github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-13 23:33:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'wmaintw-master'

Browse Source 
Former-commit-id: 16f0045f42b6bb19b7f3e0a7e74afee4a5a62e4c
This commit is contained in:
Jeremy Long
2015-05-23 06:48:08 -04:00
parent 362c7e9c04 399c052129
commit 0604361d4e
12 changed files with 666 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
dependency-check-gradle/.gitignore vendored Normal file
View File

@@ -0,0 +1,12 @@
.idea/
.gradle
*.iml
*.ipr
*.iws
out/
build/
gradle-app.setting
gradle.properties

158
dependency-check-gradle/README.md Normal file
View File

@@ -0,0 +1,158 @@
Dependency-Check-Gradle
=========
**Working in progress**
This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
=========
## Usage
### Step 1, Apply dependency check gradle plugin
Please refer to either one of the solution
#### Solution 1Bintray
```
apply plugin: "dependency-check"
buildscript {
repositories {
maven {
url 'http://dl.bintray.com/wei/maven'
}
mavenCentral()
}
dependencies {
classpath(
'com.tools.security:dependency-check:0.0.3'
)
}
}
```
#### Solution 2Gradle Plugin Portal
[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check)
**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:**
```
// buildscript {
// ...
// }
plugins {
id "dependency.check" version "0.0.3"
}
// apply plugin: ...
```
**Build script snippet for use in all Gradle versions:**
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
apply plugin: "dependency.check"
```
**If your project includes multiple sub-project, configure build script this way:**
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
allprojects {
//other plugins you may use
//apply plugin: "java"
apply plugin: "dependency-check"
repositories {
mavenCentral()
}
}
```
or
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
subprojects {
//other plugins you may use
//apply plugin: "java"
apply plugin: "dependency-check"
repositories {
mavenCentral()
}
}
```
In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
#### Solution 3Maven Central
working in progress
### Step 2, Run gradle task
Once gradle plugin applied, run following gradle task to check the dependencies:
```
gradle dependencyCheck
```
The reports will be generated automatically under `./reports` folder.
If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
### What if you are behind a proxy?
Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
```
dependencyCheck {
proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
proxyPort = 3128 // required, the port number of the proxy
// optional, the proxy server might require username
// proxyUsername = "username"
// optional, the proxy server might require password
// proxyPassword = "password"
}
```

87
dependency-check-gradle/build.gradle Normal file
View File

@@ -0,0 +1,87 @@
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "com.gradle.publish:plugin-publish-plugin:0.9.0"
}
}
plugins {
id 'nu.studer.plugindev' version '1.0.3'
}
apply plugin: 'idea'
apply plugin: 'groovy'
apply plugin: 'maven'
apply plugin: "com.gradle.plugin-publish"
repositories {
mavenCentral()
}
dependencies {
compile(
localGroovy(),
gradleApi(),
'org.owasp:dependency-check-core:1.2.11',
'org.owasp:dependency-check-utils:1.2.10'
)
}
group = 'com.tools.security'
version = '0.0.3'
//-------------------------------
// Local debug use only
//
uploadArchives {
repositories {
mavenDeployer {
repository(url: uri('../../../repo'))
}
}
}
//-------------------------------
// publish to Bintray
plugindev {
pluginId = 'dependency.check'
pluginName = 'dependency-check'
pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin'
pluginDescription 'This is dependency check gradle plugin.'
pluginLicenses 'Apache-2.0'
pluginTags 'dependency check', 'security'
authorId 'wmaintw'
authorName 'Wei Ma'
authorEmail 'wma@thoughtworks.com'
projectUrl 'https://github.com/wmaintw/DependencyCheck'
projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues'
projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git'
projectInceptionYear '2015'
done()
}
bintray {
user = bintrayUser
key = bintrayUserKey
pkg.repo = bintrayRepo
}
// publish to gradle plugin portal
pluginBundle {
website = 'https://github.com/wmaintw/DependencyCheck'
vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git'
description = 'This is dependency check gradle plugin.'
