Merge pull request #305 from wmaintw/master

[new pull request] Implement configuration item "quickQueryTimpstamp" in grade plugin

dependency-check-gradle/.gitignore

@@ -1,5 +1,6 @@
 .idea/
 .gradle
+gradle/
 
 *.iml
 *.ipr

dependency-check-gradle/README.md

@@ -7,6 +7,8 @@ This is a DependencyCheck gradle plugin designed for project which use Gradle as
 
 Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
 
+Current latest version is `0.0.6`
+
 =========
 
 ## Usage
@@ -15,7 +17,7 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera
 
 Please refer to either one of the solution
 
-#### Solution 1，Install from Maven Central
+#### Solution 1，Install from Maven Central (Recommended)
 
 ```groovy
 buildscript {
@@ -23,7 +25,7 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath 'com.thoughtworks.tools:dependency-check:0.0.5'
+        classpath 'com.thoughtworks.tools:dependency-check:0.0.6'
     }
 }
 ```
@@ -38,7 +40,7 @@ apply plugin: 'dependency.check'
 
 ```groovy
 plugins {
-    id "dependency.check" version "0.0.5"
+    id "dependency.check" version "0.0.6"
 }
 ```
 
@@ -52,11 +54,11 @@ buildscript {
     }
   }
   dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
   }
 }
 
-apply plugin: "dependency.check"
+apply plugin: "dependency-check"
 ```
 
 #### Solution 3，Install from Bintray
@@ -73,7 +75,7 @@ buildscript {
     }
     dependencies {
         classpath(
-                'com.tools.security:dependency-check:0.0.5'
+                'com.tools.security:dependency-check:0.0.6'
         )
     }
 }
@@ -115,6 +117,19 @@ dependencyCheck {
 }
 ```
 
+In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
+ the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
+ and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
+
+```groovy
+dependencyCheck {
+    proxyServer = "127.0.0.1"      // required, the server name or IP address of the proxy
+    proxyPort = 3128               // required, the port number of the proxy
+
+    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
+}
+```
+
 ### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
 
 Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
@@ -127,7 +142,7 @@ buildscript {
     mavenCentral()
   }
   dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
   }
 }
 
@@ -144,7 +159,7 @@ buildscript {
     mavenCentral()
   }
   dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
   }
 }
 

dependency-check-gradle/build.gradle

@@ -46,23 +46,15 @@ dependencies {
     compile(
             localGroovy(),
             gradleApi(),
-            'org.owasp:dependency-check-core:1.2.11',
-            'org.owasp:dependency-check-utils:1.2.11'
+            'org.owasp:dependency-check-core:1.3.0',
+            'org.owasp:dependency-check-utils:1.3.0'
     )
 
-    testCompile ('com.netflix.nebula:nebula-test:2.2.+'){
+    testCompile ('com.netflix.nebula:nebula-test:2.2.2'){
         exclude group: 'org.codehaus.groovy'
     }
 }
 
-group = 'com.thoughtworks.tools'
-version = '0.0.5'
-
-apply from: 'conf/publish/local.gradle'
-//apply from: 'conf/publish/maven.gradle'
-apply from: 'conf/publish/gradlePluginsPortal.gradle'
-//apply from: 'conf/publish/bintray.gradle'        // according to the documentation of plugindev, this line has to be placed and the very end of the build file
-
 sourceSets {
     integTest {
         groovy.srcDir file('src/integTest/groovy')
@@ -78,4 +70,12 @@ task integTest(type: Test) {
     classpath = sourceSets.integTest.runtimeClasspath
     reports.html.destination = file("$buildDir/reports/integ")
     jvmArgs '-XX:MaxPermSize=256m'
-}
+}
+
+group = 'com.thoughtworks.tools'
+version = '0.0.6'
+
+apply from: 'conf/publish/local.gradle'
+//apply from: 'conf/publish/maven.gradle'
+apply from: 'conf/publish/gradlePluginsPortal.gradle'
+//apply from: 'conf/publish/bintray.gradle'        // according to the documentation of plugindev, this line has to be placed and the very end of the build file

dependency-check-gradle/conf/publish/maven.gradle

@@ -66,6 +66,11 @@ task javadocJar(type: Jar) {
     from javadoc
 }
 
+task sourcesJar(type: Jar, dependsOn: classes) {
+    classifier = 'sources'
+    from sourceSets.main.allSource
+}
+
 artifacts {
     archives javadocJar, sourcesJar
 }

dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy

@@ -31,4 +31,6 @@ class DependencyCheckConfigurationExtension {
     String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz"
 
     String outputDirectory = "./reports"
+
+    Boolean quickQueryTimestamp = true;
 }

dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy

@@ -49,6 +49,7 @@ class DependencyCheckGradlePlugin implements Plugin<Project> {
             conventionMapping.cveUrl12Base = { extension.cveUrl12Base }
             conventionMapping.cveUrl20Base = { extension.cveUrl20Base }
             conventionMapping.outputDirectory = { extension.outputDirectory }
+            conventionMapping.quickQueryTimestamp = { extension.quickQueryTimestamp }
         }
     }
 }

dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy

@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.dependency.Dependency
 import org.owasp.dependencycheck.reporting.ReportGenerator
 import org.owasp.dependencycheck.utils.Settings
 
+import static org.owasp.dependencycheck.utils.Settings.setBoolean
 import static org.owasp.dependencycheck.utils.Settings.setString
 
 class DependencyCheckTask extends DefaultTask {
@@ -47,6 +48,8 @@ class DependencyCheckTask extends DefaultTask {
 
     String outputDirectory = "./reports"
 
+    Boolean quickQueryTimestamp = true;
+
     DependencyCheckTask() {
         group = 'Dependency Check'
         description = 'Produce dependency security report.'
@@ -73,6 +76,7 @@ class DependencyCheckTask extends DefaultTask {
         Settings.initialize()
         overrideProxySetting()
         overrideCveUrlSetting()
+        overrideDownloaderSetting()
     }
 
     def cleanup(engine) {
@@ -140,4 +144,8 @@ class DependencyCheckTask extends DefaultTask {
         setString(Settings.KEYS.CVE_SCHEMA_2_0, getCveUrl20Base())
         setString(Settings.KEYS.CVE_SCHEMA_1_2, getCveUrl12Base())
     }
+
+    def overrideDownloaderSetting() {
+        setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, getQuickQueryTimestamp())
+    }
 }

dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties

@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-gradle.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2015 Wei Ma. All Rights Reserved.
+#
+
+implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin

dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy

@@ -58,6 +58,7 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
         task.cveUrl12Base == 'https://nvd.nist.gov/download/nvdcve-%d.xml.gz'
         task.cveUrl20Base == 'https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz'
         task.outputDirectory == './reports'
+        task.quickQueryTimestamp == true
     }
 
     def 'tasks use correct values when extension is used'() {
@@ -73,6 +74,7 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
             cveUrl12Base = 'cveUrl12Base'
             cveUrl20Base = 'cveUrl20Base'
             outputDirectory = 'outputDirectory'
+            quickQueryTimestamp = false
         }
 
         then:
@@ -87,5 +89,6 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
         task.cveUrl12Base == 'cveUrl12Base'
         task.cveUrl20Base == 'cveUrl20Base'
         task.outputDirectory == 'outputDirectory'
+        task.quickQueryTimestamp == false
     }
 }