github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

values from the project pom.xml are now taken into account as well

Browse Source 
Former-commit-id: ca6c5b40f09959f162b337f2cb4268a57ce46d3d
This commit is contained in:
Erik Hooijmeijer
2014-10-21 20:09:54 +02:00
parent 1ed7bab375
commit 35c2f4873c
6 changed files with 122 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -7,6 +7,9 @@
# Eclipse project files
.classpath
.project
.settings
maven-eclipse.xml
.externalToolBuilders
# Netbeans configuration
nb-configuration.xml
/target/

37
dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
View File

@@ -27,6 +27,7 @@ import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.analyzer.AnalysisPhase;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.analyzer.AnalyzerService;
@@ -34,12 +35,14 @@ import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
import org.owasp.dependencycheck.data.cpe.IndexException;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.update.CachedWebDataSource;
import org.owasp.dependencycheck.data.update.UpdateService;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.exception.NoDataException;
import org.owasp.dependencycheck.utils.FileUtils;
@@ -188,7 +191,7 @@ public class Engine implements Serializable {
public void scan(String path) {
if (path.matches("^.*[\\/]\\*\\.[^\\/:*|?<>\"]+$")) {
final String[] parts = path.split("\\*\\.");
final String[] ext = new String[]{parts[parts.length - 1]};
final String[] ext = new String[] { parts[parts.length - 1] };
final File dir = new File(path.substring(0, path.length() - ext[0].length() - 2));
if (dir.isDirectory()) {
final List<File> files = (List<File>) org.apache.commons.io.FileUtils.listFiles(dir, ext, true);
@@ -287,6 +290,17 @@ public class Engine implements Serializable {
* @param file The file to scan.
*/
protected void scanFile(File file) {
scan(file, null);
}
/**
* Scans a specified file. If a dependency is identified it is added to the dependency collection.
* If there is an mavenArtifact present, it will be added to
*
* @param file The file to scan.
* @param mavenArtifact The (optional) Maven artifact.
*/
public void scan(File file, MavenArtifact mavenArtifact) {
if (!file.isFile()) {
final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
LOGGER.log(Level.FINE, msg);
@@ -297,11 +311,13 @@ public class Engine implements Serializable {
if (extension != null) {
if (supportsExtension(extension)) {
final Dependency dependency = new Dependency(file);
if (mavenArtifact != null) {
dependency.addAsEvidence("project-pom", mavenArtifact, Confidence.HIGH);
}
dependencies.add(dependency);
}
} else {
final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
file.toString());
final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", file.toString());
LOGGER.log(Level.FINEST, msg);
}
}
@@ -326,9 +342,7 @@ public class Engine implements Serializable {
}
final String logHeader = String.format("%n"
+ "----------------------------------------------------%n"
+ "BEGIN ANALYSIS%n"
final String logHeader = String.format("%n" + "----------------------------------------------------%n" + "BEGIN ANALYSIS%n"
+ "----------------------------------------------------");
LOGGER.log(Level.FINE, logHeader);
LOGGER.log(Level.INFO, "Analysis Starting");
@@ -381,9 +395,7 @@ public class Engine implements Serializable {
}
}
final String logFooter = String.format("%n"
+ "----------------------------------------------------%n"
+ "END ANALYSIS%n"
final String logFooter = String.format("%n" + "----------------------------------------------------%n" + "END ANALYSIS%n"
+ "----------------------------------------------------");
LOGGER.log(Level.FINE, logFooter);
LOGGER.log(Level.INFO, "Analysis Complete");
@@ -437,10 +449,8 @@ public class Engine implements Serializable {
try {
source.update();
} catch (UpdateException ex) {
LOGGER.log(Level.WARNING,
"Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
LOGGER.log(Level.FINE,
String.format("Unable to update details for %s", source.getClass().getName()), ex);
LOGGER.log(Level.WARNING, "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
LOGGER.log(Level.FINE, String.format("Unable to update details for %s", source.getClass().getName()), ex);
}
}
}
@@ -503,4 +513,5 @@ public class Engine implements Serializable {
throw new NoDataException("No documents exist");
}
}
}

