github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'upmaster' into ruby-bundler

Browse Source 
Conflicts:
	dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
This commit is contained in:
Dale Visser
2015-08-30 15:11:33 -04:00
parent a0437bf933 e630c484ff
commit 1e29d2e751
20 changed files with 369 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
View File

@@ -145,13 +145,15 @@ public class DependencyCheckTask extends Task {
/**
* The application name for the report.
*/
private String applicationName = "Dependency-Check";
@Deprecated
private String applicationName = null;
/**
* Get the value of applicationName.
*
* @return the value of applicationName
*/
@Deprecated
public String getApplicationName() {
return applicationName;
}
@@ -161,9 +163,37 @@ public class DependencyCheckTask extends Task {
*
* @param applicationName new value of applicationName
*/
@Deprecated
public void setApplicationName(String applicationName) {
this.applicationName = applicationName;
}
private String projectName = "Dependency-Check";
/**
* Get the value of projectName.
*
* @return the value of projectName
*/
public String getProjectName() {
if (applicationName != null) {
log("Configuration 'applicationName' has been deprecated, please use 'projectName' instead", Project.MSG_WARN);
if ("Dependency-Check".equals(projectName)) {
projectName = applicationName;
}
}
return projectName;
}
/**
* Set the value of projectName.
*
* @param projectName new value of projectName
*/
public void setProjectName(String projectName) {
this.projectName = projectName;
}
/**
* The location of the data directory that contains
*/
@@ -279,8 +309,7 @@ public class DependencyCheckTask extends Task {
}
/**
* The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
* Site plugin unless the externalReport is set to true. Default is HTML.
* The report format to be generated (HTML, XML, VULN, ALL). Default is HTML.
*/
private String reportFormat = "HTML";
@@ -576,6 +605,29 @@ public class DependencyCheckTask extends Task {
this.centralAnalyzerEnabled = centralAnalyzerEnabled;
}
/**
* Whether or not the local copy of the NVD should be purged.
*/
private boolean purge = false;
/**
* Used to determine if the local copy of the NVD should be purged.
*
* @return true if the local copy of the NVD should be purged
*/
public boolean isPurge() {
return purge;
}
/**
* Set whether or not the local copy of the NVD should be purged.
*
* @param purge setting to true will cause the local copy of the NVD to be deleted.
*/
public void setPurge(boolean purge) {
this.purge = purge;
}
/**
* Whether or not the nexus analyzer is enabled.
*/
@@ -900,7 +952,23 @@ public class DependencyCheckTask extends Task {
dealWithReferences();
validateConfiguration();
populateSettings();
if (purge) {
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
} else {
log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR);
}
} else {
log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR);
}
} catch (IOException ex) {
log("Unable to delete the database", Project.MSG_ERR);
}
}
Engine engine = null;
try {
engine = new Engine(DependencyCheckTask.class.getClassLoader());
@@ -933,7 +1001,7 @@ public class DependencyCheckTask extends Task {
cve.close();
}
}
final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
reporter.generateReports(reportOutputDirectory, reportFormat);
if (this.failBuildOnCVSS <= 10) {

5
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -8,7 +8,7 @@ the project's dependencies.
