diff --git a/.travis.yml b/.travis.yml index 3260a07cb..ea4ed6220 100644 --- a/.travis.yml +++ b/.travis.yml @@ -12,5 +12,4 @@ before_install: after_success: - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml - - chmod +x coverity_scan.sh - ./coverity_scan.sh diff --git a/coverity_scan.sh b/coverity_scan.sh old mode 100644 new mode 100755 diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java index 05bab0aae..9841a0830 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java @@ -28,16 +28,13 @@ import org.apache.tools.ant.types.ResourceCollection; import org.apache.tools.ant.types.resources.FileProvider; import org.apache.tools.ant.types.resources.Resources; import org.owasp.dependencycheck.Engine; -import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.data.update.exception.UpdateException; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.ExceptionCollection; import org.owasp.dependencycheck.exception.ReportException; -import org.owasp.dependencycheck.reporting.ReportGenerator; import org.owasp.dependencycheck.reporting.ReportGenerator.Format; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.impl.StaticLoggerBinder; 
@@ -146,8 +143,8 @@ public class Check extends Update { private boolean updateOnly = false; /** - * The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL). Default is - * HTML. + * The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL). + * Default is HTML. */ private String reportFormat = "HTML"; /** @@ -940,7 +937,7 @@ public class Check extends Update { throw new BuildException(ex); } } - engine.writeReports(getProjectName(),new File(reportOutputDirectory), reportFormat); + engine.writeReports(getProjectName(), new File(reportOutputDirectory), reportFormat); if (this.failBuildOnCVSS <= 10) { checkForFailure(engine.getDependencies()); @@ -1093,8 +1090,8 @@ public class Check extends Update { } /** - * An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV", "JSON", "VULN", - * etc.. + * An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV", + * "JSON", "VULN", etc.. */ public static class ReportFormats extends EnumeratedAttribute { diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 8b7b709f3..0612c0781 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -28,13 +28,10 @@ import java.util.HashSet; import java.util.List; import java.util.Set; import org.apache.commons.cli.ParseException; -import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.dependency.Dependency; import org.apache.tools.ant.DirectoryScanner; import org.owasp.dependencycheck.dependency.Vulnerability; -import org.owasp.dependencycheck.reporting.ReportGenerator; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -220,56 +217,11 @@ public class App { String[] excludes, int symLinkDepth, int cvssFailScore) throws InvalidScanPathException, DatabaseException, ExceptionCollection, ReportException { Engine engine = null; - int retCode = 0; try { + final List antStylePaths = getPaths(files); + final Set paths = scanAntStylePaths(antStylePaths, symLinkDepth, excludes); + engine = new Engine(); - final List antStylePaths = new ArrayList<>(); - for (String file : files) { - final String antPath = ensureCanonicalPath(file); - antStylePaths.add(antPath); - } - - final Set paths = new HashSet<>(); - for (String file : antStylePaths) { - LOGGER.debug("Scanning {}", file); - final DirectoryScanner scanner = new DirectoryScanner(); - String include = file.replace('\\', '/'); - File baseDir; - - if (include.startsWith("//")) { - throw new InvalidScanPathException("Unable to scan paths specified by //"); - } else { - final int pos = getLastFileSeparator(include); - final String tmpBase = include.substring(0, pos); - final String tmpInclude = include.substring(pos + 1); - if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0 - || (new File(include)).isFile()) { - baseDir = new File(tmpBase); - include = tmpInclude; - } else { - baseDir = new File(tmpBase, tmpInclude); - include = "**/*"; - } - } - scanner.setBasedir(baseDir); - final String[] includes = {include}; - scanner.setIncludes(includes); - scanner.setMaxLevelsOfSymlinks(symLinkDepth); - if (symLinkDepth <= 0) { - scanner.setFollowSymlinks(false); - } - if (excludes != null && excludes.length > 0) { - scanner.addExcludes(excludes); - } - scanner.scan(); - if (scanner.getIncludedFilesCount() > 0) { - for (String s : scanner.getIncludedFiles()) { - final File f = new File(baseDir, s); - LOGGER.debug("Found file {}", f.toString()); - paths.add(f); - } - } - } engine.scan(paths); ExceptionCollection exCol = null; 
@@ -295,19 +247,7 @@ public class App {
 if (exCol != null && exCol.getExceptions().size() > 0) {
 throw exCol;
 }
-
- //Set the exit code based on whether we found a high enough vulnerability
- for (Dependency dep : engine.getDependencies()) {
- if (!dep.getVulnerabilities().isEmpty()) {
- for (Vulnerability vuln : dep.getVulnerabilities()) {
- LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());
- if (vuln.getCvssScore() > cvssFailScore) {
- retCode = 1;
- }
- }
- }
- }
- return retCode;
+ return determineReturnCode(engine, cvssFailScore);
 } finally {
 if (engine != null) {
 engine.cleanup();
@@ -315,6 +255,102 @@ public class App { } } + /** + * Determines the return code based on if one of the dependencies scanned + * has a vulnerability with a CVSS score above the cvssFailScore. + * + * @param engine the engine used during analysis + * @param cvssFailScore the max allowed CVSS score + * @return returns 1 if a severe enough vulnerability is + * identified; otherwise 0 + */ + private int determineReturnCode(Engine engine, int cvssFailScore) { + int retCode = 0; + //Set the exit code based on whether we found a high enough vulnerability + for (Dependency dep : engine.getDependencies()) { + if (!dep.getVulnerabilities().isEmpty()) { + for (Vulnerability vuln : dep.getVulnerabilities()) { + LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName()); + if (vuln.getCvssScore() > cvssFailScore) { + retCode = 1; + } + } + } + } + return retCode; + } + + /** + * Scans the give Ant Style paths and collects the actual files. + * + * @param antStylePaths a list of ant style paths to scan for actual files + * @param symLinkDepth the depth to traverse symbolic links + * @param excludes an array of ant style excludes + * @return returns the set of identified files + * @throws InvalidScanPathException thrown when the scan path is invalid + * @throws IllegalStateException + */ + private Set scanAntStylePaths(List antStylePaths, int symLinkDepth, String[] excludes) + throws InvalidScanPathException { + final Set paths = new HashSet<>(); + for (String file : antStylePaths) { + LOGGER.debug("Scanning {}", file); + final DirectoryScanner scanner = new DirectoryScanner(); + String include = file.replace('\\', '/'); + File baseDir; + + if (include.startsWith("//")) { + throw new InvalidScanPathException("Unable to scan paths specified by //"); + } else { + final int pos = getLastFileSeparator(include); + final String tmpBase = include.substring(0, pos); + final String tmpInclude = include.substring(pos + 1); + if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') 
>= 0 + || (new File(include)).isFile()) { + baseDir = new File(tmpBase); + include = tmpInclude; + } else { + baseDir = new File(tmpBase, tmpInclude); + include = "**/*"; + } + } + scanner.setBasedir(baseDir); + final String[] includes = {include}; + scanner.setIncludes(includes); + scanner.setMaxLevelsOfSymlinks(symLinkDepth); + if (symLinkDepth <= 0) { + scanner.setFollowSymlinks(false); + } + if (excludes != null && excludes.length > 0) { + scanner.addExcludes(excludes); + } + scanner.scan(); + if (scanner.getIncludedFilesCount() > 0) { + for (String s : scanner.getIncludedFiles()) { + final File f = new File(baseDir, s); + LOGGER.debug("Found file {}", f.toString()); + paths.add(f); + } + } + } + return paths; + } + + /** + * Determines the ant style paths from the given array of files. + * + * @param files an array of file paths + * @return a list containing ant style paths + */ + private List getPaths(String[] files) { + final List antStylePaths = new ArrayList<>(); + for (String file : files) { + final String antPath = ensureCanonicalPath(file); + antStylePaths.add(antPath); + } + return antStylePaths; + } + /** * Only executes the update phase of dependency-check. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java index 588536842..90390234c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java 
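Review bot: The Javadoc on the new `scanAntStylePaths` lists `@throws IllegalStateException` with no description, and nothing in the method body throws it explicitly, so the reader cannot tell where it originates; it should say so, e.g. `@throws IllegalStateException thrown by the DirectoryScanner when a computed base directory does not exist or is not a directory` (confirm against the Ant version in use). In `determineReturnCode` the line `LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());` sits inside the per-vulnerability loop, so it fires once per vulnerability rather than once per dependency and concatenates eagerly; the parameterized form `LOGGER.debug("VULNERABILITY FOUND {}", dep.getDisplayFileName());` in the outer loop is the idiom the same file already uses for `"Scanning {}"`. The `if (!dep.getVulnerabilities().isEmpty())` guard is redundant with the for-each that follows it. The type arguments on `List` and `Set` are not visible in this rendering and are presumably `List<String>` and `Set<File>`.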
@@ -50,11 +50,30 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { * The Logger. */ private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class); - /** * The file filter used to find DLL and EXE. */ private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build(); + /** + * Regex to identify core java libraries and a few other commonly + * misidentified ones. + */ + public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|" + + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|" + + "jdk|jre|jsse)($|:.*)"); + /** + * Regex to identify core jsf libraries. + */ + public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)"); + /** + * Regex to identify core java library files. This is currently incomplete. + */ + public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$"); + /** + * Regex to identify core jsf java library files. This is currently + * incomplete. + */ + public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$"); // /** 
@@ -214,27 +233,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } } } - /** - * Regex to identify core java libraries and a few other commonly - * misidentified ones. - */ - public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|" - + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|" - + "jdk|jre|jsse)($|:.*)"); - - /** - * Regex to identify core jsf libraries. - */ - public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)"); - /** - * Regex to identify core java library files. This is currently incomplete. - */ - public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$"); - /** - * Regex to identify core jsf java library files. This is currently - * incomplete. - */ - public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$"); /** * Removes any CPE entries for the JDK/JRE unless the filename ends with diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java index 20e46663a..1260fa3e2 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java @@ -61,6 +61,10 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { * The types of files on which this will work. */ private static final String SUPPORTED_EXTENSIONS = "nuspec"; + /** + * The file filter used to determine which files this analyzer supports. + */ + private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build(); /** * Initializes the analyzer once before any analysis is performed. 
@@ -102,12 +106,6 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { return ANALYSIS_PHASE; } - /** - * The file filter used to determine which files this analyzer supports. - */ - private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions( - SUPPORTED_EXTENSIONS).build(); - /** * Returns the FileFilter * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 7d9bf88e9..12e58d3f4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -105,6 +105,11 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { */ private static final FileFilter PY_FILTER = new SuffixFileFilter(".py"); + /** + * The file filter used to determine which files this analyzer supports. + */ + private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build(); + /** * Returns the name of the Python Package Analyzer. * @@ -125,11 +130,6 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { return AnalysisPhase.INFORMATION_COLLECTION; } - /** - * The file filter used to determine which files this analyzer supports. - */ - private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build(); - /** * Returns the FileFilter * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index d31705519..c92d8c9f7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java @@ -17,14 +17,22 @@ */ package org.owasp.dependencycheck.reporting; -import java.io.*; import java.util.List; import com.google.gson.JsonSyntaxException; import com.google.gson.stream.JsonReader; import com.google.gson.stream.JsonToken; -import static com.google.gson.stream.JsonToken.*; import com.google.gson.stream.JsonWriter; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.io.OutputStreamWriter; +import java.io.UnsupportedEncodingException; import java.math.BigDecimal; import java.nio.charset.StandardCharsets; import org.apache.velocity.VelocityContext; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java index 45308b9e6..5adf36d05 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java @@ -31,12 +31,6 @@ import java.util.regex.Pattern; * @author Jeremy Long */ public final class UrlStringUtils { - - /** - * Private constructor for a utility class. - */ - private UrlStringUtils() { - } /** * A regular expression to test if a string contains a URL. */ 
@@ -45,7 +39,18 @@ public final class UrlStringUtils { * A regular expression to test if a string is a URL. */ private static final Pattern IS_URL_TEST = Pattern.compile("^(ht|f)tps?://.*", Pattern.CASE_INSENSITIVE); + /** + * A listing of domain parts that should not be used as evidence. Yes, this + * is an incomplete list. + */ + private static final Set IGNORE_LIST = new HashSet<>( + Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx")); + /** + * Private constructor for a utility class. + */ + private UrlStringUtils() { + } /** * Tests if the text provided contains a URL. This is somewhat limited * search in that it only looks for (ftp|http|https):// @@ -66,12 +71,6 @@ public final class UrlStringUtils { public static boolean isUrl(String text) { return IS_URL_TEST.matcher(text).matches(); } - /** - * A listing of domain parts that should not be used as evidence. Yes, this - * is an incomplete list. - */ - private static final Set IGNORE_LIST = new HashSet<>( - Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx")); /** *
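Review bot: `IGNORE_LIST` is moved as a plain `HashSet` even though it is only a constant lookup table, so the relocated declaration would be safer as an unmodifiable view: `private static final Set<String> IGNORE_LIST = Collections.unmodifiableSet(new HashSet<>(Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx")));` (this needs `java.util.Collections` imported, which the hunk does not show). The relocation itself is sound: the constant is now declared before the private constructor and before any method that reads it, so static initialization order is unaffected. The type argument on `Set` is not visible in this rendering and is presumably `Set<String>`.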

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlEntity.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlEntity.java index acad80fa7..9e436d9bc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlEntity.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlEntity.java @@ -12,7 +12,8 @@ import java.util.Map; * * @author https://stackoverflow.com/users/823393/oldcurmudgeon */ -public class XmlEntity { +public final class XmlEntity { + /** * The map of HTML entities. */ @@ -292,8 +293,8 @@ public class XmlEntity { /** * Converts a named XML entity into its HTML encoded Unicode code point. * - * @param s the named entity (note, this should not include the leading '&' - * or trailing ';' + * @param s the named entity (note, this should not include the leading + * '&' or trailing ';' * @return the HTML encoded Unicode code point representation of the named * entity */ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java index 2879c2baf..f981c228b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java @@ -162,7 +162,7 @@ public class XmlInputStream extends FilterInputStream { throw new IOException("Invalid/Unknown reference '&" + reference + ";'"); } } else { - // Did not terminate properly! + // Did not terminate properly! // Perhaps an & on its own or a malformed reference. // Either way, escape the & pushBack.append("&").append(reference).append((char) ch); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/Hints.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/Hints.java index 34e465004..d44ed7984 100644 
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/Hints.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/Hints.java @@ -31,6 +31,11 @@ public class Hints { */ private List hintRules; + /** + * The duplicating hint rules. + */ + private List vendorDuplicatingHintRules; + /** * Get the value of hintRules. * @@ -49,11 +54,6 @@ public class Hints { this.hintRules = hintRules; } - /** - * The duplicating hint rules. - */ - private List vendorDuplicatingHintRules; - /** * Get the value of vendorDuplicatingHintRules. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/package-info.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/package-info.java new file mode 100644 index 000000000..73efcac63 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/package-info.java @@ -0,0 +1,4 @@ +/** + * Contains classes used to fix XML prior to parsing. + */ +package org.owasp.dependencycheck.xml; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java index 014d8043e..a073b5ff6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java @@ -74,11 +74,22 @@ public class PomHandler extends DefaultHandler { * The url element. */ public static final String URL = "url"; - /** * The pom model. */ private final Model model = new Model(); + /** + * The stack of elements processed; used to determine the parent node. + */ + private final Deque stack = new ArrayDeque<>(); + /** + * The license object. + */ + private License license = null; + /** + * The current node text being extracted from the element. + */ + private StringBuilder currentText; /** * Returns the model obtained from the pom.xml. 
@@ -88,19 +99,6 @@ public class PomHandler extends DefaultHandler { public Model getModel() { return model; } - /** - * The stack of elements processed; used to determine the parent node. - */ - private final Deque stack = new ArrayDeque<>(); - /** - * The license object. - */ - private License license = null; - - /** - * The current node text being extracted from the element. - */ - private StringBuilder currentText; /** * Handles the start element event. @@ -194,10 +192,8 @@ public class PomHandler extends DefaultHandler { } break; case LICENSES: - if (LICENSE.equals(qName)) { - if (license != null) { - model.addLicense(license); - } + if (LICENSE.equals(qName) && license != null) { + model.addLicense(license); } break; default: diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java index a85d34793..df0d58ecb 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java @@ -19,15 +19,11 @@ package org.owasp.dependencycheck; import java.io.File; import java.io.IOException; -import static org.junit.Assert.assertTrue; import org.junit.Test; -import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.exception.ExceptionCollection; import org.owasp.dependencycheck.exception.ReportException; -import org.owasp.dependencycheck.reporting.ReportGenerator; import org.owasp.dependencycheck.utils.InvalidSettingException; import org.owasp.dependencycheck.utils.Settings; import static org.junit.Assert.assertTrue; 
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java index 562a5bff3..d0eee79c7 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java @@ -58,7 +58,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase { String vendor = "apache software foundation"; String product = "struts 2 core"; - String version = "2.1.2"; + CPEAnalyzer instance = new CPEAnalyzer(); String queryText = instance.buildSearch(vendor, product, null, null); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java index e37fecafb..f3e6657c8 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java @@ -19,10 +19,6 @@ package org.owasp.dependencycheck.data.nvdcve; import java.util.List; import java.util.Set; -import static org.junit.Assert.assertFalse; - -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java index c0392df31..719ba17b6 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java 
@@ -47,14 +47,10 @@ public class ReportGeneratorIT extends BaseDBTestCase { /** * Generates an XML report containing known vulnerabilities and realistic * data and validates the generated XML document against the XSD. - * - * @throws Exception */ @Test public void testGenerateReport() { try { - String templateName = "XmlReport"; - File f = new File("target/test-reports"); if (!f.exists()) { f.mkdir(); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java index 8107aa31d..0a4cc5980 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java @@ -66,7 +66,7 @@ public class UrlStringUtilsTest { assertEquals(expResult, result); text = "http://github.com/jeremylong/DependencyCheck/something"; - expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something");; + expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something"); result = UrlStringUtils.extractImportantUrlData(text); assertEquals(expResult, result); } diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java index 0ee4e83d4..ab373f13d 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java 
@@ -18,49 +18,77 @@ package org.owasp.dependencycheck.maven; import org.owasp.dependencycheck.utils.Filter; - -import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME_PLUS_SYSTEM; +import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME; +import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME; +import static org.apache.maven.artifact.Artifact.SCOPE_SYSTEM; +import static org.apache.maven.artifact.Artifact.SCOPE_TEST; +import static org.apache.maven.artifact.Artifact.SCOPE_PROVIDED; /** - * Tests is the artifact should be included in the scan (i.e. is the - * dependency in a scope that is being scanned). + * Utility class to determine if an artifact should be excluded. * - * @param scope the scope of the artifact to test - * @return true if the artifact is in an excluded scope; - * otherwise false + * @author Josh Cain */ public class ArtifactScopeExcluded extends Filter { - private final boolean skipTestScope; - private final boolean skipProvidedScope; - private final boolean skipSystemScope; - private final boolean skipRuntimeScope; + /** + * Whether or not to skip the test scope. + */ + private final boolean skipTestScope; + /** + * Whether or not to skip the provided scope. + */ + private final boolean skipProvidedScope; + /** + * Whether or not to skip the system scope. + */ + private final boolean skipSystemScope; + /** + * Whether or not to skip the runtime scope. + */ + private final boolean skipRuntimeScope; - public ArtifactScopeExcluded(final boolean skipTestScope, final boolean skipProvidedScope, final boolean skipSystemScope, final boolean skipRuntimeScope) { - this.skipTestScope = skipTestScope; - this.skipProvidedScope = skipProvidedScope; - this.skipSystemScope = skipSystemScope; - this.skipRuntimeScope = skipRuntimeScope; - } + /** + * Constructs a new ArtifactScopeExcluded object. 
+ * + * @param skipTestScope whether or not to skip the test scope + * @param skipProvidedScope whether or not to skip the provided scope + * @param skipSystemScope whether or not to skip the system scope + * @param skipRuntimeScope whether or not to skip the runtime scope + */ + public ArtifactScopeExcluded(final boolean skipTestScope, final boolean skipProvidedScope, + final boolean skipSystemScope, final boolean skipRuntimeScope) { + this.skipTestScope = skipTestScope; + this.skipProvidedScope = skipProvidedScope; + this.skipSystemScope = skipSystemScope; + this.skipRuntimeScope = skipRuntimeScope; + } - @Override - public boolean passes(final String scope) { - if (skipTestScope && org.apache.maven.artifact.Artifact.SCOPE_TEST.equals(scope)) { - return true; - } - if (skipProvidedScope && org.apache.maven.artifact.Artifact.SCOPE_PROVIDED.equals(scope)) { - return true; - } - if (skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(scope)) { - return true; - } - if (skipRuntimeScope && org.apache.maven.artifact.Artifact.SCOPE_RUNTIME.equals(scope)) { - return true; - } - if (skipRuntimeScope && skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME.equals(SCOPE_RUNTIME_PLUS_SYSTEM)) { - return true; - } - - return false; - } + /** + * Tests is the artifact should be included in the scan (i.e. is the + * dependency in a scope that is being scanned). 
+ * + * @param scope the scope of the artifact to test + * @return true if the artifact is in an excluded scope; + * otherwise false + */ + @Override + public boolean passes(final String scope) { + if (skipTestScope && SCOPE_TEST.equals(scope)) { + return true; + } + if (skipProvidedScope && SCOPE_PROVIDED.equals(scope)) { + return true; + } + if (skipSystemScope && SCOPE_SYSTEM.equals(scope)) { + return true; + } + if (skipRuntimeScope && SCOPE_RUNTIME.equals(scope)) { + return true; + } + if (skipRuntimeScope && skipSystemScope && SCOPE_COMPILE_PLUS_RUNTIME.equals(scope)) { + return true; + } + return false; + } } diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index a91d5224d..692bf2eec 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -465,7 +465,10 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma @Deprecated private String externalReport = null; - protected Filter artifactScopeExcluded; + /** + * The artifact scope filter. + */ + private Filter artifactScopeExcluded; // // @@ -650,7 +653,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma String version = null; if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) { for (org.apache.maven.model.Dependency d : project.getDependencies()) { - Artifact a = dependencyNode.getArtifact(); + final Artifact a = dependencyNode.getArtifact(); if (d.getSystemPath() != null && artifactsMatch(d, a)) { artifactFile = new File(d.getSystemPath()); 
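Review bot: The last condition in `passes` now compares `SCOPE_COMPILE_PLUS_RUNTIME` against `scope`, replacing an always-false comparison between two constants, but the guard `skipRuntimeScope && skipSystemScope` reads as if it were written for `SCOPE_RUNTIME_PLUS_SYSTEM`, the constant whose static import this hunk removes; please confirm which pseudo-scope is intended, because "compile+runtime" says nothing about the system scope and a mismatch here silently changes which artifacts are excluded from the scan. If runtime+system is meant, the line becomes `if (skipRuntimeScope && skipSystemScope && SCOPE_RUNTIME_PLUS_SYSTEM.equals(scope)) {` with that import restored. Separately, the Javadoc on `passes` opens with "Tests is the artifact", which should read "Tests if the artifact", and since `true` here means excluded (the inverse of what a method named `passes` usually implies), the `@return` sentence is load-bearing and worth keeping in step with callers such as `CheckMojo`.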
@@ -1048,6 +1051,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 return format;
 }
+ /**
+ * Returns the artifact scope excluded filter.
+ *
+ * @return the artifact scope excluded filter
+ */
+ protected Filter getArtifactScopeExcluded() {
+ return artifactScopeExcluded;
+ }
+
 //
 /**
 * Checks to see if a vulnerability has been identified with a CVSS score
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
index 2540fd280..75b20e8e4 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
@@ -64,7 +64,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
 public boolean canGenerateReport() {
 boolean isCapable = false;
 for (Artifact a : getProject().getArtifacts()) {
- if (!artifactScopeExcluded.passes(a.getScope())) {
+ if (!getArtifactScopeExcluded().passes(a.getScope())) {
 isCapable = true;
 break;
 }
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
index 643b83aea..fa4565946 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
@@ -17,9 +17,6 @@
 */
 package org.owasp.dependencycheck.utils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -36,10 +33,6 @@ import java.security.NoSuchAlgorithmException;
 */
 public final class Checksum {
- /**
- * The logger.
- */
- private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class);
 /**
 * Hex code characters used in getHex.
 */
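Review bot: `getArtifactScopeExcluded().passes(a.getScope())` dereferences the getter's result without a null check, and the field it returns is declared without an initializer in the `@@ -465` hunk of BaseDependencyCheckMojo; if the filter is only assigned later in the execution path, a call to `canGenerateReport()` made before that point fails with a NullPointerException. Where the field is populated is not visible in the diff, so this may already be guaranteed; if it is not, the getter could guard the unset case, e.g. `if (artifactScopeExcluded == null) { /* build the filter from the skip* settings */ }` before returning. `canGenerateReport()` ends outside the hunk.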
diff --git a/pom.xml b/pom.xml
index c76264c30..6601a294b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -124,12 +124,10 @@ Copyright (c) 2012 - Jeremy Long UTF-8 UTF-8 github - 4.7.2 1.9.8 - 1.7.23 - 1.1.9 + 1.7.24 + 1.2.0 3.0 2.17
@@ -199,7 +197,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-failsafe-plugin - 2.19.1 + 2.20 org.apache.maven.plugins
@@ -234,7 +232,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-surefire-plugin - 2.19.1 + 2.20 org.apache.maven.plugins
@@ -670,7 +668,7 @@ Copyright (c) 2012 - Jeremy Long com.google.code.gson gson - 2.3.1 + 2.4 com.h2database
@@ -680,7 +678,7 @@ Copyright (c) 2012 - Jeremy Long commons-cli commons-cli - 1.3.1 + 1.4 commons-io
@@ -691,7 +689,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.commons commons-lang3 - 3.3.2 + 3.4 com.sun.mail
@@ -717,7 +715,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.commons commons-compress - 1.13 + 1.14 org.apache.ant
@@ -815,7 +813,7 @@ Copyright (c) 2012 - Jeremy Long org.jmockit jmockit - 1.26 + 1.27 test
diff --git a/src/main/config/checkstyle-header.txt b/src/main/config/checkstyle-header.txt
index ac81f0010..8d34b1ad4 100644
--- a/src/main/config/checkstyle-header.txt
+++ b/src/main/config/checkstyle-header.txt
@@ -13,6 +13,6 @@
 ^ \* See the License for the specific language governing permissions and\s*$
 ^ \* limitations under the License\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package
diff --git a/src/site/resources/general/dep-check-date.sh b/src/site/resources/general/dep-check-date.sh
index 21130bf8d..24a5c484b 100755
--- a/src/site/resources/general/dep-check-date.sh
+++ b/src/site/resources/general/dep-check-date.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 CLI_LOCATION=~/.local/dependency-check-1.2.11
 CLI_SCRIPT=$CLI_LOCATION/bin/dependency-check.sh
-NVD_PATH=$1/`date -I -d $2`
+NVD_PATH=$1/$(date -I -d $2)
 NVD=file://$NVD_PATH
 shift 2 # We've used the first two params. The rest go to CLI_SCRIPT.
 $CLI_SCRIPT --cveUrl20Base $NVD/nvdcve-2.0-%d.xml.gz \
diff --git a/src/site/resources/general/nvd_download.sh b/src/site/resources/general/nvd_download.sh
index 5af32b5b9..062cd8e4f 100755
--- a/src/site/resources/general/nvd_download.sh
+++ b/src/site/resources/general/nvd_download.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-NVD_ROOT=$1/`date -I`
+NVD_ROOT=$1/$(date -I)
 JAR_PATH=$2/nist-data-mirror-1.0.0.jar
 java -jar $JAR_PATH $NVD_ROOT
 rm $NVD_ROOT/*.xml # D-C works directly with .gz files anyway.
\ No newline at end of file
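Review bot: The new `NVD_PATH=$1/$(date -I -d $2)` still leaves `$2` unquoted inside the substitution, so a date argument containing whitespace is split into several words before `date` sees it; `NVD_PATH="$1/$(date -I -d "$2")"` passes both arguments intact. Neither `$1` nor `$2` is checked before `shift 2`, so a call with fewer than two arguments either aborts at the `shift` or continues with the wrong arguments depending on the shell; a guard such as `[ $# -ge 2 ] || { echo "usage: $0 nvd-dir date [cli-args...]" >&2; exit 1; }` ahead of the assignment makes the failure explicit. `date -I` and `-d` are GNU extensions, which is worth a one-line comment given the `#!/bin/sh` shebang. The `$CLI_SCRIPT` invocation continues outside the hunk.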
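Review bot: `rm $NVD_ROOT/*.xml` on the last line runs regardless of whether the preceding `java -jar $JAR_PATH $NVD_ROOT` succeeded, so a failed or partial mirror run still deletes whatever `.xml` files are in the target directory, and `$NVD_ROOT`/`$JAR_PATH` are unquoted throughout, so a path with spaces expands to several arguments. Chaining the two steps, `java -jar "$JAR_PATH" "$NVD_ROOT" && rm "$NVD_ROOT"/*.xml`, together with `NVD_ROOT="$1/$(date -I)"` keeps the cleanup conditional on the mirror step and the paths whole. `$(...)` is the portable substitution form, but `-I` itself remains a GNU `date` extension under `#!/bin/sh`; the file also ends without a trailing newline.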