'org.owasp:dependency-check-gradle:10.0.1'
         classpath 'com.mysql:mysql-connector-j:8.4.0'
     }
 }

overlays/dependencycheck/update.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
 
-pgrep java && echo "INFO: Update already running." && exit 1
+pgrep -a java && echo "INFO: Update already running." && exit 1
 touch /dependencycheck/update.log
-(cd /dependencycheck && ./gradlew update >>/dependencycheck/update.log 2>&1) || echo "ERROR: update failed."
+(cd /dependencycheck && ./gradlew -s update >>/dependencycheck/update.log 2>&1) || (echo "ERROR: update failed." && exit 2)

overlays/docker-entrypoint-initdb.d/initialize_schema.sql

@@ -36,7 +36,20 @@ CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) U
         v3ImpactScore DECIMAL(3,1), v3AttackVector VARCHAR(20), v3AttackComplexity VARCHAR(20), 
         v3PrivilegesRequired VARCHAR(20), v3UserInteraction VARCHAR(20), v3Scope VARCHAR(20), 
         v3ConfidentialityImpact VARCHAR(20), v3IntegrityImpact VARCHAR(20), v3AvailabilityImpact VARCHAR(20), 
-        v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5));
+        v3BaseScore DECIMAL(3,1), v3BaseSeverity VARCHAR(20), v3Version VARCHAR(5),
+        v4version VARCHAR(5), v4attackVector VARCHAR(15), v4attackComplexity VARCHAR(15),
+        v4attackRequirements VARCHAR(15), v4privilegesRequired VARCHAR(15), v4userInteraction VARCHAR(15),
+        v4vulnConfidentialityImpact VARCHAR(15), v4vulnIntegrityImpact VARCHAR(15), v4vulnAvailabilityImpact VARCHAR(15),
+        v4subConfidentialityImpact VARCHAR(15), v4subIntegrityImpact VARCHAR(15),
+        v4subAvailabilityImpact VARCHAR(15), v4exploitMaturity VARCHAR(20), v4confidentialityRequirement VARCHAR(15),
+        v4integrityRequirement VARCHAR(15), v4availabilityRequirement VARCHAR(15), v4modifiedAttackVector VARCHAR(15),
+        v4modifiedAttackComplexity VARCHAR(15), v4modifiedAttackRequirements VARCHAR(15), v4modifiedPrivilegesRequired VARCHAR(15),
+        v4modifiedUserInteraction VARCHAR(15), v4modifiedVulnConfidentialityImpact VARCHAR(15), v4modifiedVulnIntegrityImpact VARCHAR(15),
+        v4modifiedVulnAvailabilityImpact VARCHAR(15), v4modifiedSubConfidentialityImpact VARCHAR(15), v4modifiedSubIntegrityImpact VARCHAR(15),
+        v4modifiedSubAvailabilityImpact VARCHAR(15), v4safety VARCHAR(15), v4automatable VARCHAR(15), v4recovery VARCHAR(15),
+        v4valueDensity VARCHAR(15), v4vulnerabilityResponseEffort VARCHAR(15), v4providerUrgency VARCHAR(15),
+        v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15),
+        v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15));
 