```xml
<target name="dependency-check" description="Dependency-Check Analysis">
<dependency-check applicationname="Hello World"
<dependency-check projectname="Hello World"
reportoutputdirectory="${basedir}"
reportformat="ALL">
@@ -27,7 +27,7 @@ Property | Description | Default Value
----------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
updateOnly | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
projectName | The name of the project being scanned. | Dependency-Check
reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
reportFormat | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
@@ -76,3 +76,4 @@ databaseDriverPath | The path to the database driver JAR file; only used if th
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;
purge | Delete the local copy of the NVD. This is used to force a refresh of the data. | &nbsp;

26
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -38,6 +38,7 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ch.qos.logback.core.FileAppender;
import java.util.logging.Level;
import org.slf4j.impl.StaticLoggerBinder;
/**
@@ -91,7 +92,28 @@ public class App {
prepareLogger(cli.getVerboseLog());
}
if (cli.isGetVersion()) {
if (cli.isPurge()) {
if (cli.getConnectionString() != null) {
LOGGER.error("Unable to purge the database when using a non-default connection string");
} else {
populateSettings(cli);
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
LOGGER.info("Database file purged; local copy of the NVD has been removed");
} else {
LOGGER.error("Unable to delete '{}'; please delete the file manually", db.getAbsolutePath());
}
} else {
LOGGER.error("Unable to purge database; the database file does not exists: {}", db.getAbsolutePath());
}
} catch (IOException ex) {
LOGGER.error("Unable to delete the database");
}
}
} else if (cli.isGetVersion()) {
cli.printVersionInfo();
} else if (cli.isUpdateOnly()) {
populateSettings(cli);
@@ -99,7 +121,7 @@ public class App {
} else if (cli.isRunScan()) {
populateSettings(cli);
try {
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(),
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), cli.getScanFiles(),
cli.getExcludeList(), cli.getSymLinkDepth());
} catch (InvalidScanPathException ex) {
LOGGER.error("An invalid scan path was detected; unable to scan '//*' paths");

59
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck;
import java.io.File;
import java.io.FileNotFoundException;
import java.util.logging.Level;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
@@ -97,8 +98,8 @@ public final class CliParser {
if (getPathToMono() != null) {
validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO);
}
if (!line.hasOption(ARGUMENT.APP_NAME)) {
throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
if (!line.hasOption(ARGUMENT.APP_NAME) && !line.hasOption(ARGUMENT.PROJECT)) {
throw new ParseException("Missing '" + ARGUMENT.PROJECT + "' argument; the scan cannot be run without the an project name.");
}
if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT);
@@ -217,9 +218,9 @@ public final class CliParser {
final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
false, "Disables the automatic updating of the CPE data.");
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
.withDescription("The name of the application being scanned. This is a required argument.")
.create(ARGUMENT.APP_NAME_SHORT);
final Option projectName = OptionBuilder.hasArg().withArgName("name").withLongOpt(ARGUMENT.PROJECT)
.withDescription("The name of the project being scanned. This is a required argument.")
.create();
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
.withDescription("The path to scan - this option can be specified multiple times. Ant style"
@@ -229,7 +230,7 @@ public final class CliParser {
final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE)
.withDescription("Specify and exclusion pattern. This option can be specified multiple times"
+ " and it accepts Ant style excludsions.")
.create();
.create("p");
final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
.withDescription("A property file to load.")
@@ -265,9 +266,9 @@ public final class CliParser {
options.addOptionGroup(og)
.addOptionGroup(exog)
.addOption(projectName)
.addOption(out)
.addOption(outputFormat)
.addOption(appName)
.addOption(version)
.addOption(help)
.addOption(advancedHelp)
@@ -398,6 +399,10 @@ public final class CliParser {
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
.withDescription("Disable the Nexus Analyzer.").create();
final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PURGE_NVD)
.withDescription("Purges the local NVD data cache")
.create();
options.addOption(updateOnly)
.addOption(cve12Base)
.addOption(cve20Base)
@@ -435,7 +440,8 @@ public final class CliParser {
.addOption(nexusUsesProxy)
.addOption(additionalZipExtensions)
.addOption(pathToMono)
.addOption(pathToBundleAudit);
.addOption(pathToBundleAudit)
.addOption(purge);
}
/**
@@ -451,8 +457,12 @@ public final class CliParser {
final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
.withDescription("The proxy url argument is deprecated, use proxyserver instead.")
.create();
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
.withDescription("The name of the project being scanned.")
.create(ARGUMENT.APP_NAME_SHORT);
options.addOption(proxyServer);
options.addOption(appName);
}
/**
@@ -741,8 +751,14 @@ public final class CliParser {
*
* @return the application name.
*/
public String getApplicationName() {
return line.getOptionValue(ARGUMENT.APP_NAME);
public String getProjectName() {
String appName = line.getOptionValue(ARGUMENT.APP_NAME);
String name = line.getOptionValue(ARGUMENT.PROJECT);
if (name == null && appName != null) {
name = appName;
LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' argument should no longer be used; use '" + ARGUMENT.PROJECT + "' instead.");
}
return name;
}
/**
@@ -894,7 +910,7 @@ public final class CliParser {
* @return <code>true</code> if auto-update is allowed; otherwise <code>false</code>
*/
public boolean isAutoUpdate() {
return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
return line != null && !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
}
/**
@@ -903,7 +919,16 @@ public final class CliParser {
* @return <code>true</code> if the update only flag has been set; otherwise <code>false</code>.
