updates to resolve issue #71 - added configuration for cve urls

Former-commit-id: 4074c6f54b8813166cbc24b8f51b2ab00a861f50
2026-01-15 00:03:43 +01:00 · 2014-02-15 07:50:00 -05:00
parent f16db8298b
commit 22e3b9b544
3 changed files with 97 additions and 10 deletions
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
@@ -248,7 +248,31 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
     */
    @Parameter(property = "skipProvidedScope", defaultValue = "false", required = false)
    private boolean skipProvidedScope = false;
-
+    /**
+     * The data directory, hold DC SQL DB.
+     */
+    @Parameter(property = "dataDirectory", defaultValue = "", required = false)
+    private String dataDirectory;
+    /**
+     * Data Mirror URL for CVE 1.2
+     */
+    @Parameter(property = "cveUrl12Modified", defaultValue = "", required = false)
+    private String cveUrl12Modified;
+    /**
+     * Data Mirror URL for CVE 2.0
+     */
+    @Parameter(property = "cveUrl20Modified", defaultValue = "", required = false)
+    private String cveUrl20Modified;
+    /**
+     * Base Data Mirror URL for CVE 1.2
+     */
+    @Parameter(property = "cveUrl12Base", defaultValue = "", required = false)
+    private String cveUrl12Base;
+    /**
+     * Data Mirror URL for CVE 2.0
+     */
+    @Parameter(property = "cveUrl20Base", defaultValue = "", required = false)
+    private String cveUrl20Base;

    // </editor-fold>
    /**
@@ -265,16 +289,19 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
        final Engine engine = new Engine();
        final Set<Artifact> artifacts = project.getArtifacts();
        for (Artifact a : artifacts) {
-            if (skipTestScope && Artifact.SCOPE_TEST.equals(a.getScope()))
-                    continue;
-
-            if (skipProvidedScope && Artifact.SCOPE_PROVIDED.equals(a.getScope()))
+            if (skipTestScope && Artifact.SCOPE_TEST.equals(a.getScope())) {
                continue;
+            }

-            if (skipRuntimeScope && !Artifact.SCOPE_RUNTIME.equals(a.getScope()))
+            if (skipProvidedScope && Artifact.SCOPE_PROVIDED.equals(a.getScope())) {
                continue;
+            }

-                engine.scan(a.getFile().getAbsolutePath());
+            if (skipRuntimeScope && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
+                continue;
+            }
+
+            engine.scan(a.getFile().getAbsolutePath());
        }
        engine.analyzeDependencies();
        return engine;
@@ -734,9 +761,30 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
        if (zipExtensions != null && !zipExtensions.isEmpty()) {
            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
        }
+
+        // Scope Exclusion
        Settings.setBoolean(Settings.KEYS.SKIP_TEST_SCOPE, skipTestScope);
        Settings.setBoolean(Settings.KEYS.SKIP_RUNTIME_SCOPE, skipRuntimeScope);
        Settings.setBoolean(Settings.KEYS.SKIP_PROVIDED_SCOPE, skipProvidedScope);
+
+        // Data Directory
+        if (dataDirectory != null && !dataDirectory.isEmpty()) {
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+        }
+
+        // CVE Data Mirroring
+        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
+        }
+        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
+        }
+        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
+        }
+        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
+        }
    }

    /**
--- a/dependency-check-maven/src/site/markdown/configuration.md
+++ b/dependency-check-maven/src/site/markdown/configuration.md
@@ -23,6 +23,11 @@ connectionString     | The connection string used to connect to the database. |
 databaseUser         | The username used when connecting to the database. |
 databasePassword     | The password used when connecting to the database. |
 zipExtensions        | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |
-skipTestScope | Should be skip analysis for artifacts with Test Scope (default: true) |
-skipProvidedScope | Should be skip analysis for artifacts with Provided Scope (default: false) |
-skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope (default: false) |
+skipTestScope | Should be skip analysis for artifacts with Test Scope | true
+skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false
+skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false
+dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |
+cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
--- a/dependency-check-maven/src/site/markdown/usage.md.vm
+++ b/dependency-check-maven/src/site/markdown/usage.md.vm
@@ -135,4 +135,38 @@ Create the DependencyCheck-report.html and skip artifacts no bundled in distribu
    ...
 </project>
 ```
+Example 5:
+---------------------
+Create the DependencyCheck-report.html and use internal mirroring of CVE contents
+
+```xml
+<project>
+    <build>
+        <plugins>
+            ...
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>${project.version}</version>
+                <configuration>
+                    <cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-modified.xml</cveUrl12Modified>
+                    <cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-modified.xml</cveUrl20Modified>
+                    <cveUrl12Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-%d.xml</cveUrl12Base>
+                    <cveUrl20Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-%d.xml</cveUrl20Base>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            ...
+        </plugins>
+        ...
+    </build>
+    ...
+</project>
+```