github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-26 19:11:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into issue696-cli

Browse Source
This commit is contained in:
Jeremy Long
2017-05-20 07:38:12 -04:00
parent 6007be1b5f 6b5cfe1560
commit 006224b52c
9 changed files with 198 additions and 189 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -1,5 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress base="true">
<notes><![CDATA[
This suppresses false positives for Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll.
]]></notes>
<filePath regex="true">.*Microsoft\.VisualStudio\.QualityTools\.UnitTestFramework*\.dll</filePath>
<cve>CVE-2014-3802</cve>
</suppress>
<suppress base="true"> <suppress base="true">
<notes><![CDATA[ <notes><![CDATA[
This suppresses false positives for EntityFramework.SqlServer.dll. This suppresses false positives for EntityFramework.SqlServer.dll.

2
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -41,6 +41,8 @@ data.password=DC-Pass1337!
data.driver_name=org.h2.Driver data.driver_name=org.h2.Driver
data.driver_path= data.driver_path=
proxy.disableSchemas=true
# the number of days that the modified nvd cve data holds data for. We don't need # the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file # to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe. # holds 8 days of updates, we are using 7 just to be safe.

346
dependency-check-core/src/main/resources/templates/JsonReport.vsl
View File

@@ -1,198 +1,182 @@
{ {
"reportSchema": "1.0", "reportSchema": "1.0",
"analysis": { "scanInfo": {
"scanInfo": { "engineVersion": "$version",
"engineVersion": "$version", "dataSource": [
"dataSource": [ #foreach($prop in $properties.getMetaData().entrySet())
#foreach($prop in $properties.getMetaData().entrySet()) #if($foreach.count > 1),#end{
#if($foreach.count > 1),#end{ "name": "$enc.json($prop.key)",
"name": "$enc.json($prop.key)", "timestamp": "$enc.json($prop.value)"
"timestamp": "$enc.json($prop.value)" }
} #end
#end ]
] },
}, "projectInfo": {
"projectInfo": { "name": "$enc.json($applicationName)",
"name": "$enc.json($applicationName)", #if($groupID)"groupID":"$enc.json($groupID)",#end
#if($groupID)"groupID":"$enc.json($groupID)",#end #if($artifactID)"artifactID":"$enc.json($artifactID)",#end
#if($artifactID)"artifactID":"$enc.json($artifactID)",#end #if($version)"version":"$enc.json($version)",#end
#if($version)"version":"$enc.json($version)",#end "reportDate": "$scanDateXML",
"reportDate": "$scanDateXML", "credits": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov"
"credits": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov" },
}, "dependencies": [
"dependencies": [ #foreach($dependency in $dependencies)#if($foreach.count > 1),#end{
#foreach($dependency in $dependencies)#if($foreach.count > 1),#end{ "fileName": "$enc.json($dependency.DisplayFileName)",
"fileName": "$enc.json($dependency.DisplayFileName)", "filePath": "$enc.json($dependency.FilePath)",
"filePath": "$enc.json($dependency.FilePath)", "md5": "$enc.json($dependency.Md5sum)",
"md5": "$enc.json($dependency.Md5sum)", "sha1": "$enc.json($dependency.Sha1sum)"
"sha1": "$enc.json($dependency.Sha1sum)" #if($dependency.description),"description": "$enc.json($dependency.description)"#end
#if($dependency.description),"description": "$enc.json($dependency.description)"#end #if($dependency.license),"license": "$enc.json($dependency.license)"#end
#if($dependency.license),"license": "$enc.json($dependency.license)"#end #if ($dependency.getRelatedDependencies().size()>0)
#if ($dependency.getRelatedDependencies().size()>0) ,"relatedDependencies": [
,"relatedDependencies": [ #foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end {
#foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end { "filePath": "$enc.json($related.FilePath)",
"filePath": "$enc.json($related.FilePath)", "sha1": "$enc.json($related.Sha1sum)",
"sha1": "$enc.json($related.Sha1sum)", "md5": "$enc.json($related.Md5sum)"#if($related.getIdentifiers()),#end
"md5": "$enc.json($related.Md5sum)"#if($related.getIdentifiers()),#end "identifiers": [
