mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-15 00:03:43 +01:00
Merge branch 'master' of github.com:jeremylong/DependencyCheck
This commit is contained in:
Jeremy Long
@@ -7,17 +7,18 @@ This is a DependencyCheck gradle plugin designed for project which use Gradle as
|
||||
|
||||
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
|
||||
|
||||
Current latest version is `0.0.6`
|
||||
|
||||
=========
|
||||
|
||||
## What's New
|
||||
Current latest version is `0.0.7`
|
||||
- Implement nested configuration for proxy settings
|
||||
- Bug fix: Remove duplicated configuration items
|
||||
|
||||
## Usage
|
||||
|
||||
### Step 1, Apply dependency check gradle plugin
|
||||
|
||||
Please refer to either one of the solution
|
||||
|
||||
#### Solution 1,Install from Maven Central (Recommended)
|
||||
Install from Maven central repo
|
||||
|
||||
```groovy
|
||||
buildscript {
|
||||
@@ -25,65 +26,16 @@ buildscript {
|
||||
mavenCentral()
|
||||
}
|
||||
dependencies {
|
||||
classpath 'com.thoughtworks.tools:dependency-check:0.0.6'
|
||||
classpath 'com.thoughtworks.tools:dependency-check:0.0.7'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
apply plugin: 'dependency.check'
|
||||
|
||||
#### Solution 2,Install from Gradle Plugin Portal
|
||||
|
||||
[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check)
|
||||
|
||||
**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:**
|
||||
|
||||
```groovy
|
||||
plugins {
|
||||
id "dependency.check" version "0.0.6"
|
||||
}
|
||||
```
|
||||
|
||||
**Build script snippet for use in all Gradle versions:**
|
||||
|
||||
```groovy
|
||||
buildscript {
|
||||
repositories {
|
||||
maven {
|
||||
url "https://plugins.gradle.org/m2/"
|
||||
}
|
||||
}
|
||||
dependencies {
|
||||
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
|
||||
}
|
||||
}
|
||||
|
||||
apply plugin: "dependency-check"
|
||||
```
|
||||
|
||||
#### Solution 3,Install from Bintray
|
||||
|
||||
```groovy
|
||||
apply plugin: "dependency-check"
|
||||
|
||||
buildscript {
|
||||
repositories {
|
||||
maven {
|
||||
url 'http://dl.bintray.com/wei/maven'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
dependencies {
|
||||
classpath(
|
||||
'com.tools.security:dependency-check:0.0.6'
|
||||
)
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Step 2, Run gradle task
|
||||
|
||||
Once gradle plugin applied, run following gradle task to check the dependencies:
|
||||
Once gradle plugin applied, run following gradle task to check dependencies:
|
||||
|
||||
```
|
||||
gradle dependencyCheck
|
||||
@@ -106,14 +58,16 @@ Maybe you have to use proxy to access internet, in this case, you could configur
|
||||
|
||||
```groovy
|
||||
dependencyCheck {
|
||||
proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
|
||||
proxyPort = 3128 // required, the port number of the proxy
|
||||
|
||||
// optional, the proxy server might require username
|
||||
// proxyUsername = "username"
|
||||
|
||||
// optional, the proxy server might require password
|
||||
// proxyPassword = "password"
|
||||
proxy {
|
||||
server = "127.0.0.1" // required, the server name or IP address of the proxy
|
||||
port = 3128 // required, the port number of the proxy
|
||||
|
||||
// optional, the proxy server might require username
|
||||
// username = "username"
|
||||
|
||||
// optional, the proxy server might require password
|
||||
// password = "password"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
@@ -123,9 +77,6 @@ In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find
|
||||
|
||||
```groovy
|