 CREATE TABLE `reference` (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
 	CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
@@ -118,8 +131,21 @@ CREATE PROCEDURE update_vulnerability (
     IN p_v3ExploitabilityScore DECIMAL(3,1), IN p_v3ImpactScore DECIMAL(3,1), IN p_v3AttackVector VARCHAR(20), 
     IN p_v3AttackComplexity VARCHAR(20), IN p_v3PrivilegesRequired VARCHAR(20), IN p_v3UserInteraction VARCHAR(20), 
     IN p_v3Scope VARCHAR(20), IN p_v3ConfidentialityImpact VARCHAR(20), IN p_v3IntegrityImpact VARCHAR(20), 
-    IN p_v3AvailabilityImpact VARCHAR(20), IN p_v3BaseScore DECIMAL(3,1), IN p_v3BaseSeverity VARCHAR(20), 
-    IN p_v3Version VARCHAR(5))
+    IN p_v3AvailabilityImpact VARCHAR(20), IN p_v3BaseScore DECIMAL(3,1), IN p_v3BaseSeverity VARCHAR(20),
+    IN p_v3Version VARCHAR(5), IN p_v4version VARCHAR(5), IN p_v4attackVector VARCHAR(15), IN p_v4attackComplexity VARCHAR(15),
+    IN p_v4attackRequirements VARCHAR(15), IN p_v4privilegesRequired VARCHAR(15), IN p_v4userInteraction VARCHAR(15),
+    IN p_v4vulnConfidentialityImpact VARCHAR(15), IN p_v4vulnIntegrityImpact VARCHAR(15), IN p_v4vulnAvailabilityImpact VARCHAR(15),
+    IN p_v4subConfidentialityImpact VARCHAR(15), IN p_v4subIntegrityImpact VARCHAR(15), IN p_v4subAvailabilityImpact VARCHAR(15),
+    IN p_v4exploitMaturity VARCHAR(20), IN p_v4confidentialityRequirement VARCHAR(15), IN p_v4integrityRequirement VARCHAR(15),
+    IN p_v4availabilityRequirement VARCHAR(15), IN p_v4modifiedAttackVector VARCHAR(15), IN p_v4modifiedAttackComplexity VARCHAR(15),
+    IN p_v4modifiedAttackRequirements VARCHAR(15), IN p_v4modifiedPrivilegesRequired VARCHAR(15), IN p_v4modifiedUserInteraction VARCHAR(15),
+    IN p_v4modifiedVulnConfidentialityImpact VARCHAR(15), IN p_v4modifiedVulnIntegrityImpact VARCHAR(15),
+    IN p_v4modifiedVulnAvailabilityImpact VARCHAR(15), IN p_v4modifiedSubConfidentialityImpact VARCHAR(15),
+    IN p_v4modifiedSubIntegrityImpact VARCHAR(15), IN p_v4modifiedSubAvailabilityImpact VARCHAR(15), IN p_v4safety VARCHAR(15),
+    IN p_v4automatable VARCHAR(15), IN p_v4recovery VARCHAR(15), IN p_v4valueDensity VARCHAR(15), IN p_v4vulnerabilityResponseEffort VARCHAR(15),
+    IN p_v4providerUrgency VARCHAR(15), IN p_v4baseScore DECIMAL(3,1), IN p_v4baseSeverity VARCHAR(15), IN p_v4threatScore DECIMAL(3,1),
+    IN p_v4threatSeverity VARCHAR(15), IN p_v4environmentalScore DECIMAL(3,1), IN p_v4environmentalSeverity VARCHAR(15),
+    IN p_v4source VARCHAR(50), IN p_v4type VARCHAR(15))
 BEGIN
 DECLARE vulnerabilityId INT DEFAULT 0;
 