*/
public boolean isUpdateOnly() {
return (line == null) || line.hasOption(ARGUMENT.UPDATE_ONLY);
return line != null && line.hasOption(ARGUMENT.UPDATE_ONLY);
}
/**
* Checks if the purge NVD flag has been set.
*
* @return <code>true</code> if the purge nvd flag has been set; otherwise <code>false</code>.
*/
public boolean isPurge() {
return line != null && line.hasOption(ARGUMENT.PURGE_NVD);
}
/**
@@ -985,6 +1010,10 @@ public final class CliParser {
* The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
*/
public static final String UPDATE_ONLY = "updateonly";
/**
* The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
*/
public static final String PURGE_NVD = "purge";
/**
* The long CLI argument name specifying the directory to write the reports to.
*/
@@ -1001,13 +1030,19 @@ public final class CliParser {
* The short CLI argument name specifying the output format to write the reports to.
*/
public static final String OUTPUT_FORMAT_SHORT = "f";
/**
* The long CLI argument name specifying the name of the project to be scanned.
*/
public static final String PROJECT = "project";
/**
* The long CLI argument name specifying the name of the application to be scanned.
*/
@Deprecated
public static final String APP_NAME = "app";
/**
* The short CLI argument name specifying the name of the application to be scanned.
*/
@Deprecated
public static final String APP_NAME_SHORT = "a";
/**
* The long CLI argument name asking for help.

3
dependency-check-cli/src/site/markdown/arguments.md
View File

@@ -5,7 +5,7 @@ The following table lists the command line arguments:
Short | Argument&nbsp;Name&nbsp;&nbsp; | Parameter | Description | Requirement
-------|-----------------------|-----------------|-------------|------------
\-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. | Required
| \-\-project | \<name\> | The name of the project being scanned. | Required
\-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. directory/**/*.jar). | Required
| \-\-exclude | \<pattern\> | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**). | Optional
| \-\-symLink | \<depth\> | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional
@@ -58,3 +58,4 @@ Short | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
| \-\-dbPassword | \<password\> | The password for connecting to the database. | &nbsp;
| \-\-dbUser | \<user\> | The username used to connect to the database. | &nbsp;
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
| \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. | &nbsp;

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
View File

@@ -24,8 +24,8 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This
* class was created to simplify the velocity configuration and avoid using the "built-in" escape tool.
* An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This class was
* created to simplify the velocity configuration and avoid using the "built-in" escape tool.
*
* @author Jeremy Long
*/
@@ -43,6 +43,9 @@ public class EscapeTool {
* @return the URL encoded text
*/
public String url(String text) {
if (text == null || text.isEmpty()) {
return text;
}
try {
return URLEncoder.encode(text, "UTF-8");
} catch (UnsupportedEncodingException ex) {
@@ -59,6 +62,9 @@ public class EscapeTool {
* @return the HTML encoded text
*/
public String html(String text) {
if (text == null || text.isEmpty()) {
return text;
}
return StringEscapeUtils.escapeHtml(text);
}
@@ -69,6 +75,9 @@ public class EscapeTool {
* @return the XML encoded text
*/
public String xml(String text) {
if (text == null || text.isEmpty()) {
return text;
}
return StringEscapeUtils.escapeXml(text);
}
}

2
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
View File

@@ -119,6 +119,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
//we shouldn't write this because nothing is configured to generate this report.
outputDir = new File(current.getBuild().getDirectory());
}
getLog().warn("\n\n\nwritting: " + outputDir);
getLog().warn("for: " + current.getName());
writeReports(engine, current, outputDir);
}
}

11
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
View File

@@ -233,6 +233,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*/
@Parameter(property = "connectionString", defaultValue = "", required = false)
private String connectionString;
/**
* Returns the connection string.
*
* @return the connection string
*/
protected String getConnectionString() {
return connectionString;
}
/**
* The database driver name. An example would be org.h2.Driver.
*/
@@ -594,7 +603,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
* required to change the proxy url, port, and connection timeout.
