Merge branch 'master' of https://github.com/wmaintw/DependencyCheck into wmaintw-master

Former-commit-id: 2974aad3031a4b5746f735640f9fdee430e5b709

dependency-check-gradle/.gitignore

@@ -0,0 +1,12 @@
+.idea/
+.gradle
+
+*.iml
+*.ipr
+*.iws
+
+out/
+build/
+
+gradle-app.setting
+gradle.properties

dependency-check-gradle/README.md

@@ -0,0 +1,158 @@
+Dependency-Check-Gradle
+=========
+
+**Working in progress**
+
+This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
+
+Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
+
+=========
+
+## Usage
+
+### Step 1, Apply dependency check gradle plugin
+
+Please refer to either one of the solution
+
+#### Solution 1，Bintray
+
+```
+apply plugin: "dependency-check"
+
+buildscript {
+    repositories {
+        maven {
+            url 'http://dl.bintray.com/wei/maven'
+        }
+        mavenCentral()
+    }
+    dependencies {
+        classpath(
+                'com.tools.security:dependency-check:0.0.3'
+        )
+    }
+}
+```
+
+#### Solution 2，Gradle Plugin Portal
+
+[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check)
+
+**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:**
+
+```
+// buildscript {
+//     ...
+// }
+
+plugins {
+    id "dependency.check" version "0.0.3"
+}
+
+// apply plugin: ...
+```
+
+**Build script snippet for use in all Gradle versions:**
+
+```
+buildscript {
+  repositories {
+    maven {
+      url "https://plugins.gradle.org/m2/"
+    }
+  }
+  dependencies {
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
+  }
+}
+
+apply plugin: "dependency.check"
+```
+
+**If your project includes multiple sub-project, configure build script this way:**
+
+```
+buildscript {
+  repositories {
+    maven {
+      url "https://plugins.gradle.org/m2/"
+    }
+  }
+  dependencies {
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
+  }
+}
+
+allprojects {
+    //other plugins you may use
+    //apply plugin: "java"
+
+    apply plugin: "dependency-check"
+
+    repositories {
+        mavenCentral()
+    }
+}
+```
+
+or
+
+```
+buildscript {
+  repositories {
+    maven {
+      url "https://plugins.gradle.org/m2/"
+    }
+  }
+  dependencies {
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
+  }
+}
+
+subprojects {
+    //other plugins you may use
+    //apply plugin: "java"
+
+    apply plugin: "dependency-check"
+
+    repositories {
+        mavenCentral()
+    }
+}
+```
+
+In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
+
+#### Solution 3，Maven Central
+
+working in progress
+
+### Step 2, Run gradle task
+
+Once gradle plugin applied, run following gradle task to check the dependencies:
+
+```
+gradle dependencyCheck
+```
+
+The reports will be generated automatically under `./reports` folder.
+
+If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
+
+### What if you are behind a proxy?
+
+Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
+
+```
+dependencyCheck {
+    proxyServer = "127.0.0.1"      // required, the server name or IP address of the proxy
+    proxyPort = 3128               // required, the port number of the proxy
+
+    // optional, the proxy server might require username
+    // proxyUsername = "username"
+
+    // optional, the proxy server might require password
+    // proxyPassword = "password"
+}
+```

dependency-check-gradle/build.gradle

@@ -0,0 +1,87 @@
+buildscript {
+    repositories {
+        maven {
+            url "https://plugins.gradle.org/m2/"
+        }
+    }
+
+    dependencies {
+        classpath "com.gradle.publish:plugin-publish-plugin:0.9.0"
+    }
+}
+
+plugins {
+    id 'nu.studer.plugindev' version '1.0.3'
+}
+
+apply plugin: 'idea'
+apply plugin: 'groovy'
+apply plugin: 'maven'
+apply plugin: "com.gradle.plugin-publish"
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    compile(
+            localGroovy(),
+            gradleApi(),
+            'org.owasp:dependency-check-core:1.2.11',
+            'org.owasp:dependency-check-utils:1.2.10'
+    )
+}
+
+group = 'com.tools.security'
+version = '0.0.3'
+
+//-------------------------------
+// Local debug use only
+//
+uploadArchives {
+    repositories {
+        mavenDeployer {
+            repository(url: uri('../../../repo'))
+        }
+    }
+}
+//-------------------------------
+
+// publish to Bintray
+plugindev {
+    pluginId = 'dependency.check'
+    pluginName = 'dependency-check'
+    pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin'
+    pluginDescription 'This is dependency check gradle plugin.'
+    pluginLicenses 'Apache-2.0'
+    pluginTags 'dependency check', 'security'
+    authorId 'wmaintw'
+    authorName 'Wei Ma'
+    authorEmail 'wma@thoughtworks.com'
+    projectUrl 'https://github.com/wmaintw/DependencyCheck'
+    projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues'
+    projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git'
+    projectInceptionYear '2015'
+    done()
+}
+
+bintray {
+    user = bintrayUser
+    key = bintrayUserKey
+    pkg.repo = bintrayRepo
+}
+
+// publish to gradle plugin portal
+pluginBundle {
+    website = 'https://github.com/wmaintw/DependencyCheck'
+    vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git'
+    description = 'This is dependency check gradle plugin.'
+    tags = ['dependency check', 'security']
+
+    plugins {
+        dependencyCheckPlugin {
+            id = 'dependency.check'
+            displayName = 'dependency-check'
+        }
+    }
+}

