diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
index c06f2ac77..71fa3cb16 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
@@ -145,13 +145,15 @@ public class DependencyCheckTask extends Task {
 /**
 * The application name for the report.
 */
- private String applicationName = "Dependency-Check";
+ @Deprecated
+ private String applicationName = null;
 
 /**
 * Get the value of applicationName.
 *
 * @return the value of applicationName
 */
+ @Deprecated
 public String getApplicationName() {
 return applicationName;
 }
@@ -161,9 +163,37 @@ public class DependencyCheckTask extends Task {
 *
 * @param applicationName new value of applicationName
 */
+ @Deprecated
 public void setApplicationName(String applicationName) {
 this.applicationName = applicationName;
 }
+
+ private String projectName = "Dependency-Check";
+
+ /**
+ * Get the value of projectName.
+ *
+ * @return the value of projectName
+ */
+ public String getProjectName() {
+ if (applicationName != null) {
+ log("Configuration 'applicationName' has been deprecated, please use 'projectName' instead", Project.MSG_WARN);
+ if ("Dependency-Check".equals(projectName)) {
+ projectName = applicationName;
+ }
+ }
+ return projectName;
+ }
+
+ /**
+ * Set the value of projectName.
+ *
+ * @param projectName new value of projectName
+ */
+ public void setProjectName(String projectName) {
+ this.projectName = projectName;
+ }
+
 /**
 * The location of the data directory that contains
 */
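Review bot: In getProjectName() the deprecated applicationName only takes effect when projectName still equals the literal default, so a build that explicitly sets projectName="Dependency-Check" together with applicationName silently gets applicationName, and the getter both logs the warning and mutates the field on every call. Tracking whether setProjectName was called (a null default resolved in the getter) would make the precedence explicit and log once: `return projectName != null ? projectName : applicationName != null ? applicationName : "Dependency-Check";`. The @Deprecated members also lack a Javadoc `@deprecated` tag; add `@deprecated use {@link #setProjectName(String)} instead` so the replacement shows up in generated docs. Note that getApplicationName() now returns null where it used to return "Dependency-Check", which any caller of the deprecated getter will observe. The field is private and hard-coded twice here; a single constant for the default name would avoid the two literals drifting.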
@@ -279,8 +309,7 @@ public class DependencyCheckTask extends Task {
 }
 
 /**
- * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
- * Site plugin unless the externalReport is set to true. Default is HTML.
+ * The report format to be generated (HTML, XML, VULN, ALL). Default is HTML.
 */
 private String reportFormat = "HTML";
 
@@ -576,6 +605,29 @@ public class DependencyCheckTask extends Task {
 this.centralAnalyzerEnabled = centralAnalyzerEnabled;
 }
 
+ /**
+ * Whether or not the local copy of the NVD should be purged.
+ */
+ private boolean purge = false;
+
+ /**
+ * Used to determine if the local copy of the NVD should be purged.
+ *
+ * @return true if the local copy of the NVD should be purged
+ */
+ public boolean isPurge() {
+ return purge;
+ }
+
+ /**
+ * Set whether or not the local copy of the NVD should be purged.
+ *
+ * @param purge setting to true will cause the local copy of the NVD to be deleted.
+ */
+ public void setPurge(boolean purge) {
+ this.purge = purge;
+ }
+
 /**
 * Whether or not the nexus analyzer is enabled.
 */
@@ -900,7 +952,23 @@ public class DependencyCheckTask extends Task {
 dealWithReferences();
 validateConfiguration();
 populateSettings();
-
+ if (purge) {
+ File db;
+ try {
+ db = new File(Settings.getDataDirectory(), "dc.h2.db");
+ if (db.exists()) {
+ if (db.delete()) {
+ log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
+ } else {
+ log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR);
+ }
+ } else {
+ log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR);
+ }
+ } catch (IOException ex) {
+ log("Unable to delete the database", Project.MSG_ERR);
+ }
+ }
 Engine engine = null;
 try {
 engine = new Engine(DependencyCheckTask.class.getClassLoader());
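Review bot: The purge block added to execute() (hunk @@ -900) drops the caught exception: the `catch (IOException ex)` logs a fixed message and never records why Settings.getDataDirectory() failed, so a bad dataDirectory configuration is undiagnosable from the build log; use the Task overload that takes the throwable, `log("Unable to delete the database", ex, Project.MSG_ERR);`. Unlike the CLI and Maven variants in this commit, this path does not check whether a non-default connectionString is configured before deleting the H2 file, so the Ant task would purge the default file while the scan that follows runs against a different database; the same guard the other two use belongs here. The literal `"dc.h2.db"` is now duplicated in three modules (here, App.java and PurgeMojo); a single shared constant in core would keep them from drifting when the database file name changes. Whether deleting only the `.h2.db` file is sufficient for H2 (trace or lock files may remain in the data directory) is not visible here and is worth confirming. The enclosing execute() method starts and ends outside the hunk.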
@@ -933,7 +1001,7 @@ public class DependencyCheckTask extends Task {
 cve.close();
 }
 }
- final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
+ final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
 reporter.generateReports(reportOutputDirectory, reportFormat);
 
 if (this.failBuildOnCVSS <= 10) {
diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md
index 7534f128c..ab4e4d169 100644
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -8,7 +8,7 @@ the project's dependencies. ```xml -
@@ -27,7 +27,7 @@ Property | Description | Default Value
 ----------------------|------------------------------------|------------------
 autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
 updateOnly | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
-externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
+projectName | The name of the project being scanned. | Dependency-Check
 reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
 failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
 reportFormat | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
@@ -76,3 +76,4 @@ databaseDriverPath | The path to the database driver JAR file; only used if th
 connectionString | The connection string used to connect to the database. |  
 databaseUser | The username used when connecting to the database. |  
 databasePassword | The password used when connecting to the database. |  
+purge | Delete the local copy of the NVD. This is used to force a refresh of the data. |  
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index 274f2fb55..e810342bd 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -38,6 +38,7 @@ import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import ch.qos.logback.core.FileAppender;
+import java.util.logging.Level;
 import org.slf4j.impl.StaticLoggerBinder;
 
 /**
@@ -91,7 +92,28 @@ public class App {
 prepareLogger(cli.getVerboseLog());
 }
 
- if (cli.isGetVersion()) {
+ if (cli.isPurge()) {
+ if (cli.getConnectionString() != null) {
+ LOGGER.error("Unable to purge the database when using a non-default connection string");
+ } else {
+ populateSettings(cli);
+ File db;
+ try {
+ db = new File(Settings.getDataDirectory(), "dc.h2.db");
+ if (db.exists()) {
+ if (db.delete()) {
+ LOGGER.info("Database file purged; local copy of the NVD has been removed");
+ } else {
+ LOGGER.error("Unable to delete '{}'; please delete the file manually", db.getAbsolutePath());
+ }
+ } else {
+ LOGGER.error("Unable to purge database; the database file does not exists: {}", db.getAbsolutePath());
+ }
+ } catch (IOException ex) {
+ LOGGER.error("Unable to delete the database");
+ }
+ }
+ } else if (cli.isGetVersion()) {
 cli.printVersionInfo();
 } else if (cli.isUpdateOnly()) {
 populateSettings(cli);
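Review bot: The `import java.util.logging.Level;` added to App.java (hunk @@ -38) is not used by any line in this commit — the file logs through SLF4J — and the same unused import is added to CliParser in the next hunk; both should be dropped before a linter or the build flags them. In the purge branch (hunk @@ -91) the `catch (IOException ex)` discards the cause; SLF4J accepts a trailing throwable, so `LOGGER.error("Unable to delete the database", ex);` keeps the diagnostic without changing the message. Because purge is the first arm of the else-if chain, `--purge` combined with `--scan` or `--updateonly` silently ignores the other options; a short message saying so, or processing purge before continuing, would avoid surprising users. The connection-string guard here tests `!= null` while PurgeMojo in this commit also treats an empty string as default; pick one rule so the three front ends agree. The enclosing main method starts and ends outside the hunk.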
@@ -99,7 +121,7 @@ public class App {
 } else if (cli.isRunScan()) {
 populateSettings(cli);
 try {
- runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(),
+ runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), cli.getScanFiles(),
 cli.getExcludeList(), cli.getSymLinkDepth());
 } catch (InvalidScanPathException ex) {
 LOGGER.error("An invalid scan path was detected; unable to scan '//*' paths");
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index 18d7454e8..07adadf28 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -19,6 +19,7 @@ package org.owasp.dependencycheck;
 
 import java.io.File;
 import java.io.FileNotFoundException;
+import java.util.logging.Level;
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
@@ -97,8 +98,8 @@ public final class CliParser {
 if (getPathToMono() != null) {
 validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO);
 }
- if (!line.hasOption(ARGUMENT.APP_NAME)) {
- throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
+ if (!line.hasOption(ARGUMENT.APP_NAME) && !line.hasOption(ARGUMENT.PROJECT)) {
+ throw new ParseException("Missing '" + ARGUMENT.PROJECT + "' argument; the scan cannot be run without the an project name.");
 }
 if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
 final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT);
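Review bot: The rewritten ParseException message in CliParser (hunk @@ -97) carries the old typo forward and adds a new one ("without the an project name"); since the text is user-facing, change it to `throw new ParseException("Missing '" + ARGUMENT.PROJECT + "' argument; the scan cannot be run without a project name.");`. The check accepts either the deprecated `--app` or `--project`, which is right for compatibility, but nothing here says which wins when both are supplied; getProjectName() later prefers `--project`, and a one-line comment above the condition stating that would save the next reader a lookup. The `import java.util.logging.Level;` in hunk @@ -19 is unused in the visible code.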
@@ -217,9 +218,9 @@ public final class CliParser {
 final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE, false,
 "Disables the automatic updating of the CPE data.");
 
- final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
- .withDescription("The name of the application being scanned. This is a required argument.")
- .create(ARGUMENT.APP_NAME_SHORT);
+ final Option projectName = OptionBuilder.hasArg().withArgName("name").withLongOpt(ARGUMENT.PROJECT)
+ .withDescription("The name of the project being scanned. This is a required argument.")
+ .create();
 
 final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
 .withDescription("The path to scan - this option can be specified multiple times. Ant style"
@@ -229,7 +230,7 @@ public final class CliParser {
 final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE)
 .withDescription("Specify and exclusion pattern. This option can be specified multiple times"
 + " and it accepts Ant style excludsions.")
- .create();
+ .create("p");
 
 final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
 .withDescription("A property file to load.")
@@ -265,9 +266,9 @@ public final class CliParser {
 
 options.addOptionGroup(og)
 .addOptionGroup(exog)
+ .addOption(projectName)
 .addOption(out)
 .addOption(outputFormat)
- .addOption(appName)
 .addOption(version)
 .addOption(help)
 .addOption(advancedHelp)
@@ -398,6 +399,10 @@ public final class CliParser {
 final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
 .withDescription("Disable the Nexus Analyzer.").create();
 
+ final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PURGE_NVD)
+ .withDescription("Purges the local NVD data cache")
+ .create();
+
 options.addOption(updateOnly)
 .addOption(cve12Base)
 .addOption(cve20Base)
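Review bot: In hunk @@ -229 the `--exclude` option changes from `.create()` to `.create("p")`, which gives the exclusion pattern a short alias `-p` while the new `--project` option in hunk @@ -217 is created with no short name; the placement looks swapped, and the arguments.md table in this commit documents neither a short form for `--exclude` nor one for `--project`. Either restore `.create();` on excludes and, if a short alias for the project name is wanted, move it to `.create("p")` on projectName, or update the documentation to match whichever is intended. The new purge option (hunk @@ -398) is fine as written; its description could mention that it deletes the local database file so `--help` output matches the site documentation.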
@@ -435,7 +440,8 @@ public final class CliParser {
 .addOption(nexusUsesProxy)
 .addOption(additionalZipExtensions)
 .addOption(pathToMono)
- .addOption(pathToBundleAudit);
+ .addOption(pathToBundleAudit)
+ .addOption(purge);
 }
 
 /**
@@ -451,8 +457,12 @@ public final class CliParser {
 final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
 .withDescription("The proxy url argument is deprecated, use proxyserver instead.")
 .create();
+ final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
+ .withDescription("The name of the project being scanned.")
+ .create(ARGUMENT.APP_NAME_SHORT);
 
 options.addOption(proxyServer);
+ options.addOption(appName);
 }
 
 /**
@@ -741,8 +751,14 @@ public final class CliParser {
 *
 * @return the application name.
 */
- public String getApplicationName() {
- return line.getOptionValue(ARGUMENT.APP_NAME);
+ public String getProjectName() {
+ String appName = line.getOptionValue(ARGUMENT.APP_NAME);
+ String name = line.getOptionValue(ARGUMENT.PROJECT);
+ if (name == null && appName != null) {
+ name = appName;
+ LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' argument should no longer be used; use '" + ARGUMENT.PROJECT + "' instead.");
+ }
+ return name;
 }
 
 /**
@@ -894,7 +910,7 @@ public final class CliParser {
 * @return true if auto-update is allowed; otherwise false
 */
 public boolean isAutoUpdate() {
- return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
+ return line != null && !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
 }
 
 /**
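Review bot: The change to isAutoUpdate() (hunk @@ -894) flips the result for `line == null` from true to false, so any caller that asks before parse() has run now sees updates disabled instead of enabled; that is a behaviour change rather than the null-safety tidy-up the sibling isUpdateOnly() change is, and the Javadoc above it should say that the answer is false until a command line has been parsed if that is intended. In getProjectName() (hunk @@ -741) the warning is built by string concatenation while the rest of the file uses SLF4J placeholders; `LOGGER.warn("The '{}' argument should no longer be used; use '{}' instead.", ARGUMENT.APP_NAME, ARGUMENT.PROJECT);` keeps the style consistent. The Javadoc retained above getProjectName() still says `@return the application name.` and should read `@return the project name; the deprecated application name is used as a fallback`. The deprecated `--app` option (hunk @@ -451) keeps its description "The name of the project being scanned." without saying it is deprecated, unlike the proxy url option next to it.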
@@ -903,7 +919,16 @@ public final class CliParser {
 * @return true if the update only flag has been set; otherwise false.
 */
 public boolean isUpdateOnly() {
- return (line == null) || line.hasOption(ARGUMENT.UPDATE_ONLY);
+ return line != null && line.hasOption(ARGUMENT.UPDATE_ONLY);
+ }
+
+ /**
+ * Checks if the purge NVD flag has been set.
+ *
+ * @return true if the purge nvd flag has been set; otherwise false.
+ */
+ public boolean isPurge() {
+ return line != null && line.hasOption(ARGUMENT.PURGE_NVD);
 }
 
 /**
@@ -985,6 +1010,10 @@ public final class CliParser {
 * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
 */
 public static final String UPDATE_ONLY = "updateonly";
+ /**
+ * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+ */
+ public static final String PURGE_NVD = "purge";
 /**
 * The long CLI argument name specifying the directory to write the reports to.
 */
@@ -1001,13 +1030,19 @@ public final class CliParser {
 * The short CLI argument name specifying the output format to write the reports to.
 */
 public static final String OUTPUT_FORMAT_SHORT = "f";
+ /**
+ * The long CLI argument name specifying the name of the project to be scanned.
+ */
+ public static final String PROJECT = "project";
 /**
 * The long CLI argument name specifying the name of the application to be scanned.
 */
+ @Deprecated
 public static final String APP_NAME = "app";
 /**
 * The short CLI argument name specifying the name of the application to be scanned.
 */
+ @Deprecated
 public static final String APP_NAME_SHORT = "a";
 /**
 * The long CLI argument name asking for help.
diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md
index 0953f85f3..1e6a5a461 100644
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
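Review bot: The Javadoc on the new PURGE_NVD constant (hunk @@ -985) is a copy of the UPDATE_ONLY comment and describes the wrong flag; replace it with `The long CLI argument name specifying that the local copy of the NVD data should be purged.`. The `@Deprecated` annotations on APP_NAME and APP_NAME_SHORT (hunk @@ -1001) have no matching `@deprecated` Javadoc tag; add `@deprecated use {@link #PROJECT} instead` to each so the replacement is visible in generated docs and IDE hints. The isUpdateOnly() fix in hunk @@ -903 is correct — the old expression returned true whenever no command line had been parsed.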
@@ -5,7 +5,7 @@ The following table lists the command line arguments:
 
 Short | Argument Name   | Parameter | Description | Requirement
 -------|-----------------------|-----------------|-------------|------------
- \-a | \-\-app | \ | The name of the application being scanned. This is a required argument. | Required
+ | \-\-project | \ | The name of the project being scanned. | Required
 \-s | \-\-scan | \ | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. directory/**/*.jar). | Required
 | \-\-exclude | \ | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**). | Optional
 | \-\-symLink | \ | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional
@@ -58,3 +58,4 @@ Short | Argument Name        | Paramete
 | \-\-dbPassword | \ | The password for connecting to the database. |  
 | \-\-dbUser | \ | The username used to connect to the database. |  
 \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. |  
+ | \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. |  
\ No newline at end of file
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
index cf955bc27..f44d4b0d9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
@@ -24,8 +24,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This
- * class was created to simplify the velocity configuration and avoid using the "built-in" escape tool.
+ * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This class was
+ * created to simplify the velocity configuration and avoid using the "built-in" escape tool.
 *
 * @author Jeremy Long
 */
@@ -43,6 +43,9 @@ public class EscapeTool {
 * @return the URL encoded text
 */
 public String url(String text) {
+ if (text == null || text.isEmpty()) {
+ return text;
+ }
 try {
 return URLEncoder.encode(text, "UTF-8");
 } catch (UnsupportedEncodingException ex) {
@@ -59,6 +62,9 @@ public class EscapeTool {
 * @return the HTML encoded text
 */
 public String html(String text) {
+ if (text == null || text.isEmpty()) {
+ return text;
+ }
 return StringEscapeUtils.escapeHtml(text);
 }
 
@@ -69,6 +75,9 @@ public class EscapeTool {
 * @return the XML encoded text
 */
 public String xml(String text) {
+ if (text == null || text.isEmpty()) {
+ return text;
+ }
 return StringEscapeUtils.escapeXml(text);
 }
 }
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
index 38ecf9f81..82697e6d5 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
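Review bot: The three new null/empty guards in url(), html() and xml() (hunks @@ -43, @@ -59, @@ -69) change the documented contract but the Javadoc above each still promises encoded text; update each `@return` to `the URL encoded text, or the input unchanged when it is null or empty` (and likewise for HTML and XML). Because these helpers are what the Velocity report templates rely on to neutralise dependency metadata, it is worth documenting on html() that `StringEscapeUtils.escapeHtml` (the commons-lang 2 variant, judging by the method name) does not escape the apostrophe, so its output is only safe in text content and double-quoted attributes; a one-line `NOTE:` in the Javadoc would steer template authors away from single-quoted attributes. The untouched `URLEncoder.encode(text, "UTF-8")` is fine; if the project ever moves to Java 10+, `StandardCharsets.UTF_8` removes the checked exception branch.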
@@ -119,6 +119,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
 //we shouldn't write this because nothing is configured to generate this report.
 outputDir = new File(current.getBuild().getDirectory());
 }
+ getLog().warn("\n\n\nwritting: " + outputDir);
+ getLog().warn("for: " + current.getName());
 writeReports(engine, current, outputDir);
 }
 }
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index ef223cd92..82ccaf15a 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -233,6 +233,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 */
 @Parameter(property = "connectionString", defaultValue = "", required = false)
 private String connectionString;
+
+ /**
+ * Returns the connection string.
+ *
+ * @return the connection string
+ */
+ protected String getConnectionString() {
+ return connectionString;
+ }
 /**
 * The database driver name. An example would be org.h2.Driver.
 */
@@ -594,7 +603,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
 * required to change the proxy url, port, and connection timeout.
 */
- private void populateSettings() {
+ protected void populateSettings() {
 Settings.initialize();
 InputStream mojoProperties = null;
 try {
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java
new file mode 100644
index 000000000..d9f766498
--- /dev/null
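Review bot: The two `getLog().warn(...)` calls added to AggregateMojo look like leftover debugging — WARN level, three leading newlines and the misspelling "writting" — and they will print on every aggregated module in normal builds; either remove them or replace both with `getLog().debug("writing report for " + current.getName() + " to " + outputDir);`. The enclosing method starts outside the hunk.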
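Review bot: In BaseDependencyCheckMojo (hunk @@ -233) the new getConnectionString() accessor is inserted between the connectionString field and the Javadoc of the next field, so the following field's comment no longer sits directly under its own section; either move the getter after the field declarations or add a blank line before the next `/**` so the two do not read as one unit. The `@Parameter` has `defaultValue = ""`, and PurgeMojo in this commit checks both null and empty, which is the right defensive reading since whether Maven injects "" or null for an unset parameter is not visible here; the getter Javadoc could say `@return the connection string; null or empty when the default database is used`. Widening populateSettings() to protected (hunk @@ -603) hands subclasses a Settings.initialize() call, so its Javadoc should state that callers are responsible for the matching Settings.cleanup(), as PurgeMojo does.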
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java 
@@ -0,0 +1,107 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.maven;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Locale;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.ResolutionScope;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Maven Plugin that purges the local copy of the NVD data.
+ *
+ * @author Jeremy Long
+ */
+@Mojo(
+ name = "purge",
+ defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
+ threadSafe = true,
+ requiresDependencyResolution = ResolutionScope.NONE,
+ requiresOnline = true
+)
+public class PurgeMojo extends BaseDependencyCheckMojo {
+
+ /**
+ * Returns false; this mojo cannot generate a report.
+ *
+ * @return false
+ */
+ @Override
+ public boolean canGenerateReport() {
+ return false;
+ }
+
+ /**
+ * Purges the local copy of the NVD.
+ *
+ * @throws MojoExecutionException thrown if there is an exception executing the goal
+ * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+ */
+ @Override
+ public void runCheck() throws MojoExecutionException, MojoFailureException {
+
+ if (getConnectionString() != null && !getConnectionString().isEmpty()) {
+ getLog().error("Unable to purge the local NVD when using a non-default connection string");
+ } else {
+ populateSettings();
+ File db;
+ try {
+ db = new File(Settings.getDataDirectory(), "dc.h2.db");
+ if (db.exists()) {
+ if (db.delete()) {
+ getLog().info("Database file purged; local copy of the NVD has been removed");
+ } else {
+ getLog().error(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()));
+ }
+ } else {
+ getLog().error(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()));
+ }
+ } catch (IOException ex) {
+ getLog().error("Unable to delete the database");
+ }
+ Settings.cleanup();
+ }
+ }
+
+ /**
+ * Returns the report name.
+ *
+ * @param locale the location
+ * @return the report name
+ */
+ public String getName(Locale locale) {
+ return "dependency-check-purge";
+ }
+
+ /**
+ * Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
+ *
+ * @param locale The Locale to get the description for
+ * @return the description
+ */
+ public String getDescription(Locale locale) {
+ return "Purges the local cache of the NVD dataT.";
+ }
+
+}
diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md
index afe2e9e99..7bc6afcd7 100644
--- a/dependency-check-maven/src/site/markdown/configuration.md
+++ b/dependency-check-maven/src/site/markdown/configuration.md
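Review bot: In PurgeMojo.runCheck() the `catch (IOException ex)` discards the cause that explains why the data directory could not be resolved; Maven's Log takes a throwable, so `getLog().error("Unable to delete the database", ex);` keeps the message and preserves the diagnostic. The `import org.owasp.dependencycheck.data.nvdcve.DatabaseException;` is not referenced anywhere in the file and should go, and the user-visible description has a stray character: `return "Purges the local cache of the NVD data.";`. getName(Locale) and getDescription(Locale) carry no `@Override` although the base class header in the earlier hunk shows it implements an interface that appears to declare them; adding the annotation lets the compiler catch a signature drift. `requiresOnline = true` on a goal whose only action is deleting a local file looks unnecessary and would block the purge in offline builds — worth confirming. The hard-coded `"dc.h2.db"` here repeats the literal in the Ant task and App.java from this same commit; a shared constant in core would keep all three in step.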
@@ -6,6 +6,7 @@ Goal | Description
 aggregate | Runs dependency-check against the child projects and aggregates the results into a single report.
 check | Runs dependency-check against the project and generates a report.
 update-only | Updates the local cache of the NVD data from NIST.
+purge | Deletes the local copy of the NVD. This is used to force a refresh of the data.
 
 Configuration
 ====================
@@ -49,13 +50,13 @@ Advanced Configuration The following properties can be configured in the plugin. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. -Property | Description | Default Value ----------------------|--------------------------------------------------------------------------|------------------ -cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml -cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml -cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml -cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml -connectionTimeout | Sets the URL Connection Timeout used when downloading external data. |   +Property | Description | Default Value +---------------------|---------------------------------------------------------------------------------------------|------------------ +cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml +cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml +cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml +connectionTimeout | Sets the URL Connection Timeout used when downloading external data. |   dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. |   databaseDriverName | The name of the database driver. Example: org.h2.Driver. 
|   databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   diff --git a/src/site/markdown/analyzers/autoconf-analyzer.md b/src/site/markdown/analyzers/autoconf.md similarity index 100% rename from src/site/markdown/analyzers/autoconf-analyzer.md rename to src/site/markdown/analyzers/autoconf.md diff --git a/src/site/markdown/analyzers/cmake.md b/src/site/markdown/analyzers/cmake.md new file mode 100644 index 000000000..2cc0a1889 --- /dev/null +++ b/src/site/markdown/analyzers/cmake.md @@ -0,0 +1,11 @@ +CMake Analyzer +============== + +OWASP dependency-check includes an analyzer that will scan CMake project +configuration files. The analyzer will collect as much information it can +about the project. The information collected is internally referred to as +evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +File names scanned: CMakeLists.txt, \*.cmake diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 298c2cd22..b2384f102 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md 
@@ -5,12 +5,15 @@ to extract identification information from the files analyzed. | Analyzer | File Types Scanned | Analysis Method | | -------- | ------------------ | --------------- | -| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. | -| [Assembly Analyzer](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. | -| [Autoconf Analyzer](./autoconf-analyzer.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. | -| [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | -| [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | -| [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. | -| [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. | -| [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. 
| -| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | +| [Archive](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. | +| [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. | +| [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. | +| [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | +| [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. | +| [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | +| [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . | +| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. | +| [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. 
| +| [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. | +| [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | +| [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. | \ No newline at end of file diff --git a/src/site/markdown/analyzers/nodejs.md b/src/site/markdown/analyzers/nodejs.md new file mode 100644 index 000000000..103a0354f --- /dev/null +++ b/src/site/markdown/analyzers/nodejs.md @@ -0,0 +1,14 @@ +Node.js Analyzer +================ + +OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/) +package specification files. The analyzer will collect as much information as +it can about the package. The information collected is internally referred to +as evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +__Note:__ Also consider using the Node Security Project auditing tool, +[nsp](https://nodesecurity.io/tools). + +Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json) diff --git a/src/site/markdown/analyzers/openssl-analyzer.md b/src/site/markdown/analyzers/openssl.md similarity index 100% rename from src/site/markdown/analyzers/openssl-analyzer.md rename to src/site/markdown/analyzers/openssl.md diff --git a/src/site/markdown/analyzers/python-analyzer.md b/src/site/markdown/analyzers/python-analyzer.md deleted file mode 100644 index af77720aa..000000000 --- a/src/site/markdown/analyzers/python-analyzer.md +++ /dev/null 
@@ -1,10 +0,0 @@
-Python Analyzer
-==============
-
-OWASP dependency-check includes an analyzer that will scan Python artifacts. The
-analyzer(s) will collect as much information it can about the python artifacts.
-The information collected is internally referred to as evidence and is grouped into
-vendor, product, and version buckets. Other analyzers later use this evidence to
-identify any Common Platform Enumeration (CPE) identifiers that apply.
-
-Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA
diff --git a/src/site/markdown/analyzers/python.md b/src/site/markdown/analyzers/python.md
new file mode 100644
index 000000000..7ad7eeee8
--- /dev/null
+++ b/src/site/markdown/analyzers/python.md
@@ -0,0 +1,11 @@
+Python Analyzer
+==============
+
+OWASP dependency-check includes an analyzer that will scan Python artifacts.
+The analyzer(s) will collect as much information it can about the Python
+artifacts. The information collected is internally referred to as evidence and
+is grouped into vendor, product, and version buckets. Other analyzers later
+use this evidence to identify any Common Platform Enumeration (CPE)
+identifiers that apply.
+
+Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA
\ No newline at end of file
diff --git a/src/site/markdown/analyzers/ruby-gemspec.md b/src/site/markdown/analyzers/ruby-gemspec.md
new file mode 100644
index 000000000..ece5d3bb8
--- /dev/null
+++ b/src/site/markdown/analyzers/ruby-gemspec.md
@@ -0,0 +1,15 @@
+Ruby Gemspec Analyzer
+=====================
+
+OWASP dependency-check includes an analyzer that will scan [Ruby Gem](https://rubygems.org/)
+[specifications](http://guides.rubygems.org/specification-reference/). The
+analyzer will collect as much information as it can about the Gem. The
+information collected is internally referred to as evidence and is grouped
+into vendor, product, and version buckets. Other analyzers later use this
+evidence to identify any Common Platform Enumeration (CPE) identifiers that
+apply.
+
+__Note:__ Also consider using the Ruby
+[bundler-audit](https://github.com/rubysec/bundler-audit#readme) tool.
+
+Files Types Scanned: Rakefile, \*.gemspec
\ No newline at end of file
diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md
index b5e4caaaf..ac5e186e8 100644
--- a/src/site/markdown/index.md
+++ b/src/site/markdown/index.md
@@ -2,11 +2,12 @@ About ==================== OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). -Dependency-check can currently be used to scan Java, .NET, and Python -applications (and their dependent libraries) to identify known vulnerable -components. In addition, Dependency-check can be used to scan some source -code, including OpenSSL source code and source code for projects that use -Autoconf. +Dependency-check can currently be used to scan Java, .NET, Python, Ruby and +Node.js applications (and their dependent libraries) to identify known +vulnerable components. In addition, Dependency-check can be used to scan some +source code, including OpenSSL source code and source code for projects that +use [Autoconf](https://www.gnu.org/software/autoconf/) or +[CMake](http://www.cmake.org/overview/). The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of diff --git a/src/site/site.xml b/src/site/site.xml index 314bf2cbf..0ee832dae 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -113,26 +113,35 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Assembly Analyzer - + Autoconf Analyzer Central Analyzer + + CMake Analyzer + Jar Analyzer Nexus Analyzer + + Node.js Analyzer + Nuspec Analyzer - + + OpenSSL Analyzer + + Python Analyzer - - OpenSSL Analyzer + + Ruby Gemspec Analyzer