From 810530fabdafc98234f89ca465aa3b09a24c9309 Mon Sep 17 00:00:00 2001
From: ma wei
Date: Fri, 7 Aug 2015 10:08:37 +0800
Subject: [PATCH 1/7] upgrade dependency check core and utils version to 1.3.0

---
 dependency-check-gradle/build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle
index 2c0d302a9..c447bc8ec 100644
--- a/dependency-check-gradle/build.gradle
+++ b/dependency-check-gradle/build.gradle
@@ -46,8 +46,8 @@ dependencies {
     compile(
         localGroovy(),
         gradleApi(),
-        'org.owasp:dependency-check-core:1.2.11',
-        'org.owasp:dependency-check-utils:1.2.11'
+        'org.owasp:dependency-check-core:1.3.0',
+        'org.owasp:dependency-check-utils:1.3.0'
     )
 
     testCompile ('com.netflix.nebula:nebula-test:2.2.+'){
@@ -78,4 +78,4 @@ task integTest(type: Test) {
     classpath = sourceSets.integTest.runtimeClasspath
     reports.html.destination = file("$buildDir/reports/integ")
     jvmArgs '-XX:MaxPermSize=256m'
-}
\ No newline at end of file
+}

From 62a0b8da90596a486bf5e5c25878b54833be5626 Mon Sep 17 00:00:00 2001
From: ma wei
Date: Fri, 7 Aug 2015 10:09:40 +0800
Subject: [PATCH 2/7] add configuration, let user has ability to control HTTP method used during the update process to avoid proxy problem

---
 .../DependencyCheckConfigurationExtension.groovy | 2 ++
 .../security/plugin/DependencyCheckGradlePlugin.groovy | 1 +
 .../com/tools/security/tasks/DependencyCheckTask.groovy | 8 ++++++++
 .../plugin/DependencyCheckGradlePluginSpec.groovy | 3 +++
 4 files changed, 14 insertions(+)

diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
index 8e7a29ce3..e86f66e25 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
@@ -31,4 +31,6 @@ class DependencyCheckConfigurationExtension {
     String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz"
     String outputDirectory = "./reports"
 
+
+    Boolean quickQueryTimestamp = true;
 }
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
index 937226401..2274c9af4 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
@@ -49,6 +49,7 @@ class DependencyCheckGradlePlugin implements Plugin {
             conventionMapping.cveUrl12Base = { extension.cveUrl12Base }
             conventionMapping.cveUrl20Base = { extension.cveUrl20Base }
             conventionMapping.outputDirectory = { extension.outputDirectory }
+            conventionMapping.quickQueryTimestamp = { extension.quickQueryTimestamp }
         }
     }
 }
\ No newline at end of file
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
index c76f1ab92..3e371ec81 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.dependency.Dependency
 import org.owasp.dependencycheck.reporting.ReportGenerator
 import org.owasp.dependencycheck.utils.Settings
 
+import static org.owasp.dependencycheck.utils.Settings.setBoolean
 import static org.owasp.dependencycheck.utils.Settings.setString
 
 class DependencyCheckTask extends DefaultTask {
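Review bot: `Boolean quickQueryTimestamp = true;` in DependencyCheckConfigurationExtension is declared with a boxed type and a trailing semicolon, while the visible neighbouring field `String outputDirectory = "./reports"` sets the file's plain-declaration style; the boxed type also accepts `null` from a build script, and the task in this same series hands the value straight to `Settings.setBoolean`. A primitive `boolean quickQueryTimestamp = true` matches the surrounding style and removes the null case. Because the key name does not explain the trade-off, a one-line comment on the field would spare readers the README lookup: `// false: probe the NVD feed timestamp with HTTP GET instead of HEAD, for proxies that reject HEAD`. The class header lies outside this hunk.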
@@ -47,6 +48,8 @@ class DependencyCheckTask extends DefaultTask {
 
     String outputDirectory = "./reports"
 
+    Boolean quickQueryTimestamp = true;
+
     DependencyCheckTask() {
         group = 'Dependency Check'
         description = 'Produce dependency security report.'
@@ -73,6 +76,7 @@ class DependencyCheckTask extends DefaultTask {
         Settings.initialize()
         overrideProxySetting()
         overrideCveUrlSetting()
+        overrideDownloaderSetting()
     }
 
     def cleanup(engine) {
@@ -140,4 +144,8 @@ class DependencyCheckTask extends DefaultTask {
         setString(Settings.KEYS.CVE_SCHEMA_2_0, getCveUrl20Base())
         setString(Settings.KEYS.CVE_SCHEMA_1_2, getCveUrl12Base())
     }
+
+    def overrideDownloaderSetting() {
+        setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, getQuickQueryTimestamp())
+    }
 }
diff --git a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
index 892285197..6a9666240 100644
--- a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
+++ b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
@@ -58,6 +58,7 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
         task.cveUrl12Base == 'https://nvd.nist.gov/download/nvdcve-%d.xml.gz'
         task.cveUrl20Base == 'https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz'
         task.outputDirectory == './reports'
+        task.quickQueryTimestamp == true
     }
 
     def 'tasks use correct values when extension is used'() {
@@ -73,6 +74,7 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
             cveUrl12Base = 'cveUrl12Base'
             cveUrl20Base = 'cveUrl20Base'
             outputDirectory = 'outputDirectory'
+            quickQueryTimestamp = false
         }
 
         then:
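Review bot: `overrideDownloaderSetting()` passes the boxed `Boolean` task property straight into `setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, getQuickQueryTimestamp())`, so a build script that sets `quickQueryTimestamp = null` presumably fails during configuration with an unboxing or argument-type error that never names the property. The visible `String outputDirectory` field is a plain declaration, so `boolean quickQueryTimestamp = true` (dropping the stray semicolon) both matches it and makes the null case impossible; otherwise guard the call with `if (getQuickQueryTimestamp() != null)`. The new method also deserves a why-comment, since the settings key alone does not say what is being traded: `// false switches the NVD timestamp probe from HTTP HEAD to GET; some proxies reject HEAD (see README)`. The class body continues outside these hunks.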
@@ -87,5 +89,6 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
         task.cveUrl12Base == 'cveUrl12Base'
         task.cveUrl20Base == 'cveUrl20Base'
         task.outputDirectory == 'outputDirectory'
+        task.quickQueryTimestamp == false
     }
 }

From 0472471ac984ac25520668c336bf8e93abcac26b Mon Sep 17 00:00:00 2001
From: ma wei
Date: Fri, 7 Aug 2015 10:11:34 +0800
Subject: [PATCH 3/7] update the gradle plugin version to 0.0.6

---
 dependency-check-gradle/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle
index c447bc8ec..ed71a7c3d 100644
--- a/dependency-check-gradle/build.gradle
+++ b/dependency-check-gradle/build.gradle
@@ -56,7 +56,7 @@ dependencies {
 }
 
 group = 'com.thoughtworks.tools'
-version = '0.0.5'
+version = '0.0.6'
 
 apply from: 'conf/publish/local.gradle'
 //apply from: 'conf/publish/maven.gradle'

From d1dbde28907530cd80c3b4151000f44816ea983e Mon Sep 17 00:00:00 2001
From: ma wei
Date: Fri, 7 Aug 2015 10:13:00 +0800
Subject: [PATCH 4/7] fix issue that fail to publish gradle plugin to maven central

---
 dependency-check-gradle/build.gradle | 18 +++++++++---------
 .../conf/publish/maven.gradle | 5 +++++
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle
index ed71a7c3d..18f7454a7 100644
--- a/dependency-check-gradle/build.gradle
+++ b/dependency-check-gradle/build.gradle
@@ -50,19 +50,11 @@ dependencies {
         'org.owasp:dependency-check-utils:1.3.0'
     )
 
-    testCompile ('com.netflix.nebula:nebula-test:2.2.+'){
+    testCompile ('com.netflix.nebula:nebula-test:2.2.2'){
         exclude group: 'org.codehaus.groovy'
     }
 }
 
-group = 'com.thoughtworks.tools'
-version = '0.0.6'
-
-apply from: 'conf/publish/local.gradle'
-//apply from: 'conf/publish/maven.gradle'
-apply from: 'conf/publish/gradlePluginsPortal.gradle'
-//apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file
-
 sourceSets {
     integTest {
         groovy.srcDir file('src/integTest/groovy')
@@ -79,3 +71,11 @@ task integTest(type: Test) {
     reports.html.destination = file("$buildDir/reports/integ")
     jvmArgs '-XX:MaxPermSize=256m'
 }
+
+group = 'com.thoughtworks.tools'
+version = '0.0.6'
+
+apply from: 'conf/publish/local.gradle'
+//apply from: 'conf/publish/maven.gradle'
+apply from: 'conf/publish/gradlePluginsPortal.gradle'
+//apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file
\ No newline at end of file
diff --git a/dependency-check-gradle/conf/publish/maven.gradle b/dependency-check-gradle/conf/publish/maven.gradle
index 5f9787387..462ced0f7 100644
--- a/dependency-check-gradle/conf/publish/maven.gradle
+++ b/dependency-check-gradle/conf/publish/maven.gradle
@@ -66,6 +66,11 @@ task javadocJar(type: Jar) {
     from javadoc
 }
 
+task sourcesJar(type: Jar, dependsOn: classes) {
+    classifier = 'sources'
+    from sourceSets.main.allSource
+}
+
 artifacts {
     archives javadocJar, sourcesJar
 }

From 706967147156d2ced8355c1a20d19eeb89ab1947 Mon Sep 17 00:00:00 2001
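Review bot: The relocated publish block in the second build.gradle hunk ends on the `+//apply from: 'conf/publish/bintray.gradle' ...` line followed by `\ No newline at end of file`, which reintroduces the missing trailing newline that patch 1 of this series had just removed from the same file; please terminate the last line. While touching that comment, "has to be placed and the very end of the build file" should read "at the very end", and a shorter form would carry the same reason, e.g. `// plugindev requires this apply to be the last statement in the build file`. Pinning `nebula-test` to `2.2.2` instead of the dynamic `2.2.+` in the first hunk is a welcome reproducibility improvement.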
From: ma wei
Date: Fri, 7 Aug 2015 10:13:27 +0800
Subject: [PATCH 5/7] fix issue that fail to publish gradle plugin to gradle plugin portal

---
 .../dependency.check.properties | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties

diff --git a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties
new file mode 100644
index 000000000..877c70050
--- /dev/null
+++ b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties
@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-gradle.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2015 Wei Ma. All Rights Reserved.
+#
+
+implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin
\ No newline at end of file

From 7837718d04d1a7a56b4ff3489fda6bc9445e3b81 Mon Sep 17 00:00:00 2001
From: ma wei
Date: Fri, 7 Aug 2015 10:13:53 +0800
Subject: [PATCH 6/7] update README file

---
 dependency-check-gradle/README.md | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md
index ead2a50af..7707db3ec 100644
--- a/dependency-check-gradle/README.md
+++ b/dependency-check-gradle/README.md
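Review bot: The plugin id this descriptor registers is its file name, `dependency.check`, so only `apply plugin: 'dependency.check'` (or `plugins { id "dependency.check" }`) resolves to `com.tools.security.plugin.DependencyCheckGradlePlugin` through it; the README patch later in this series changes one example to `apply plugin: "dependency-check"` and an existing paragraph already uses that spelling, so unless a second `dependency-check.properties` descriptor exists outside this series those examples will fail with an unknown plugin id — worth confirming before the 0.0.6 release. The file also lacks a trailing newline. A comment above the property would tie the id and the file name together for the next maintainer: `# plugin id = this file's base name; apply with: apply plugin: 'dependency.check'`.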
@@ -7,6 +7,8 @@ This is a DependencyCheck gradle plugin designed for project which use Gradle as
 Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
 
 
+Current latest version is `0.0.6`
+
 =========
 
 ## Usage
@@ -15,7 +17,7 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera
 
 Please refer to either one of the solution
 
-#### Solution 1,Install from Maven Central
+#### Solution 1,Install from Maven Central (Recommended)
 
 ```groovy
 buildscript {
@@ -23,7 +25,7 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath 'com.thoughtworks.tools:dependency-check:0.0.5'
+        classpath 'com.thoughtworks.tools:dependency-check:0.0.6'
     }
 }
 ```
@@ -38,7 +40,7 @@ apply plugin: 'dependency.check'
 
 ```groovy
 plugins {
-    id "dependency.check" version "0.0.5"
+    id "dependency.check" version "0.0.6"
 }
 ```
 
@@ -52,11 +54,11 @@ buildscript {
         }
     }
     dependencies {
-        classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
+        classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
     }
 }
 
-apply plugin: "dependency.check"
+apply plugin: "dependency-check"
 ```
 
 #### Solution 3,Install from Bintray
@@ -73,7 +75,7 @@ buildscript {
     }
     dependencies {
         classpath(
-            'com.tools.security:dependency-check:0.0.5'
+            'com.tools.security:dependency-check:0.0.6'
         )
     }
 }
@@ -115,6 +117,19 @@ dependencyCheck {
 }
 ```
 
+In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
+ the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
+ and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
+
+```groovy
+dependencyCheck {
+    proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
+    proxyPort = 3128 // required, the port number of the proxy
+
+    quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
+}
+```
+
 ### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
 
 Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
@@ -127,7 +142,7 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
+        classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
     }
 }
 
@@ -144,7 +159,7 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5"
+        classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6"
     }
 }
 

From c39eec32f2d02cde0fa91e6a542dfb32705a2fd9 Mon Sep 17 00:00:00 2001
From: ma wei
Date: Fri, 7 Aug 2015 10:14:34 +0800
Subject: [PATCH 7/7] ignore gradle generated temporary files

---
 dependency-check-gradle/.gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dependency-check-gradle/.gitignore b/dependency-check-gradle/.gitignore
index 2a132566c..487d7533f 100644
--- a/dependency-check-gradle/.gitignore
+++ b/dependency-check-gradle/.gitignore
@@ -1,5 +1,6 @@
 .idea/
 .gradle
+gradle/
 *.iml
 *.ipr