Merge pull request #589 from pierre-ernst/master

Hardening

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -255,7 +255,10 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
             // Try evacuating the error stream
             IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
 
-            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        	factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
+    		final DocumentBuilder builder = factory.newDocumentBuilder();       
+            final Document doc = builder.parse(p.getInputStream());
             final XPath xpath = XPathFactory.newInstance().newXPath();
             final String error = xpath.evaluate("/assembly/error", doc);
             if (p.waitFor() != 1 || error == null || error.isEmpty()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java

@@ -110,8 +110,9 @@ public class CentralSearch {
         if (conn.getResponseCode() == 200) {
             boolean missing = false;
             try {
-                final DocumentBuilder builder = DocumentBuilderFactory
-                        .newInstance().newDocumentBuilder();
+            	DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            	factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
+        		final DocumentBuilder builder = factory.newDocumentBuilder();
                 final Document doc = builder.parse(conn.getInputStream());
                 final XPath xpath = XPathFactory.newInstance().newXPath();
                 final String numFound = xpath.evaluate("/response/result/@numFound", doc);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -108,8 +108,9 @@ public class NexusSearch {
 
         if (conn.getResponseCode() == 200) {
             try {
-                final DocumentBuilder builder = DocumentBuilderFactory
-                        .newInstance().newDocumentBuilder();
+            	DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            	factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
+        		final DocumentBuilder builder = factory.newDocumentBuilder();
                 final Document doc = builder.parse(conn.getInputStream());
                 final XPath xpath = XPathFactory.newInstance().newXPath();
                 final String groupId = xpath

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java

@@ -56,7 +56,10 @@ public class XPathNuspecParser implements NuspecParser {
     @Override
     public NugetPackage parse(InputStream stream) throws NuspecParseException {
         try {
-            final Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream);
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
+            final Document d = factory.newDocumentBuilder().parse(stream);
+            
             final XPath xpath = XPathFactory.newInstance().newXPath();
             final NugetPackage nuspec = new NugetPackage();
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java

@@ -117,7 +117,8 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
     private List<Cpe> processXML(final File xml) throws UpdateException {
         try {
             final SAXParserFactory factory = SAXParserFactory.newInstance();
-            final SAXParser saxParser = factory.newSAXParser();
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
+    		final SAXParser saxParser = factory.newSAXParser();
             final CPEHandler handler = new CPEHandler();
             saxParser.parse(xml, handler);
             return handler.getData();

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java

@@ -138,6 +138,7 @@ public class ProcessTask implements Callable<ProcessTask> {
             SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
 
         final SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
         final SAXParser saxParser = factory.newSAXParser();
 
         final NvdCve12Handler cve12Handler = new NvdCve12Handler();

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java

@@ -109,7 +109,8 @@ public class HintParser {
             schemaStream = this.getClass().getClassLoader().getResourceAsStream(HINT_SCHEMA);
             final HintHandler handler = new HintHandler();
             final SAXParserFactory factory = SAXParserFactory.newInstance();
-            factory.setNamespaceAware(true);
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
+    		factory.setNamespaceAware(true);
             factory.setValidating(true);
             final SAXParser saxParser = factory.newSAXParser();
             saxParser.setProperty(HintParser.JAXP_SCHEMA_LANGUAGE, HintParser.W3C_XML_SCHEMA);

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java

@@ -85,6 +85,7 @@ public class PomParser {
             final SAXParserFactory factory = SAXParserFactory.newInstance();
 //            factory.setNamespaceAware(true);
 //            factory.setValidating(true);
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
             final SAXParser saxParser = factory.newSAXParser();
             final XMLReader xmlReader = saxParser.getXMLReader();
             xmlReader.setContentHandler(handler);

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java

@@ -128,6 +128,7 @@ public class SuppressionParser {
             final SAXParserFactory factory = SAXParserFactory.newInstance();
             factory.setNamespaceAware(true);
             factory.setValidating(true);
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);	
             final SAXParser saxParser = factory.newSAXParser();
             saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_LANGUAGE, SuppressionParser.W3C_XML_SCHEMA);
             saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_SOURCE, new InputSource(schemaStream));

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -4,7 +4,7 @@ autoupdate=true
 max.download.threads=3
 
 # the url to obtain the current engine version from
-engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
+engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt
 
 #temp.directory defaults to System.getProperty("java.io.tmpdir")
 #temp.directory=[path to temp directory]
@@ -62,7 +62,7 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 cve.cpe.startswith.filter=cpe:/a:
 
 cpe.validfordays=30
-cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
+cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
 
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
@@ -73,7 +73,7 @@ analyzer.nexus.proxy=true
 
 # the URL for searching search.maven.org for SHA-1 and whether it's enabled
 analyzer.central.enabled=true
-analyzer.central.url=http://search.maven.org/solrsearch/select
+analyzer.central.url=https://search.maven.org/solrsearch/select
 
 # the number of nested archives that will be searched.
 archive.scan.depth=3