ci(dependency check): Add dependency check reports for sample repository

Author: ryden54

odc-reports/dependency-check-junit.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?><testsuites failures="3" name="dependency-check" tests="8">
+  <testsuite failures="0" id="0" name="/src/vendor/phpmailer/phpmailer/examples/scripts/XRegExp.js" package="XRegExp.js" skipped="0" tests="1" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="dependency-check" name="XRegExp.js"/>
+  </testsuite>
+  <testsuite failures="0" id="1" name="/src/vendor/swaggest/json-schema/composer.lock:swaggest/json-diff/3.8.3" package="json-diff:3.8.3" skipped="0" tests="1" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="dependency-check" name="json-diff:3.8.3"/>
+  </testsuite>
+  <testsuite failures="3" id="2" name="/src/composer.lock:phpmailer/phpmailer/5.2.28" package="phpmailer:5.2.28" skipped="0" tests="3" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="CVE-2021-34551" name="pkg:composer/phpmailer/[email protected]">
+      <failure message="cvssV3: HIGH, score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)"/>
+      <system-out>PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.</system-out>
+      <system-err>location: /src/composer.lock:phpmailer/phpmailer/5.2.28</system-err>
+    </testcase>
+    <testcase classname="CVE-2021-3603" name="pkg:composer/phpmailer/[email protected]">
+      <failure message="cvssV3: HIGH, score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)"/>
+      <system-out>PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project&apos;s scope by other means). If the $patternselect parameter to validateAddress() is set to &apos;php&apos; (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.</system-out>
+      <system-err>location: /src/composer.lock:phpmailer/phpmailer/5.2.28</system-err>
+    </testcase>
+    <testcase classname="CVE-2020-13625" name="pkg:composer/phpmailer/[email protected]">
+      <failure message="cvssV3: HIGH, score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)"/>
+      <system-out>PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.</system-out>
+      <system-err>location: /src/composer.lock:phpmailer/phpmailer/5.2.28</system-err>
+    </testcase>
+  </testsuite>
+  <testsuite failures="0" id="3" name="/src/vendor/swaggest/json-schema/composer.lock:symfony/polyfill-mbstring/1.19.0" package="polyfill-mbstring:1.19.0" skipped="0" tests="1" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="dependency-check" name="polyfill-mbstring:1.19.0"/>
+  </testsuite>
+  <testsuite failures="0" id="4" name="/src/vendor/swaggest/json-schema/composer.lock:phplang/scope-exit/1.0.0" package="scope-exit:1.0.0" skipped="0" tests="1" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="dependency-check" name="scope-exit:1.0.0"/>
+  </testsuite>
+  <testsuite failures="0" id="5" name="/src/vendor/phpmailer/phpmailer/examples/scripts/shAutoloader.js" package="shAutoloader.js" skipped="0" tests="1" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="dependency-check" name="shAutoloader.js"/>
+  </testsuite>
+  <testsuite failures="0" id="6" name="/src/vendor/phpmailer/phpmailer/examples/scripts/shBrushPhp.js" package="shBrushPhp.js" skipped="0" tests="1" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="dependency-check" name="shBrushPhp.js"/>
+  </testsuite>
+  <testsuite failures="0" id="7" name="/src/vendor/phpmailer/phpmailer/examples/scripts/shCore.js" package="shCore.js" skipped="0" tests="1" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="dependency-check" name="shCore.js"/>
+  </testsuite>
+  <testsuite failures="0" id="8" name="/src/vendor/phpmailer/phpmailer/examples/scripts/shLegacy.js" package="shLegacy.js" skipped="0" tests="1" timestamp="2022-06-20T07:06:37.451489">
+    <testcase classname="dependency-check" name="shLegacy.js"/>
+  </testsuite>
+</testsuites>

odc-reports/dependency-check-report.csv

@@ -0,0 +1,4 @@
+"Project","ScanDate","DependencyName","DependencyPath","Description","License","Md5","Sha1","Identifiers","CPE","CVE","CWE","Vulnerability","Source","CVSSv2_Severity","CVSSv2_Score","CVSSv2","CVSSv3_BaseSeverity","CVSSv3_BaseScore","CVSSv3","CPE Confidence","Evidence Count"
+php-dependency-track-sample-1,"Mon, 20 Jun 2022 07:06:37 GMT",phpmailer:5.2.28,/src/composer.lock:phpmailer/phpmailer/5.2.28,"","","","",pkg:composer/phpmailer/[email protected],"cpe:2.3:a:phpmailer:phpmailer:5.2.28:*:*:*:*:*:*:*, cpe:2.3:a:phpmailer_project:phpmailer:5.2.28:*:*:*:*:*:*:*",CVE-2021-34551,CWE-434 Unrestricted Upload of File with Dangerous Type,PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.,NVD,MEDIUM,5.1,/AV:N/AC:H/Au:N/C:P/I:P/A:P,HIGH,8.1,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGHEST,3
+php-dependency-track-sample-1,"Mon, 20 Jun 2022 07:06:37 GMT",phpmailer:5.2.28,/src/composer.lock:phpmailer/phpmailer/5.2.28,"","","","",pkg:composer/phpmailer/[email protected],"cpe:2.3:a:phpmailer:phpmailer:5.2.28:*:*:*:*:*:*:*, cpe:2.3:a:phpmailer_project:phpmailer:5.2.28:*:*:*:*:*:*:*",CVE-2021-3603,CWE-829 Inclusion of Functionality from Untrusted Control Sphere,"PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.",NVD,MEDIUM,6.8,/AV:N/AC:M/Au:N/C:P/I:P/A:P,HIGH,8.1,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,HIGHEST,3
+php-dependency-track-sample-1,"Mon, 20 Jun 2022 07:06:37 GMT",phpmailer:5.2.28,/src/composer.lock:phpmailer/phpmailer/5.2.28,"","","","",pkg:composer/phpmailer/[email protected],"cpe:2.3:a:phpmailer:phpmailer:5.2.28:*:*:*:*:*:*:*, cpe:2.3:a:phpmailer_project:phpmailer:5.2.28:*:*:*:*:*:*:*",CVE-2020-13625,CWE-116 Improper Encoding or Escaping of Output,PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.,NVD,MEDIUM,5.0,/AV:N/AC:L/Au:N/C:N/I:P/A:N,HIGH,7.5,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N,HIGHEST,3