26
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
View File

@@ -24,13 +24,13 @@ import java.net.URL;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nexus.NexusSearch;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.utils.Settings;
/**
@@ -152,29 +152,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
try {
final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
}
if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
}
if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
}
if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
boolean found = false;
for (Identifier i : dependency.getIdentifiers()) {
if ("maven".equals(i.getType()) && i.getValue().equals(ma.toString())) {
found = true;
i.setConfidence(Confidence.HIGHEST);
i.setUrl(ma.getArtifactUrl());
break;
}
}
if (!found) {
dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
}
}
dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
} catch (IllegalArgumentException iae) {
//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));

39
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
View File

@@ -26,6 +26,8 @@ import java.util.SortedSet;
import java.util.TreeSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.FileUtils;
@@ -316,6 +318,38 @@ public class Dependency implements Serializable, Comparable<Dependency> {
this.identifiers.add(i);
}
/**
* Adds the maven artifact as evidence.
* @param source The source of the evidence.
* @param mavenArtifact The maven artifact.
* @param confidence The confidence level of this evidence.
*/
public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) {
if (mavenArtifact.getGroupId() != null && !"".equals(mavenArtifact.getGroupId())) {
this.getVendorEvidence().addEvidence(source, "groupid", mavenArtifact.getGroupId(), confidence);
}
if (mavenArtifact.getArtifactId() != null && !"".equals(mavenArtifact.getArtifactId())) {
this.getProductEvidence().addEvidence(source, "artifactid", mavenArtifact.getArtifactId(), confidence);
}
if (mavenArtifact.getVersion() != null && !"".equals(mavenArtifact.getVersion())) {
this.getVersionEvidence().addEvidence(source, "version", mavenArtifact.getVersion(), confidence);
}
if (mavenArtifact.getArtifactUrl() != null && !"".equals(mavenArtifact.getArtifactUrl())) {
boolean found = false;
for (Identifier i : this.getIdentifiers()) {
if ("maven".equals(i.getType()) && i.getValue().equals(mavenArtifact.toString())) {
found = true;
i.setConfidence(Confidence.HIGHEST);
i.setUrl(mavenArtifact.getArtifactUrl());
break;
}
}
if (!found) {
this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST);
}
}
}
/**
* Adds an entry to the list of detected Identifiers for the dependency file.
*
@@ -324,6 +358,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
public void addIdentifier(Identifier identifier) {
this.identifiers.add(identifier);
}
/**
* A set of identifiers that have been suppressed.
*/
@@ -441,6 +476,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
public EvidenceCollection getVersionEvidence() {
return this.versionEvidence;
}
/**
* The description of the JAR file.
*/
@@ -463,6 +499,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
public void setDescription(String description) {
this.description = description;
}
/**
* The license that this dependency uses.
*/
@@ -485,6 +522,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
public void setLicense(String license) {
this.license = license;
}
/**
* A list of vulnerabilities for this dependency.
*/
@@ -540,6 +578,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
public void addVulnerability(Vulnerability vulnerability) {
this.vulnerabilities.add(vulnerability);
}
/**
* A collection of related dependencies.
*/

40
dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
View File

@@ -17,16 +17,20 @@
*/
package org.owasp.dependencycheck.dependency;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.io.File;
import java.util.List;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
/**
*
@@ -152,7 +156,7 @@ public class DependencyTest {
public void testGetMd5sum() {
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
Dependency instance = new Dependency(file);
// assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());
// assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());
String expResult = "C30B57142E1CCBC1EFD5CD15F307358F";
String result = instance.getMd5sum();
assertEquals(expResult, result);
@@ -294,4 +298,34 @@ public class DependencyTest {
EvidenceCollection result = instance.getVersionEvidence();
assertTrue(true); //this is just a getter setter pair.
}
/**
* Test of addAsEvidence method, of class Dependency.
*/
@Test
public void testAddAsEvidence() {
Dependency instance = new Dependency();
MavenArtifact mavenArtifact = new MavenArtifact("group", "artifact", "version", "url");
instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
assertTrue(instance.getEvidence().contains(Confidence.HIGH));
assertFalse(instance.getEvidence().getEvidence("pom", "groupid").isEmpty());
assertFalse(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty());
assertFalse(instance.getEvidence().getEvidence("pom", "version").isEmpty());
assertFalse(instance.getIdentifiers().isEmpty());
}
/**
* Test of addAsEvidence method, of class Dependency.
*/
@Test
public void testAddAsEvidenceWithEmptyArtefact() {
Dependency instance = new Dependency();
MavenArtifact mavenArtifact = new MavenArtifact(null, null, null, null);
instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
assertFalse(instance.getEvidence().contains(Confidence.HIGH));
assertTrue(instance.getEvidence().getEvidence("pom", "groupid").isEmpty());
assertTrue(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty());
assertTrue(instance.getEvidence().getEvidence("pom", "version").isEmpty());
assertTrue(instance.getIdentifiers().isEmpty());
}
}

