From 61ac81518abcd1424b2adfa237887e3c84eb1ee0 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 12:27:38 -0400 Subject: [PATCH 1/6] Docs: Added Ruby and Node.js to landing page. Added table row for Node.js in Analyzers list. --- src/site/markdown/analyzers/index.md | 1 + src/site/markdown/index.md | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 298c2cd22..45d4a4c14 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md @@ -11,6 +11,7 @@ to extract identification information from the files analyzed. | [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | | [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | | [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. | +| [Node.js Package Analyzer](./nodejs-analyzer.html) | NPM package specification files (package.json) | Parse JSON format for metadata. | | [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. | | [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. | | [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | 
diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index b5e4caaaf..d730d711a 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -2,11 +2,11 @@ About ==================== OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). -Dependency-check can currently be used to scan Java, .NET, and Python -applications (and their dependent libraries) to identify known vulnerable -components. In addition, Dependency-check can be used to scan some source -code, including OpenSSL source code and source code for projects that use -Autoconf. +Dependency-check can currently be used to scan Java, .NET, Python, Ruby and +Node.js applications (and their dependent libraries) to identify known +vulnerable components. In addition, Dependency-check can be used to scan some +source code, including OpenSSL source code and source code for projects that +use Autoconf. The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of From 4a3061db6dda112daab1988bc4b06e87cfed0705 Mon Sep 17 00:00:00 2001 
From: Dale Visser Date: Wed, 26 Aug 2015 13:54:15 -0400 Subject: [PATCH 2/6] Docs: Added CMake to landing page, and links to Autoconf and CMake. Added missing analyzers to analyzers list. Shortened my analyzer URLs, though not all in site index yet. --- .../{autoconf-analyzer.md => autoconf.md} | 0 src/site/markdown/analyzers/index.md | 22 ++++++++++--------- .../{openssl-analyzer.md => openssl.md} | 0 .../{python-analyzer.md => python.md} | 0 src/site/markdown/index.md | 3 ++- src/site/site.xml | 2 +- 6 files changed, 15 insertions(+), 12 deletions(-) rename src/site/markdown/analyzers/{autoconf-analyzer.md => autoconf.md} (100%) rename src/site/markdown/analyzers/{openssl-analyzer.md => openssl.md} (100%) rename src/site/markdown/analyzers/{python-analyzer.md => python.md} (100%) diff --git a/src/site/markdown/analyzers/autoconf-analyzer.md b/src/site/markdown/analyzers/autoconf.md similarity index 100% rename from src/site/markdown/analyzers/autoconf-analyzer.md rename to src/site/markdown/analyzers/autoconf.md diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 45d4a4c14..b2384f102 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md 
@@ -5,13 +5,15 @@ to extract identification information from the files analyzed. | Analyzer | File Types Scanned | Analysis Method | | -------- | ------------------ | --------------- | -| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. | -| [Assembly Analyzer](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. | -| [Autoconf Analyzer](./autoconf-analyzer.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. | -| [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | -| [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | -| [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. | -| [Node.js Package Analyzer](./nodejs-analyzer.html) | NPM package specification files (package.json) | Parse JSON format for metadata. | -| [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. | -| [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. 
| -| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | +| [Archive](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. | +| [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. | +| [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. | +| [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | +| [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. | +| [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | +| [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . | +| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. | +| [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. 
| +| [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. | +| [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | +| [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. | \ No newline at end of file diff --git a/src/site/markdown/analyzers/openssl-analyzer.md b/src/site/markdown/analyzers/openssl.md similarity index 100% rename from src/site/markdown/analyzers/openssl-analyzer.md rename to src/site/markdown/analyzers/openssl.md diff --git a/src/site/markdown/analyzers/python-analyzer.md b/src/site/markdown/analyzers/python.md similarity index 100% rename from src/site/markdown/analyzers/python-analyzer.md rename to src/site/markdown/analyzers/python.md diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index d730d711a..ac5e186e8 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -6,7 +6,8 @@ Dependency-check can currently be used to scan Java, .NET, Python, Ruby and Node.js applications (and their dependent libraries) to identify known vulnerable components. In addition, Dependency-check can be used to scan some source code, including OpenSSL source code and source code for projects that -use Autoconf. +use [Autoconf](https://www.gnu.org/software/autoconf/) or +[CMake](http://www.cmake.org/overview/). The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of diff --git a/src/site/site.xml b/src/site/site.xml index 314bf2cbf..9a1e84a98 100644 --- a/src/site/site.xml +++ b/src/site/site.xml 
@@ -113,7 +113,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Assembly Analyzer - + Autoconf Analyzer From 6ca8e2644a3d6cf11e775fed56e1845218a4fa10 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 13:59:28 -0400 Subject: [PATCH 3/6] Docs: Fixed sidebar links to OpenSSL and Python analyzer pages. --- src/site/site.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/site/site.xml b/src/site/site.xml index 9a1e84a98..d01be7572 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -128,12 +128,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Nuspec Analyzer - - Python Analyzer - - + OpenSSL Analyzer + + Python Analyzer + From 0fdf377d45a89c915199c7618ab759f3c37aeb5e Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 14:11:30 -0400 Subject: [PATCH 4/6] Docs: Added CMake analyzer page. --- src/site/markdown/analyzers/cmake.md | 11 +++++++++++ src/site/site.xml | 3 +++ 2 files changed, 14 insertions(+) create mode 100644 src/site/markdown/analyzers/cmake.md diff --git a/src/site/markdown/analyzers/cmake.md b/src/site/markdown/analyzers/cmake.md new file mode 100644 index 000000000..2cc0a1889 --- /dev/null +++ b/src/site/markdown/analyzers/cmake.md @@ -0,0 +1,11 @@ +CMake Analyzer +============== + +OWASP dependency-check includes an analyzer that will scan CMake project +configuration files. The analyzer will collect as much information it can +about the project. The information collected is internally referred to as +evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +File names scanned: CMakeLists.txt, \*.cmake diff --git a/src/site/site.xml b/src/site/site.xml index d01be7572..bde648d43 100644 --- a/src/site/site.xml +++ b/src/site/site.xml 
@@ -119,6 +119,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Central Analyzer + + CMake Analyzer + Jar Analyzer From 62c05049a7c4a50dd05f6a945dbd659afc43cb23 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 14:25:32 -0400 Subject: [PATCH 5/6] Docs: Added node.js page, fixed typos in Python page. --- src/site/markdown/analyzers/nodejs.md | 14 ++++++++++++++ src/site/markdown/analyzers/python.md | 13 +++++++------ src/site/site.xml | 3 +++ 3 files changed, 24 insertions(+), 6 deletions(-) create mode 100644 src/site/markdown/analyzers/nodejs.md diff --git a/src/site/markdown/analyzers/nodejs.md b/src/site/markdown/analyzers/nodejs.md new file mode 100644 index 000000000..e987d7541 --- /dev/null +++ b/src/site/markdown/analyzers/nodejs.md @@ -0,0 +1,14 @@ +Node.js Analyzer +================ + +OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/) +package specification files. The analyzer(s) will collect as much information +it can about the package. The information collected is internally referred to +as evidence and is grouped into vendor, product, and version buckets. Other +analyzers later use this evidence to identify any Common Platform Enumeration +(CPE) identifiers that apply. + +__Note:__ Also consider using the Node Security Project auditing tool, +[nsp](https://nodesecurity.io/tools). + +Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json) diff --git a/src/site/markdown/analyzers/python.md b/src/site/markdown/analyzers/python.md index af77720aa..7ad7eeee8 100644 --- a/src/site/markdown/analyzers/python.md +++ b/src/site/markdown/analyzers/python.md 
@@ -1,10 +1,11 @@ Python Analyzer ============== -OWASP dependency-check includes an analyzer that will scan Python artifacts. The -analyzer(s) will collect as much information it can about the python artifacts. -The information collected is internally referred to as evidence and is grouped into -vendor, product, and version buckets. Other analyzers later use this evidence to -identify any Common Platform Enumeration (CPE) identifiers that apply. +OWASP dependency-check includes an analyzer that will scan Python artifacts. +The analyzer(s) will collect as much information it can about the Python +artifacts. The information collected is internally referred to as evidence and +is grouped into vendor, product, and version buckets. Other analyzers later +use this evidence to identify any Common Platform Enumeration (CPE) +identifiers that apply. -Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA +Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA \ No newline at end of file diff --git a/src/site/site.xml b/src/site/site.xml index bde648d43..78750b929 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -128,6 +128,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Nexus Analyzer + + Node.js Analyzer + Nuspec Analyzer From 1fffebd497d6b911337c381d6416634ecfdcf692 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 26 Aug 2015 14:40:36 -0400 Subject: [PATCH 6/6] Docs: Added Ruby Gemspec analyzer page, fixed typos on Node.js page. --- src/site/markdown/analyzers/nodejs.md | 2 +- src/site/markdown/analyzers/ruby-gemspec.md | 15 +++++++++++++++ src/site/site.xml | 3 +++ 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 src/site/markdown/analyzers/ruby-gemspec.md diff --git a/src/site/markdown/analyzers/nodejs.md b/src/site/markdown/analyzers/nodejs.md index e987d7541..103a0354f 100644 --- a/src/site/markdown/analyzers/nodejs.md +++ b/src/site/markdown/analyzers/nodejs.md 
@@ -2,7 +2,7 @@ Node.js Analyzer ================ OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/) -package specification files. The analyzer(s) will collect as much information +package specification files. The analyzer will collect as much information as it can about the package. The information collected is internally referred to as evidence and is grouped into vendor, product, and version buckets. Other analyzers later use this evidence to identify any Common Platform Enumeration diff --git a/src/site/markdown/analyzers/ruby-gemspec.md b/src/site/markdown/analyzers/ruby-gemspec.md new file mode 100644 index 000000000..ece5d3bb8 --- /dev/null +++ b/src/site/markdown/analyzers/ruby-gemspec.md @@ -0,0 +1,15 @@ +Ruby Gemspec Analyzer +===================== + +OWASP dependency-check includes an analyzer that will scan [Ruby Gem](https://rubygems.org/) +[specifications](http://guides.rubygems.org/specification-reference/). The +analyzer will collect as much information as it can about the Gem. The +information collected is internally referred to as evidence and is grouped +into vendor, product, and version buckets. Other analyzers later use this +evidence to identify any Common Platform Enumeration (CPE) identifiers that +apply. + +__Note:__ Also consider using the Ruby +[bundler-audit](https://github.com/rubysec/bundler-audit#readme) tool. + +Files Types Scanned: Rakefile, \*.gemspec \ No newline at end of file diff --git a/src/site/site.xml b/src/site/site.xml index 78750b929..0ee832dae 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -140,6 +140,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Python Analyzer + + Ruby Gemspec Analyzer +
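Review bot: the Node.js row added in PATCH 1 to src/site/markdown/analyzers/index.md links to ./nodejs-analyzer.html, a page that is never created in this series; PATCH 2 rewrites the link to ./nodejs.html, which is the name PATCH 5 actually creates, so adding the row with the final name in the first place avoids a dead link at the intermediate commit. The Analysis Method cell `Parse JSON format for metadata.` also reads as a fragment next to the neighbouring cells (`Uses XPath to parse specification XML.`); `Parses the JSON file for metadata.` would match the table's style.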
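Review bot: the rewritten Nexus row in the PATCH 2 hunk for src/site/markdown/analyzers/index.md drops the word "Analyzer" but keeps the space before the period, leaving `In most cases, superceded by Central .`; since the table now uses bare analyzer names, the cell should read `In most cases, superseded by Central.`, which also corrects the `superceded` misspelling this hunk carries forward from the removed line. The new Ruby Gemspec row describes a Rakefile as a "Ruby makefile"; `Rake build files (Rakefile)` is the accurate term. The same hunk removes the file's trailing newline (`\ No newline at end of file`), which is worth restoring so the next edit to the table does not show up as a spurious change to the last row.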
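Review bot: PATCH 2 renames autoconf-analyzer.md, openssl-analyzer.md and python-analyzer.md, but its src/site/site.xml hunk touches only the Autoconf sidebar entry, so at that commit the OpenSSL and Python sidebar links point at pages that no longer exist; the fix only arrives in PATCH 3 ("Fixed sidebar links to OpenSSL and Python analyzer pages"), and the PATCH 2 message itself says "not all in site index yet". Squashing PATCH 3 into PATCH 2 keeps every commit in the series buildable with working links. The same applies to the new table rows linking ./cmake.html and ./nodejs.html, whose pages are only created in PATCH 4 and PATCH 5.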
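Review bot: in the PATCH 2 hunk for src/site/markdown/index.md the new CMake link uses `http://www.cmake.org/overview/` while the Autoconf link beside it uses https; if cmake.org serves the page over https, prefer that so the documentation does not send readers to a plain-HTTP URL. The untouched context line above, `OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry`, is missing a word (`solution for the ...`) and could be fixed in the same hunk while the paragraph is being edited.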
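Review bot: the second hunk of the python.md change in PATCH 5 replaces `Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA` with an identical line whose only difference is the removed trailing newline (`\ No newline at end of file`). That is a no-op that will reappear as a diff on the next edit; keep the newline, and since the commit message says it fixes typos on this page, fix `Files Types` to `File Types` at the same time.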
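Review bot: the wording fix made to nodejs.md in PATCH 6 (`The analyzer will collect as much information as it can`) is not applied to the same sentence in cmake.md (PATCH 4) or python.md (PATCH 5), both of which still read `as much information it can`, and python.md keeps `The analyzer(s)`. The label at the bottom of each page is also inconsistent: cmake.md says `File names scanned:` while nodejs.md, python.md and ruby-gemspec.md say `Files Types Scanned:`; `File Types Scanned:` on all four pages would match the column heading in analyzers/index.md. In the nodejs.md and ruby-gemspec.md hunks the new files also end without a trailing newline (`\ No newline at end of file`).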