||||
dependencyCheck {
|
||||
proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
|
||||
proxyPort = 3128 // required, the port number of the proxy
|
||||
|
||||
quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
|
||||
}
|
||||
```
|
||||
@@ -142,7 +93,7 @@ buildscript {
|
||||
mavenCentral()
|
||||
}
|
||||
dependencies {
|
||||
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
|
||||
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.7"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -159,7 +110,7 @@ buildscript {
|
||||
mavenCentral()
|
||||
}
|
||||
dependencies {
|
||||
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
|
||||
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.7"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -73,7 +73,7 @@ task integTest(type: Test) {
|
||||
}
|
||||
|
||||
group = 'com.thoughtworks.tools'
|
||||
version = '0.0.6'
|
||||
version = '0.0.7'
|
||||
|
||||
targetCompatibility = 1.7
|
||||
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
/*
|
||||
* This file is part of dependency-check-gradle.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
|
||||
*/
|
||||
|
||||
package com.tools.security.extension
|
||||
|
||||
class CveExtension {
|
||||
String url20Modified
|
||||
String url12Modified
|
||||
Integer startYear
|
||||
String url20Base
|
||||
String url12Base
|
||||
}
|
||||
@@ -19,18 +19,9 @@
|
||||
package com.tools.security.extension
|
||||
|
||||
class DependencyCheckExtension {
|
||||
String proxyServer
|
||||
Integer proxyPort
|
||||
String proxyUsername
|
||||
String proxyPassword
|
||||
|
||||
String cveUrl20Modified
|
||||
String cveUrl12Modified
|
||||
Integer cveStartYear
|
||||
String cveUrl20Base
|
||||
String cveUrl12Base
|
||||
ProxyExtension proxyExtension
|
||||
CveExtension cveExtension
|
||||
|
||||
String outputDirectory = "./reports"
|
||||
|
||||
Boolean quickQueryTimestamp;
|
||||
}
|
||||
|
||||
@@ -0,0 +1,26 @@
|
||||
/*
|
||||
* This file is part of dependency-check-gradle.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
|
||||
*/
|
||||
|
||||
package com.tools.security.extension
|
||||
|
||||
class ProxyExtension {
|
||||
String server
|
||||
Integer port
|
||||
String username
|
||||
String password
|
||||
}
|
||||
@@ -18,14 +18,18 @@
|
||||
|
||||
package com.tools.security.plugin
|
||||
|
||||
import com.tools.security.extension.CveExtension
|
||||
import com.tools.security.extension.DependencyCheckExtension
|
||||
import com.tools.security.extension.ProxyExtension
|
||||
import com.tools.security.tasks.DependencyCheckTask
|
||||
import org.gradle.api.Plugin
|
||||
import org.gradle.api.Project
|
||||
|
||||
class DependencyCheckGradlePlugin implements Plugin<Project> {
|
||||
private static final String EXTENSION_NAME = 'dependencyCheck'
|
||||
private static final String ROOT_EXTENSION_NAME = 'dependencyCheck'
|
||||
private static final String TASK_NAME = 'dependencyCheck'
|
||||
private static final String PROXY_EXTENSION_NAME = "proxy"
|
||||
private static final String CVE_EXTENSION_NAME = "cve"
|
||||
|
||||
@Override
|
||||
void apply(Project project) {
|
||||
@@ -34,7 +38,9 @@ class DependencyCheckGradlePlugin implements Plugin<Project> {
|
||||
}
|
||||
|
||||
def initializeConfigurations(Project project) {
|
||||
project.extensions.create(EXTENSION_NAME, DependencyCheckExtension)
|
||||
project.extensions.create(ROOT_EXTENSION_NAME, DependencyCheckExtension)
|
||||
project.dependencyCheck.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
|
||||
project.dependencyCheck.extensions.create(CVE_EXTENSION_NAME, CveExtension)