tags = ['dependency check', 'security']
plugins {
dependencyCheckPlugin {
id = 'dependency.check'
displayName = 'dependency-check'
}
}
}

164
dependency-check-gradle/gradlew vendored Executable file
View File

@@ -0,0 +1,164 @@
#!/usr/bin/env bash
##############################################################################
##
## Gradle start up script for UN*X
##
##############################################################################
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS=""
APP_NAME="Gradle"
APP_BASE_NAME=`basename "$0"`
# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum"
warn ( ) {
echo "$*"
}
die ( ) {
echo
echo "$*"
echo
exit 1
}
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
case "`uname`" in
CYGWIN* )
cygwin=true
;;
Darwin* )
darwin=true
;;
MINGW* )
msys=true
;;
esac
# For Cygwin, ensure paths are in UNIX format before anything is touched.
if $cygwin ; then
[ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
fi
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
PRG="$0"
# Need this for relative symlinks.
while [ -h "$PRG" ] ; do
ls=`ls -ld "$PRG"`
link=`expr "$ls" : '.*-> \(.*\)$'`
if expr "$link" : '/.*' > /dev/null; then
PRG="$link"
else
PRG=`dirname "$PRG"`"/$link"
fi
done
SAVED="`pwd`"
cd "`dirname \"$PRG\"`/" >&-
APP_HOME="`pwd -P`"
cd "$SAVED" >&-
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD="$JAVA_HOME/jre/sh/java"
else
JAVACMD="$JAVA_HOME/bin/java"
fi
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
else
JAVACMD="java"
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
# Increase the maximum file descriptors if we can.
if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then
MAX_FD_LIMIT=`ulimit -H -n`
if [ $? -eq 0 ] ; then
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
MAX_FD="$MAX_FD_LIMIT"
fi
ulimit -n $MAX_FD
if [ $? -ne 0 ] ; then
warn "Could not set maximum file descriptor limit: $MAX_FD"
fi
else
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
fi
fi
# For Darwin, add options to specify how the application appears in the dock
if $darwin; then
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi
# For Cygwin, switch paths to Windows format before running java
if $cygwin ; then
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
# We build the pattern for arguments to be converted via cygpath
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
SEP=""
for dir in $ROOTDIRSRAW ; do
ROOTDIRS="$ROOTDIRS$SEP$dir"
SEP="|"
done
OURCYGPATTERN="(^($ROOTDIRS))"
# Add a user-defined pattern to the cygpath arguments
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
fi
# Now convert the arguments - kludge to limit ourselves to /bin/sh
i=0
for arg in "$@" ; do
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
else
eval `echo args$i`="\"$arg\""
fi
i=$((i+1))
done
case $i in
(0) set -- ;;
(1) set -- "$args0" ;;
(2) set -- "$args0" "$args1" ;;
(3) set -- "$args0" "$args1" "$args2" ;;
(4) set -- "$args0" "$args1" "$args2" "$args3" ;;
(5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
(6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
(7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
(8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
(9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
esac
fi
# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules
function splitJvmOpts() {
JVM_OPTS=("$@")
}
eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS
JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME"
exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@"

90
dependency-check-gradle/gradlew.bat vendored Normal file
View File

@@ -0,0 +1,90 @@
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS=
set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%
@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto init
echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto init
echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:init
@rem Get command-line arguments, handling Windowz variants
if not "%OS%" == "Windows_NT" goto win9xME_args
if "%@eval[2+2]" == "4" goto 4NT_args
:win9xME_args
@rem Slurp the command line arguments.