*/
private void populateSettings() {
protected void populateSettings() {
Settings.initialize();
InputStream mojoProperties = null;
try {

107
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java Normal file
View File

@@ -0,0 +1,107 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.maven;
import java.io.File;
import java.io.IOException;
import java.util.Locale;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Maven Plugin that purges the local copy of the NVD data.
*
* @author Jeremy Long
*/
@Mojo(
name = "purge",
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
threadSafe = true,
requiresDependencyResolution = ResolutionScope.NONE,
requiresOnline = true
)
public class PurgeMojo extends BaseDependencyCheckMojo {
/**
* Returns false; this mojo cannot generate a report.
*
* @return <code>false</code>
*/
@Override
public boolean canGenerateReport() {
return false;
}
/**
* Purges the local copy of the NVD.
*
* @throws MojoExecutionException thrown if there is an exception executing the goal
* @throws MojoFailureException thrown if dependency-check is configured to fail the build
*/
@Override
public void runCheck() throws MojoExecutionException, MojoFailureException {
if (getConnectionString() != null && !getConnectionString().isEmpty()) {
getLog().error("Unable to purge the local NVD when using a non-default connection string");
} else {
populateSettings();
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
getLog().info("Database file purged; local copy of the NVD has been removed");
} else {
getLog().error(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()));
}
} else {
getLog().error(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()));
}
} catch (IOException ex) {
getLog().error("Unable to delete the database");
}
Settings.cleanup();
}
}
/**
* Returns the report name.
*
* @param locale the location
* @return the report name
*/
public String getName(Locale locale) {
return "dependency-check-purge";
}
/**
* Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
*
* @param locale The Locale to get the description for
* @return the description
*/
public String getDescription(Locale locale) {
return "Purges the local cache of the NVD dataT.";
}
}

15
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -6,6 +6,7 @@ Goal | Description
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report.
check | Runs dependency-check against the project and generates a report.
update-only | Updates the local cache of the NVD data from NIST.
purge | Deletes the local copy of the NVD. This is used to force a refresh of the data.
Configuration
====================
@@ -49,13 +50,13 @@ Advanced Configuration
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value
---------------------|--------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
connectionTimeout | Sets the URL Connection Timeout used when downloading external data. | &nbsp;
Property | Description | Default Value
---------------------|---------------------------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
connectionTimeout | Sets the URL Connection Timeout used when downloading external data. | &nbsp;
dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;

0
src/site/markdown/analyzers/autoconf-analyzer.md → src/site/markdown/analyzers/autoconf.md
View File

11
src/site/markdown/analyzers/cmake.md Normal file
View File

@@ -0,0 +1,11 @@
CMake Analyzer
==============
OWASP dependency-check includes an analyzer that will scan CMake project
configuration files. The analyzer will collect as much information it can
about the project. The information collected is internally referred to as
evidence and is grouped into vendor, product, and version buckets. Other
analyzers later use this evidence to identify any Common Platform Enumeration
(CPE) identifiers that apply.
File names scanned: CMakeLists.txt, \*.cmake

21
src/site/markdown/analyzers/index.md
View File

@@ -5,12 +5,15 @@ to extract identification information from the files analyzed.
| Analyzer | File Types Scanned | Analysis Method |
| -------- | ------------------ | --------------- |
| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. |
| [Assembly Analyzer](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
| [Autoconf Analyzer](./autoconf-analyzer.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. |
| [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
| [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
| [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. |
| [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
| [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
| [Archive](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. |
| [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
| [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. |
| [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
| [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
| [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
| [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . |
| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. |
| [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
| [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
| [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
| [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. |

14
src/site/markdown/analyzers/nodejs.md Normal file
View File

@@ -0,0 +1,14 @@
Node.js Analyzer
================
OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/)
package specification files. The analyzer will collect as much information as
it can about the package. The information collected is internally referred to
as evidence and is grouped into vendor, product, and version buckets. Other
analyzers later use this evidence to identify any Common Platform Enumeration
(CPE) identifiers that apply.
__Note:__ Also consider using the Node Security Project auditing tool,
[nsp](https://nodesecurity.io/tools).
Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json)

0
src/site/markdown/analyzers/openssl-analyzer.md → src/site/markdown/analyzers/openssl.md
View File

10
src/site/markdown/analyzers/python-analyzer.md
View File

@@ -1,10 +0,0 @@
Python Analyzer
==============
OWASP dependency-check includes an analyzer that will scan Python artifacts. The
analyzer(s) will collect as much information it can about the python artifacts.