|
||||
}
|
||||
|
||||
def registerTasks(Project project) {
|
||||
|
||||
@@ -112,17 +112,17 @@ class DependencyCheckTask extends DefaultTask {
|
||||
|
||||
def overrideProxySetting() {
|
||||
if (isProxySettingExist()) {
|
||||
logger.lifecycle("Using proxy ${config.proxyServer}:${config.proxyPort}")
|
||||
logger.lifecycle("Using proxy ${config.proxy.server}:${config.proxy.port}")
|
||||
|
||||
overrideStringBasedSettingWhenProvided(PROXY_SERVER, config.proxyServer)
|
||||
overrideStringBasedSettingWhenProvided(PROXY_PORT, "${config.proxyPort}")
|
||||
overrideStringBasedSettingWhenProvided(PROXY_USERNAME, config.proxyUsername)
|
||||
overrideStringBasedSettingWhenProvided(PROXY_PASSWORD, config.proxyPassword)
|
||||
overrideStringSetting(PROXY_SERVER, config.proxy.server)
|
||||
overrideStringSetting(PROXY_PORT, "${config.proxy.port}")
|
||||
overrideStringSetting(PROXY_USERNAME, config.proxy.username)
|
||||
overrideStringSetting(PROXY_PASSWORD, config.proxy.password)
|
||||
}
|
||||
}
|
||||
|
||||
def isProxySettingExist() {
|
||||
config.proxyServer != null && config.proxyPort != null
|
||||
config.proxy.server != null && config.proxy.port != null
|
||||
}
|
||||
|
||||
def getAllDependencies(project) {
|
||||
@@ -134,32 +134,32 @@ class DependencyCheckTask extends DefaultTask {
|
||||
}
|
||||
|
||||
def overrideCveUrlSetting() {
|
||||
overrideStringBasedSettingWhenProvided(CVE_MODIFIED_20_URL, config.cveUrl20Modified)
|
||||
overrideStringBasedSettingWhenProvided(CVE_MODIFIED_12_URL, config.cveUrl12Modified)
|
||||
overrideIntegerBasedSettingWhenProvided(CVE_START_YEAR, config.cveStartYear)
|
||||
overrideStringBasedSettingWhenProvided(CVE_SCHEMA_2_0, config.cveUrl20Base)
|
||||
overrideStringBasedSettingWhenProvided(CVE_SCHEMA_1_2, config.cveUrl12Base)
|
||||
overrideStringSetting(CVE_MODIFIED_20_URL, config.cve.url20Modified)
|
||||
overrideStringSetting(CVE_MODIFIED_12_URL, config.cve.url12Modified)
|
||||
overrideIntegerSetting(CVE_START_YEAR, config.cve.startYear)
|
||||
overrideStringSetting(CVE_SCHEMA_2_0, config.cve.url20Base)
|
||||
overrideStringSetting(CVE_SCHEMA_1_2, config.cve.url12Base)
|
||||
}
|
||||
|
||||
def overrideDownloaderSetting() {
|
||||
overrideBooleanBasedSettingWhenProvided(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
|
||||
overrideBooleanSetting(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
|
||||
}
|
||||
|
||||
private overrideStringBasedSettingWhenProvided(String key, String providedValue) {
|
||||
private overrideStringSetting(String key, String providedValue) {
|
||||
if (providedValue != null) {
|
||||
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
||||
setString(key, providedValue)
|
||||
}
|
||||
}
|
||||
|
||||
private overrideIntegerBasedSettingWhenProvided(String key, Integer providedValue) {
|
||||
private overrideIntegerSetting(String key, Integer providedValue) {
|
||||
if (providedValue != null) {
|
||||
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
||||
setString(key, "${providedValue}")
|
||||
}
|
||||
}
|
||||
|
||||
private overrideBooleanBasedSettingWhenProvided(String key, Boolean providedValue) {
|
||||
private overrideBooleanSetting(String key, Boolean providedValue) {
|
||||
if (providedValue != null) {
|
||||
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
||||
setBoolean(key, providedValue)
|
||||
|
||||
@@ -48,15 +48,15 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
|
||||
expect:
|
||||
task.group == 'Dependency Check'
|
||||
task.description == 'Produce dependency security report.'