@@ -146,7 +172,25 @@ IF vulnerabilityId > 0 THEN
         `v3ExploitabilityScore`=p_v3ExploitabilityScore, `v3ImpactScore`=p_v3ImpactScore, `v3AttackVector`=p_v3AttackVector, 
         `v3AttackComplexity`=p_v3AttackComplexity, `v3PrivilegesRequired`=p_v3PrivilegesRequired, `v3UserInteraction`=p_v3UserInteraction, 
         `v3Scope`=p_v3Scope, `v3ConfidentialityImpact`=p_v3ConfidentialityImpact, `v3IntegrityImpact`=p_v3IntegrityImpact, 
-        `v3AvailabilityImpact`=p_v3AvailabilityImpact, `v3BaseScore`=p_v3BaseScore, `v3BaseSeverity`=p_v3BaseSeverity, `v3Version`=p_v3Version
+        `v3AvailabilityImpact`=p_v3AvailabilityImpact, `v3BaseScore`=p_v3BaseScore, `v3BaseSeverity`=p_v3BaseSeverity, `v3Version`=p_v3Version,
+        `v4version`=p_v4version, `v4attackVector`=p_v4attackVector, `v4attackComplexity`=p_v4attackComplexity,
+        `v4attackRequirements`=p_v4attackRequirements, `v4privilegesRequired`=p_v4privilegesRequired,
+        `v4userInteraction`=p_v4userInteraction, `v4vulnConfidentialityImpact`=p_v4vulnConfidentialityImpact,
+        `v4vulnIntegrityImpact`=p_v4vulnIntegrityImpact, `v4vulnAvailabilityImpact`=p_v4vulnAvailabilityImpact,
+        `v4subConfidentialityImpact`=p_v4subConfidentialityImpact, `v4subIntegrityImpact`=p_v4subIntegrityImpact,
+        `v4subAvailabilityImpact`=p_v4subAvailabilityImpact, `v4exploitMaturity`=p_v4exploitMaturity,
+        `v4confidentialityRequirement`=p_v4confidentialityRequirement, `v4integrityRequirement`=p_v4integrityRequirement,
+        `v4availabilityRequirement`=p_v4availabilityRequirement, `v4modifiedAttackVector`=p_v4modifiedAttackVector,
+        `v4modifiedAttackComplexity`=p_v4modifiedAttackComplexity, `v4modifiedAttackRequirements`=p_v4modifiedAttackRequirements,
+        `v4modifiedPrivilegesRequired`=p_v4modifiedPrivilegesRequired, `v4modifiedUserInteraction`=p_v4modifiedUserInteraction,
+        `v4modifiedVulnConfidentialityImpact`=p_v4modifiedVulnConfidentialityImpact, `v4modifiedVulnIntegrityImpact`=p_v4modifiedVulnIntegrityImpact,
+        `v4modifiedVulnAvailabilityImpact`=p_v4modifiedVulnAvailabilityImpact, `v4modifiedSubConfidentialityImpact`=p_v4modifiedSubConfidentialityImpact,
+        `v4modifiedSubIntegrityImpact`=p_v4modifiedSubIntegrityImpact, `v4modifiedSubAvailabilityImpact`=p_v4modifiedSubAvailabilityImpact,
+        `v4safety`=p_v4safety, `v4automatable`=p_v4automatable, `v4recovery`=p_v4recovery, `v4valueDensity`=p_v4valueDensity,
+        `v4vulnerabilityResponseEffort`=p_v4vulnerabilityResponseEffort, `v4providerUrgency`=p_v4providerUrgency,
+        `v4baseScore`=p_v4baseScore, `v4baseSeverity`=p_v4baseSeverity, `v4threatScore`=p_v4threatScore,
+        `v4threatSeverity`=p_v4threatSeverity, `v4environmentalScore`=p_v4environmentalScore, `v4environmentalSeverity`=p_v4environmentalSeverity,
+        `v4source`=p_v4source, `v4type`=p_v4type
         WHERE id=vulnerabilityId;
 ELSE
     INSERT INTO vulnerability (`cve`, `description`, 
@@ -159,8 +203,21 @@ ELSE
         `v3ImpactScore`, `v3AttackVector`, `v3AttackComplexity`, 
         `v3PrivilegesRequired`, `v3UserInteraction`, `v3Scope`, 
         `v3ConfidentialityImpact`, `v3IntegrityImpact`, `v3AvailabilityImpact`, 
-        `v3BaseScore`, `v3BaseSeverity`, `v3Version`) 
-        VALUES (p_cveId, p_description, 
+        `v3BaseScore`, `v3BaseSeverity`, `v3Version`, `v4version`, `v4attackVector`,