The information collected is internally referred to as evidence and is grouped into
vendor, product, and version buckets. Other analyzers later use this evidence to
identify any Common Platform Enumeration (CPE) identifiers that apply.
Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA

11
src/site/markdown/analyzers/python.md Normal file
View File

@@ -0,0 +1,11 @@
Python Analyzer
==============
OWASP dependency-check includes an analyzer that will scan Python artifacts.
The analyzer(s) will collect as much information it can about the Python
artifacts. The information collected is internally referred to as evidence and
is grouped into vendor, product, and version buckets. Other analyzers later
use this evidence to identify any Common Platform Enumeration (CPE)
identifiers that apply.
Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA

15
src/site/markdown/analyzers/ruby-gemspec.md Normal file
View File

@@ -0,0 +1,15 @@
Ruby Gemspec Analyzer
=====================
OWASP dependency-check includes an analyzer that will scan [Ruby Gem](https://rubygems.org/)
[specifications](http://guides.rubygems.org/specification-reference/). The
analyzer will collect as much information as it can about the Gem. The
information collected is internally referred to as evidence and is grouped
into vendor, product, and version buckets. Other analyzers later use this
evidence to identify any Common Platform Enumeration (CPE) identifiers that
apply.
__Note:__ Also consider using the Ruby
[bundler-audit](https://github.com/rubysec/bundler-audit#readme) tool.
Files Types Scanned: Rakefile, \*.gemspec

11
src/site/markdown/index.md
View File

@@ -2,11 +2,12 @@ About
====================
OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry:
[A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
Dependency-check can currently be used to scan Java, .NET, and Python
applications (and their dependent libraries) to identify known vulnerable
components. In addition, Dependency-check can be used to scan some source
code, including OpenSSL source code and source code for projects that use
Autoconf.
Dependency-check can currently be used to scan Java, .NET, Python, Ruby and
Node.js applications (and their dependent libraries) to identify known
vulnerable components. In addition, Dependency-check can be used to scan some
source code, including OpenSSL source code and source code for projects that
use [Autoconf](https://www.gnu.org/software/autoconf/) or
[CMake](http://www.cmake.org/overview/).
The problem with using known vulnerable components was covered in a paper by
Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of

17
src/site/site.xml
View File

@@ -113,26 +113,35 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="Assembly Analyzer" href="./analyzers/assembly-analyzer.html">
<description>Assembly Analyzer</description>
</item>
<item name="Autoconf Analyzer" href="./analyzers/autoconf-analyzer.html">
<item name="Autoconf Analyzer" href="./analyzers/autoconf.html">
<description>Autoconf Analyzer</description>
</item>
<item name="Central Analyzer" href="./analyzers/central-analyzer.html">
<description>Central Analyzer</description>
</item>
<item name="CMake Analyzer" href="./analyzers/cmake.html">
<description>CMake Analyzer</description>
</item>
<item name="Jar Analyzer" href="./analyzers/jar-analyzer.html">
<description>Jar Analyzer</description>
</item>
<item name="Nexus Analyzer" href="./analyzers/nexus-analyzer.html">
<description>Nexus Analyzer</description>
</item>
<item name="Node.js Analyzer" href="./analyzers/nodejs.html">
<description>Node.js Analyzer</description>
</item>
<item name="Nuspec Analyzer" href="./analyzers/nuspec-analyzer.html">
<description>Nuspec Analyzer</description>
</item>
<item name="Python Analyzer" href="./analyzers/python-analyzer.html">
<item name="OpenSSL Analyzer" href="./analyzers/openssl.html">
<description>OpenSSL Analyzer</description>
</item>
<item name="Python Analyzer" href="./analyzers/python.html">
<description>Python Analyzer</description>
</item>
<item name="OpenSSL Analyzer" href="./analyzers/openssl-analyzer.html">
<description>OpenSSL Analyzer</description>
<item name="Ruby Gemspec Analyzer" href="./analyzers/ruby-gemspec.html">
<description>Ruby Gemspec Analyzer</description>
</item>
</item>
<item collapse="true" name="Modules" href="./modules.html">