|
||||
project.dependencyCheck.proxyServer == null
|
||||
project.dependencyCheck.proxyPort == null
|
||||
project.dependencyCheck.proxyUsername == null
|
||||
project.dependencyCheck.proxyPassword == null
|
||||
project.dependencyCheck.cveUrl12Modified == null
|
||||
project.dependencyCheck.cveUrl20Modified == null
|
||||
project.dependencyCheck.cveStartYear == null
|
||||
project.dependencyCheck.cveUrl12Base == null
|
||||
project.dependencyCheck.cveUrl20Base == null
|
||||
project.dependencyCheck.proxy.server == null
|
||||
project.dependencyCheck.proxy.port == null
|
||||
project.dependencyCheck.proxy.username == null
|
||||
project.dependencyCheck.proxy.password == null
|
||||
project.dependencyCheck.cve.url12Modified == null
|
||||
project.dependencyCheck.cve.url20Modified == null
|
||||
project.dependencyCheck.cve.startYear == null
|
||||
project.dependencyCheck.cve.url12Base == null
|
||||
project.dependencyCheck.cve.url20Base == null
|
||||
project.dependencyCheck.outputDirectory == './reports'
|
||||
project.dependencyCheck.quickQueryTimestamp == null
|
||||
}
|
||||
@@ -64,29 +64,35 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
|
||||
def 'tasks use correct values when extension is used'() {
|
||||
when:
|
||||
project.dependencyCheck {
|
||||
proxyServer = '127.0.0.1'
|
||||
proxyPort = 3128
|
||||
proxyUsername = 'proxyUsername'
|
||||
proxyPassword = 'proxyPassword'
|
||||
cveUrl12Modified = 'cveUrl12Modified'
|
||||
cveUrl20Modified = 'cveUrl20Modified'
|
||||
cveStartYear = 2002
|
||||
cveUrl12Base = 'cveUrl12Base'
|
||||
cveUrl20Base = 'cveUrl20Base'
|
||||
proxy {
|
||||
server = '127.0.0.1'
|
||||
port = 3128
|
||||
username = 'proxyUsername'
|
||||
password = 'proxyPassword'
|
||||
}
|
||||
|
||||
cve {
|
||||
startYear = 2002
|
||||
url12Base = 'cveUrl12Base'
|
||||
url20Base = 'cveUrl20Base'
|
||||
url12Modified = 'cveUrl12Modified'
|
||||
url20Modified = 'cveUrl20Modified'
|
||||
}
|
||||
|
||||
outputDirectory = 'outputDirectory'
|
||||
quickQueryTimestamp = false
|
||||
}
|
||||
|
||||
then:
|
||||
project.dependencyCheck.proxyServer == '127.0.0.1'
|
||||
project.dependencyCheck.proxyPort == 3128
|
||||
project.dependencyCheck.proxyUsername == 'proxyUsername'
|
||||
project.dependencyCheck.proxyPassword == 'proxyPassword'
|
||||
project.dependencyCheck.cveUrl12Modified == 'cveUrl12Modified'
|
||||
project.dependencyCheck.cveUrl20Modified == 'cveUrl20Modified'
|
||||
project.dependencyCheck.cveStartYear == 2002
|
||||
project.dependencyCheck.cveUrl12Base == 'cveUrl12Base'
|
||||
project.dependencyCheck.cveUrl20Base == 'cveUrl20Base'
|
||||
project.dependencyCheck.proxy.server == '127.0.0.1'
|
||||
project.dependencyCheck.proxy.port == 3128
|
||||
project.dependencyCheck.proxy.username == 'proxyUsername'
|
||||
project.dependencyCheck.proxy.password == 'proxyPassword'
|
||||
project.dependencyCheck.cve.url12Modified == 'cveUrl12Modified'
|
||||
project.dependencyCheck.cve.url20Modified == 'cveUrl20Modified'
|
||||
project.dependencyCheck.cve.startYear == 2002
|
||||
project.dependencyCheck.cve.url12Base == 'cveUrl12Base'
|
||||
project.dependencyCheck.cve.url20Base == 'cveUrl20Base'
|
||||
project.dependencyCheck.outputDirectory == 'outputDirectory'
|
||||
project.dependencyCheck.quickQueryTimestamp == false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user