"identifiers": [ #foreach($id in $related.getIdentifiers())
#foreach($id in $related.getIdentifiers()) #if ($id.type=="maven")
#if ($id.type=="maven") {
{
"type": "$enc.json($id.type)",
"name": "$id.value"
#if( $id.url ),"url": "$enc.json($id.url)"#end
#if ($id.notes),"notes": "$enc.json($id.notes)"#end
}
#end
#end
]
}
#end
]
#end
,"evidenceCollected": {
"vendorEvidence": [
#foreach($evidence in $dependency.getVendorEvidence())
#if($foreach.count > 1),#end{
"type": "vendor",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
}
#end
],
"productEvidence": [
#foreach($evidence in $dependency.getProductEvidence())
#if($foreach.count > 1),#end{
"type": "product",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
}
#end
],
"versionEvidence": [
#foreach($evidence in $dependency.getVersionEvidence())
#if($foreach.count > 1),#end{
"type": "version",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
}
#end
]
},
"identifiers": [
#foreach($id in $dependency.getIdentifiers())#if($foreach.count > 1),#end{
"name": "$id.value",
"type": "$enc.json($id.type)",
#if($id.confidence)"confidence": "$id.confidence",#end
#if($id.url)"url": "$enc.json($id.url)",#end
#if($id.description )"description": "$enc.json($id.description)",#end
#if ($id.notes)"notes": "$enc.json($id.notes)",#end
"suppressedIdentifiers": [
#foreach($id in $dependency.getSuppressedIdentifiers())
#if($foreach.count > 1),#end{
"type": "$enc.json($id.type)", "type": "$enc.json($id.type)",
#if($id.confidence)"confidence": "$id.confidence",#end "name": "$id.value"
"name": "$id.value", #if( $id.url ),"url": "$enc.json($id.url)"#end
#if($id.url)"url": "$enc.json($id.url),"#end #if ($id.notes),"notes": "$enc.json($id.notes)"#end
#if($id.description)"description": "$enc.json($id.description)",#end }
#if ($id.notes)"notes": "$enc.json($id.notes)"#end
}
#end #end
] #end
]
}
#end
]
#end
,"evidenceCollected": {
"vendorEvidence": [
#foreach($evidence in $dependency.getVendorEvidence())
#if($foreach.count > 1),#end{
"type": "vendor",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
}
#end
],
"productEvidence": [
#foreach($evidence in $dependency.getProductEvidence())
#if($foreach.count > 1),#end{
"type": "product",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
}
#end
],
"versionEvidence": [
#foreach($evidence in $dependency.getVersionEvidence())
#if($foreach.count > 1),#end{
"type": "version",
"confidence": "$enc.json($evidence.getConfidence().toString())",
"source": "$enc.json($evidence.getSource())",
"name": "$enc.json($evidence.getName())",
"value": "$enc.json($evidence.getValue().trim())"
} }
#end #end
] ]
#if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) },
,"vulnerabilities": [ "identifiers": [
#foreach($vuln in $dependency.getVulnerabilities()) #foreach($id in $dependency.getIdentifiers())#if($foreach.count > 1),#end{
#if($foreach.count > 1),#end { "name": "$id.value",
"name": "$enc.json($vuln.name)", "type": "$enc.json($id.type)",
"cvssScore": "$vuln.cvssScore", #if($id.confidence)"confidence": "$id.confidence",#end
"cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", #if($id.url)"url": "$enc.json($id.url)",#end
"cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", #if($id.description )"description": "$enc.json($id.description)",#end
"cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", #if ($id.notes)"notes": "$enc.json($id.notes)",#end
"cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", "suppressedIdentifiers": [
"cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", #foreach($id in $dependency.getSuppressedIdentifiers())
"cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", #if($foreach.count > 1),#end{
#if ($vuln.cvssScore<4.0) "type": "$enc.json($id.type)",
"severity": "Low", #if($id.confidence)"confidence": "$id.confidence",#end
#elseif ($vuln.cvssScore>=7.0) "name": "$id.value",
"severity": "High", #if($id.url)"url": "$enc.json($id.url),"#end
#else #if($id.description)"description": "$enc.json($id.description)",#end
"severity": "Medium", #if ($id.notes)"notes": "$enc.json($id.notes)"#end
#end
#if($vuln.cwe)"cwe": "$enc.json($vuln.cwe)",#end