+        `v4attackComplexity`, `v4attackRequirements`, `v4privilegesRequired`, `v4userInteraction`,
+        `v4vulnConfidentialityImpact`, `v4vulnIntegrityImpact`, `v4vulnAvailabilityImpact`,
+        `v4subConfidentialityImpact`, `v4subIntegrityImpact`, `v4subAvailabilityImpact`,
+        `v4exploitMaturity`, `v4confidentialityRequirement`, `v4integrityRequirement`,
+        `v4availabilityRequirement`, `v4modifiedAttackVector`, `v4modifiedAttackComplexity`,
+        `v4modifiedAttackRequirements`, `v4modifiedPrivilegesRequired`, `v4modifiedUserInteraction`,
+        `v4modifiedVulnConfidentialityImpact`, `v4modifiedVulnIntegrityImpact`,
+        `v4modifiedVulnAvailabilityImpact`, `v4modifiedSubConfidentialityImpact`,
+        `v4modifiedSubIntegrityImpact`, `v4modifiedSubAvailabilityImpact`, `v4safety`,
+        `v4automatable`, `v4recovery`, `v4valueDensity`, `v4vulnerabilityResponseEffort`,
+        `v4providerUrgency`, `v4baseScore`, `v4baseSeverity`, `v4threatScore`,
+        `v4threatSeverity`, `v4environmentalScore`, `v4environmentalSeverity`,
+        `v4source`, `v4type`)
+        VALUES (p_cveId, p_description,
         p_v2Severity, p_v2ExploitabilityScore, 
         p_v2ImpactScore, p_v2AcInsufInfo, p_v2ObtainAllPrivilege, 
         p_v2ObtainUserPrivilege, p_v2ObtainOtherPrivilege, p_v2UserInteractionRequired, 
@@ -170,8 +227,19 @@ ELSE
         p_v3ImpactScore, p_v3AttackVector, p_v3AttackComplexity, 
         p_v3PrivilegesRequired, p_v3UserInteraction, p_v3Scope, 
         p_v3ConfidentialityImpact, p_v3IntegrityImpact, p_v3AvailabilityImpact, 
-        p_v3BaseScore, p_v3BaseSeverity, p_v3Version);
-        
+        p_v3BaseScore, p_v3BaseSeverity, p_v3Version, p_v4version,
+        p_v4attackVector, p_v4attackComplexity, p_v4attackRequirements, p_v4privilegesRequired,
+        p_v4userInteraction, p_v4vulnConfidentialityImpact, p_v4vulnIntegrityImpact, p_v4vulnAvailabilityImpact,
+        p_v4subConfidentialityImpact, p_v4subIntegrityImpact, p_v4subAvailabilityImpact, p_v4exploitMaturity,
+        p_v4confidentialityRequirement, p_v4integrityRequirement, p_v4availabilityRequirement,
+        p_v4modifiedAttackVector, p_v4modifiedAttackComplexity, p_v4modifiedAttackRequirements,
+        p_v4modifiedPrivilegesRequired, p_v4modifiedUserInteraction, p_v4modifiedVulnConfidentialityImpact,
+        p_v4modifiedVulnIntegrityImpact, p_v4modifiedVulnAvailabilityImpact, p_v4modifiedSubConfidentialityImpact,
+        p_v4modifiedSubIntegrityImpact, p_v4modifiedSubAvailabilityImpact, p_v4safety, p_v4automatable, p_v4recovery,
+        p_v4valueDensity, p_v4vulnerabilityResponseEffort, p_v4providerUrgency, p_v4baseScore, p_v4baseSeverity,
+        p_v4threatScore, p_v4threatSeverity, p_v4environmentalScore, p_v4environmentalSeverity,
+        p_v4source, p_v4type);
+
         SET vulnerabilityId = LAST_INSERT_ID();
 END IF;
 SET SQL_SAFE_UPDATES = @OLD_SQL_SAFE_UPDATES;
@@ -283,4 +351,4 @@ END //
 
 DELIMITER ;
 
-INSERT INTO properties(id, value) VALUES ('version', '5.4');
+INSERT INTO properties(id, value) VALUES ('version', '5.5');

test/project_uptodate/build.gradle

@@ -3,7 +3,7 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath 'org.owasp:dependency-check-gradle:9.0.8'
+        classpath 'org.owasp:dependency-check-gradle:10.0.1'
         classpath 'com.mysql:mysql-connector-j:8.4.0'
     }
 }