set CMD_LINE_ARGS=
set _SKIP=2
:win9xME_args_slurp
if "x%~1" == "x" goto execute
set CMD_LINE_ARGS=%*
goto execute
:4NT_args
@rem Get arguments from the 4NT Shell from JP Software
set CMD_LINE_ARGS=%$
:execute
@rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
:end
@rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd
:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
exit /b 1
:mainEnd
if "%OS%"=="Windows_NT" endlocal
:omega

35
dependency-check-gradle/pom.xml Normal file
View File

@@ -0,0 +1,35 @@
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<url>http://maven.apache.org</url>
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.11-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-gradle</artifactId>
<packaging>jar</packaging>
<name>Dependency-Check Gradle Plugin</name>
<description>dependency-check-gradle is a Gradle Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
<inceptionYear>2015</inceptionYear>
</project>

1
dependency-check-gradle/settings.gradle Normal file
View File

@@ -0,0 +1 @@
rootProject.name = 'dependency-check'

8
dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy Normal file
View File

@@ -0,0 +1,8 @@
package com.tools.security.extension
class DependencyCheckConfigurationExtension {
String proxyServer
Integer proxyPort
String proxyUsername = ""
String proxyPassword = ""
}

23
dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy Normal file
View File

@@ -0,0 +1,23 @@
package com.tools.security.plugin
import com.tools.security.extension.DependencyCheckConfigurationExtension
import com.tools.security.tasks.DependencyCheckTask
import org.gradle.api.Plugin
import org.gradle.api.Project
class DependencyCheckGradlePlugin implements Plugin<Project> {
@Override
void apply(Project project) {
initializeConfigurations(project)
registerTasks(project)
}
def initializeConfigurations(Project project) {
project.extensions.create("dependencyCheck", DependencyCheckConfigurationExtension)
}
def registerTasks(Project project) {
project.tasks.create("dependencyCheck", DependencyCheckTask)
}
}

86
dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy Normal file
View File

@@ -0,0 +1,86 @@
package com.tools.security.tasks
import org.gradle.api.DefaultTask
import org.gradle.api.artifacts.Configuration
import org.gradle.api.artifacts.ResolvedArtifact
import org.gradle.api.tasks.TaskAction
import org.owasp.dependencycheck.Engine
import org.owasp.dependencycheck.data.nvdcve.CveDB
import org.owasp.dependencycheck.dependency.Dependency
import org.owasp.dependencycheck.reporting.ReportGenerator
import org.owasp.dependencycheck.utils.Settings
import static org.owasp.dependencycheck.utils.Settings.setString
class DependencyCheckTask extends DefaultTask {
def currentProjectName = project.getName()
@TaskAction
def check() {
initializeSettings()
def engine = initializeEngine()
verifyDependencies(engine)
analyzeDependencies(engine)
retrieveVulnerabilities(engine)
generateReport(engine)
}
private Engine initializeEngine() {
new Engine()
}
def initializeSettings() {
Settings.initialize()
overrideProxySetting()
}
def verifyDependencies(engine) {
logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
getAllDependencies(project).each { engine.scan(it) }
}
def analyzeDependencies(Engine engine) {
logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies")
engine.analyzeDependencies()
}
def retrieveVulnerabilities(Engine engine) {
def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
dependency.getVulnerabilities()
}.flatten()
logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}")
}
def generateReport(Engine engine) {
logger.lifecycle("Generating report for project ${currentProjectName}")
def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers,
new CveDB().databaseProperties)
reportGenerator.generateReports("./reports/${currentProjectName}", ReportGenerator.Format.ALL)
}
def overrideProxySetting() {
if (isProxySettingExist()) {
logger.lifecycle("Using proxy ${project.dependencyCheck.proxyServer}:${project.dependencyCheck.proxyPort}")
setString(Settings.KEYS.PROXY_SERVER, project.dependencyCheck.proxyServer)
setString(Settings.KEYS.PROXY_PORT, "${project.dependencyCheck.proxyPort}")
setString(Settings.KEYS.PROXY_USERNAME, project.dependencyCheck.proxyUsername)
setString(Settings.KEYS.PROXY_PASSWORD, project.dependencyCheck.proxyPassword)
}
}
def isProxySettingExist() {
project.dependencyCheck.proxyServer != null && project.dependencyCheck.proxyPort != null
}
def getAllDependencies(project) {
return project.getConfigurations().collect { Configuration configuration ->
configuration.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact ->
artifact.getFile()
}
}.flatten();
}
}

1
dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties Normal file
View File

@@ -0,0 +1 @@
implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin

1
pom.xml
View File

@@ -28,6 +28,7 @@ Copyright (c) 2012 - Jeremy Long
<module>dependency-check-cli</module>
<module>dependency-check-ant</module>
<module>dependency-check-maven</module>
<module>dependency-check-gradle</module>
<module>dependency-check-jenkins</module>
<module>dependency-check-utils</module>
</modules>