From 61ac81518abcd1424b2adfa237887e3c84eb1ee0 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 12:27:38 -0400 Subject: [PATCH 01/13] Docs: Added Ruby and Node.js to landing page. Added table row for Node.js in Analyzers list. --- src/site/markdown/analyzers/index.md | 1 + src/site/markdown/index.md | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 298c2cd22..45d4a4c14 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md @@ -11,6 +11,7 @@ to extract identification information from the files analyzed. | [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | | [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | | [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. | +| [Node.js Package Analyzer](./nodejs-analyzer.html) | NPM package specification files (package.json) | Parse JSON format for metadata. | | [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. | | [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. | | [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | 
diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index b5e4caaaf..d730d711a 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -2,11 +2,11 @@ About ==================== OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). -Dependency-check can currently be used to scan Java, .NET, and Python -applications (and their dependent libraries) to identify known vulnerable -components. In addition, Dependency-check can be used to scan some source -code, including OpenSSL source code and source code for projects that use -Autoconf. +Dependency-check can currently be used to scan Java, .NET, Python, Ruby and +Node.js applications (and their dependent libraries) to identify known +vulnerable components. In addition, Dependency-check can be used to scan some +source code, including OpenSSL source code and source code for projects that +use Autoconf. The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of From 4a3061db6dda112daab1988bc4b06e87cfed0705 Mon Sep 17 00:00:00 2001 
From: Dale Visser Date: Wed, 26 Aug 2015 13:54:15 -0400 Subject: [PATCH 02/13] Docs: Added CMake to landing page, and links to Autoconf and CMake. Added missing analyzers to analyzers list. Shortened my analyzer URLs, though not all in site index yet. --- .../{autoconf-analyzer.md => autoconf.md} | 0 src/site/markdown/analyzers/index.md | 22 ++++++++++--------- .../{openssl-analyzer.md => openssl.md} | 0 .../{python-analyzer.md => python.md} | 0 src/site/markdown/index.md | 3 ++- src/site/site.xml | 2 +- 6 files changed, 15 insertions(+), 12 deletions(-) rename src/site/markdown/analyzers/{autoconf-analyzer.md => autoconf.md} (100%) rename src/site/markdown/analyzers/{openssl-analyzer.md => openssl.md} (100%) rename src/site/markdown/analyzers/{python-analyzer.md => python.md} (100%) diff --git a/src/site/markdown/analyzers/autoconf-analyzer.md b/src/site/markdown/analyzers/autoconf.md similarity index 100% rename from src/site/markdown/analyzers/autoconf-analyzer.md rename to src/site/markdown/analyzers/autoconf.md diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 45d4a4c14..b2384f102 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md 
@@ -5,13 +5,15 @@ to extract identification information from the files analyzed. | Analyzer | File Types Scanned | Analysis Method | | -------- | ------------------ | --------------- | -| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. | -| [Assembly Analyzer](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. | -| [Autoconf Analyzer](./autoconf-analyzer.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. | -| [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | -| [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | -| [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. | -| [Node.js Package Analyzer](./nodejs-analyzer.html) | NPM package specification files (package.json) | Parse JSON format for metadata. | -| [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. | -| [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. 
| -| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | +| [Archive](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. | +| [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. | +| [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. | +| [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | +| [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. | +| [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | +| [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . | +| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. | +| [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. 
| +| [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. | +| [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | +| [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. | \ No newline at end of file diff --git a/src/site/markdown/analyzers/openssl-analyzer.md b/src/site/markdown/analyzers/openssl.md similarity index 100% rename from src/site/markdown/analyzers/openssl-analyzer.md rename to src/site/markdown/analyzers/openssl.md diff --git a/src/site/markdown/analyzers/python-analyzer.md b/src/site/markdown/analyzers/python.md similarity index 100% rename from src/site/markdown/analyzers/python-analyzer.md rename to src/site/markdown/analyzers/python.md diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index d730d711a..ac5e186e8 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -6,7 +6,8 @@ Dependency-check can currently be used to scan Java, .NET, Python, Ruby and Node.js applications (and their dependent libraries) to identify known vulnerable components. In addition, Dependency-check can be used to scan some source code, including OpenSSL source code and source code for projects that -use Autoconf. +use [Autoconf](https://www.gnu.org/software/autoconf/) or +[CMake](http://www.cmake.org/overview/). The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of diff --git a/src/site/site.xml b/src/site/site.xml index 314bf2cbf..9a1e84a98 100644 --- a/src/site/site.xml +++ b/src/site/site.xml 
@@ -113,7 +113,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Assembly Analyzer - + Autoconf Analyzer From 6ca8e2644a3d6cf11e775fed56e1845218a4fa10 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 13:59:28 -0400 Subject: [PATCH 03/13] Docs: Fixed sidebar links to OpenSSL and Python analyzer pages. --- src/site/site.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/site/site.xml b/src/site/site.xml index 9a1e84a98..d01be7572 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -128,12 +128,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Nuspec Analyzer - - Python Analyzer - - + OpenSSL Analyzer + + Python Analyzer + From 0fdf377d45a89c915199c7618ab759f3c37aeb5e Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 14:11:30 -0400 Subject: [PATCH 04/13] Docs: Added CMake analyzer page. --- src/site/markdown/analyzers/cmake.md | 11 +++++++++++ src/site/site.xml | 3 +++ 2 files changed, 14 insertions(+) create mode 100644 src/site/markdown/analyzers/cmake.md diff --git a/src/site/markdown/analyzers/cmake.md b/src/site/markdown/analyzers/cmake.md new file mode 100644 index 000000000..2cc0a1889 --- /dev/null +++ b/src/site/markdown/analyzers/cmake.md @@ -0,0 +1,11 @@ +CMake Analyzer +============== + +OWASP dependency-check includes an analyzer that will scan CMake project +configuration files. The analyzer will collect as much information it can +about the project. The information collected is internally referred to as +evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +File names scanned: CMakeLists.txt, \*.cmake diff --git a/src/site/site.xml b/src/site/site.xml index d01be7572..bde648d43 100644 --- a/src/site/site.xml +++ b/src/site/site.xml 
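Review bot: in the analyzers/index.md hunk of PATCH 02, the rewritten Nexus row ends with "superceded by Central ." (a stray space before the period, and "superceded" should be "superseded"); suggest "In most cases, superseded by the Central analyzer." The same hunk also leaves the file without a trailing newline ("\ No newline at end of file"), which will show up as a spurious last-line change in the next edit.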
@@ -119,6 +119,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Central Analyzer + + CMake Analyzer + Jar Analyzer From 62c05049a7c4a50dd05f6a945dbd659afc43cb23 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 14:25:32 -0400 Subject: [PATCH 05/13] Docs: Added node.js page, fixed typos in Python page. --- src/site/markdown/analyzers/nodejs.md | 14 ++++++++++++++ src/site/markdown/analyzers/python.md | 13 +++++++------ src/site/site.xml | 3 +++ 3 files changed, 24 insertions(+), 6 deletions(-) create mode 100644 src/site/markdown/analyzers/nodejs.md diff --git a/src/site/markdown/analyzers/nodejs.md b/src/site/markdown/analyzers/nodejs.md new file mode 100644 index 000000000..e987d7541 --- /dev/null +++ b/src/site/markdown/analyzers/nodejs.md @@ -0,0 +1,14 @@ +Node.js Analyzer +================ + +OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/) +package specification files. The analyzer(s) will collect as much information +it can about the package. The information collected is internally referred to +as evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +__Note:__ Also consider using the Node Security Project auditing tool, +[nsp](https://nodesecurity.io/tools). + +Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json) diff --git a/src/site/markdown/analyzers/python.md b/src/site/markdown/analyzers/python.md index af77720aa..7ad7eeee8 100644 --- a/src/site/markdown/analyzers/python.md +++ b/src/site/markdown/analyzers/python.md 
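Review bot: the new cmake.md in PATCH 04 is missing "as" in "will collect as much information it can about the project" (should read "as much information as it can"), and its trailer "File names scanned:" differs from the "Files Types Scanned:" label used by the sibling analyzer pages; pick one wording for all of them.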
@@ -1,10 +1,11 @@ Python Analyzer ============== -OWASP dependency-check includes an analyzer that will scan Python artifacts. The -analyzer(s) will collect as much information it can about the python artifacts. -The information collected is internally referred to as evidence and is grouped into -vendor, product, and version buckets. Other analyzers later use this evidence to -identify any Common Platform Enumeration (CPE) identifiers that apply. +OWASP dependency-check includes an analyzer that will scan Python artifacts. +The analyzer(s) will collect as much information it can about the Python +artifacts. The information collected is internally referred to as evidence and +is grouped into vendor, product, and version buckets. Other analyzers later +use this evidence to identify any Common Platform Enumeration (CPE) +identifiers that apply. -Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA +Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA \ No newline at end of file diff --git a/src/site/site.xml b/src/site/site.xml index bde648d43..78750b929 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -128,6 +128,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Nexus Analyzer + + Node.js Analyzer + Nuspec Analyzer From 1fffebd497d6b911337c381d6416634ecfdcf692 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 14:40:36 -0400 Subject: [PATCH 06/13] Docs: Added Ruby Gemspec analyzer page, fixed typos on Node.js page. --- src/site/markdown/analyzers/nodejs.md | 2 +- src/site/markdown/analyzers/ruby-gemspec.md | 15 +++++++++++++++ src/site/site.xml | 3 +++ 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 src/site/markdown/analyzers/ruby-gemspec.md diff --git a/src/site/markdown/analyzers/nodejs.md b/src/site/markdown/analyzers/nodejs.md index e987d7541..103a0354f 100644 --- a/src/site/markdown/analyzers/nodejs.md +++ b/src/site/markdown/analyzers/nodejs.md 
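Review bot: the python.md hunk in PATCH 05 is described as a typo fix but keeps "as much information it can" (missing "as") and "Files Types Scanned" (should be "File Types Scanned"), and the only change to the last line is dropping its trailing newline; suggest restoring the newline and fixing both phrases while the file is being touched.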
@@ -2,7 +2,7 @@ Node.js Analyzer ================ OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/) -package specification files. The analyzer(s) will collect as much information +package specification files. The analyzer will collect as much information as it can about the package. The information collected is internally referred to as evidence and is grouped into vendor, product, and version buckets. Other analyzers later use this evidence to identify any Common Platform Enumeration diff --git a/src/site/markdown/analyzers/ruby-gemspec.md b/src/site/markdown/analyzers/ruby-gemspec.md new file mode 100644 index 000000000..ece5d3bb8 --- /dev/null +++ b/src/site/markdown/analyzers/ruby-gemspec.md @@ -0,0 +1,15 @@ +Ruby Gemspec Analyzer +===================== + +OWASP dependency-check includes an analyzer that will scan [Ruby Gem](https://rubygems.org/) +[specifications](http://guides.rubygems.org/specification-reference/). The +analyzer will collect as much information as it can about the Gem. The +information collected is internally referred to as evidence and is grouped +into vendor, product, and version buckets. Other analyzers later use this +evidence to identify any Common Platform Enumeration (CPE) identifiers that +apply. + +__Note:__ Also consider using the Ruby +[bundler-audit](https://github.com/rubysec/bundler-audit#readme) tool. + +Files Types Scanned: Rakefile, \*.gemspec \ No newline at end of file diff --git a/src/site/site.xml b/src/site/site.xml index 78750b929..0ee832dae 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -140,6 +140,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Python Analyzer + + Ruby Gemspec Analyzer + From c41a2882805dd95a3707d30f3969209cda639b10 Mon Sep 17 00:00:00 2001 
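Review bot: the new ruby-gemspec.md in PATCH 06 ends without a trailing newline and uses the same "Files Types Scanned" label as the other pages; the "as much information as it can" wording here is correct, so the Node.js and Python pages should be brought in line with it rather than the other way round.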
From: Jeremy Long Date: Fri, 28 Aug 2015 05:27:00 -0400 Subject: [PATCH 07/13] added null checks --- .../owasp/dependencycheck/reporting/EscapeTool.java | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java index cf955bc27..f44d4b0d9 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java @@ -24,8 +24,8 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** - * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This - * class was created to simplify the velocity configuration and avoid using the "built-in" escape tool. + * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This class was + * created to simplify the velocity configuration and avoid using the "built-in" escape tool. * * @author Jeremy Long */ @@ -43,6 +43,9 @@ public class EscapeTool { * @return the URL encoded text */ public String url(String text) { + if (text == null || text.isEmpty()) { + return text; + } try { return URLEncoder.encode(text, "UTF-8"); } catch (UnsupportedEncodingException ex) { @@ -59,6 +62,9 @@ public class EscapeTool { * @return the HTML encoded text */ public String html(String text) { + if (text == null || text.isEmpty()) { + return text; + } return StringEscapeUtils.escapeHtml(text); } @@ -69,6 +75,9 @@ public class EscapeTool { * @return the XML encoded text */ public String xml(String text) { + if (text == null || text.isEmpty()) { + return text; + } return StringEscapeUtils.escapeXml(text); } } From 7a8f7199c863cd7eb0eca64c3470c40e501e31da Mon Sep 17 00:00:00 2001 
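Review bot: the first EscapeTool.java hunk in PATCH 07 only reflows the class Javadoc to a wider line; keep whitespace-only reformatting out of a commit titled "added null checks" so the functional change stays easy to audit.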
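Review bot: the three new guards in EscapeTool.url(), html() and xml() pass a null input straight through, but the Javadoc above each method still promises only "@return the URL encoded text" (and likewise for HTML and XML); document the contract ("or null if text is null") so template authors know a null reference is returned unescaped rather than rendered as an empty string. The empty-string short-circuit is harmless since all three encoders map "" to "".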
From: Jeremy Long Date: Sat, 29 Aug 2015 06:48:52 -0400 Subject: [PATCH 08/13] renaming app argument to project per issue #320 --- .../java/org/owasp/dependencycheck/App.java | 2 +- .../org/owasp/dependencycheck/CliParser.java | 32 ++++++++++++++----- .../dependencycheck/maven/AggregateMojo.java | 2 ++ 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index ffa1779a8..dbc557a61 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -98,7 +98,7 @@ public class App { } else if (cli.isRunScan()) { populateSettings(cli); try { - runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), + runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), cli.getScanFiles(), cli.getExcludeList(), cli.getSymLinkDepth()); } catch (InvalidScanPathException ex) { LOGGER.error("An invalid scan path was detected; unable to scan '//*' paths"); diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index b48e316c9..02cf78d31 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java 
@@ -97,8 +97,8 @@ public final class CliParser { if (getPathToMono() != null) { validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO); } - if (!line.hasOption(ARGUMENT.APP_NAME)) { - throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name."); + if (!line.hasOption(ARGUMENT.APP_NAME) && !line.hasOption(ARGUMENT.PROJECT)) { + throw new ParseException("Missing '" + ARGUMENT.PROJECT + "' argument; the scan cannot be run without the an project name."); } if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) { final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT); @@ -217,9 +217,9 @@ public final class CliParser { final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE, false, "Disables the automatic updating of the CPE data."); - final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME) - .withDescription("The name of the application being scanned. This is a required argument.") - .create(ARGUMENT.APP_NAME_SHORT); + final Option projectName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.PROJECT) + .withDescription("The name of the project being scanned. This is a required argument.") + .create(); final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN) .withDescription("The path to scan - this option can be specified multiple times. Ant style" @@ -267,7 +267,7 @@ public final class CliParser { .addOptionGroup(exog) .addOption(out) .addOption(outputFormat) - .addOption(appName) + .addOption(projectName) .addOption(version) .addOption(help) .addOption(advancedHelp) 
@@ -444,8 +444,12 @@ public final class CliParser { final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL) .withDescription("The proxy url argument is deprecated, use proxyserver instead.") .create(); + final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME) + .withDescription("The name of the project being scanned. This is a required argument.") + .create(ARGUMENT.APP_NAME_SHORT); options.addOption(proxyServer); + options.addOption(appName); } /** @@ -715,8 +719,14 @@ public final class CliParser { * * @return the application name. */ - public String getApplicationName() { - return line.getOptionValue(ARGUMENT.APP_NAME); + public String getProjectName() { + String appName = line.getOptionValue(ARGUMENT.APP_NAME); + String name = line.getOptionValue(ARGUMENT.PROJECT); + if (name == null && appName != null) { + name = appName; + LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' should no longer be used; use '" + ARGUMENT.PROJECT + "' instead."); + } + return name; } /** @@ -975,13 +985,19 @@ public final class CliParser { * The short CLI argument name specifying the output format to write the reports to. */ public static final String OUTPUT_FORMAT_SHORT = "f"; + /** + * The long CLI argument name specifying the name of the project to be scanned. + */ + public static final String PROJECT = "project"; /** * The long CLI argument name specifying the name of the application to be scanned. */ + @Deprecated public static final String APP_NAME = "app"; /** * The short CLI argument name specifying the name of the application to be scanned. */ + @Deprecated public static final String APP_NAME_SHORT = "a"; /** * The long CLI argument name asking for help. diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java index 38ecf9f81..82697e6d5 100644 
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java @@ -119,6 +119,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo { //we shouldn't write this because nothing is configured to generate this report. outputDir = new File(current.getBuild().getDirectory()); } + getLog().warn("\n\n\nwritting: " + outputDir); + getLog().warn("for: " + current.getName()); writeReports(engine, current, outputDir); } } From 8bb92815cbd0ec6ff713975def6eaeed0a938e70 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 29 Aug 2015 06:58:13 -0400 Subject: [PATCH 09/13] added argument to purge local NVD per issue #328 --- .../org/owasp/dependencycheck/CliParser.java | 24 ++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 02cf78d31..33fb11fa7 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java @@ -394,6 +394,10 @@ public final class CliParser { final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS) .withDescription("Disable the Nexus Analyzer.").create(); + final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PROJECT) + .withDescription("Purges the local NVD data cache") + .create(); + options.addOption(updateOnly) .addOption(cve12Base) .addOption(cve20Base) @@ -428,7 +432,8 @@ public final class CliParser { .addOption(nexusUrl) .addOption(nexusUsesProxy) .addOption(additionalZipExtensions) - .addOption(pathToMono); + .addOption(pathToMono) + .addOption(purge); } /** 
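Review bot: in the CliParser validation hunk of PATCH 08, the new ParseException message reads "the scan cannot be run without the an project name."; the pre-existing "the an" is now compounded with "an project". Suggest "Missing '" + ARGUMENT.PROJECT + "' argument; the scan cannot be run without a project name."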
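Review bot: in the advanced-options hunk of PATCH 08 (CliParser @@ -444), the re-registered deprecated "app" option keeps the description "The name of the project being scanned. This is a required argument.", so the help output now advertises two required arguments for the same value. Follow the pattern of the proxyurl option directly above it: "The app argument is deprecated, use project instead."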
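Review bot: in the getProjectName() hunk of PATCH 08, the Javadoc still says "@return the application name.", and the deprecation warning is built with string concatenation although the class logs through slf4j, where LOGGER.warn("The '{}' argument should no longer be used; use '{}' instead.", ARGUMENT.APP_NAME, ARGUMENT.PROJECT) is the idiomatic form. The two locals could also be declared final, matching "final String format" elsewhere in the class.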
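Review bot: the AggregateMojo.java hunk in PATCH 08 adds two getLog().warn(...) calls ("\n\n\nwritting: " + outputDir and "for: " + current.getName()) that look like leftover debugging: they log at WARN level on every aggregated module, contain a typo ("writting"), and have nothing to do with issue #320. Remove them, or at most keep a single getLog().debug(...) line.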
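Review bot: in the first CliParser hunk of PATCH 09 (@@ -394), the new purge option is built with OptionBuilder.withLongOpt(ARGUMENT.PROJECT), so it registers under the long name "project", collides with the projectName option added in the standard options, and isPurge() (which checks ARGUMENT.PURGE_NVD) can never return true. It should be withLongOpt(ARGUMENT.PURGE_NVD); PATCH 11 corrects this, so squashing the two commits would avoid an intermediate revision with a broken --project option.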
@@ -878,7 +883,7 @@ public final class CliParser { * @return true if auto-update is allowed; otherwise false */ public boolean isAutoUpdate() { - return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE); + return line != null && !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE); } /** @@ -887,7 +892,16 @@ public final class CliParser { * @return true if the update only flag has been set; otherwise false. */ public boolean isUpdateOnly() { - return (line == null) || line.hasOption(ARGUMENT.UPDATE_ONLY); + return line != null && line.hasOption(ARGUMENT.UPDATE_ONLY); + } + + /** + * Checks if the purge NVD flag has been set. + * + * @return true if the purge nvd flag has been set; otherwise false. + */ + public boolean isPurge() { + return line != null && line.hasOption(ARGUMENT.PURGE_NVD); } /** @@ -969,6 +983,10 @@ public final class CliParser { * The long CLI argument name specifying that only the update phase should be executed; no scan should be run. */ public static final String UPDATE_ONLY = "updateonly"; + /** + * The long CLI argument name specifying that only the update phase should be executed; no scan should be run. + */ + public static final String PURGE_NVD = "purgelocalnvd"; /** * The long CLI argument name specifying the directory to write the reports to. */ From b29387364031dd22dc4e532aafa74effebe23fa2 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 29 Aug 2015 07:12:40 -0400 Subject: [PATCH 10/13] finished deprecating the application name argument in favor of project name per issue #320 --- .../taskdefs/DependencyCheckTask.java | 37 +++++++++++++++++-- .../src/site/markdown/configuration.md | 4 +- .../src/site/markdown/arguments.md | 2 +- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index c06f2ac77..6892dc63a 100644 
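Review bot: the isAutoUpdate() hunk in PATCH 09 changes "(line == null) || !line.hasOption(...)" to "line != null && !line.hasOption(...)", which inverts the result when no command line has been parsed (auto-update is now reported as disabled instead of enabled). That is unrelated to the purge argument and not mentioned in the commit message; if it is intentional, say so, otherwise keep the "line == null ||" form. The parallel change to isUpdateOnly() is a genuine fix, since the old code reported update-only whenever line was null.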
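Review bot: the Javadoc for the new PURGE_NVD constant in PATCH 09 is copied from UPDATE_ONLY ("specifying that only the update phase should be executed; no scan should be run") and does not describe the flag; suggest "The long CLI argument name specifying that the local NVD data cache should be purged."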
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java @@ -145,13 +145,15 @@ public class DependencyCheckTask extends Task { /** * The application name for the report. */ - private String applicationName = "Dependency-Check"; + @Deprecated + private String applicationName = null; /** * Get the value of applicationName. * * @return the value of applicationName */ + @Deprecated public String getApplicationName() { return applicationName; } @@ -161,9 +163,37 @@ public class DependencyCheckTask extends Task { * * @param applicationName new value of applicationName */ + @Deprecated public void setApplicationName(String applicationName) { this.applicationName = applicationName; } + + private String projectName = "Dependency-Check"; + + /** + * Get the value of projectName. + * + * @return the value of projectName + */ + public String getProjectName() { + if (applicationName != null) { + log("Configuration 'applicationName' has been deprecated, please use 'projectName' instead", Project.MSG_WARN); + if ("Dependency-Check".equals(projectName)) { + projectName = applicationName; + } + } + return projectName; + } + + /** + * Set the value of projectName. + * + * @param projectName new value of projectName + */ + public void setProjectName(String projectName) { + this.projectName = projectName; + } + /** * The location of the data directory that contains */ @@ -279,8 +309,7 @@ public class DependencyCheckTask extends Task { } /** - * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the - * Site plugin unless the externalReport is set to true. Default is HTML. + * The report format to be generated (HTML, XML, VULN, ALL). Default is HTML. */ private String reportFormat = "HTML"; 
@@ -933,7 +962,7 @@ public class DependencyCheckTask extends Task { cve.close(); } } - final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop); + final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop); reporter.generateReports(reportOutputDirectory, reportFormat); if (this.failBuildOnCVSS <= 10) { diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 7534f128c..3b751cfc3 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md @@ -8,7 +8,7 @@ the project's dependencies. ```xml - @@ -27,7 +27,7 @@ Property | Description | Default Value ----------------------|------------------------------------|------------------ autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true updateOnly | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false -externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false +projectName | The name of the project being scanned. | Dependency-Check reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target' failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11 reportFormat | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML 
diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index ededf1f2d..0a22250ee 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md @@ -5,7 +5,7 @@ The following table lists the command line arguments: Short | Argument Name   | Parameter | Description | Requirement -------|-----------------------|-----------------|-------------|------------ - \-a | \-\-app | \ | The name of the application being scanned. This is a required argument. | Required + | \-\-project | \ | The name of the project being scanned. | Required \-s | \-\-scan | \ | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. directory/**/*.jar). | Required | \-\-exclude | \ | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**). | Optional | \-\-symLink | \ | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional From 83af70bb59f2b03039a90f8b67878cfe4d5a057f Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 29 Aug 2015 07:57:54 -0400 Subject: [PATCH 11/13] corrected argument name for the purge nvd option --- .../java/org/owasp/dependencycheck/CliParser.java | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 33fb11fa7..25d6e0614 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java 
@@ -19,6 +19,7 @@ package org.owasp.dependencycheck; import java.io.File; import java.io.FileNotFoundException; +import java.util.logging.Level; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLineParser; @@ -217,7 +218,7 @@ public final class CliParser { final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE, false, "Disables the automatic updating of the CPE data."); - final Option projectName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.PROJECT) + final Option projectName = OptionBuilder.hasArg().withArgName("name").withLongOpt(ARGUMENT.PROJECT) .withDescription("The name of the project being scanned. This is a required argument.") .create(); @@ -229,7 +230,7 @@ public final class CliParser { final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE) .withDescription("Specify and exclusion pattern. This option can be specified multiple times" + " and it accepts Ant style excludsions.") - .create(); + .create("p"); final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP) .withDescription("A property file to load.") @@ -265,9 +266,9 @@ public final class CliParser { options.addOptionGroup(og) .addOptionGroup(exog) + .addOption(projectName) .addOption(out) .addOption(outputFormat) - .addOption(projectName) .addOption(version) .addOption(help) .addOption(advancedHelp) @@ -394,7 +395,7 @@ public final class CliParser { final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS) .withDescription("Disable the Nexus Analyzer.").create(); - final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PROJECT) + final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PURGE_NVD) .withDescription("Purges the local NVD data cache") .create(); 
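Review bot: the arguments.md hunk above drops the `-a`/`--app` row entirely, yet CliParser keeps accepting it as a deprecated alias (the appName option is still registered in the following hunk); keep a row for `--app` marked deprecated, pointing at `--project`, so users who hit the warning can find the replacement in the docs.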
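Review bot: in the CliParser hunk that touches the excludes option, `.create("p")` gives `--exclude` the short flag `-p`, which looks like it was meant for the project option (that builder stays at `.create()` with no short name), and arguments.md lists no short flag for either option; drop the argument or move it to the intended option. The added `import java.util.logging.Level;` is unused (the class logs through LOGGER.warn/error), and the description text in the context lines still reads "Specify and exclusion pattern" / "Ant style excludsions".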
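Review bot: the purge option hunk correctly switches the long option from ARGUMENT.PROJECT to ARGUMENT.PURGE_NVD; since the bug was two options registered under the same long name, a small CliParser test that parses each documented long argument once and asserts the right getter flips would prevent the next copy-paste of this kind.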
@@ -450,7 +451,7 @@ public final class CliParser { .withDescription("The proxy url argument is deprecated, use proxyserver instead.") .create(); final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME) - .withDescription("The name of the project being scanned. This is a required argument.") + .withDescription("The name of the project being scanned.") .create(ARGUMENT.APP_NAME_SHORT); options.addOption(proxyServer); @@ -727,9 +728,11 @@ public final class CliParser { public String getProjectName() { String appName = line.getOptionValue(ARGUMENT.APP_NAME); String name = line.getOptionValue(ARGUMENT.PROJECT); + LOGGER.error("PROJECT NAME: " + line.getOptionValue(ARGUMENT.PROJECT)); + if (name == null && appName != null) { name = appName; - LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' should no longer be used; use '" + ARGUMENT.PROJECT + "' instead."); + LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' argument should no longer be used; use '" + ARGUMENT.PROJECT + "' instead."); } return name; } From 29626666a74e69fb57b02918d063172dadcd949b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 29 Aug 2015 08:38:49 -0400 Subject: [PATCH 12/13] removed debug logging --- .../src/main/java/org/owasp/dependencycheck/CliParser.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 25d6e0614..eb91022f1 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java 
@@ -728,8 +728,6 @@ public final class CliParser { public String getProjectName() { String appName = line.getOptionValue(ARGUMENT.APP_NAME); String name = line.getOptionValue(ARGUMENT.PROJECT); - LOGGER.error("PROJECT NAME: " + line.getOptionValue(ARGUMENT.PROJECT)); - if (name == null && appName != null) { name = appName; LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' argument should no longer be used; use '" + ARGUMENT.PROJECT + "' instead."); From e630c484ffc66ff3d745812244e0a79b637962e0 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 30 Aug 2015 07:02:26 -0400 Subject: [PATCH 13/13] implementing the purge feature as requested in issue #328 --- .../taskdefs/DependencyCheckTask.java | 41 ++++++- .../src/site/markdown/configuration.md | 1 + .../java/org/owasp/dependencycheck/App.java | 24 +++- .../org/owasp/dependencycheck/CliParser.java | 2 +- .../src/site/markdown/arguments.md | 1 + .../maven/BaseDependencyCheckMojo.java | 11 +- .../dependencycheck/maven/PurgeMojo.java | 107 ++++++++++++++++++ .../src/site/markdown/configuration.md | 15 +-- 8 files changed, 191 insertions(+), 11 deletions(-) create mode 100644 dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index 6892dc63a..71fa3cb16 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java 
@@ -605,6 +605,29 @@ public class DependencyCheckTask extends Task { this.centralAnalyzerEnabled = centralAnalyzerEnabled; } + /** + * Whether or not the local copy of the NVD should be purged. + */ + private boolean purge = false; + + /** + * Used to determine if the local copy of the NVD should be purged. + * + * @return true if the local copy of the NVD should be purged + */ + public boolean isPurge() { + return purge; + } + + /** + * Set whether or not the local copy of the NVD should be purged. + * + * @param purge setting to true will cause the local copy of the NVD to be deleted. + */ + public void setPurge(boolean purge) { + this.purge = purge; + } + /** * Whether or not the nexus analyzer is enabled. */ @@ -929,7 +952,23 @@ public class DependencyCheckTask extends Task { dealWithReferences(); validateConfiguration(); populateSettings(); - + if (purge) { + File db; + try { + db = new File(Settings.getDataDirectory(), "dc.h2.db"); + if (db.exists()) { + if (db.delete()) { + log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO); + } else { + log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR); + } + } else { + log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR); + } + } catch (IOException ex) { + log("Unable to delete the database", Project.MSG_ERR); + } + } Engine engine = null; try { engine = new Engine(DependencyCheckTask.class.getClassLoader()); diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 3b751cfc3..ab4e4d169 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -76,3 +76,4 @@ databaseDriverPath | The path to the database driver JAR file; only used if th connectionString | The connection string used to connect to the database. |   databaseUser | The username used when connecting to the database. |   databasePassword | The password used when connecting to the database. |   +purge | Delete the local copy of the NVD. This is used to force a refresh of the data. |   diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index dbc557a61..ca5aa8e77 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -37,6 +37,7 @@ import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import ch.qos.logback.core.FileAppender; +import java.util.logging.Level; import org.slf4j.impl.StaticLoggerBinder; /** @@ -90,7 +91,28 @@ public class App { prepareLogger(cli.getVerboseLog()); } - if (cli.isGetVersion()) { + if (cli.isPurge()) { + if (cli.getConnectionString() != null) { + LOGGER.error("Unable to purge the database when using a non-default connection string"); + } else { + populateSettings(cli); + File db; + try { + db = new File(Settings.getDataDirectory(), "dc.h2.db"); + if (db.exists()) { + if (db.delete()) { + LOGGER.info("Database file purged; local copy of the NVD has been removed"); + } else { + LOGGER.error("Unable to delete '{}'; please delete the file manually", db.getAbsolutePath()); + } + } else { + LOGGER.error("Unable to purge database; the database file does not exists: {}", db.getAbsolutePath()); + } + } catch (IOException ex) { + LOGGER.error("Unable to delete the database"); + } + } + } else if (cli.isGetVersion()) { cli.printVersionInfo(); } else if (cli.isUpdateOnly()) { populateSettings(cli); 
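Review bot: in PATCH 11/13's getProjectName() hunk in CliParser, `LOGGER.error("PROJECT NAME: " + ...)` is debug output at error level and should not have been committed (PATCH 12/13 removes it again; squashing the two keeps the history clean). The deprecation warning is the right fix, but getProjectName() still returns null when neither `--project` nor `--app` is given although the option is documented as required; a missing-argument check here or at parse time gives a clearer error than a null project name reaching the report generator.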
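Review bot: the purge block in the Ant task's execute hunk falls straight through into `new Engine(...)` and the full scan after deleting the database, whereas the CLI and Maven variants treat purge as an exclusive action; either return after the purge or document in the configuration.md row that purge followed by a scan re-downloads the NVD. Unlike the App.java hunk it also performs no connectionString check, so a user on an external database gets a misleading "database file does not exists" error instead of a refusal. Minor: "does not exists" should be "does not exist", and the IOException catch should include ex.getMessage() so the failure is diagnosable.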
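Review bot: the App.java purge branch calls populateSettings(cli) but never Settings.cleanup() (the PurgeMojo version does), and the file-deletion logic with the hard-coded name "dc.h2.db" is now duplicated in the Ant task, App and PurgeMojo; a single purge method in the core module would keep the three in step, including the connectionString guard the Ant task lacks. `import java.util.logging.Level;` is unused here as well. Note that because isPurge() is tested before isGetVersion(), `--purge --version` purges instead of printing the version; acceptable, but worth a comment.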
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index eb91022f1..07b2ad1f8 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java @@ -987,7 +987,7 @@ public final class CliParser { /** * The long CLI argument name specifying that only the update phase should be executed; no scan should be run. */ - public static final String PURGE_NVD = "purgelocalnvd"; + public static final String PURGE_NVD = "purge"; /** * The long CLI argument name specifying the directory to write the reports to. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index 0a22250ee..97c285571 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md @@ -56,3 +56,4 @@ Short | Argument Name        | Paramete | \-\-dbPassword | \ | The password for connecting to the database. |   | \-\-dbUser | \ | The username used to connect to the database. |   \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. |   + | \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. |   \ No newline at end of file diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index ef223cd92..82ccaf15a 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java 
@@ -233,6 +233,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma */ @Parameter(property = "connectionString", defaultValue = "", required = false) private String connectionString; + + /** + * Returns the connection string. + * + * @return the connection string + */ + protected String getConnectionString() { + return connectionString; + } /** * The database driver name. An example would be org.h2.Driver. */ @@ -594,7 +603,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties * required to change the proxy url, port, and connection timeout. */ - private void populateSettings() { + protected void populateSettings() { Settings.initialize(); InputStream mojoProperties = null; try { diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java new file mode 100644 index 000000000..d9f766498 --- /dev/null +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java 
@@ -0,0 +1,107 @@ +/* + * This file is part of dependency-check-maven. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.maven; + +import java.io.File; +import java.io.IOException; +import java.util.Locale; +import org.apache.maven.plugin.MojoExecutionException; +import org.apache.maven.plugin.MojoFailureException; +import org.apache.maven.plugins.annotations.LifecyclePhase; +import org.apache.maven.plugins.annotations.Mojo; +import org.apache.maven.plugins.annotations.ResolutionScope; +import org.owasp.dependencycheck.data.nvdcve.DatabaseException; +import org.owasp.dependencycheck.utils.Settings; + +/** + * Maven Plugin that purges the local copy of the NVD data. + * + * @author Jeremy Long + */ +@Mojo( + name = "purge", + defaultPhase = LifecyclePhase.GENERATE_RESOURCES, + threadSafe = true, + requiresDependencyResolution = ResolutionScope.NONE, + requiresOnline = true +) +public class PurgeMojo extends BaseDependencyCheckMojo { + + /** + * Returns false; this mojo cannot generate a report. + * + * @return false + */ + @Override + public boolean canGenerateReport() { + return false; + } + + /** + * Purges the local copy of the NVD. 
+ * + * @throws MojoExecutionException thrown if there is an exception executing the goal + * @throws MojoFailureException thrown if dependency-check is configured to fail the build + */ + @Override + public void runCheck() throws MojoExecutionException, MojoFailureException { + + if (getConnectionString() != null && !getConnectionString().isEmpty()) { + getLog().error("Unable to purge the local NVD when using a non-default connection string"); + } else { + populateSettings(); + File db; + try { + db = new File(Settings.getDataDirectory(), "dc.h2.db"); + if (db.exists()) { + if (db.delete()) { + getLog().info("Database file purged; local copy of the NVD has been removed"); + } else { + getLog().error(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath())); + } + } else { + getLog().error(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath())); + } + } catch (IOException ex) { + getLog().error("Unable to delete the database"); + } + Settings.cleanup(); + } + } + + /** + * Returns the report name. + * + * @param locale the location + * @return the report name + */ + public String getName(Locale locale) { + return "dependency-check-purge"; + } + + /** + * Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page. + * + * @param locale The Locale to get the description for + * @return the description + */ + public String getDescription(Locale locale) { + return "Purges the local cache of the NVD dataT."; + } + +} diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md index afe2e9e99..7bc6afcd7 100644 --- a/dependency-check-maven/src/site/markdown/configuration.md +++ b/dependency-check-maven/src/site/markdown/configuration.md 
@@ -6,6 +6,7 @@ Goal | Description aggregate | Runs dependency-check against the child projects and aggregates the results into a single report. check | Runs dependency-check against the project and generates a report. update-only | Updates the local cache of the NVD data from NIST. +purge | Deletes the local copy of the NVD. This is used to force a refresh of the data. Configuration ==================== 
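Review bot: the CliParser hunk that renames PURGE_NVD to "purge" leaves the Javadoc above it reading "specifying that only the update phase should be executed; no scan should be run", which was copied from the update-only constant; change it to describe the purge argument.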
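Review bot: in PurgeMojo, runCheck() logs errors but never throws the MojoExecutionException/MojoFailureException its Javadoc declares, so `mvn dependency-check:purge` succeeds even when nothing was deleted; at least the "please delete the file manually" and IOException paths should fail the goal. `requiresOnline = true` is unnecessary for a goal that only deletes a local file. getName() and getDescription() are missing @Override, the @param text says "the location" where "the locale" is meant, and the description string has the typo "NVD dataT.". The protected getConnectionString() added to BaseDependencyCheckMojo returns the @Parameter whose defaultValue is "", so the `!isEmpty()` check here is correct, while the CLI only tests for null; align the two.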
@@ -49,13 +50,13 @@ Advanced Configuration The following properties can be configured in the plugin. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. -Property | Description | Default Value ----------------------|--------------------------------------------------------------------------|------------------ -cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml -cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml -cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml -cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml -connectionTimeout | Sets the URL Connection Timeout used when downloading external data. |   +Property | Description | Default Value +---------------------|---------------------------------------------------------------------------------------------|------------------ +cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml +cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml +cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml +connectionTimeout | Sets the URL Connection Timeout used when downloading external data. |   dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. |   databaseDriverName | The name of the database driver. Example: org.h2.Driver. 
|   databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
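Review bot: the Advanced Configuration hunk is whitespace-only realignment of the table columns (every row keeps the same content and default), which inflates the diff of a feature commit and obscures blame; split the formatting churn into its own commit or leave the table as it was.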