github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-17 09:06:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

merge owasp 1.4.1

Browse Source
This commit is contained in:
bjiang
2016-07-12 16:22:05 -04:00
parent 00d4ee47de f23003ead3
commit 2fa8507d69
105 changed files with 2246 additions and 482 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
View File

@@ -31,7 +31,6 @@ import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.util.zip.GZIPInputStream;
import java.util.zip.InflaterInputStream;
import static java.lang.String.format;
/**
@@ -46,7 +45,8 @@ public final class Downloader {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(Downloader.class);
/**
* The maximum number of redirects that will be followed when attempting to download a file.
* The maximum number of redirects that will be followed when attempting to
* download a file.
*/
private static final int MAX_REDIRECT_ATTEMPTS = 5;
@@ -71,7 +71,8 @@ public final class Downloader {
*
* @param url the URL of the file to download
* @param outputPath the path to the save the file to
* @throws DownloadFailedException is thrown if there is an error downloading the file
* @throws DownloadFailedException is thrown if there is an error
* downloading the file
*/
public static void fetchFile(URL url, File outputPath) throws DownloadFailedException {
fetchFile(url, outputPath, true);
@@ -82,8 +83,10 @@ public final class Downloader {
*
* @param url the URL of the file to download
* @param outputPath the path to the save the file to
* @param useProxy whether to use the configured proxy when downloading files
* @throws DownloadFailedException is thrown if there is an error downloading the file
* @param useProxy whether to use the configured proxy when downloading
* files
* @throws DownloadFailedException is thrown if there is an error
* downloading the file
*/
public static void fetchFile(URL url, File outputPath, boolean useProxy) throws DownloadFailedException {
if ("file".equalsIgnoreCase(url.getProtocol())) {
@@ -172,7 +175,7 @@ public final class Downloader {
}
LOGGER.debug("Download of {} complete", url.toString());
} catch (IOException ex) {
analyzeException(ex);
checkForSslExceptionn(ex);
final String msg = format("Error saving '%s' to file '%s'%nConnection Timeout: %d%nEncoding: %s%n",
url.toString(), outputPath.getAbsolutePath(), conn.getConnectTimeout(), encoding);
throw new DownloadFailedException(msg, ex);
@@ -205,14 +208,32 @@ public final class Downloader {
}
/**
* Makes an HTTP Head request to retrieve the last modified date of the given URL. If the file:// protocol is specified, then
* the lastTimestamp of the file is returned.
* Makes an HTTP Head request to retrieve the last modified date of the
* given URL. If the file:// protocol is specified, then the lastTimestamp
* of the file is returned.
*
* @param url the URL to retrieve the timestamp from
* @return an epoch timestamp
* @throws DownloadFailedException is thrown if an exception occurs making the HTTP request
* @throws DownloadFailedException is thrown if an exception occurs making
* the HTTP request
*/
public static long getLastModified(URL url) throws DownloadFailedException {
return getLastModified(url, false);
}
/**
* Makes an HTTP Head request to retrieve the last modified date of the
* given URL. If the file:// protocol is specified, then the lastTimestamp
* of the file is returned.
*
* @param url the URL to retrieve the timestamp from
* @param isRetry indicates if this is a retry - to prevent endless loop and
* stack overflow
* @return an epoch timestamp
* @throws DownloadFailedException is thrown if an exception occurs making
* the HTTP request
*/
private static long getLastModified(URL url, boolean isRetry) throws DownloadFailedException {
long timestamp = 0;
//TODO add the FTP protocol?
if ("file".equalsIgnoreCase(url.getProtocol())) {
@@ -240,17 +261,20 @@ public final class Downloader {
} catch (URLConnectionFailureException ex) {
throw new DownloadFailedException(format("Error creating URL Connection for HTTP %s request.", httpMethod), ex);
} catch (IOException ex) {
analyzeException(ex);
checkForSslExceptionn(ex);
LOGGER.debug("IO Exception: " + ex.getMessage(), ex);
if (ex.getCause() != null) {
LOGGER.debug("IO Exception cause: " + ex.getCause().getMessage(), ex.getCause());
}
try {
//retry
if (!Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP)) {
Settings.setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
return getLastModified(url);
if (!isRetry && Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP)) {
Settings.setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, false);
return getLastModified(url, true);
}
} catch (InvalidSettingException ex1) {
LOGGER.debug("invalid setting?", ex);
}
throw new DownloadFailedException(format("Error making HTTP %s request.", httpMethod), ex);
} finally {
if (conn != null) {
@@ -266,13 +290,15 @@ public final class Downloader {
}
/**
* Analyzes the IOException, logs the appropriate information for debugging purposes, and then throws a
* DownloadFailedException that wraps the IO Exception.
* Analyzes the IOException, logs the appropriate information for debugging
* purposes, and then throws a DownloadFailedException that wraps the IO
* Exception.
*
* @param ex the original exception
* @throws DownloadFailedException a wrapper exception that contains the original exception as the cause
* @throws DownloadFailedException a wrapper exception that contains the
* original exception as the cause
*/
protected static void analyzeException(IOException ex) throws DownloadFailedException {
protected static void checkForSslExceptionn(IOException ex) throws DownloadFailedException {
Throwable cause = ex;
while (cause != null) {
if (cause instanceof InvalidAlgorithmParameterException) {
@@ -300,7 +326,8 @@ public final class Downloader {
}
/**
* Determines if the HTTP method GET or HEAD should be used to check the timestamp on external resources.
* Determines if the HTTP method GET or HEAD should be used to check the
* timestamp on external resources.
*
* @return true if configured to use HEAD requests
*/

13
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -99,6 +99,13 @@ public final class Settings {
* The database schema version.
*/
public static final String DB_VERSION = "data.version";
/**
* The starts with filter used to exclude CVE entries from the database.
* By default this is set to 'cpe:/a:' which limits the CVEs imported to
* just those that are related to applications. If this were set to just
* 'cpe:' the OS, hardware, and application related CVEs would be imported.
*/
public static final String CVE_CPE_STARTS_WITH_FILTER = "cve.cpe.startswith.filter";
/**
* The properties key for the URL to retrieve the "meta" data from about the CVE entries.
*/
@@ -182,9 +189,13 @@ public final class Settings {
*/
public static final String MAX_DOWNLOAD_THREAD_POOL_SIZE = "max.download.threads";
/**
* The key for a list of suppression files.
* The key for the suppression file.
*/
public static final String SUPPRESSION_FILE = "suppression.file";
/**
* The key for the hint file.
*/
public static final String HINTS_FILE = "hints.file";
/**
* The properties key for whether the Jar Analyzer is enabled.
*/