diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index 7707db3ec..6c931ecf1 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md @@ -7,17 +7,18 @@ This is a DependencyCheck gradle plugin designed for project which use Gradle as Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. -Current latest version is `0.0.6` - ========= +## What's New +Current latest version is `0.0.7` +- Implement nested configuration for proxy settings +- Bug fix: Remove duplicated configuration items + ## Usage ### Step 1, Apply dependency check gradle plugin -Please refer to either one of the solution - -#### Solution 1,Install from Maven Central (Recommended) +Install from Maven central repo ```groovy buildscript { 
@@ -25,65 +26,16 @@ buildscript { mavenCentral() } dependencies { - classpath 'com.thoughtworks.tools:dependency-check:0.0.6' + classpath 'com.thoughtworks.tools:dependency-check:0.0.7' } } -``` apply plugin: 'dependency.check' - -#### Solution 2,Install from Gradle Plugin Portal - -[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check) - -**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:** - -```groovy -plugins { - id "dependency.check" version "0.0.6" -} -``` - -**Build script snippet for use in all Gradle versions:** - -```groovy -buildscript { - repositories { - maven { - url "https://plugins.gradle.org/m2/" - } - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6" - } -} - -apply plugin: "dependency-check" -``` - -#### Solution 3,Install from Bintray - -```groovy -apply plugin: "dependency-check" - -buildscript { - repositories { - maven { - url 'http://dl.bintray.com/wei/maven' - } - mavenCentral() - } - dependencies { - classpath( - 'com.tools.security:dependency-check:0.0.6' - ) - } -} ``` ### Step 2, Run gradle task -Once gradle plugin applied, run following gradle task to check the dependencies: +Once gradle plugin applied, run following gradle task to check dependencies: ``` gradle dependencyCheck 
@@ -106,14 +58,16 @@ Maybe you have to use proxy to access internet, in this case, you could configur ```groovy dependencyCheck { - proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy - proxyPort = 3128 // required, the port number of the proxy - - // optional, the proxy server might require username - // proxyUsername = "username" - - // optional, the proxy server might require password - // proxyPassword = "password" + proxy { + server = "127.0.0.1" // required, the server name or IP address of the proxy + port = 3128 // required, the port number of the proxy + + // optional, the proxy server might require username + // username = "username" + + // optional, the proxy server might require password + // password = "password" + } } ``` @@ -123,9 +77,6 @@ In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find ```groovy dependencyCheck { - proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy - proxyPort = 3128 // required, the port number of the proxy - quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. (default value is true) } ``` @@ -142,7 +93,7 @@ buildscript { mavenCentral() } dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6" + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.7" } } @@ -159,7 +110,7 @@ buildscript { mavenCentral() } dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6" + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.7" } } diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index 0a960a787..13508a3c4 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle @@ -73,7 +73,7 @@ task integTest(type: Test) { } group = 'com.thoughtworks.tools' -version = '0.0.6' +version = '0.0.7' targetCompatibility = 1.7 
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy
new file mode 100644
index 000000000..a91eee97f
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy
@@ -0,0 +1,27 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Wei Ma. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+class CveExtension {
+ String url20Modified
+ String url12Modified
+ Integer startYear
+ String url20Base
+ String url12Base
+}
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy
index a0bc76dfe..e38f63dee 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy
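Review bot: CveExtension carries no documentation, so a user of the `cve { }` block cannot tell from this file which dependency-check settings its five fields override; the mapping only appears in overrideCveUrlSetting elsewhere in this commit (`url20Modified`/`url12Modified` feed CVE_MODIFIED_20_URL/CVE_MODIFIED_12_URL, `url20Base`/`url12Base` feed CVE_SCHEMA_2_0/CVE_SCHEMA_1_2, `startYear` feeds CVE_START_YEAR). I would add a Groovydoc header on the class, e.g. `/** Backs the nested {@code dependencyCheck { cve { ... } }} block; each non-null field overrides the corresponding NVD feed setting applied by DependencyCheckTask. */`, plus a one-line comment per field naming its settings key. Because these values redirect where vulnerability data is downloaded from, and the override helper in this commit only checks them for null, the comment should also state that overrides are applied verbatim and ought to be https URLs pointing at a feed the project trusts.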
@@ -19,18 +19,9 @@ package com.tools.security.extension class DependencyCheckExtension { - String proxyServer - Integer proxyPort - String proxyUsername - String proxyPassword - - String cveUrl20Modified - String cveUrl12Modified - Integer cveStartYear - String cveUrl20Base - String cveUrl12Base + ProxyExtension proxyExtension + CveExtension cveExtension String outputDirectory = "./reports" - Boolean quickQueryTimestamp; } diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy new file mode 100644 index 000000000..97763ad76 --- /dev/null +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy @@ -0,0 +1,26 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + +package com.tools.security.extension + +class ProxyExtension { + String server + Integer port + String username + String password +} diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy index fc9a4df3d..a1f94a13c 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy 
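Review bot: The two fields this hunk adds, `ProxyExtension proxyExtension` and `CveExtension cveExtension`, are not assigned anywhere in this commit: the plugin registers the nested blocks with `project.dependencyCheck.extensions.create("proxy", …)` and `("cve", …)`, and the task reads them as `config.proxy`/`config.cve`, which presumably resolve through Gradle's extension lookup rather than through these properties. As far as this diff shows they are dead state, and they mislead a reader into thinking `dependencyCheck.proxyExtension = …` is a supported configuration path when the task would never see such an assignment. I would drop both lines, or, if typed accessors are wanted, have initializeConfigurations store the objects returned by `extensions.create` into them and say so in a comment on the fields.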
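Review bot: `String password` in the new ProxyExtension holds a credential with no guidance on where it should come from, and the README example in this same commit shows it written inline in build.gradle, a file that is normally under version control. I would put a Groovydoc on the field steering users away from committing it: `/** Proxy password; forwarded verbatim to dependency-check's proxy setting. Supply it from gradle.properties or an environment variable (e.g. {@code password = System.getenv('PROXY_PASSWORD')}) rather than hard-coding it in a checked-in build script. */`. The same caveat applies, to a lesser degree, to `username`.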
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
@@ -18,14 +18,18 @@ package com.tools.security.plugin
+import com.tools.security.extension.CveExtension
 import com.tools.security.extension.DependencyCheckExtension
+import com.tools.security.extension.ProxyExtension
 import com.tools.security.tasks.DependencyCheckTask
 import org.gradle.api.Plugin
 import org.gradle.api.Project
 class DependencyCheckGradlePlugin implements Plugin {
- private static final String EXTENSION_NAME = 'dependencyCheck'
+ private static final String ROOT_EXTENSION_NAME = 'dependencyCheck'
 private static final String TASK_NAME = 'dependencyCheck'
+ private static final String PROXY_EXTENSION_NAME = "proxy"
+ private static final String CVE_EXTENSION_NAME = "cve"
 @Override
 void apply(Project project) {
@@ -34,7 +38,9 @@ class DependencyCheckGradlePlugin implements Plugin {
 }
 def initializeConfigurations(Project project) {
- project.extensions.create(EXTENSION_NAME, DependencyCheckExtension)
+ project.extensions.create(ROOT_EXTENSION_NAME, DependencyCheckExtension)
+ project.dependencyCheck.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
+ project.dependencyCheck.extensions.create(CVE_EXTENSION_NAME, CveExtension)
 }
 def registerTasks(Project project) {
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
index 6c869657c..e81e89e01 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
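Review bot: initializeConfigurations creates the root extension and then looks it up again through the dynamic property `project.dependencyCheck` to attach the nested `proxy` and `cve` extensions, which ties the lookup to ROOT_EXTENSION_NAME being literally `dependencyCheck` even though `extensions.create` already returns the object. I would keep the reference: `def root = project.extensions.create(ROOT_EXTENSION_NAME, DependencyCheckExtension)`, then `root.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)` and `root.extensions.create(CVE_EXTENSION_NAME, CveExtension)`. That makes a rename of the constant a one-line change instead of what would presumably be a runtime missing-property failure, and it drops the dynamic dispatch from plugin wiring. registerTasks continues outside the hunk.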
@@ -112,17 +112,17 @@ class DependencyCheckTask extends DefaultTask {
 def overrideProxySetting() {
 if (isProxySettingExist()) {
- logger.lifecycle("Using proxy ${config.proxyServer}:${config.proxyPort}")
+ logger.lifecycle("Using proxy ${config.proxy.server}:${config.proxy.port}")
- overrideStringBasedSettingWhenProvided(PROXY_SERVER, config.proxyServer)
- overrideStringBasedSettingWhenProvided(PROXY_PORT, "${config.proxyPort}")
- overrideStringBasedSettingWhenProvided(PROXY_USERNAME, config.proxyUsername)
- overrideStringBasedSettingWhenProvided(PROXY_PASSWORD, config.proxyPassword)
+ overrideStringSetting(PROXY_SERVER, config.proxy.server)
+ overrideStringSetting(PROXY_PORT, "${config.proxy.port}")
+ overrideStringSetting(PROXY_USERNAME, config.proxy.username)
+ overrideStringSetting(PROXY_PASSWORD, config.proxy.password)
 }
 }
 def isProxySettingExist() {
- config.proxyServer != null && config.proxyPort != null
+ config.proxy.server != null && config.proxy.port != null
 }
 def getAllDependencies(project) {
@@ -134,32 +134,32 @@ class DependencyCheckTask extends DefaultTask {
 }
 def overrideCveUrlSetting() {
- overrideStringBasedSettingWhenProvided(CVE_MODIFIED_20_URL, config.cveUrl20Modified)
- overrideStringBasedSettingWhenProvided(CVE_MODIFIED_12_URL, config.cveUrl12Modified)
- overrideIntegerBasedSettingWhenProvided(CVE_START_YEAR, config.cveStartYear)
- overrideStringBasedSettingWhenProvided(CVE_SCHEMA_2_0, config.cveUrl20Base)
- overrideStringBasedSettingWhenProvided(CVE_SCHEMA_1_2, config.cveUrl12Base)
+ overrideStringSetting(CVE_MODIFIED_20_URL, config.cve.url20Modified)
+ overrideStringSetting(CVE_MODIFIED_12_URL, config.cve.url12Modified)
+ overrideIntegerSetting(CVE_START_YEAR, config.cve.startYear)
+ overrideStringSetting(CVE_SCHEMA_2_0, config.cve.url20Base)
+ overrideStringSetting(CVE_SCHEMA_1_2, config.cve.url12Base)
 }
 def overrideDownloaderSetting() {
- overrideBooleanBasedSettingWhenProvided(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
+ overrideBooleanSetting(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
 }
- private overrideStringBasedSettingWhenProvided(String key, String providedValue) {
+ private overrideStringSetting(String key, String providedValue) {
 if (providedValue != null) {
 logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
 setString(key, providedValue)
 }
 }
- private overrideIntegerBasedSettingWhenProvided(String key, Integer providedValue) {
+ private overrideIntegerSetting(String key, Integer providedValue) {
 if (providedValue != null) {
 logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
 setString(key, "${providedValue}")
 }
 }
- private overrideBooleanBasedSettingWhenProvided(String key, Boolean providedValue) {
+ private overrideBooleanSetting(String key, Boolean providedValue) {
 if (providedValue != null) {
 logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
 setBoolean(key, providedValue)
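Review bot: overrideStringSetting logs every value it applies at lifecycle level, `Setting [${key}] overrided with value [${providedValue}]`, and the proxy hunk of this same commit routes `config.proxy.password` through it, so a configured proxy password is printed in clear text to the console and to any CI log that captures the build output; the leak predates the rename, but the rename is the moment to close it. I would mask that key before logging: `def shown = (key == PROXY_PASSWORD) ? '******' : providedValue` followed by `logger.lifecycle("Setting [${key}] overridden with value [${shown}]")`, leaving `setString(key, providedValue)` unchanged — `PROXY_PASSWORD` is already in scope, since overrideProxySetting passes it in. While there, "overrided" should read "overridden" in all three helpers. overrideBooleanSetting's closing braces lie past the end of the hunk.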
diff --git a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
index a75db628b..43ddd93b0 100644
--- a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
+++ b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
@@ -48,15 +48,15 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
 expect:
 task.group == 'Dependency Check'
 task.description == 'Produce dependency security report.'
- project.dependencyCheck.proxyServer == null
- project.dependencyCheck.proxyPort == null
- project.dependencyCheck.proxyUsername == null
- project.dependencyCheck.proxyPassword == null
- project.dependencyCheck.cveUrl12Modified == null
- project.dependencyCheck.cveUrl20Modified == null
- project.dependencyCheck.cveStartYear == null
- project.dependencyCheck.cveUrl12Base == null
- project.dependencyCheck.cveUrl20Base == null
+ project.dependencyCheck.proxy.server == null
+ project.dependencyCheck.proxy.port == null
+ project.dependencyCheck.proxy.username == null
+ project.dependencyCheck.proxy.password == null
+ project.dependencyCheck.cve.url12Modified == null
+ project.dependencyCheck.cve.url20Modified == null
+ project.dependencyCheck.cve.startYear == null
+ project.dependencyCheck.cve.url12Base == null
+ project.dependencyCheck.cve.url20Base == null
 project.dependencyCheck.outputDirectory == './reports'
 project.dependencyCheck.quickQueryTimestamp == null
 }
@@ -64,29 +64,35 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
 def 'tasks use correct values when extension is used'() {
 when:
 project.dependencyCheck {
- proxyServer = '127.0.0.1'
- proxyPort = 3128
- proxyUsername = 'proxyUsername'
- proxyPassword = 'proxyPassword'
- cveUrl12Modified = 'cveUrl12Modified'
- cveUrl20Modified = 'cveUrl20Modified'
- cveStartYear = 2002
- cveUrl12Base = 'cveUrl12Base'
- cveUrl20Base = 'cveUrl20Base'
+ proxy {
+ server = '127.0.0.1'
+ port = 3128
+ username = 'proxyUsername'
+ password = 'proxyPassword'
+ }
+
+ cve {
+ startYear = 2002
+ url12Base = 'cveUrl12Base'
+ url20Base = 'cveUrl20Base'
+ url12Modified = 'cveUrl12Modified'
+ url20Modified = 'cveUrl20Modified'
+ }
+
 outputDirectory = 'outputDirectory'
 quickQueryTimestamp = false
 }
 then:
- project.dependencyCheck.proxyServer == '127.0.0.1'
- project.dependencyCheck.proxyPort == 3128
- project.dependencyCheck.proxyUsername == 'proxyUsername'
- project.dependencyCheck.proxyPassword == 'proxyPassword'
- project.dependencyCheck.cveUrl12Modified == 'cveUrl12Modified'
- project.dependencyCheck.cveUrl20Modified == 'cveUrl20Modified'
- project.dependencyCheck.cveStartYear == 2002
- project.dependencyCheck.cveUrl12Base == 'cveUrl12Base'
- project.dependencyCheck.cveUrl20Base == 'cveUrl20Base'
+ project.dependencyCheck.proxy.server == '127.0.0.1'
+ project.dependencyCheck.proxy.port == 3128
+ project.dependencyCheck.proxy.username == 'proxyUsername'
+ project.dependencyCheck.proxy.password == 'proxyPassword'
+ project.dependencyCheck.cve.url12Modified == 'cveUrl12Modified'
+ project.dependencyCheck.cve.url20Modified == 'cveUrl20Modified'
+ project.dependencyCheck.cve.startYear == 2002
+ project.dependencyCheck.cve.url12Base == 'cveUrl12Base'
+ project.dependencyCheck.cve.url20Base == 'cveUrl20Base'
 project.dependencyCheck.outputDirectory == 'outputDirectory'
 project.dependencyCheck.quickQueryTimestamp == false
 }