dependency-check-gradle/gradlew

@@ -0,0 +1,164 @@
+#!/usr/bin/env bash
+
+##############################################################################
+##
+##  Gradle start up script for UN*X
+##
+##############################################################################
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS=""
+
+APP_NAME="Gradle"
+APP_BASE_NAME=`basename "$0"`
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD="maximum"
+
+warn ( ) {
+    echo "$*"
+}
+
+die ( ) {
+    echo
+    echo "$*"
+    echo
+    exit 1
+}
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+case "`uname`" in
+  CYGWIN* )
+    cygwin=true
+    ;;
+  Darwin* )
+    darwin=true
+    ;;
+  MINGW* )
+    msys=true
+    ;;
+esac
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched.
+if $cygwin ; then
+    [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+fi
+
+# Attempt to set APP_HOME
+# Resolve links: $0 may be a link
+PRG="$0"
+# Need this for relative symlinks.
+while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+        PRG="$link"
+    else
+        PRG=`dirname "$PRG"`"/$link"
+    fi
+done
+SAVED="`pwd`"
+cd "`dirname \"$PRG\"`/" >&-
+APP_HOME="`pwd -P`"
+cd "$SAVED" >&-
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+        # IBM's JDK on AIX uses strange locations for the executables
+        JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+        JAVACMD="$JAVA_HOME/bin/java"
+    fi
+    if [ ! -x "$JAVACMD" ] ; then
+        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+    fi
+else
+    JAVACMD="java"
+    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then
+    MAX_FD_LIMIT=`ulimit -H -n`
+    if [ $? -eq 0 ] ; then
+        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+            MAX_FD="$MAX_FD_LIMIT"
+        fi
+        ulimit -n $MAX_FD
+        if [ $? -ne 0 ] ; then
+            warn "Could not set maximum file descriptor limit: $MAX_FD"
+        fi
+    else
+        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
+    fi
+fi
+
+# For Darwin, add options to specify how the application appears in the dock
+if $darwin; then
+    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin ; then
+    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
+    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+
+    # We build the pattern for arguments to be converted via cygpath
+    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
+    SEP=""
+    for dir in $ROOTDIRSRAW ; do
+        ROOTDIRS="$ROOTDIRS$SEP$dir"
+        SEP="|"
+    done
+    OURCYGPATTERN="(^($ROOTDIRS))"
+    # Add a user-defined pattern to the cygpath arguments
+    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
+        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
+    fi
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    i=0
+    for arg in "$@" ; do
+        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
+        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
+
+        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
+            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
+        else
+            eval `echo args$i`="\"$arg\""
+        fi
+        i=$((i+1))
+    done
+    case $i in
+        (0) set -- ;;
+        (1) set -- "$args0" ;;
+        (2) set -- "$args0" "$args1" ;;
+        (3) set -- "$args0" "$args1" "$args2" ;;
+        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+    esac
+fi
+
+# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules
+function splitJvmOpts() {
+    JVM_OPTS=("$@")
+}
+eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS
+JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME"
+
+exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@"

dependency-check-gradle/gradlew.bat

@@ -0,0 +1,90 @@
+@if "%DEBUG%" == "" @echo off
+@rem ##########################################################################
+@rem
+@rem  Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS=
+
+set DIRNAME=%~dp0
+if "%DIRNAME%" == "" set DIRNAME=.
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if "%ERRORLEVEL%" == "0" goto init
+
+echo.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto init
+
+echo.
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:init
+@rem Get command-line arguments, handling Windowz variants
+
+if not "%OS%" == "Windows_NT" goto win9xME_args
+if "%@eval[2+2]" == "4" goto 4NT_args
+
+:win9xME_args
+@rem Slurp the command line arguments.
+set CMD_LINE_ARGS=
+set _SKIP=2
+
+:win9xME_args_slurp
+if "x%~1" == "x" goto execute
+
+set CMD_LINE_ARGS=%*
+goto execute
+
+:4NT_args
+@rem Get arguments from the 4NT Shell from JP Software
+set CMD_LINE_ARGS=%$
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
+
+:end
+@rem End local scope for the variables with windows NT shell
+if "%ERRORLEVEL%"=="0" goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
+exit /b 1
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega

