Merge branch 'master' into issue696-cli

This commit is contained in:
Jeremy Long
2017-05-20 07:38:12 -04:00
9 changed files with 198 additions and 189 deletions


@@ -1,5 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress base="true">
<notes><![CDATA[
This suppresses false positives for Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll.
]]></notes>
<filePath regex="true">.*Microsoft\.VisualStudio\.QualityTools\.UnitTestFramework*\.dll</filePath>
<cve>CVE-2014-3802</cve>
</suppress>
<suppress base="true"> <suppress base="true">
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives for EntityFramework.SqlServer.dll. This suppresses false positives for EntityFramework.SqlServer.dll.
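Review bot: The `<filePath>` regex added on L17, `.*Microsoft\.VisualStudio\.QualityTools\.UnitTestFramework*\.dll`, has a bare `*` after the final `k`, so it quantifies that one letter instead of acting as a wildcard; it still matches `Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll` but also `...UnitTestFramewor.dll`, and it does not match `UnitTestFramework.<anything>.dll` as a wildcard would. If an exact file name is meant, write `UnitTestFramework\.dll`; if a prefix match is meant, write `UnitTestFramework.*\.dll`. Because this entry carries `base="true"` it suppresses CVE-2014-3802 in every user's scan, so the narrower, exact form is the safer choice. The new `<suppress>` element that starts on L20 continues past the end of the hunk.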


@@ -41,6 +41,8 @@ data.password=DC-Pass1337!
data.driver_name=org.h2.Driver data.driver_name=org.h2.Driver
data.driver_path= data.driver_path=
proxy.disableSchemas=true
# the number of days that the modified nvd cve data holds data for. We don't need # the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file # to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe. # holds 8 days of updates, we are using 7 just to be safe.
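Review bot: The new default `proxy.disableSchemas=true` on L29 means that, out of the box, the code path guarded by this key clears `jdk.http.auth.tunneling.disabledSchemes`, the JDK property that by default lists `Basic` to stop Basic proxy credentials being sent on plaintext CONNECT handshakes; every user who configures a proxy password gets that relaxation without opting in. The same line is added to the other two properties files at L132 and L206, so the default should be changed in all three, e.g. `proxy.disableSchemas=false`, with a comment above it such as `# set to true to allow Basic proxy authentication for HTTPS tunneling (clears jdk.http.auth.tunneling.disabledSchemes)`. The hunk header counts two added lines but only one is visible here, so a blank line was probably dropped in rendering.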


@@ -1,6 +1,5 @@
{ {
"reportSchema": "1.0", "reportSchema": "1.0",
"analysis": {
"scanInfo": { "scanInfo": {
"engineVersion": "$version", "engineVersion": "$version",
"dataSource": [ "dataSource": [
@@ -110,8 +109,7 @@
] ]
#if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) #if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
,"vulnerabilities": [ ,"vulnerabilities": [
#foreach($vuln in $dependency.getVulnerabilities()) #foreach($vuln in $dependency.getVulnerabilities())#if($foreach.count > 1),#end {
#if($foreach.count > 1),#end {
"name": "$enc.json($vuln.name)", "name": "$enc.json($vuln.name)",
"cvssScore": "$vuln.cvssScore", "cvssScore": "$vuln.cvssScore",
"cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)",
@@ -120,36 +118,29 @@
"cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)",
"cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)",
"cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)",
#if ($vuln.cvssScore<4.0) #if ($vuln.cvssScore<4.0)"severity": "Low",
"severity": "Low", #elseif ($vuln.cvssScore>=7.0)"severity": "High",
#elseif ($vuln.cvssScore>=7.0) #else "severity": "Medium",#end
"severity": "High", "cwe": "#if ($vuln.cwe)$enc.json($vuln.cwe)#end",
#else
"severity": "Medium",
#end
#if($vuln.cwe)"cwe": "$enc.json($vuln.cwe)",#end
"description": "$enc.json($vuln.description)", "description": "$enc.json($vuln.description)",
#if ($vuln.notes)"notes": "$enc.json($vuln.notes)"#end "notes": "#if ($vuln.notes)$enc.json($vuln.notes)#end",
"references": [ "references": [
#foreach($ref in $vuln.getReferences()) #foreach($ref in $vuln.getReferences())
#if($foreach.count > 1),#end { #if($foreach.count > 1),#end {
"source": "$enc.json($ref.source)", "source": "$enc.json($ref.source)",
"url": "$enc.json($ref.url)", "url": "$enc.json($ref.url)",
"name": "$enc.json($ref.name)" "name": "$enc.json($ref.name)"
} }#end
#end
], ],
"vulnerableSoftware": [ "vulnerableSoftware": [
#foreach($vs in $vuln.getVulnerableSoftware()) #foreach($vs in $vuln.getVulnerableSoftware())
#if($foreach.count > 1),#end { #if($foreach.count > 1),#end {
#if($vs.hasPreviousVersion()) "allPreviousVersion": "true",#end
"software": "$enc.json($vs.name)" "software": "$enc.json($vs.name)"
} #if($vs.hasPreviousVersion()) ,"allPreviousVersion": "true"#end
#end
]
}#end }#end
] ]
#end }#end
]#end
#if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) #if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
,"suppressedVulnerabilities": [ ,"suppressedVulnerabilities": [
@@ -166,33 +157,26 @@
#elseif ($vuln.cvssScore>=7.0) "severity": "High", #elseif ($vuln.cvssScore>=7.0) "severity": "High",
#else "severity": "Medium", #else "severity": "Medium",
#end #end
#if ($vuln.cwe)"cwe": "$enc.json($vuln.cwe)",#end "cwe": "#if ($vuln.cwe)$enc.json($vuln.cwe)#end",
"description": "$enc.json($vuln.description)" "description": "$enc.json($vuln.description)",
#if ($vuln.notes),"notes": "$enc.json($vuln.notes)"#end "notes": "#if ($vuln.notes)$enc.json($vuln.notes)#end",
,"references": [ "references": [
#foreach($ref in $vuln.getReferences()) #foreach($ref in $vuln.getReferences())
#if($foreach.count > 1),#end { #if($foreach.count > 1),#end {
"source": "$enc.json($ref.source)", "source": "$enc.json($ref.source)",
"url": "$enc.json($ref.url)", "url": "$enc.json($ref.url)",
"name": "$enc.json($ref.name)" "name": "$enc.json($ref.name)"
} }#end
#end
], ],
"vulnerableSoftware": [ "vulnerableSoftware": [
#foreach($vs in $vuln.getVulnerableSoftware()) #foreach($vs in $vuln.getVulnerableSoftware())
#if($foreach.count > 1),#end { #if($foreach.count > 1),#end {
#if($vs.hasPreviousVersion()) "allPreviousVersion": "true",#end
"name": "$enc.json($vs.name)" "name": "$enc.json($vs.name)"
} #if($vs.hasPreviousVersion()) ,"allPreviousVersion": "true"#end
#end }#end
]
}#end
]#end
}#end
] ]
} }
#end
]
#end
}
#end
]
}
}
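Review bot: Dropping the `"analysis"` wrapper (removed line L39) changes the top-level shape of the generated report — the Groovy checks at L142 and L151 had to move from `json.analysis.dependencies` to `json.dependencies` — while `"reportSchema": "1.0"` on L38 is left unchanged, so a consumer that keys on the schema version cannot tell the two layouts apart; bump it alongside the change, e.g. `"reportSchema": "1.1",`. The rewritten `"cwe": "#if ($vuln.cwe)$enc.json($vuln.cwe)#end",` (L59, and L93 in the suppressed block) and the matching `"notes"` lines (L65, L95) now emit `""` where the key used to be omitted, which is a second silent contract change: an absent `cwe` previously meant "not known", an empty string now does the same job with a different type. Keeping the key conditional as before, or emitting `null`, preserves the old contract; whichever is chosen should be applied identically to both the `vulnerabilities` and `suppressedVulnerabilities` blocks. The context condition at L87 tests `$dependency.getSuppressedVulnerabilities().size()>0` twice on both sides of the `||`; it is not part of this change, but it reads like a copy of L45 and is worth cleaning up while this template is being restructured.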


@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
data.driver_name=org.h2.Driver data.driver_name=org.h2.Driver
data.driver_path= data.driver_path=
proxy.disableSchemas=true
# the number of days that the modified nvd cve data holds data for. We don't need # the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file # to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe. # holds 8 days of updates, we are using 7 just to be safe.


@@ -25,6 +25,6 @@ def slurper = new JsonSlurper()
def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8") def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8")
assert json instanceof Map assert json instanceof Map
assert json.analysis.dependencies instanceof List assert json.dependencies instanceof List
assert json.analysis.dependencies.size()==1 assert json.dependencies.size()==1
return true; return true;


@@ -25,6 +25,6 @@ def slurper = new JsonSlurper()
def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8") def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8")
assert json instanceof Map assert json instanceof Map
assert json.analysis.dependencies instanceof List assert json.dependencies instanceof List
assert json.analysis.dependencies.size()==0 assert json.dependencies.size()==0
return true; return true;


@@ -185,6 +185,12 @@ public final class Settings {
* The properties key for the URL to retrieve the CPE. * The properties key for the URL to retrieve the CPE.
*/ */
public static final String CPE_URL = "cpe.url"; public static final String CPE_URL = "cpe.url";
/**
* Whether or not if using basic auth with a proxy the system setting
* 'jdk.http.auth.tunneling.disabledSchemes' should be set to an empty
* string.
*/
public static final String PROXY_DISABLE_SCHEMAS = "proxy.disableSchemas";
/** /**
* The properties key for the proxy server. * The properties key for the proxy server.
* *
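Review bot: The Javadoc added at L161-L165 for `PROXY_DISABLE_SCHEMAS` describes the mechanism but not its consequence or its default, and the constant and key spell "Schemas" while the JDK property it controls is `disabledSchemes`, which will make the setting hard to search for. Suggested wording: `The properties key controlling whether, when proxy credentials are configured, the JVM-wide system property 'jdk.http.auth.tunneling.disabledSchemes' is cleared so that Basic authentication to the proxy is permitted for HTTPS (CONNECT) tunneling; the JDK disables this by default for security, and the change affects every HTTP client in the same JVM.` If the key name is still changeable before release, `proxy.disableSchemes` would match the JDK property. The enclosing `Settings` class starts outside the hunk.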


@@ -67,12 +67,12 @@ public final class URLConnectionFactory {
@SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Just being extra safe") @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Just being extra safe")
public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException { public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
HttpURLConnection conn = null; HttpURLConnection conn = null;
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER); final String proxyHost = Settings.getString(Settings.KEYS.PROXY_SERVER);
try { try {
if (proxyUrl != null && !matchNonProxy(url)) { if (proxyHost != null && !matchNonProxy(url)) {
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT); final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort); final SocketAddress address = new InetSocketAddress(proxyHost, proxyPort);
final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME); final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD); final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
@@ -81,7 +81,15 @@ public final class URLConnectionFactory {
final Authenticator auth = new Authenticator() { final Authenticator auth = new Authenticator() {
@Override @Override
public PasswordAuthentication getPasswordAuthentication() { public PasswordAuthentication getPasswordAuthentication() {
if (getRequestorType().equals(Authenticator.RequestorType.PROXY)) { if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
LOGGER.debug("Using the configured proxy username and password");
try {
if (Settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
}
} catch (InvalidSettingException ex) {
LOGGER.trace("This exception can be ignored", ex);
}
return new PasswordAuthentication(username, password.toCharArray()); return new PasswordAuthentication(username, password.toCharArray());
} }
return super.getPasswordAuthentication(); return super.getPasswordAuthentication();
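Review bot: `System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "")` on L192 runs inside the `Authenticator` callback, so a JVM-wide setting is changed lazily, on every proxy challenge, and never restored; when dependency-check runs inside a long-lived host JVM (a build tool or CI server) this also relaxes the tunneling check for every other HTTP client in that process. Performing the property write once, where the `Authenticator` is installed and only when a username is actually configured, makes the effect visible at setup time, and it deserves an info-level line rather than the debug message on L189 so operators can see that the relaxation was applied. The widened condition on L188, `proxyHost.equals(getRequestingHost()) || ...`, now hands the proxy credentials to a SERVER-type challenge whenever the origin host name equals the proxy host; if this is meant to cope with proxies that answer 401 instead of 407, a comment saying so would help, otherwise keeping only the `RequestorType.PROXY` test avoids sending proxy credentials to an origin that merely shares the host name. `createHttpURLConnection` starts in the first hunk and continues past the end of this one.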


@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
data.driver_name=org.h2.Driver data.driver_name=org.h2.Driver
data.driver_path= data.driver_path=
proxy.disableSchemas=true
# the path to the cpe xml file # the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
# the path to the cpe meta data file. # the path to the cpe meta data file.