Merge branch 'master' of github.com:jeremylong/DependencyCheck
@@ -7,17 +7,18 @@ This is a DependencyCheck gradle plugin designed for project which use Gradle as
|
|||||||
|
|
||||||
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
|
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
|
||||||
|
|
||||||
Current latest version is `0.0.6`
|
|
||||||
|
|
||||||
=========
|
=========
|
||||||
|
|
||||||
|
## What's New
|
||||||
|
Current latest version is `0.0.7`
|
||||||
|
- Implement nested configuration for proxy settings
|
||||||
|
- Bug fix: Remove duplicated configuration items
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
### Step 1, Apply dependency check gradle plugin
|
### Step 1, Apply dependency check gradle plugin
|
||||||
|
|
||||||
Please refer to either one of the solution
|
Install from Maven central repo
|
||||||
|
|
||||||
#### Solution 1,Install from Maven Central (Recommended)
|
|
||||||
|
|
||||||
```groovy
|
```groovy
|
||||||
buildscript {
|
buildscript {
|
||||||
@@ -25,65 +26,16 @@ buildscript {
|
|||||||
mavenCentral()
|
mavenCentral()
|
||||||
}
|
}
|
||||||
dependencies {
|
dependencies {
|
||||||
classpath 'com.thoughtworks.tools:dependency-check:0.0.6'
|
classpath 'com.thoughtworks.tools:dependency-check:0.0.7'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
|
||||||
|
|
||||||
apply plugin: 'dependency.check'
|
apply plugin: 'dependency.check'
|
||||||
|
|
||||||
#### Solution 2,Install from Gradle Plugin Portal
|
|
||||||
|
|
||||||
[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check)
|
|
||||||
|
|
||||||
**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:**
|
|
||||||
|
|
||||||
```groovy
|
|
||||||
plugins {
|
|
||||||
id "dependency.check" version "0.0.6"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
**Build script snippet for use in all Gradle versions:**
|
|
||||||
|
|
||||||
```groovy
|
|
||||||
buildscript {
|
|
||||||
repositories {
|
|
||||||
maven {
|
|
||||||
url "https://plugins.gradle.org/m2/"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
dependencies {
|
|
||||||
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
apply plugin: "dependency-check"
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Solution 3,Install from Bintray
|
|
||||||
|
|
||||||
```groovy
|
|
||||||
apply plugin: "dependency-check"
|
|
||||||
|
|
||||||
buildscript {
|
|
||||||
repositories {
|
|
||||||
maven {
|
|
||||||
url 'http://dl.bintray.com/wei/maven'
|
|
||||||
}
|
|
||||||
mavenCentral()
|
|
||||||
}
|
|
||||||
dependencies {
|
|
||||||
classpath(
|
|
||||||
'com.tools.security:dependency-check:0.0.6'
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Step 2, Run gradle task
|
### Step 2, Run gradle task
|
||||||
|
|
||||||
Once gradle plugin applied, run following gradle task to check the dependencies:
|
Once gradle plugin applied, run following gradle task to check dependencies:
|
||||||
|
|
||||||
```
|
```
|
||||||
gradle dependencyCheck
|
gradle dependencyCheck
|
||||||
@@ -106,14 +58,16 @@ Maybe you have to use proxy to access internet, in this case, you could configur
|
|||||||
|
|
||||||
```groovy
|
```groovy
|
||||||
dependencyCheck {
|
dependencyCheck {
|
||||||
proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
|
proxy {
|
||||||
proxyPort = 3128 // required, the port number of the proxy
|
server = "127.0.0.1" // required, the server name or IP address of the proxy
|
||||||
|
port = 3128 // required, the port number of the proxy
|
||||||
|
|
||||||
// optional, the proxy server might require username
|
// optional, the proxy server might require username
|
||||||
// proxyUsername = "username"
|
// username = "username"
|
||||||
|
|
||||||
// optional, the proxy server might require password
|
// optional, the proxy server might require password
|
||||||
// proxyPassword = "password"
|
// password = "password"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -123,9 +77,6 @@ In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find
|
|||||||
|
|
||||||
```groovy
|
```groovy
|
||||||
dependencyCheck {
|
dependencyCheck {
|
||||||
proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
|
|
||||||
proxyPort = 3128 // required, the port number of the proxy
|
|
||||||
|
|
||||||
quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
|
quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
@@ -142,7 +93,7 @@ buildscript {
|
|||||||
mavenCentral()
|
mavenCentral()
|
||||||
}
|
}
|
||||||
dependencies {
|
dependencies {
|
||||||
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
|
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.7"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -159,7 +110,7 @@ buildscript {
|
|||||||
mavenCentral()
|
mavenCentral()
|
||||||
}
|
}
|
||||||
dependencies {
|
dependencies {
|
||||||
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
|
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.7"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -73,7 +73,7 @@ task integTest(type: Test) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
group = 'com.thoughtworks.tools'
|
group = 'com.thoughtworks.tools'
|
||||||
version = '0.0.6'
|
version = '0.0.7'
|
||||||
|
|
||||||
targetCompatibility = 1.7
|
targetCompatibility = 1.7
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,27 @@
|
|||||||
|
/*
|
||||||
|
* This file is part of dependency-check-gradle.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package com.tools.security.extension
|
||||||
|
|
||||||
|
class CveExtension {
|
||||||
|
String url20Modified
|
||||||
|
String url12Modified
|
||||||
|
Integer startYear
|
||||||
|
String url20Base
|
||||||
|
String url12Base
|
||||||
|
}
|
||||||
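Review bot: The new CveExtension class carries no documentation, so a reader of the build script cannot tell what `url20Modified`, `url12Modified`, `startYear`, `url20Base` and `url12Base` feed into or what leaving one unset means. From the task changes elsewhere in this commit, each field is passed to a `CVE_*` settings key and only applied when non-null, so a class comment along the lines of `/** Nested 'cve' block of the dependencyCheck extension; each field overrides the corresponding dependency-check CVE feed setting when set, and a null leaves the tool default untouched. */` would capture the contract without restating the field names. A one-line comment per field naming the settings key it maps to (as used in DependencyCheckTask) would make the mapping discoverable from the extension itself.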
@@ -19,18 +19,9 @@
|
|||||||
package com.tools.security.extension
|
package com.tools.security.extension
|
||||||
|
|
||||||
class DependencyCheckExtension {
|
class DependencyCheckExtension {
|
||||||
String proxyServer
|
ProxyExtension proxyExtension
|
||||||
Integer proxyPort
|
CveExtension cveExtension
|
||||||
String proxyUsername
|
|
||||||
String proxyPassword
|
|
||||||
|
|
||||||
String cveUrl20Modified
|
|
||||||
String cveUrl12Modified
|
|
||||||
Integer cveStartYear
|
|
||||||
String cveUrl20Base
|
|
||||||
String cveUrl12Base
|
|
||||||
|
|
||||||
String outputDirectory = "./reports"
|
String outputDirectory = "./reports"
|
||||||
|
|
||||||
Boolean quickQueryTimestamp;
|
Boolean quickQueryTimestamp;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,26 @@
|
|||||||
|
/*
|
||||||
|
* This file is part of dependency-check-gradle.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package com.tools.security.extension
|
||||||
|
|
||||||
|
class ProxyExtension {
|
||||||
|
String server
|
||||||
|
Integer port
|
||||||
|
String username
|
||||||
|
String password
|
||||||
|
}
|
||||||
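Review bot: The new ProxyExtension class is undocumented, and the one contract a user needs is not visible from the fields alone: the task in this commit only treats the proxy as configured when both `server` and `port` are non-null, and `username`/`password` are applied only when set. A class comment such as `/** Nested 'proxy' block of the dependencyCheck extension; 'server' and 'port' must both be set for the proxy to be used, 'username' and 'password' are optional and left untouched when null. */` would state that. Since `password` is a credential, the comment should also say where it ends up (the dependency-check proxy settings), so that users know it is written into the tool configuration rather than kept local to the build script.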
@@ -18,14 +18,18 @@
|
|||||||
|
|
||||||
package com.tools.security.plugin
|
package com.tools.security.plugin
|
||||||
|
|
||||||
|
import com.tools.security.extension.CveExtension
|
||||||
import com.tools.security.extension.DependencyCheckExtension
|
import com.tools.security.extension.DependencyCheckExtension
|
||||||
|
import com.tools.security.extension.ProxyExtension
|
||||||
import com.tools.security.tasks.DependencyCheckTask
|
import com.tools.security.tasks.DependencyCheckTask
|
||||||
import org.gradle.api.Plugin
|
import org.gradle.api.Plugin
|
||||||
import org.gradle.api.Project
|
import org.gradle.api.Project
|
||||||
|
|
||||||
class DependencyCheckGradlePlugin implements Plugin<Project> {
|
class DependencyCheckGradlePlugin implements Plugin<Project> {
|
||||||
private static final String EXTENSION_NAME = 'dependencyCheck'
|
private static final String ROOT_EXTENSION_NAME = 'dependencyCheck'
|
||||||
private static final String TASK_NAME = 'dependencyCheck'
|
private static final String TASK_NAME = 'dependencyCheck'
|
||||||
|
private static final String PROXY_EXTENSION_NAME = "proxy"
|
||||||
|
private static final String CVE_EXTENSION_NAME = "cve"
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void apply(Project project) {
|
void apply(Project project) {
|
||||||
@@ -34,7 +38,9 @@ class DependencyCheckGradlePlugin implements Plugin<Project> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
def initializeConfigurations(Project project) {
|
def initializeConfigurations(Project project) {
|
||||||
project.extensions.create(EXTENSION_NAME, DependencyCheckExtension)
|
project.extensions.create(ROOT_EXTENSION_NAME, DependencyCheckExtension)
|
||||||
|
project.dependencyCheck.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
|
||||||
|
project.dependencyCheck.extensions.create(CVE_EXTENSION_NAME, CveExtension)
|
||||||
}
|
}
|
||||||
|
|
||||||
def registerTasks(Project project) {
|
def registerTasks(Project project) {
|
||||||
|
|||||||
@@ -112,17 +112,17 @@ class DependencyCheckTask extends DefaultTask {
|
|||||||
|
|
||||||
def overrideProxySetting() {
|
def overrideProxySetting() {
|
||||||
if (isProxySettingExist()) {
|
if (isProxySettingExist()) {
|
||||||
logger.lifecycle("Using proxy ${config.proxyServer}:${config.proxyPort}")
|
logger.lifecycle("Using proxy ${config.proxy.server}:${config.proxy.port}")
|
||||||
|
|
||||||
overrideStringBasedSettingWhenProvided(PROXY_SERVER, config.proxyServer)
|
overrideStringSetting(PROXY_SERVER, config.proxy.server)
|
||||||
overrideStringBasedSettingWhenProvided(PROXY_PORT, "${config.proxyPort}")
|
overrideStringSetting(PROXY_PORT, "${config.proxy.port}")
|
||||||
overrideStringBasedSettingWhenProvided(PROXY_USERNAME, config.proxyUsername)
|
overrideStringSetting(PROXY_USERNAME, config.proxy.username)
|
||||||
overrideStringBasedSettingWhenProvided(PROXY_PASSWORD, config.proxyPassword)
|
overrideStringSetting(PROXY_PASSWORD, config.proxy.password)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
def isProxySettingExist() {
|
def isProxySettingExist() {
|
||||||
config.proxyServer != null && config.proxyPort != null
|
config.proxy.server != null && config.proxy.port != null
|
||||||
}
|
}
|
||||||
|
|
||||||
def getAllDependencies(project) {
|
def getAllDependencies(project) {
|
||||||
@@ -134,32 +134,32 @@ class DependencyCheckTask extends DefaultTask {
|
|||||||
}
|
}
|
||||||
|
|
||||||
def overrideCveUrlSetting() {
|
def overrideCveUrlSetting() {
|
||||||
overrideStringBasedSettingWhenProvided(CVE_MODIFIED_20_URL, config.cveUrl20Modified)
|
overrideStringSetting(CVE_MODIFIED_20_URL, config.cve.url20Modified)
|
||||||
overrideStringBasedSettingWhenProvided(CVE_MODIFIED_12_URL, config.cveUrl12Modified)
|
overrideStringSetting(CVE_MODIFIED_12_URL, config.cve.url12Modified)
|
||||||
overrideIntegerBasedSettingWhenProvided(CVE_START_YEAR, config.cveStartYear)
|
overrideIntegerSetting(CVE_START_YEAR, config.cve.startYear)
|
||||||
overrideStringBasedSettingWhenProvided(CVE_SCHEMA_2_0, config.cveUrl20Base)
|
overrideStringSetting(CVE_SCHEMA_2_0, config.cve.url20Base)
|
||||||
overrideStringBasedSettingWhenProvided(CVE_SCHEMA_1_2, config.cveUrl12Base)
|
overrideStringSetting(CVE_SCHEMA_1_2, config.cve.url12Base)
|
||||||
}
|
}
|
||||||
|
|
||||||
def overrideDownloaderSetting() {
|
def overrideDownloaderSetting() {
|
||||||
overrideBooleanBasedSettingWhenProvided(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
|
overrideBooleanSetting(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
|
||||||
}
|
}
|
||||||
|
|
||||||
private overrideStringBasedSettingWhenProvided(String key, String providedValue) {
|
private overrideStringSetting(String key, String providedValue) {
|
||||||
if (providedValue != null) {
|
if (providedValue != null) {
|
||||||
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
||||||
setString(key, providedValue)
|
setString(key, providedValue)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private overrideIntegerBasedSettingWhenProvided(String key, Integer providedValue) {
|
private overrideIntegerSetting(String key, Integer providedValue) {
|
||||||
if (providedValue != null) {
|
if (providedValue != null) {
|
||||||
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
||||||
setString(key, "${providedValue}")
|
setString(key, "${providedValue}")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private overrideBooleanBasedSettingWhenProvided(String key, Boolean providedValue) {
|
private overrideBooleanSetting(String key, Boolean providedValue) {
|
||||||
if (providedValue != null) {
|
if (providedValue != null) {
|
||||||
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
|
||||||
setBoolean(key, providedValue)
|
setBoolean(key, providedValue)
|
||||||
|
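Review bot: The new `overrideStringSetting(PROXY_PASSWORD, config.proxy.password)` call in `overrideProxySetting` routes the proxy credential through a helper whose unchanged body logs `Setting [${key}] overrided with value [${providedValue}]` at lifecycle level, so any configured proxy password is printed in plain build output and retained by whatever captures the CI log. The value should be masked for that key before logging, e.g. `def shown = (key == PROXY_PASSWORD) ? '****' : providedValue` followed by `logger.lifecycle("Setting [${key}] overridden with value [${shown}]")`, leaving `setString(key, providedValue)` as is. While touching those messages, "overrided" in the three helper variants should read "overridden". The enclosing DependencyCheckTask class begins before the first hunk of this file and `overrideBooleanSetting` is cut off at the end of the last one.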
|||||||
@@ -48,15 +48,15 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
|
|||||||
expect:
|
expect:
|
||||||
task.group == 'Dependency Check'
|
task.group == 'Dependency Check'
|
||||||
task.description == 'Produce dependency security report.'
|
task.description == 'Produce dependency security report.'
|
||||||
project.dependencyCheck.proxyServer == null
|
project.dependencyCheck.proxy.server == null
|
||||||
project.dependencyCheck.proxyPort == null
|
project.dependencyCheck.proxy.port == null
|
||||||
project.dependencyCheck.proxyUsername == null
|
project.dependencyCheck.proxy.username == null
|
||||||
project.dependencyCheck.proxyPassword == null
|
project.dependencyCheck.proxy.password == null
|
||||||
project.dependencyCheck.cveUrl12Modified == null
|
project.dependencyCheck.cve.url12Modified == null
|
||||||
project.dependencyCheck.cveUrl20Modified == null
|
project.dependencyCheck.cve.url20Modified == null
|
||||||
project.dependencyCheck.cveStartYear == null
|
project.dependencyCheck.cve.startYear == null
|
||||||
project.dependencyCheck.cveUrl12Base == null
|
project.dependencyCheck.cve.url12Base == null
|
||||||
project.dependencyCheck.cveUrl20Base == null
|
project.dependencyCheck.cve.url20Base == null
|
||||||
project.dependencyCheck.outputDirectory == './reports'
|
project.dependencyCheck.outputDirectory == './reports'
|
||||||
project.dependencyCheck.quickQueryTimestamp == null
|
project.dependencyCheck.quickQueryTimestamp == null
|
||||||
}
|
}
|
||||||
@@ -64,29 +64,35 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
|
|||||||
def 'tasks use correct values when extension is used'() {
|
def 'tasks use correct values when extension is used'() {
|
||||||
when:
|
when:
|
||||||
project.dependencyCheck {
|
project.dependencyCheck {
|
||||||
proxyServer = '127.0.0.1'
|
proxy {
|
||||||
proxyPort = 3128
|
server = '127.0.0.1'
|
||||||
proxyUsername = 'proxyUsername'
|
port = 3128
|
||||||
proxyPassword = 'proxyPassword'
|
username = 'proxyUsername'
|
||||||
cveUrl12Modified = 'cveUrl12Modified'
|
password = 'proxyPassword'
|
||||||
cveUrl20Modified = 'cveUrl20Modified'
|
}
|
||||||
cveStartYear = 2002
|
|
||||||
cveUrl12Base = 'cveUrl12Base'
|
cve {
|
||||||
cveUrl20Base = 'cveUrl20Base'
|
startYear = 2002
|
||||||
|
url12Base = 'cveUrl12Base'
|
||||||
|
url20Base = 'cveUrl20Base'
|
||||||
|
url12Modified = 'cveUrl12Modified'
|
||||||
|
url20Modified = 'cveUrl20Modified'
|
||||||
|
}
|
||||||
|
|
||||||
outputDirectory = 'outputDirectory'
|
outputDirectory = 'outputDirectory'
|
||||||
quickQueryTimestamp = false
|
quickQueryTimestamp = false
|
||||||
}
|
}
|
||||||
|
|
||||||
then:
|
then:
|
||||||
project.dependencyCheck.proxyServer == '127.0.0.1'
|
project.dependencyCheck.proxy.server == '127.0.0.1'
|
||||||
project.dependencyCheck.proxyPort == 3128
|
project.dependencyCheck.proxy.port == 3128
|
||||||
project.dependencyCheck.proxyUsername == 'proxyUsername'
|
project.dependencyCheck.proxy.username == 'proxyUsername'
|
||||||
project.dependencyCheck.proxyPassword == 'proxyPassword'
|
project.dependencyCheck.proxy.password == 'proxyPassword'
|
||||||
project.dependencyCheck.cveUrl12Modified == 'cveUrl12Modified'
|
project.dependencyCheck.cve.url12Modified == 'cveUrl12Modified'
|
||||||
project.dependencyCheck.cveUrl20Modified == 'cveUrl20Modified'
|
project.dependencyCheck.cve.url20Modified == 'cveUrl20Modified'
|
||||||
project.dependencyCheck.cveStartYear == 2002
|
project.dependencyCheck.cve.startYear == 2002
|
||||||
project.dependencyCheck.cveUrl12Base == 'cveUrl12Base'
|
project.dependencyCheck.cve.url12Base == 'cveUrl12Base'
|
||||||
project.dependencyCheck.cveUrl20Base == 'cveUrl20Base'
|
project.dependencyCheck.cve.url20Base == 'cveUrl20Base'
|
||||||
project.dependencyCheck.outputDirectory == 'outputDirectory'
|
project.dependencyCheck.outputDirectory == 'outputDirectory'
|
||||||
project.dependencyCheck.quickQueryTimestamp == false
|
project.dependencyCheck.quickQueryTimestamp == false
|
||||||
}
|
}
|
||||||
|
|||||||