38
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
View File

@@ -32,6 +32,7 @@ import java.util.Locale;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
@@ -46,6 +47,7 @@ import org.apache.maven.settings.Proxy;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
@@ -58,9 +60,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
@Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true,
requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM,
requiresOnline = true)
@Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true, requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM, requiresOnline = true)
public class DependencyCheckMojo extends ReportAggregationMojo {
//<editor-fold defaultstate="collapsed" desc="Private fields">
@@ -292,6 +292,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
@Parameter(property = "externalReport")
@Deprecated
private String externalReport = null;
// </editor-fold>
/**
* Constructs a new dependency-check-mojo.
@@ -326,8 +327,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
if (excludeFromScan(a)) {
continue;
}
localEngine.scan(a.getFile().getAbsolutePath());
localEngine.scan(a.getFile().getAbsoluteFile(), new MavenArtifact(a.getGroupId(), a.getArtifactId(), a.getVersion()));
}
localEngine.analyzeDependencies();
@@ -396,8 +396,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
}
if (proxyUrl != null && !proxyUrl.isEmpty()) {
LOGGER.warning("Deprecated configuration detected, proxyUrl will be ignored; use the maven settings "
+ "to configure the proxy instead");
LOGGER.warning("Deprecated configuration detected, proxyUrl will be ignored; use the maven settings " + "to configure the proxy instead");
}
final Proxy proxy = getMavenProxy();
if (proxy != null) {
@@ -510,6 +509,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
}
return null;
}
//</editor-fold>
/**
@@ -530,8 +530,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
checkForFailure(engine.getDependencies());
}
} catch (DatabaseException ex) {
LOGGER.log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
LOGGER.log(Level.FINE, "", ex);
}
}
@@ -580,16 +579,15 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
engine = initializeEngine();
engine.getDependencies().addAll(deps);
} catch (DatabaseException ex) {
final String msg = String.format("An unrecoverable exception with the dependency-check initialization occured while scanning %s",
getProject().getName());
final String msg = String.format("An unrecoverable exception with the dependency-check initialization occured while scanning %s", getProject()
.getName());
throw new MavenReportException(msg, ex);
}
} else {
try {
engine = executeDependencyCheck();
} catch (DatabaseException ex) {
final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s",
getProject().getName());
final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s", getProject().getName());
throw new MavenReportException(msg, ex);
}
}
@@ -612,8 +610,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
try {
engine = executeDependencyCheck(project);
} catch (DatabaseException ex) {
final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s",
project.getName());
final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s", project.getName());
throw new MavenReportException(msg, ex);
}
}
@@ -646,8 +643,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
* @return the output name
*/
public String getOutputName() {
if ("HTML".equalsIgnoreCase(this.format)
|| "ALL".equalsIgnoreCase(this.format)) {
if ("HTML".equalsIgnoreCase(this.format) || "ALL".equalsIgnoreCase(this.format)) {
return "dependency-check-report";
} else if ("XML".equalsIgnoreCase(this.format)) {
return "dependency-check-report.xml#";
@@ -685,8 +681,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
* @return the description
*/
public String getDescription(Locale locale) {
return "A report providing details on any published "
+ "vulnerabilities within project dependencies. This report is a best effort but may contain "
return "A report providing details on any published " + "vulnerabilities within project dependencies. This report is a best effort but may contain "
+ "false positives and false negatives.";
}
@@ -740,6 +735,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
protected boolean canGenerateAggregateReport() {
return isAggregate() && isLastProject();
}
// </editor-fold>
//<editor-fold defaultstate="collapsed" desc="Methods to fail build or show summary">
@@ -807,12 +803,12 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
}
}
if (summary.length() > 0) {
final String msg = String.format("%n%n"
+ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
LOGGER.log(Level.WARNING, msg);
}
}
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Methods to read/write the serialized data file">