"description": "$enc.json($vuln.description)",
#if ($vuln.notes)"notes": "$enc.json($vuln.notes)"#end
"references": [
#foreach($ref in $vuln.getReferences())
#if($foreach.count > 1),#end {
"source": "$enc.json($ref.source)",
"url": "$enc.json($ref.url)",
"name": "$enc.json($ref.name)"
}
#end
],
"vulnerableSoftware": [
#foreach($vs in $vuln.getVulnerableSoftware())
#if($foreach.count > 1),#end {
#if($vs.hasPreviousVersion()) "allPreviousVersion": "true",#end
"software": "$enc.json($vs.name)"
} }
#end #end
] ]
}#end }
]
#end #end
]
#if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0) #if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
,"suppressedVulnerabilities": [ ,"vulnerabilities": [
#foreach($vuln in $dependency.getSuppressedVulnerabilities())#if($foreach.count > 1),#end { #foreach($vuln in $dependency.getVulnerabilities())#if($foreach.count > 1),#end {
"name": "$enc.json($vuln.name)", "name": "$enc.json($vuln.name)",
"cvssScore": "$vuln.cvssScore", "cvssScore": "$vuln.cvssScore",
"cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)",
"cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)",
"cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)",
"cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)",
"cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)",
"cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)",
#if ($vuln.cvssScore<4.0) "severity": "Low", #if ($vuln.cvssScore<4.0)"severity": "Low",
#elseif ($vuln.cvssScore>=7.0) "severity": "High", #elseif ($vuln.cvssScore>=7.0)"severity": "High",
#else "severity": "Medium", #else "severity": "Medium",#end
#end "cwe": "#if ($vuln.cwe)$enc.json($vuln.cwe)#end",
#if ($vuln.cwe)"cwe": "$enc.json($vuln.cwe)",#end "description": "$enc.json($vuln.description)",
"description": "$enc.json($vuln.description)" "notes": "#if ($vuln.notes)$enc.json($vuln.notes)#end",
#if ($vuln.notes),"notes": "$enc.json($vuln.notes)"#end "references": [
,"references": [ #foreach($ref in $vuln.getReferences())
#foreach($ref in $vuln.getReferences()) #if($foreach.count > 1),#end {
#if($foreach.count > 1),#end {
"source": "$enc.json($ref.source)", "source": "$enc.json($ref.source)",
"url": "$enc.json($ref.url)", "url": "$enc.json($ref.url)",
"name": "$enc.json($ref.name)" "name": "$enc.json($ref.name)"
} }#end
#end ],
], "vulnerableSoftware": [
"vulnerableSoftware": [ #foreach($vs in $vuln.getVulnerableSoftware())
#foreach($vs in $vuln.getVulnerableSoftware()) #if($foreach.count > 1),#end {
#if($foreach.count > 1),#end { "software": "$enc.json($vs.name)"
#if($vs.hasPreviousVersion()) "allPreviousVersion": "true",#end #if($vs.hasPreviousVersion()) ,"allPreviousVersion": "true"#end
"name": "$enc.json($vs.name)" }#end
}
#end
]
}
#end
] ]
#end }#end
]#end
} #if($dependency.getSuppressedVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
#end ,"suppressedVulnerabilities": [
] #foreach($vuln in $dependency.getSuppressedVulnerabilities())#if($foreach.count > 1),#end {
} "name": "$enc.json($vuln.name)",
"cvssScore": "$vuln.cvssScore",
"cvssAccessVector": "$enc.json($vuln.cvssAccessVector)",
"cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)",
"cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)",
"cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)",
"cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)",
"cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)",
#if ($vuln.cvssScore<4.0) "severity": "Low",
#elseif ($vuln.cvssScore>=7.0) "severity": "High",
#else "severity": "Medium",
#end
"cwe": "#if ($vuln.cwe)$enc.json($vuln.cwe)#end",
"description": "$enc.json($vuln.description)",
"notes": "#if ($vuln.notes)$enc.json($vuln.notes)#end",
"references": [
#foreach($ref in $vuln.getReferences())
#if($foreach.count > 1),#end {
"source": "$enc.json($ref.source)",
"url": "$enc.json($ref.url)",
"name": "$enc.json($ref.name)"
}#end
],
"vulnerableSoftware": [
#foreach($vs in $vuln.getVulnerableSoftware())
#if($foreach.count > 1),#end {
"name": "$enc.json($vs.name)"
#if($vs.hasPreviousVersion()) ,"allPreviousVersion": "true"#end
}#end
]
}#end
]#end
}#end
]
} }