dependency-check-gradle/pom.xml

@@ -0,0 +1,35 @@
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <url>http://maven.apache.org</url>
+
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>1.2.11-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>dependency-check-gradle</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Dependency-Check Gradle Plugin</name>
+    <description>dependency-check-gradle is a Gradle Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
+    <inceptionYear>2015</inceptionYear>
+
+</project>

dependency-check-gradle/settings.gradle

@@ -0,0 +1 @@
+rootProject.name = 'dependency-check'

dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy

@@ -0,0 +1,8 @@
+package com.tools.security.extension
+
+class DependencyCheckConfigurationExtension {
+    String proxyServer
+    Integer proxyPort
+    String proxyUsername = ""
+    String proxyPassword = ""
+}

dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy

@@ -0,0 +1,23 @@
+package com.tools.security.plugin
+
+import com.tools.security.extension.DependencyCheckConfigurationExtension
+import com.tools.security.tasks.DependencyCheckTask
+import org.gradle.api.Plugin
+import org.gradle.api.Project
+
+class DependencyCheckGradlePlugin implements Plugin<Project> {
+
+    @Override
+    void apply(Project project) {
+        initializeConfigurations(project)
+        registerTasks(project)
+    }
+
+    def initializeConfigurations(Project project) {
+        project.extensions.create("dependencyCheck", DependencyCheckConfigurationExtension)
+    }
+
+    def registerTasks(Project project) {
+        project.tasks.create("dependencyCheck", DependencyCheckTask)
+    }
+}

dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy

@@ -0,0 +1,86 @@
+package com.tools.security.tasks
+
+import org.gradle.api.DefaultTask
+import org.gradle.api.artifacts.Configuration
+import org.gradle.api.artifacts.ResolvedArtifact
+import org.gradle.api.tasks.TaskAction
+import org.owasp.dependencycheck.Engine
+import org.owasp.dependencycheck.data.nvdcve.CveDB
+import org.owasp.dependencycheck.dependency.Dependency
+import org.owasp.dependencycheck.reporting.ReportGenerator
+import org.owasp.dependencycheck.utils.Settings
+
+import static org.owasp.dependencycheck.utils.Settings.setString
+
+class DependencyCheckTask extends DefaultTask {
+
+    def currentProjectName = project.getName()
+
+    @TaskAction
+    def check() {
+        initializeSettings()
+        def engine = initializeEngine()
+
+        verifyDependencies(engine)
+        analyzeDependencies(engine)
+        retrieveVulnerabilities(engine)
+        generateReport(engine)
+    }
+
+    private Engine initializeEngine() {
+        new Engine()
+    }
+
+    def initializeSettings() {
+        Settings.initialize()
+        overrideProxySetting()
+    }
+
+    def verifyDependencies(engine) {
+        logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
+        getAllDependencies(project).each { engine.scan(it) }
+    }
+
+    def analyzeDependencies(Engine engine) {
+        logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies")
+        engine.analyzeDependencies()
+    }
+
+    def retrieveVulnerabilities(Engine engine) {
+        def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
+            dependency.getVulnerabilities()
+        }.flatten()
+
+        logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}")
+    }
+
+    def generateReport(Engine engine) {
+        logger.lifecycle("Generating report for project ${currentProjectName}")
+        def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers,
+                new CveDB().databaseProperties)
+        reportGenerator.generateReports("./reports/${currentProjectName}", ReportGenerator.Format.ALL)
+    }
+
+    def overrideProxySetting() {
+        if (isProxySettingExist()) {
+            logger.lifecycle("Using proxy ${project.dependencyCheck.proxyServer}:${project.dependencyCheck.proxyPort}")
+
+            setString(Settings.KEYS.PROXY_SERVER, project.dependencyCheck.proxyServer)
+            setString(Settings.KEYS.PROXY_PORT, "${project.dependencyCheck.proxyPort}")
+            setString(Settings.KEYS.PROXY_USERNAME, project.dependencyCheck.proxyUsername)
+            setString(Settings.KEYS.PROXY_PASSWORD, project.dependencyCheck.proxyPassword)
+        }
+    }
+
+    def isProxySettingExist() {
+        project.dependencyCheck.proxyServer != null && project.dependencyCheck.proxyPort != null
+    }
+
+    def getAllDependencies(project) {
+        return project.getConfigurations().collect { Configuration configuration ->
+            configuration.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact ->
+                artifact.getFile()
+            }
+        }.flatten();
+    }
+}

dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties

@@ -0,0 +1 @@
+implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin

pom.xml

@@ -28,6 +28,7 @@ Copyright (c) 2012 - Jeremy Long
         <module>dependency-check-cli</module>
         <module>dependency-check-ant</module>
         <module>dependency-check-maven</module>
+        <module>dependency-check-gradle</module>
         <module>dependency-check-jenkins</module>
         <module>dependency-check-utils</module>
     </modules>