From 81b2b966ba22c70f8b5055c1b4461e5ba8eda717 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 6 May 2017 10:48:31 -0400
Subject: [PATCH 1/5] added additional check to add proxy credentials
---
 .../dependencycheck/utils/URLConnectionFactory.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
index 83802e482..01b02e40c 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
@@ -67,12 +67,12 @@ public final class URLConnectionFactory {
 @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Just being extra safe")
 public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
 HttpURLConnection conn = null;
- final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
+ final String proxyHost = Settings.getString(Settings.KEYS.PROXY_SERVER);
 try {
- if (proxyUrl != null && !matchNonProxy(url)) {
+ if (proxyHost != null && !matchNonProxy(url)) {
 final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
- final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
+ final SocketAddress address = new InetSocketAddress(proxyHost, proxyPort);
 final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
 final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
@@ -81,7 +81,8 @@ public final class URLConnectionFactory {
 final Authenticator auth = new Authenticator() {
 @Override
 public PasswordAuthentication getPasswordAuthentication() {
- if (getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
+ if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
+ LOGGER.debug("Using the configured proxy username and password");
 return new PasswordAuthentication(username, password.toCharArray());
 }
 return super.getPasswordAuthentication();
From c4fe9216704cb06695a51abfe41bbd267f3ab057 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 14 May 2017 09:25:56 -0400
Subject: [PATCH 2/5] updated report template
---
 .../main/resources/templates/JsonReport.vsl | 346 +++++++++---------
 1 file changed, 165 insertions(+), 181 deletions(-)
diff --git a/dependency-check-core/src/main/resources/templates/JsonReport.vsl b/dependency-check-core/src/main/resources/templates/JsonReport.vsl
index 5bf5c1aad..f5851146d 100644
--- a/dependency-check-core/src/main/resources/templates/JsonReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/JsonReport.vsl
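Review bot: `proxyHost.equals(getRequestingHost())` compares host names case-sensitively, while DNS names are not; a proxy configured as `PROXY.example` (constructed example) that challenges as `proxy.example` falls through to `super.getPasswordAuthentication()`, which returns null, and the proxy request goes out unauthenticated. `proxyHost.equalsIgnoreCase(getRequestingHost())` is the safer comparison. The widened condition now also hands the proxy username and password to a `RequestorType.SERVER` challenge whenever the requesting host matches the proxy host, presumably for proxies that answer 401 rather than 407; that reason belongs in a comment above the `if`, e.g. `// some proxies challenge as SERVER (401) rather than PROXY (407); match on the proxy host as well`. `password.toCharArray()` on the following context line still throws NullPointerException when a proxy username is configured without a password, unless a check outside the hunk guards it. The enclosing createHttpURLConnection method begins and ends outside the hunk.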
@@ -1,198 +1,182 @@ { "reportSchema": "1.0", - "analysis": { - "scanInfo": { - "engineVersion": "$version", - "dataSource": [ - #foreach($prop in $properties.getMetaData().entrySet()) - #if($foreach.count > 1),#end{ - "name": "$enc.json($prop.key)", - "timestamp": "$enc.json($prop.value)" - } - #end - ] - }, - "projectInfo": { - "name": "$enc.json($applicationName)", - #if($groupID)"groupID":"$enc.json($groupID)",#end - #if($artifactID)"artifactID":"$enc.json($artifactID)",#end - #if($version)"version":"$enc.json($version)",#end - "reportDate": "$scanDateXML", - "credits": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov" - }, - "dependencies": [ - #foreach($dependency in $dependencies)#if($foreach.count > 1),#end{ - "fileName": "$enc.json($dependency.DisplayFileName)", - "filePath": "$enc.json($dependency.FilePath)", - "md5": "$enc.json($dependency.Md5sum)", - "sha1": "$enc.json($dependency.Sha1sum)" - #if($dependency.description),"description": "$enc.json($dependency.description)"#end - #if($dependency.license),"license": "$enc.json($dependency.license)"#end - #if ($dependency.getRelatedDependencies().size()>0) - ,"relatedDependencies": [ - #foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end { - "filePath": "$enc.json($related.FilePath)", - "sha1": "$enc.json($related.Sha1sum)", - "md5": "$enc.json($related.Md5sum)"#if($related.getIdentifiers()),#end - "identifiers": [ - #foreach($id in $related.getIdentifiers()) - #if ($id.type=="maven") - { - "type": "$enc.json($id.type)", - "name": "$id.value" - #if( $id.url ),"url": "$enc.json($id.url)"#end - #if ($id.notes),"notes": "$enc.json($id.notes)"#end - } - #end - #end - ] - } - #end - ] - #end - ,"evidenceCollected": { - "vendorEvidence": [ - #foreach($evidence in $dependency.getVendorEvidence()) - #if($foreach.count > 1),#end{ - "type": "vendor", - "confidence": "$enc.json($evidence.getConfidence().toString())", - "source": 
"$enc.json($evidence.getSource())", - "name": "$enc.json($evidence.getName())", - "value": "$enc.json($evidence.getValue().trim())" - } - #end - ], - "productEvidence": [ - #foreach($evidence in $dependency.getProductEvidence()) - #if($foreach.count > 1),#end{ - "type": "product", - "confidence": "$enc.json($evidence.getConfidence().toString())", - "source": "$enc.json($evidence.getSource())", - "name": "$enc.json($evidence.getName())", - "value": "$enc.json($evidence.getValue().trim())" - } - #end - ], - "versionEvidence": [ - #foreach($evidence in $dependency.getVersionEvidence()) - #if($foreach.count > 1),#end{ - "type": "version", - "confidence": "$enc.json($evidence.getConfidence().toString())", - "source": "$enc.json($evidence.getSource())", - "name": "$enc.json($evidence.getName())", - "value": "$enc.json($evidence.getValue().trim())" - } - #end - ] - }, - "identifiers": [ - #foreach($id in $dependency.getIdentifiers())#if($foreach.count > 1),#end{ - "name": "$id.value", - "type": "$enc.json($id.type)", - #if($id.confidence)"confidence": "$id.confidence",#end - #if($id.url)"url": "$enc.json($id.url)",#end - #if($id.description )"description": "$enc.json($id.description)",#end - #if ($id.notes)"notes": "$enc.json($id.notes)",#end - "suppressedIdentifiers": [ - #foreach($id in $dependency.getSuppressedIdentifiers()) - #if($foreach.count > 1),#end{ + "scanInfo": { + "engineVersion": "$version", + "dataSource": [ + #foreach($prop in $properties.getMetaData().entrySet()) + #if($foreach.count > 1),#end{ + "name": "$enc.json($prop.key)", + "timestamp": "$enc.json($prop.value)" + } + #end + ] + }, + "projectInfo": { + "name": "$enc.json($applicationName)", + #if($groupID)"groupID":"$enc.json($groupID)",#end + #if($artifactID)"artifactID":"$enc.json($artifactID)",#end + #if($version)"version":"$enc.json($version)",#end + "reportDate": "$scanDateXML", + "credits": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov" + }, 
+ "dependencies": [ + #foreach($dependency in $dependencies)#if($foreach.count > 1),#end{ + "fileName": "$enc.json($dependency.DisplayFileName)", + "filePath": "$enc.json($dependency.FilePath)", + "md5": "$enc.json($dependency.Md5sum)", + "sha1": "$enc.json($dependency.Sha1sum)" + #if($dependency.description),"description": "$enc.json($dependency.description)"#end + #if($dependency.license),"license": "$enc.json($dependency.license)"#end + #if ($dependency.getRelatedDependencies().size()>0) + ,"relatedDependencies": [ + #foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end { + "filePath": "$enc.json($related.FilePath)", + "sha1": "$enc.json($related.Sha1sum)", + "md5": "$enc.json($related.Md5sum)"#if($related.getIdentifiers()),#end + "identifiers": [ + #foreach($id in $related.getIdentifiers()) + #if ($id.type=="maven") + { "type": "$enc.json($id.type)", - #if($id.confidence)"confidence": "$id.confidence",#end - "name": "$id.value", - #if($id.url)"url": "$enc.json($id.url),"#end - #if($id.description)"description": "$enc.json($id.description)",#end - #if ($id.notes)"notes": "$enc.json($id.notes)"#end - } + "name": "$id.value" + #if( $id.url ),"url": "$enc.json($id.url)"#end + #if ($id.notes),"notes": "$enc.json($id.notes)"#end + } #end - ] + #end + ] + } + #end + ] + #end + ,"evidenceCollected": { + "vendorEvidence": [ + #foreach($evidence in $dependency.getVendorEvidence()) + #if($foreach.count > 1),#end{ + "type": "vendor", + "confidence": "$enc.json($evidence.getConfidence().toString())", + "source": "$enc.json($evidence.getSource())", + "name": "$enc.json($evidence.getName())", + "value": "$enc.json($evidence.getValue().trim())" + } + #end + ], + "productEvidence": [ + #foreach($evidence in $dependency.getProductEvidence()) + #if($foreach.count > 1),#end{ + "type": "product", + "confidence": "$enc.json($evidence.getConfidence().toString())", + "source": "$enc.json($evidence.getSource())", + "name": 
"$enc.json($evidence.getName())", + "value": "$enc.json($evidence.getValue().trim())" + } + #end + ], + "versionEvidence": [ + #foreach($evidence in $dependency.getVersionEvidence()) + #if($foreach.count > 1),#end{ + "type": "version", + "confidence": "$enc.json($evidence.getConfidence().toString())", + "source": "$enc.json($evidence.getSource())", + "name": "$enc.json($evidence.getName())", + "value": "$enc.json($evidence.getValue().trim())" } #end ] - #if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) - ,"vulnerabilities": [ - #foreach($vuln in $dependency.getVulnerabilities()) - #if($foreach.count > 1),#end { - "name": "$enc.json($vuln.name)", - "cvssScore": "$vuln.cvssScore", - "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", - "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", - "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", - "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", - "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", - "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", - #if ($vuln.cvssScore<4.0) - "severity": "Low", - #elseif ($vuln.cvssScore>=7.0) - "severity": "High", - #else - "severity": "Medium", - #end - #if($vuln.cwe)"cwe": "$enc.json($vuln.cwe)",#end - "description": "$enc.json($vuln.description)", - #if ($vuln.notes)"notes": "$enc.json($vuln.notes)"#end - "references": [ - #foreach($ref in $vuln.getReferences()) - #if($foreach.count > 1),#end { - "source": "$enc.json($ref.source)", - "url": "$enc.json($ref.url)", - "name": "$enc.json($ref.name)" - } - #end - ], - "vulnerableSoftware": [ - #foreach($vs in $vuln.getVulnerableSoftware()) - #if($foreach.count > 1),#end { - #if($vs.hasPreviousVersion()) "allPreviousVersion": "true",#end - "software": "$enc.json($vs.name)" + }, + "identifiers": [ + #foreach($id in $dependency.getIdentifiers())#if($foreach.count > 1),#end{ + "name": "$id.value", + "type": 
"$enc.json($id.type)", + #if($id.confidence)"confidence": "$id.confidence",#end + #if($id.url)"url": "$enc.json($id.url)",#end + #if($id.description )"description": "$enc.json($id.description)",#end + #if ($id.notes)"notes": "$enc.json($id.notes)",#end + "suppressedIdentifiers": [ + #foreach($id in $dependency.getSuppressedIdentifiers()) + #if($foreach.count > 1),#end{ + "type": "$enc.json($id.type)", + #if($id.confidence)"confidence": "$id.confidence",#end + "name": "$id.value", + #if($id.url)"url": "$enc.json($id.url),"#end + #if($id.description)"description": "$enc.json($id.description)",#end + #if ($id.notes)"notes": "$enc.json($id.notes)"#end } #end ] - }#end - ] + } #end - - #if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) - ,"suppressedVulnerabilities": [ - #foreach($vuln in $dependency.getSuppressedVulnerabilities())#if($foreach.count > 1),#end { - "name": "$enc.json($vuln.name)", - "cvssScore": "$vuln.cvssScore", - "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", - "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", - "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", - "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", - "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", - "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", - #if ($vuln.cvssScore<4.0) "severity": "Low", - #elseif ($vuln.cvssScore>=7.0) "severity": "High", - #else "severity": "Medium", - #end - #if ($vuln.cwe)"cwe": "$enc.json($vuln.cwe)",#end - "description": "$enc.json($vuln.description)" - #if ($vuln.notes),"notes": "$enc.json($vuln.notes)"#end - ,"references": [ - #foreach($ref in $vuln.getReferences()) - #if($foreach.count > 1),#end { + ] + #if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) + ,"vulnerabilities": [ + #foreach($vuln in $dependency.getVulnerabilities())#if($foreach.count > 
1),#end { + "name": "$enc.json($vuln.name)", + "cvssScore": "$vuln.cvssScore", + "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", + "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", + "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", + "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", + "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", + "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", + #if ($vuln.cvssScore<4.0)"severity": "Low", + #elseif ($vuln.cvssScore>=7.0)"severity": "High", + #else "severity": "Medium",#end + "cwe": "#if ($vuln.cwe)$enc.json($vuln.cwe)#end", + "description": "$enc.json($vuln.description)", + "notes": "#if ($vuln.notes)$enc.json($vuln.notes)#end", + "references": [ + #foreach($ref in $vuln.getReferences()) + #if($foreach.count > 1),#end { "source": "$enc.json($ref.source)", "url": "$enc.json($ref.url)", "name": "$enc.json($ref.name)" - } - #end - ], - "vulnerableSoftware": [ - #foreach($vs in $vuln.getVulnerableSoftware()) - #if($foreach.count > 1),#end { - #if($vs.hasPreviousVersion()) "allPreviousVersion": "true",#end - "name": "$enc.json($vs.name)" - } - #end - ] - } - #end + }#end + ], + "vulnerableSoftware": [ + #foreach($vs in $vuln.getVulnerableSoftware()) + #if($foreach.count > 1),#end { + "software": "$enc.json($vs.name)" + #if($vs.hasPreviousVersion()) ,"allPreviousVersion": "true"#end + }#end ] - #end + }#end + ]#end - } - #end - ] - } + #if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) + ,"suppressedVulnerabilities": [ + #foreach($vuln in $dependency.getSuppressedVulnerabilities())#if($foreach.count > 1),#end { + "name": "$enc.json($vuln.name)", + "cvssScore": "$vuln.cvssScore", + "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", + "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", + "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", + 
"cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", + "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", + "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", + #if ($vuln.cvssScore<4.0) "severity": "Low", + #elseif ($vuln.cvssScore>=7.0) "severity": "High", + #else "severity": "Medium", + #end + "cwe": "#if ($vuln.cwe)$enc.json($vuln.cwe)#end", + "description": "$enc.json($vuln.description)", + "notes": "#if ($vuln.notes)$enc.json($vuln.notes)#end", + "references": [ + #foreach($ref in $vuln.getReferences()) + #if($foreach.count > 1),#end { + "source": "$enc.json($ref.source)", + "url": "$enc.json($ref.url)", + "name": "$enc.json($ref.name)" + }#end + ], + "vulnerableSoftware": [ + #foreach($vs in $vuln.getVulnerableSoftware()) + #if($foreach.count > 1),#end { + "name": "$enc.json($vs.name)" + #if($vs.hasPreviousVersion()) ,"allPreviousVersion": "true"#end + }#end + ] + }#end + ]#end + }#end + ] } From ea93f315d586ddb5a4d10bfb11f1262cecf04716 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 14 May 2017 09:27:51 -0400 Subject: [PATCH 3/5] updated test case for new report format --- .../src/it/729-system-scope-resolved/postbuild.groovy | 4 ++-- .../src/it/729-system-scope-skipped/postbuild.groovy | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/dependency-check-maven/src/it/729-system-scope-resolved/postbuild.groovy b/dependency-check-maven/src/it/729-system-scope-resolved/postbuild.groovy index c1d6476e4..c00deb74c 100644 --- a/dependency-check-maven/src/it/729-system-scope-resolved/postbuild.groovy +++ b/dependency-check-maven/src/it/729-system-scope-resolved/postbuild.groovy 
@@ -25,6 +25,6 @@ def slurper = new JsonSlurper()
 def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8")
 assert json instanceof Map
-assert json.analysis.dependencies instanceof List
-assert json.analysis.dependencies.size()==1
+assert json.dependencies instanceof List
+assert json.dependencies.size()==1
 return true;
diff --git a/dependency-check-maven/src/it/729-system-scope-skipped/postbuild.groovy b/dependency-check-maven/src/it/729-system-scope-skipped/postbuild.groovy
index 335aaa589..a529f85fd 100644
--- a/dependency-check-maven/src/it/729-system-scope-skipped/postbuild.groovy
+++ b/dependency-check-maven/src/it/729-system-scope-skipped/postbuild.groovy
@@ -25,6 +25,6 @@ def slurper = new JsonSlurper()
 def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8")
 assert json instanceof Map
-assert json.analysis.dependencies instanceof List
-assert json.analysis.dependencies.size()==0
+assert json.dependencies instanceof List
+assert json.dependencies.size()==0
 return true;
From 898412eaeac8958e733de0764005fdfa4e632d69 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 14 May 2017 17:19:26 -0400
Subject: [PATCH 4/5] default to remove auth schemas for proxy connections - added a property to disable this functionality. Fix for issue #718
---
 .../src/main/resources/dependencycheck.properties | 2 ++
 .../src/test/resources/dependencycheck.properties | 1 +
 .../java/org/owasp/dependencycheck/utils/Settings.java | 6 ++++++
 .../owasp/dependencycheck/utils/URLConnectionFactory.java | 7 +++++++
 .../src/test/resources/dependencycheck.properties | 1 +
 5 files changed, 17 insertions(+)
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index bf2797f85..eb33d9aad 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -41,6 +41,8 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+
+proxy.disableSchemas=true
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties
index 449e1bc5f..d6083bf81 100644
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+proxy.disableSchemas=true
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index aac1d40ed..da96ad1c6 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -185,6 +185,12 @@ public final class Settings {
 * The properties key for the URL to retrieve the CPE.
 */
 public static final String CPE_URL = "cpe.url";
+ /**
+ * Whether or not if using basic auth with a proxy the system setting
+ * 'jdk.http.auth.tunneling.disabledSchemes' should be set to an empty
+ * string.
+ */
+ public static final String PROXY_DISABLE_SCHEMAS = "proxy.disableSchemas";
 /**
 * The properties key for the proxy server.
 *
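Review bot: The Javadoc on `PROXY_DISABLE_SCHEMAS` describes the mechanism but not its effect, which is what an operator reading `Settings` needs: when the key is true, dependency-check clears `jdk.http.auth.tunneling.disabledSchemes`, re-enabling Basic authentication on HTTPS CONNECT tunnels, a scheme the JDK disables by default because Basic sends the proxy credentials to the proxy in clear text. Suggested wording: `The properties key controlling whether dependency-check clears the JVM's jdk.http.auth.tunneling.disabledSchemes property so that Basic proxy authentication works for HTTPS tunnels; this re-enables a scheme the JDK disables by default (Basic sends the proxy credentials in clear text) and the change applies to the whole JVM.` The two properties hunks in this commit add `proxy.disableSchemas=true` without a comment although the neighbouring keys are annotated; a one-line `# re-enables Basic auth for HTTPS proxy tunnels (JVM-wide); set to false to keep the JDK default` above it would make the default visible to anyone editing the file. The name says "Schemas" while the JDK property it controls talks about auth schemes; if the key has not been published yet, `proxy.disableSchemes` would avoid the mismatch.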
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
index 01b02e40c..e8557aad0 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
@@ -83,6 +83,13 @@ public final class URLConnectionFactory {
 public PasswordAuthentication getPasswordAuthentication() {
 if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
 LOGGER.debug("Using the configured proxy username and password");
+ try {
+ if (Settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
+ System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
+ }
+ } catch (InvalidSettingException ex) {
+ LOGGER.trace("This exception can be ignored", ex);
+ }
 return new PasswordAuthentication(username, password.toCharArray());
 }
 return super.getPasswordAuthentication();
diff --git a/dependency-check-utils/src/test/resources/dependencycheck.properties b/dependency-check-utils/src/test/resources/dependencycheck.properties
index 619ec54ce..4da62d632 100644
--- a/dependency-check-utils/src/test/resources/dependencycheck.properties
+++ b/dependency-check-utils/src/test/resources/dependencycheck.properties
@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
+proxy.disableSchemas=true
 # the path to the cpe xml file
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
 # the path to the cpe meta data file.
From 1402b20a6b92c64324c85107c6e95cb8ff585b50 Mon Sep 17 00:00:00 2001
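Review bot: `System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "")` runs inside the Authenticator callback, which is only reached after the proxy has already challenged a connection; as far as I recall the JDK's HttpURLConnection reads this property once into a static set when the class initialises, and by the time the callback runs that class is already loaded, so the change would affect neither the in-flight request nor, most likely, any later one in this JVM — please verify against the target JDK. Setting it once during proxy setup in createHttpURLConnection, before the first connection is opened and next to where the Authenticator is installed, would be the reliable place, and it would also keep the best-effort `try`/`catch` out of the per-challenge path. Independently of timing, the property is process-global and the default passed to `Settings.getBoolean` is `true`, so dependency-check silently re-enables Basic proxy authentication for every HTTP client in the host JVM (for example the Maven build that runs the plugin); that deserves at least an info-level line such as `LOGGER.info("Clearing jdk.http.auth.tunneling.disabledSchemes to allow Basic proxy authentication for HTTPS tunnels (JVM-wide)")` and a sentence in the user documentation describing it as a deliberate weakening of a JDK default. The enclosing anonymous Authenticator and createHttpURLConnection both begin and end outside the hunk.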
From: Seth Jackson Date: Thu, 18 May 2017 13:40:00 -0400 Subject: [PATCH 5/5] Suppress UnitTestFramework false positives. --- .../main/resources/dependencycheck-base-suppression.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 2234195fa..a4d0c1d32 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -1,5 +1,12 @@ + + + .*Microsoft\.VisualStudio\.QualityTools\.UnitTestFramework*\.dll + CVE-2014-3802 +