1
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
data.driver_name=org.h2.Driver data.driver_name=org.h2.Driver
data.driver_path= data.driver_path=
proxy.disableSchemas=true
# the number of days that the modified nvd cve data holds data for. We don't need # the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file # to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe. # holds 8 days of updates, we are using 7 just to be safe.

4
dependency-check-maven/src/it/729-system-scope-resolved/postbuild.groovy
View File

@@ -25,6 +25,6 @@ def slurper = new JsonSlurper()
def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8") def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8")
assert json instanceof Map assert json instanceof Map
assert json.analysis.dependencies instanceof List assert json.dependencies instanceof List
assert json.analysis.dependencies.size()==1 assert json.dependencies.size()==1
return true; return true;

4
dependency-check-maven/src/it/729-system-scope-skipped/postbuild.groovy
View File

@@ -25,6 +25,6 @@ def slurper = new JsonSlurper()
def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8") def json = slurper.parse(new File(basedir, "target/dependency-check-report.json"), "UTF-8")
assert json instanceof Map assert json instanceof Map
assert json.analysis.dependencies instanceof List assert json.dependencies instanceof List
assert json.analysis.dependencies.size()==0 assert json.dependencies.size()==0
return true; return true;

6
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -185,6 +185,12 @@ public final class Settings {
* The properties key for the URL to retrieve the CPE. * The properties key for the URL to retrieve the CPE.
*/ */
public static final String CPE_URL = "cpe.url"; public static final String CPE_URL = "cpe.url";
/**
* Whether or not if using basic auth with a proxy the system setting
* 'jdk.http.auth.tunneling.disabledSchemes' should be set to an empty
* string.
*/
public static final String PROXY_DISABLE_SCHEMAS = "proxy.disableSchemas";
/** /**
* The properties key for the proxy server. * The properties key for the proxy server.
* *

16
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
View File

@@ -67,12 +67,12 @@ public final class URLConnectionFactory {
@SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Just being extra safe") @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Just being extra safe")
public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException { public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
HttpURLConnection conn = null; HttpURLConnection conn = null;
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER); final String proxyHost = Settings.getString(Settings.KEYS.PROXY_SERVER);
try { try {
if (proxyUrl != null && !matchNonProxy(url)) { if (proxyHost != null && !matchNonProxy(url)) {
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT); final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort); final SocketAddress address = new InetSocketAddress(proxyHost, proxyPort);
final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME); final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD); final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
@@ -81,7 +81,15 @@ public final class URLConnectionFactory {
final Authenticator auth = new Authenticator() { final Authenticator auth = new Authenticator() {
@Override @Override
public PasswordAuthentication getPasswordAuthentication() { public PasswordAuthentication getPasswordAuthentication() {
if (getRequestorType().equals(Authenticator.RequestorType.PROXY)) { if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
LOGGER.debug("Using the configured proxy username and password");
try {
if (Settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
}
} catch (InvalidSettingException ex) {
LOGGER.trace("This exception can be ignored", ex);
}
return new PasswordAuthentication(username, password.toCharArray()); return new PasswordAuthentication(username, password.toCharArray());
} }
return super.getPasswordAuthentication(); return super.getPasswordAuthentication();

1
dependency-check-utils/src/test/resources/dependencycheck.properties
View File

@@ -36,6 +36,7 @@ data.password=DC-Pass1337!
data.driver_name=org.h2.Driver data.driver_name=org.h2.Driver
data.driver_path= data.driver_path=
proxy.disableSchemas=true
# the path to the cpe xml file # the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
# the path to the cpe meta data file. # the path to the cpe meta data file.