Merge branch 'upmaster' into ruby-bundler

Dale Visser
2015-09-14 17:14:20 -04:00
122 changed files with 974 additions and 10408 deletions


@@ -110,7 +110,7 @@ Copyright & License
Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.


@@ -1,9 +1,6 @@
-----------------------------
---begin dependency-check----
-----------------------------
dependency-check
OWASP dependency-check
Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
@@ -19,11 +16,3 @@ An original copy of the license agreement can be found at: http://www.h2database
This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/
This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm
-----------------------------
---end dependency-check------
-----------------------------
Notices below are from dependent libraries and have been included via maven-shade-plugin.
-----------------------------


@@ -20,6 +20,6 @@ Copyright & License
Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-ant/blob/master/NOTICES.txt) file for more information.
Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.


@@ -192,28 +192,34 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>2.4.1</version>
<artifactId>maven-jar-plugin</artifactId>
<configuration>
<transformers>
<transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
<transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
<resource>META-INF/NOTICE.txt</resource>
</transformer>
<transformer implementation="org.apache.maven.plugins.shade.resource.DontIncludeResourceTransformer">
<resource>META-INF/NOTICE</resource>
</transformer>
<transformer implementation="org.apache.maven.plugins.shade.resource.DontIncludeResourceTransformer">
<resource>META-INF/LICENSE</resource>
</transformer>
</transformers>
<archive>
<manifest>
<addClasspath>true</addClasspath>
<classpathPrefix>lib/</classpathPrefix>
</manifest>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<configuration>
<attach>false</attach> <!-- don't install/deploy this archive -->
</configuration>
<executions>
<execution>
<id>create-distribution</id>
<phase>package</phase>
<goals>
<goal>shade</goal>
<goal>single</goal>
</goals>
<configuration>
<descriptors>
<descriptor>src/main/assembly/release.xml</descriptor>
</descriptors>
</configuration>
</execution>
</executions>
</plugin>
@@ -221,9 +227,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<configuration>
<!--instrumentation>
<ignoreTrivial>true</ignoreTrivial>
</instrumentation-->
<check>
<branchRate>85</branchRate>
<lineRate>85</lineRate>
@@ -320,6 +323,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
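Review bot: The removed `maven-shade-plugin` entry carried `<version>2.4.1</version>`, but the `maven-jar-plugin` and `maven-assembly-plugin` entries that replace it declare no version in this hunk. Unless a parent `pluginManagement` section pins them, the build uses whatever plugin version Maven resolves by default, which makes the release archive harder to reproduce; an explicit `<version>` on both entries (value to be chosen by the maintainers) closes that. With the jar no longer shaded, the manifest `Class-Path` prefix `lib/` only resolves when the jar sits next to the `lib` directory, which deserves a sentence in the Ant task documentation. The `<plugins>` list continues outside the hunk.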


@@ -12,18 +12,25 @@
<format>zip</format>
</formats>
<includeBaseDirectory>false</includeBaseDirectory>
<fileSets>
<!--fileSets>
<fileSet>
<outputDirectory>/</outputDirectory>
<outputDirectory>dependency-check</outputDirectory>
<directory>${project.build.directory}</directory>
<includes>
<include>dependency-check*.jar</include>
</includes>
</fileSet>
</fileSets>
</fileSets-->
<files>
<file>
<source>${project.build.directory}/${project.artifactId}-${project.version}.jar</source>
<outputDirectory>dependency-check</outputDirectory>
<destName>dependency-check-ant.jar</destName>
</file>
</files>
<dependencySets>
<dependencySet>
<outputDirectory>/lib</outputDirectory>
<outputDirectory>dependency-check/lib</outputDirectory>
<scope>runtime</scope>
</dependencySet>
</dependencySets>
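Review bot: The `<dependencySet>` does not set `useProjectArtifact`, which defaults to true in the assembly plugin, so the module's own jar is likely copied into `dependency-check/lib` in addition to the renamed `dependency-check/dependency-check-ant.jar` produced by the new `<files>` entry. Adding `<useProjectArtifact>false</useProjectArtifact>` inside the `<dependencySet>` keeps a single copy of the task classes in the distribution. The old `<fileSets>` block is kept as an XML comment; deleting it is cleaner, since version control already preserves it.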


@@ -30,6 +30,11 @@ import org.slf4j.helpers.MessageFormatter;
*/
public class AntLoggerAdapter extends MarkerIgnoringBase {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* A reference to the Ant task used for logging.
*/


@@ -19,11 +19,9 @@ package org.owasp.dependencycheck.taskdefs;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.Project;
import org.apache.tools.ant.Task;
import org.apache.tools.ant.types.EnumeratedAttribute;
import org.apache.tools.ant.types.Reference;
import org.apache.tools.ant.types.Resource;
@@ -47,12 +45,8 @@ import org.slf4j.impl.StaticLoggerBinder;
*
* @author Jeremy Long
*/
public class DependencyCheckTask extends Task {
public class Check extends Update {
/**
* The properties file location.
*/
private static final String PROPERTIES_FILE = "task.properties";
/**
* System specific new line character.
*/
@@ -61,7 +55,7 @@ public class DependencyCheckTask extends Task {
/**
* Construct a new DependencyCheckTask.
*/
public DependencyCheckTask() {
public Check() {
super();
// Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
// core end up coming through this tasks logger
@@ -168,7 +162,7 @@ public class DependencyCheckTask extends Task {
this.applicationName = applicationName;
}
private String projectName = "Dependency-Check";
private String projectName = "dependency-check";
/**
* Get the value of projectName.
@@ -178,7 +172,7 @@ public class DependencyCheckTask extends Task {
public String getProjectName() {
if (applicationName != null) {
log("Configuration 'applicationName' has been deprecated, please use 'projectName' instead", Project.MSG_WARN);
if ("Dependency-Check".equals(projectName)) {
if ("dependency-check".equals(projectName)) {
projectName = applicationName;
}
}
@@ -194,28 +188,6 @@ public class DependencyCheckTask extends Task {
this.projectName = projectName;
}
/**
* The location of the data directory that contains
*/
private String dataDirectory = null;
/**
* Get the value of dataDirectory.
*
* @return the value of dataDirectory
*/
public String getDataDirectory() {
return dataDirectory;
}
/**
* Set the value of dataDirectory.
*
* @param dataDirectory new value of dataDirectory
*/
public void setDataDirectory(String dataDirectory) {
this.dataDirectory = dataDirectory;
}
/**
* Specifies the destination directory for the generated Dependency-Check report.
*/
@@ -330,139 +302,6 @@ public class DependencyCheckTask extends Task {
public void setReportFormat(ReportFormats reportFormat) {
this.reportFormat = reportFormat.getValue();
}
/**
* The Proxy Server.
*/
private String proxyServer;
/**
* Get the value of proxyServer.
*
* @return the value of proxyServer
*/
public String getProxyServer() {
return proxyServer;
}
/**
* Set the value of proxyServer.
*
* @param server new value of proxyServer
*/
public void setProxyServer(String server) {
this.proxyServer = server;
}
/**
* Get the value of proxyServer.
*
* @return the value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#getProxyServer()} instead
*/
@Deprecated
public String getProxyUrl() {
return proxyServer;
}
/**
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)} instead
*/
@Deprecated
public void setProxyUrl(String proxyUrl) {
log("A deprecated configuration option 'proxyUrl' was detected; use 'proxyServer' instead.", Project.MSG_WARN);
this.proxyServer = proxyUrl;
}
/**
* The Proxy Port.
*/
private String proxyPort;
/**
* Get the value of proxyPort.
*
* @return the value of proxyPort
*/
public String getProxyPort() {
return proxyPort;
}
/**
* Set the value of proxyPort.
*
* @param proxyPort new value of proxyPort
*/
public void setProxyPort(String proxyPort) {
this.proxyPort = proxyPort;
}
/**
* The Proxy username.
*/
private String proxyUsername;
/**
* Get the value of proxyUsername.
*
* @return the value of proxyUsername
*/
public String getProxyUsername() {
return proxyUsername;
}
/**
* Set the value of proxyUsername.
*
* @param proxyUsername new value of proxyUsername
*/
public void setProxyUsername(String proxyUsername) {
this.proxyUsername = proxyUsername;
}
/**
* The Proxy password.
*/
private String proxyPassword;
/**
* Get the value of proxyPassword.
*
* @return the value of proxyPassword
*/
public String getProxyPassword() {
return proxyPassword;
}
/**
* Set the value of proxyPassword.
*
* @param proxyPassword new value of proxyPassword
*/
public void setProxyPassword(String proxyPassword) {
this.proxyPassword = proxyPassword;
}
/**
* The Connection Timeout.
*/
private String connectionTimeout;
/**
* Get the value of connectionTimeout.
*
* @return the value of connectionTimeout
*/
public String getConnectionTimeout() {
return connectionTimeout;
}
/**
* Set the value of connectionTimeout.
*
* @param connectionTimeout new value of connectionTimeout
*/
public void setConnectionTimeout(String connectionTimeout) {
this.connectionTimeout = connectionTimeout;
}
/**
* The path to the suppression file.
*/
@@ -508,6 +347,20 @@ public class DependencyCheckTask extends Task {
this.showSummary = showSummary;
}
/**
* Whether or not the Jar Analyzer is enabled.
*/
private boolean jarAnalyzerEnabled = true;
/**
* Returns whether or not the analyzer is enabled.
*
* @return true if the analyzer is enabled
*/
public boolean isJarAnalyzerEnabled() {
return jarAnalyzerEnabled;
}
/**
* Sets whether or not the analyzer is enabled.
*
@@ -605,29 +458,6 @@ public class DependencyCheckTask extends Task {
this.centralAnalyzerEnabled = centralAnalyzerEnabled;
}
/**
* Whether or not the local copy of the NVD should be purged.
*/
private boolean purge = false;
/**
* Used to determine if the local copy of the NVD should be purged.
*
* @return true if the local copy of the NVD should be purged
*/
public boolean isPurge() {
return purge;
}
/**
* Set whether or not the local copy of the NVD should be purged.
*
* @param purge setting to true will cause the local copy of the NVD to be deleted.
*/
public void setPurge(boolean purge) {
this.purge = purge;
}
/**
* Whether or not the nexus analyzer is enabled.
*/
@@ -696,119 +526,6 @@ public class DependencyCheckTask extends Task {
this.nexusUsesProxy = nexusUsesProxy;
}
/**
* The database driver name; such as org.h2.Driver.
*/
private String databaseDriverName;
/**
* Get the value of databaseDriverName.
*
* @return the value of databaseDriverName
*/
public String getDatabaseDriverName() {
return databaseDriverName;
}
/**
* Set the value of databaseDriverName.
*
* @param databaseDriverName new value of databaseDriverName
*/
public void setDatabaseDriverName(String databaseDriverName) {
this.databaseDriverName = databaseDriverName;
}
/**
* The path to the database driver JAR file if it is not on the class path.
*/
private String databaseDriverPath;
/**
* Get the value of databaseDriverPath.
*
* @return the value of databaseDriverPath
*/
public String getDatabaseDriverPath() {
return databaseDriverPath;
}
/**
* Set the value of databaseDriverPath.
*
* @param databaseDriverPath new value of databaseDriverPath
*/
public void setDatabaseDriverPath(String databaseDriverPath) {
this.databaseDriverPath = databaseDriverPath;
}
/**
* The database connection string.
*/
private String connectionString;
/**
* Get the value of connectionString.
*
* @return the value of connectionString
*/
public String getConnectionString() {
return connectionString;
}
/**
* Set the value of connectionString.
*
* @param connectionString new value of connectionString
*/
public void setConnectionString(String connectionString) {
this.connectionString = connectionString;
}
/**
* The user name for connecting to the database.
*/
private String databaseUser;
/**
* Get the value of databaseUser.
*
* @return the value of databaseUser
*/
public String getDatabaseUser() {
return databaseUser;
}
/**
* Set the value of databaseUser.
*
* @param databaseUser new value of databaseUser
*/
public void setDatabaseUser(String databaseUser) {
this.databaseUser = databaseUser;
}
/**
* The password to use when connecting to the database.
*/
private String databasePassword;
/**
* Get the value of databasePassword.
*
* @return the value of databasePassword
*/
public String getDatabasePassword() {
return databasePassword;
}
/**
* Set the value of databasePassword.
*
* @param databasePassword new value of databasePassword
*/
public void setDatabasePassword(String databasePassword) {
this.databasePassword = databasePassword;
}
/**
* Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
* files.
@@ -833,97 +550,6 @@ public class DependencyCheckTask extends Task {
this.zipExtensions = zipExtensions;
}
/**
* The url for the modified NVD CVE (1.2 schema).
*/
private String cveUrl12Modified;
/**
* Get the value of cveUrl12Modified.
*
* @return the value of cveUrl12Modified
*/
public String getCveUrl12Modified() {
return cveUrl12Modified;
}
/**
* Set the value of cveUrl12Modified.
*
* @param cveUrl12Modified new value of cveUrl12Modified
*/
public void setCveUrl12Modified(String cveUrl12Modified) {
this.cveUrl12Modified = cveUrl12Modified;
}
/**
* The url for the modified NVD CVE (2.0 schema).
*/
private String cveUrl20Modified;
/**
* Get the value of cveUrl20Modified.
*
* @return the value of cveUrl20Modified
*/
public String getCveUrl20Modified() {
return cveUrl20Modified;
}
/**
* Set the value of cveUrl20Modified.
*
* @param cveUrl20Modified new value of cveUrl20Modified
*/
public void setCveUrl20Modified(String cveUrl20Modified) {
this.cveUrl20Modified = cveUrl20Modified;
}
/**
* Base Data Mirror URL for CVE 1.2.
*/
private String cveUrl12Base;
/**
* Get the value of cveUrl12Base.
*
* @return the value of cveUrl12Base
*/
public String getCveUrl12Base() {
return cveUrl12Base;
}
/**
* Set the value of cveUrl12Base.
*
* @param cveUrl12Base new value of cveUrl12Base
*/
public void setCveUrl12Base(String cveUrl12Base) {
this.cveUrl12Base = cveUrl12Base;
}
/**
* Data Mirror URL for CVE 2.0.
*/
private String cveUrl20Base;
/**
* Get the value of cveUrl20Base.
*
* @return the value of cveUrl20Base
*/
public String getCveUrl20Base() {
return cveUrl20Base;
}
/**
* Set the value of cveUrl20Base.
*
* @param cveUrl20Base new value of cveUrl20Base
*/
public void setCveUrl20Base(String cveUrl20Base) {
this.cveUrl20Base = cveUrl20Base;
}
/**
* The path to Mono for .NET assembly analysis on non-windows systems.
*/
@@ -952,28 +578,11 @@ public class DependencyCheckTask extends Task {
dealWithReferences();
validateConfiguration();
populateSettings();
if (purge) {
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
} else {
log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR);
}
} else {
log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR);
}
} catch (IOException ex) {
log("Unable to delete the database", Project.MSG_ERR);
}
}
Engine engine = null;
try {
engine = new Engine(DependencyCheckTask.class.getClassLoader());
//todo - should this be its own task?
if (updateOnly) {
engine = new Engine(Check.class.getClassLoader());
if (isUpdateOnly()) {
log("Deprecated 'UpdateOnly' property set; please use the UpdateTask instead", Project.MSG_WARN);
engine.doUpdates();
} else {
try {
@@ -1046,50 +655,11 @@ public class DependencyCheckTask extends Task {
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
* required to change the proxy server, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
InputStream taskProperties = null;
try {
taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
Settings.mergeProperties(taskProperties);
} catch (IOException ex) {
log("Unable to load the dependency-check ant task.properties file.", ex, Project.MSG_WARN);
} finally {
if (taskProperties != null) {
try {
taskProperties.close();
} catch (IOException ex) {
log("", ex, Project.MSG_DEBUG);
}
}
}
if (dataDirectory != null) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
final File jarPath = new File(DependencyCheckTask.class.getProtectionDomain().getCodeSource().getLocation().getPath());
final File base = jarPath.getParentFile();
final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
final File dataDir = new File(base, sub);
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
}
@Override
protected void populateSettings() {
super.populateSettings();
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
if (proxyServer != null && !proxyServer.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
}
if (proxyUsername != null && !proxyUsername.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
}
if (proxyPassword != null && !proxyPassword.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
}
if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
}
if (suppressionFile != null && !suppressionFile.isEmpty()) {
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
}
@@ -1117,34 +687,6 @@ public class DependencyCheckTask extends Task {
if (pathToMono != null && !pathToMono.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
}
if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
}
if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
}
if (connectionString != null && !connectionString.isEmpty()) {
Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
}
if (databaseUser != null && !databaseUser.isEmpty()) {
Settings.setString(Settings.KEYS.DB_USER, databaseUser);
}
if (databasePassword != null && !databasePassword.isEmpty()) {
Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
}
if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
}
if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
}
if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
}
if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
}
}
/**
@@ -1236,18 +778,4 @@ public class DependencyCheckTask extends Task {
return values;
}
}
/**
* Whether or not the Jar Analyzer is enabled.
*/
private boolean jarAnalyzerEnabled = true;
/**
* Returns whether or not the analyzer is enabled.
*
* @return true if the analyzer is enabled
*/
public boolean isJarAnalyzerEnabled() {
return jarAnalyzerEnabled;
}
}
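Review bot: The deprecated `getProxyUrl()`/`setProxyUrl()` accessors are dropped in the `-330,139` hunk, and the part of `Update` shown on this page defines only `proxyServer`, so an Ant build that still passes `proxyUrl` would presumably fail on an unsupported attribute instead of getting the old warning. Keeping `@Deprecated public void setProxyUrl(String proxyUrl)` with its warning in `Update` would preserve that migration path. In `execute()` the new warning tells users to use 'UpdateTask' while the class added by this merge is named `Update`; the message should name whatever the taskdef actually registers. The constructor Javadoc still reads "Construct a new DependencyCheckTask." and the `populateSettings()` Javadoc still describes proxy and timeout handling that now lives in the superclass. `execute()` and the class body extend outside the hunks shown.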


@@ -0,0 +1,127 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.taskdefs;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.Project;
import org.apache.tools.ant.Task;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.impl.StaticLoggerBinder;
/**
* An Ant task definition to execute dependency-check during an Ant build.
*
* @author Jeremy Long
*/
public class Purge extends Task {
/**
* The properties file location.
*/
private static final String PROPERTIES_FILE = "task.properties";
/**
* Construct a new DependencyCheckTask.
*/
public Purge() {
super();
// Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
// core end up coming through this tasks logger
StaticLoggerBinder.getSingleton().setTask(this);
}
/**
* The location of the data directory that contains
*/
private String dataDirectory = null;
/**
* Get the value of dataDirectory.
*
* @return the value of dataDirectory
*/
public String getDataDirectory() {
return dataDirectory;
}
/**
* Set the value of dataDirectory.
*
* @param dataDirectory new value of dataDirectory
*/
public void setDataDirectory(String dataDirectory) {
this.dataDirectory = dataDirectory;
}
@Override
public void execute() throws BuildException {
populateSettings();
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
} else {
log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR);
}
} else {
log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR);
}
} catch (IOException ex) {
log("Unable to delete the database", Project.MSG_ERR);
} finally {
Settings.cleanup(true);
}
}
/**
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
* required to change the proxy server, port, and connection timeout.
*/
protected void populateSettings() {
Settings.initialize();
InputStream taskProperties = null;
try {
taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
Settings.mergeProperties(taskProperties);
} catch (IOException ex) {
log("Unable to load the dependency-check ant task.properties file.", ex, Project.MSG_WARN);
} finally {
if (taskProperties != null) {
try {
taskProperties.close();
} catch (IOException ex) {
log("", ex, Project.MSG_DEBUG);
}
}
}
if (dataDirectory != null) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
final File jarPath = new File(Purge.class.getProtectionDomain().getCodeSource().getLocation().getPath());
final File base = jarPath.getParentFile();
final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
final File dataDir = new File(base, sub);
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
}
}
}
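Review bot: `execute()` reports every purge failure (delete refused, file missing, `IOException`) through `log(..., Project.MSG_ERR)` and then returns normally, so a build that purges in order to discard a stale or damaged local NVD copy carries on against the old data. Consider throwing `BuildException` on the failed-delete and `IOException` branches, or gating that behind a fail-on-error attribute. The catch also drops the cause; `log("Unable to delete the database", ex, Project.MSG_ERR);` would keep it. In `populateSettings()`, `getResourceAsStream(PROPERTIES_FILE)` may return null, `getCodeSource()` may be null under some class loaders, and `getLocation().getPath()` is not URL-decoded, so a jar path containing spaces could resolve to the wrong data directory; none of these is checked before use. The class and constructor Javadoc are copied from the check task and should describe the purge instead.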


@@ -0,0 +1,433 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.taskdefs;
import org.apache.tools.ant.BuildException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.impl.StaticLoggerBinder;
/**
* An Ant task definition to execute dependency-check update. This will download the latest data from the National Vulnerability
* Database (NVD) and store a copy in the local database.
*
* @author Jeremy Long
*/
public class Update extends Purge {
/**
* Construct a new UpdateTask.
*/
public Update() {
super();
// Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
// core end up coming through this tasks logger
StaticLoggerBinder.getSingleton().setTask(this);
}
/**
* The Proxy Server.
*/
private String proxyServer;
/**
* Get the value of proxyServer.
*
* @return the value of proxyServer
*/
public String getProxyServer() {
return proxyServer;
}
/**
* Set the value of proxyServer.
*
* @param server new value of proxyServer
*/
public void setProxyServer(String server) {
this.proxyServer = server;
}
/**
* The Proxy Port.
*/
private String proxyPort;
/**
* Get the value of proxyPort.
*
* @return the value of proxyPort
*/
public String getProxyPort() {
return proxyPort;
}
/**
* Set the value of proxyPort.
*
* @param proxyPort new value of proxyPort
*/
public void setProxyPort(String proxyPort) {
this.proxyPort = proxyPort;
}
/**
* The Proxy username.
*/
private String proxyUsername;
/**
* Get the value of proxyUsername.
*
* @return the value of proxyUsername
*/
public String getProxyUsername() {
return proxyUsername;
}
/**
* Set the value of proxyUsername.
*
* @param proxyUsername new value of proxyUsername
*/
public void setProxyUsername(String proxyUsername) {
this.proxyUsername = proxyUsername;
}
/**
* The Proxy password.
*/
private String proxyPassword;
/**
* Get the value of proxyPassword.
*
* @return the value of proxyPassword
*/
public String getProxyPassword() {
return proxyPassword;
}
/**
* Set the value of proxyPassword.
*
* @param proxyPassword new value of proxyPassword
*/
public void setProxyPassword(String proxyPassword) {
this.proxyPassword = proxyPassword;
}
/**
* The Connection Timeout.
*/
private String connectionTimeout;
/**
* Get the value of connectionTimeout.
*
* @return the value of connectionTimeout
*/
public String getConnectionTimeout() {
return connectionTimeout;
}
/**
* Set the value of connectionTimeout.
*
* @param connectionTimeout new value of connectionTimeout
*/
public void setConnectionTimeout(String connectionTimeout) {
this.connectionTimeout = connectionTimeout;
}
/**
* The database driver name; such as org.h2.Driver.
*/
private String databaseDriverName;
/**
* Get the value of databaseDriverName.
*
* @return the value of databaseDriverName
*/
public String getDatabaseDriverName() {
return databaseDriverName;
}
/**
* Set the value of databaseDriverName.
*
* @param databaseDriverName new value of databaseDriverName
*/
public void setDatabaseDriverName(String databaseDriverName) {
this.databaseDriverName = databaseDriverName;
}
/**
* The path to the database driver JAR file if it is not on the class path.
*/
private String databaseDriverPath;
/**
* Get the value of databaseDriverPath.
*
* @return the value of databaseDriverPath
*/
public String getDatabaseDriverPath() {
return databaseDriverPath;
}
/**
* Set the value of databaseDriverPath.
*
* @param databaseDriverPath new value of databaseDriverPath
*/
public void setDatabaseDriverPath(String databaseDriverPath) {
this.databaseDriverPath = databaseDriverPath;
}
/**
* The database connection string.
*/
private String connectionString;
/**
* Get the value of connectionString.
*
* @return the value of connectionString
*/
public String getConnectionString() {
return connectionString;
}
/**
* Set the value of connectionString.
*
* @param connectionString new value of connectionString
*/
public void setConnectionString(String connectionString) {
this.connectionString = connectionString;
}
/**
* The user name for connecting to the database.
*/
private String databaseUser;
/**
* Get the value of databaseUser.
*
* @return the value of databaseUser
*/
public String getDatabaseUser() {
return databaseUser;
}
/**
* Set the value of databaseUser.
*
* @param databaseUser new value of databaseUser
*/
public void setDatabaseUser(String databaseUser) {
this.databaseUser = databaseUser;
}
/**
* The password to use when connecting to the database.
*/
private String databasePassword;
/**
* Get the value of databasePassword.
*
* @return the value of databasePassword
*/
public String getDatabasePassword() {
return databasePassword;
}
/**
* Set the value of databasePassword.
*
* @param databasePassword new value of databasePassword
*/
public void setDatabasePassword(String databasePassword) {
this.databasePassword = databasePassword;
}
/**
* The url for the modified NVD CVE (1.2 schema).
*/
private String cveUrl12Modified;
/**
* Get the value of cveUrl12Modified.
*
* @return the value of cveUrl12Modified
*/
public String getCveUrl12Modified() {
return cveUrl12Modified;
}
/**
* Set the value of cveUrl12Modified.
*
* @param cveUrl12Modified new value of cveUrl12Modified
*/
public void setCveUrl12Modified(String cveUrl12Modified) {
this.cveUrl12Modified = cveUrl12Modified;
}
/**
* The url for the modified NVD CVE (2.0 schema).
*/
private String cveUrl20Modified;
/**
* Get the value of cveUrl20Modified.
*
* @return the value of cveUrl20Modified
*/
public String getCveUrl20Modified() {
return cveUrl20Modified;
}
/**
* Set the value of cveUrl20Modified.
*
* @param cveUrl20Modified new value of cveUrl20Modified
*/
public void setCveUrl20Modified(String cveUrl20Modified) {
this.cveUrl20Modified = cveUrl20Modified;
}
/**
* Base Data Mirror URL for CVE 1.2.
*/
private String cveUrl12Base;
/**
* Get the value of cveUrl12Base.
*
* @return the value of cveUrl12Base
*/
public String getCveUrl12Base() {
return cveUrl12Base;
}
/**
* Set the value of cveUrl12Base.
*
* @param cveUrl12Base new value of cveUrl12Base
*/
public void setCveUrl12Base(String cveUrl12Base) {
this.cveUrl12Base = cveUrl12Base;
}
/**
* Data Mirror URL for CVE 2.0.
*/
private String cveUrl20Base;
/**
* Get the value of cveUrl20Base.
*
* @return the value of cveUrl20Base
*/
public String getCveUrl20Base() {
return cveUrl20Base;
}
/**
* Set the value of cveUrl20Base.
*
* @param cveUrl20Base new value of cveUrl20Base
*/
public void setCveUrl20Base(String cveUrl20Base) {
this.cveUrl20Base = cveUrl20Base;
}
/**
* Executes the update by initializing the settings, downloads the NVD XML data, and then processes the data storing it in the
* local database.
*
* @throws BuildException thrown if a connection to the local database cannot be made.
*/
@Override
public void execute() throws BuildException {
populateSettings();
Engine engine = null;
try {
engine = new Engine(Update.class.getClassLoader());
engine.doUpdates();
} catch (DatabaseException ex) {
throw new BuildException("Unable to connect to the dependency-check database; unable to update the NVD data", ex);
} finally {
Settings.cleanup(true);
if (engine != null) {
engine.cleanup();
}
}
}
/**
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
* required to change the proxy server, port, and connection timeout.
*/
@Override
protected void populateSettings() {
super.populateSettings();
if (proxyServer != null && !proxyServer.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
}
if (proxyUsername != null && !proxyUsername.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
}
if (proxyPassword != null && !proxyPassword.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
}
if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
}
if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
}
if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
}
if (connectionString != null && !connectionString.isEmpty()) {
Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
}
if (databaseUser != null && !databaseUser.isEmpty()) {
Settings.setString(Settings.KEYS.DB_USER, databaseUser);
}
if (databasePassword != null && !databasePassword.isEmpty()) {
Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
}
if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
}
if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
}
if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
}
if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
}
}
}


@@ -0,0 +1,3 @@
dependency-check=org.owasp.dependencycheck.taskdefs.Check
dependency-check-purge=org.owasp.dependencycheck.taskdefs.Purge
dependency-check-update=org.owasp.dependencycheck.taskdefs.Update


@@ -1,2 +1,2 @@
# the path to the data directory
data.directory=dependency-check-data
data.directory=data


@@ -1,3 +0,0 @@
# define custom tasks here
dependencycheck=org.owasp.dependencycheck.taskdefs.DependencyCheckTask


@@ -0,0 +1,19 @@
Configuration
====================
The dependency-check-purge task deletes the local copy of the NVD. This task
should rarely be used, if ever. This is included as a convenience method in
the rare circumstance that the local H2 database because corrupt.
```xml
<target name="dependency-check-purge" description="Dependency-Check purge">
<dependency-check-purge />
</target>
```
Configuration: dependency-check-purge Task
--------------------
The following properties can be set on the dependency-check-purge task.
Property | Description | Default Value
----------------------|----------------------------------------------------------------|------------------
dataDirectory | Data directory that is used to store the local copy of the NVD | data


@@ -0,0 +1,44 @@
Configuration
====================
The dependency-check-update task downloads and updates the local copy of the NVD.
There are several reasons that one may want to use this task; primarily, creating
an update that will be run only once a day or once every few days (but not greater
then 7 days) and then use the `autoUpdate="false"` setting on individual
dependency-check scans. See [Internet Access Required](https://jeremylong.github.io/DependencyCheck/data/index.html)
for more information on why this task would be used.
```xml
<target name="dependency-check-update" description="Dependency-Check Update">
<dependency-check-update />
</target>
```
Configuration: dependency-check-update Task
--------------------
The following properties can be set on the dependency-check task.
Property | Description | Default Value
----------------------|------------------------------------|------------------
proxyServer | The Proxy Server. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;
connectionTimeout | The URL Connection Timeout. | &nbsp;
Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value
---------------------|-------------------------------------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;


@@ -1,5 +1,11 @@
Configuration
====================
Once dependency-check-ant has been [installed](index.html) the defined tasks can be used.
* dependency-check - the primary task used to check the project dependencies. Configuration options are below.
* dependency-check-purge - deletes the local copy of the NVD; this should rarely be used (if ever). See the [purge configuration](config-purge.html) for more information.
* dependency-check-update - downloads and updates the local copy of the NVD. See the [update configuration](config-update.html) for more information.
To configure the dependency-check task you can add it to a target and include a
file based [resource collection](http://ant.apache.org/manual/Types/resources.html#collection)
such as a [FileSet](http://ant.apache.org/manual/Types/fileset.html), [DirSet](http://ant.apache.org/manual/Types/dirset.html),
@@ -19,14 +25,13 @@ the project's dependencies.
</target>
```
Configuration
====================
The following properties can be set on the dependency-check-maven plugin.
Configuration: dependency-check Task
--------------------
The following properties can be set on the dependency-check-update task.
Property | Description | Default Value
----------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
updateOnly | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
projectName | The name of the project being scanned. | Dependency-Check
reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
@@ -70,10 +75,9 @@ cveUrl12Modified | URL for the modified CVE 1.2.
cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;
dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;
purge | Delete the local copy of the NVD. This is used to force a refresh of the data. | &nbsp;


@@ -7,23 +7,25 @@ identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
Installation
====================
Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
the lib directory of your Ant instalation directory. Once installed you can add
the taskdef to you build.xml and add the task to a new or existing target:
1. Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}-release.zip).
2. Unzip the archive
3. Add the taskdef to your build.xml:
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
```
If you do not want to install dependency-check-ant into your ant's lib directory when you define the task def you
must add the classpath to the taskdef:
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
<classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
<!-- Set the value to the installation directory's path -->
<property name="dependency-check.home" value="C:/tools/dependency-check-ant"/>
<path id="dependency-check.path">
<pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
</path>
<taskdef resource="dependency-check-taskdefs.properties">
<classpath refid="dependency-check.path" />
</taskdef>
```
4. Use the defined taskdefs:
* [dependency-check](configuration.html) - the primary task used to check the project dependencies.
* [dependency-check-purge](config-purge.html) - deletes the local copy of the NVD; this should rarely be used (if ever).
* [dependency-check-update](config-update.html) - downloads and updates the local copy of the NVD.
It is important to understand that the first time this task is executed it may
take 10 minutes or more as it downloads and processes the data from the National


@@ -1,33 +0,0 @@
Usage
====================
First, add the dependency-check-ant taskdef to your build.xml (see the [installation guide](installation.html)):
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
```
Or
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
<classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
</taskdef>
```
Next, add the task to a target of your choosing:
```xml
<target name="dependency-check" description="Dependency-Check Analysis">
<dependency-check applicationname="Hello World"
autoupdate="true"
reportoutputdirectory="${basedir}"
reportformat="HTML">
<fileset dir="lib">
<include name="**/*.jar"/>
</fileset>
</dependency-check>
</target>
```
See the [configuration guide](configuration.html) for more information.


@@ -28,7 +28,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</breadcrumbs>
<menu name="Getting Started">
<item name="Installation" href="installation.html"/>
<item name="Usage" href="usage.html"/>
<item name="Configuration" href="configuration.html"/>
</menu>
<menu ref="reports" />


@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<project name="Dependency-Check Test Build" default="test.fileset" basedir=".">
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask" />
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.Check" />
<target name="test.fileset">
<dependency-check


@@ -19,6 +19,6 @@ Copyright & License
Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/NOTICES.txt) file for more information.
Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-cli/NOTICE.txt) file for more information.


@@ -235,5 +235,15 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.ant</groupId>
<artifactId>ant-launcher</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</project>


@@ -32,13 +32,12 @@ import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.org.apache.tools.ant.DirectoryScanner;
import org.apache.tools.ant.DirectoryScanner;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ch.qos.logback.core.FileAppender;
import java.util.logging.Level;
import org.slf4j.impl.StaticLoggerBinder;
/**
@@ -179,7 +178,8 @@ public class App {
//LOGGER.debug("baseDir: {}", baseDir);
//LOGGER.debug("include: {}", include);
scanner.setBasedir(baseDir);
scanner.setIncludes(include);
final String[] includes = {include};
scanner.setIncludes(includes);
scanner.setMaxLevelsOfSymlinks(symLinkDepth);
if (symLinkDepth <= 0) {
scanner.setFollowSymlinks(false);


@@ -19,7 +19,6 @@ package org.owasp.dependencycheck;
import java.io.File;
import java.io.FileNotFoundException;
import java.util.logging.Level;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;


@@ -24,6 +24,11 @@ package org.owasp.dependencycheck;
*/
class InvalidScanPathException extends Exception {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* Creates a new InvalidScanPathException.
*/


@@ -17,7 +17,7 @@ Copyright & License
Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
@@ -25,4 +25,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
[wiki]: https://github.com/jeremylong/DependencyCheck/wiki
[subscribe]: mailto:dependency-check+subscribe@googlegroups.com
[post]: mailto:dependency-check@googlegroups.com
[notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
[notices]: https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/NOTICE.txt


@@ -210,13 +210,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</systemProperties>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<compilerArgument>-Xlint:unchecked</compilerArgument>
</configuration>
</plugin>
</plugins>
</build>
<reporting>


@@ -42,6 +42,7 @@ import java.util.EnumMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
@@ -59,7 +60,7 @@ public class Engine implements FileFilter {
/**
* A Map of analyzers grouped by Analysis phase.
*/
private EnumMap<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
private Map<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
/**
* A Map of analyzers grouped by Analysis phase.
@@ -478,6 +479,7 @@ public class Engine implements FileFilter {
* @param file a file extension
* @return true or false depending on whether or not the file extension is supported
*/
@Override
public boolean accept(File file) {
if (file == null) {
return false;


@@ -28,6 +28,7 @@ import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
import org.apache.commons.compress.compressors.bzip2.BZip2Utils;
import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
import org.apache.commons.compress.compressors.gzip.GzipUtils;
import org.apache.commons.compress.utils.IOUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
@@ -54,10 +55,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(ArchiveAnalyzer.class);
/**
* The buffer size to use when extracting files from the archive.
*/
private static final int BUFFER_SIZE = 4096;
/**
* The count of directories created during analysis. This is used for creating temporary directories.
*/
@@ -385,7 +382,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
private static void extractAcceptedFile(ArchiveInputStream input, File file) throws AnalysisException {
LOGGER.debug("Extracting '{}'", file.getPath());
BufferedOutputStream bos = null;
FileOutputStream fos = null;
try {
final File parent = file.getParentFile();
@@ -396,13 +392,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
}
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte[] data = new byte[BUFFER_SIZE];
while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
bos.flush();
IOUtils.copy(input, fos);
} catch (FileNotFoundException ex) {
LOGGER.debug("", ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
@@ -412,7 +402,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new AnalysisException(msg, ex);
} finally {
close(bos);
close(fos);
}
}
@@ -429,11 +418,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
FileOutputStream out = null;
try {
out = new FileOutputStream(outputFile);
final byte[] buffer = new byte[BUFFER_SIZE];
int n; // = 0
while (-1 != (n = inputStream.read(buffer))) {
out.write(buffer, 0, n);
}
IOUtils.copy(inputStream, out);
} catch (FileNotFoundException ex) {
LOGGER.debug("", ex);
throw new ArchiveExtractionException(ex);
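Review bot: Both `IOUtils.copy(input, fos)` in extractAcceptedFile and `IOUtils.copy(inputStream, out)` in the decompression method of the last hunk write an archive entry to disk with no limit on the number of bytes, as the loops they replace also did; the same call is introduced in JarAnalyzer.extractPom. The archives being analysed are third-party artifacts, so a small, highly compressed entry can expand until the temporary directory is full. I would bound the copy with a configurable maximum and raise the existing AnalysisException or ArchiveExtractionException once it is exceeded, and until then record the assumption above each call, e.g. `// unbounded copy: entry size comes from the scanned archive`. Whether `file` has been checked to lie inside the extraction directory is decided by the caller, outside these hunks.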


@@ -147,7 +147,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
// First, see if there was an error
final String error = xpath.evaluate("/assembly/error", doc);
if (error != null && !"".equals(error)) {
if (error != null && !error.isEmpty()) {
throw new AnalysisException(error);
}
@@ -246,7 +246,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String error = xpath.evaluate("/assembly/error", doc);
if (p.waitFor() != 1 || error == null || "".equals(error)) {
if (p.waitFor() != 1 || error == null || error.isEmpty()) {
LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
LOGGER.debug("GrokAssembly.exe is not working properly");
grokAssemblyExe = null;


@@ -339,7 +339,7 @@ public class CPEAnalyzer implements Analyzer {
final String cleanText = cleanseText(searchText);
if ("".equals(cleanText)) {
if (cleanText.isEmpty()) {
return false;
}


@@ -75,6 +75,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
*
* @return the name of the analyzer.
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
@@ -84,6 +85,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}


@@ -69,6 +69,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*
* @return the name of the analyzer.
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
@@ -78,6 +79,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
@@ -378,18 +380,16 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/
private void addFalseNegativeCPEs(Dependency dependency) {
//TODO move this to the hint analyzer
final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
while (itr.hasNext()) {
final Identifier i = itr.next();
if ("cpe".equals(i.getType()) && i.getValue() != null
&& (i.getValue().startsWith("cpe:/a:oracle:opensso:")
|| i.getValue().startsWith("cpe:/a:oracle:opensso_enterprise:")
|| i.getValue().startsWith("cpe:/a:sun:opensso_enterprise:")
|| i.getValue().startsWith("cpe:/a:sun:opensso:"))) {
final String newCpe = String.format("cpe:/a:sun:opensso_enterprise:%s", i.getValue().substring(22));
final String newCpe2 = String.format("cpe:/a:oracle:opensso_enterprise:%s", i.getValue().substring(22));
final String newCpe3 = String.format("cpe:/a:sun:opensso:%s", i.getValue().substring(22));
final String newCpe4 = String.format("cpe:/a:oracle:opensso:%s", i.getValue().substring(22));
for (final Identifier identifier : dependency.getIdentifiers()) {
if ("cpe".equals(identifier.getType()) && identifier.getValue() != null
&& (identifier.getValue().startsWith("cpe:/a:oracle:opensso:")
|| identifier.getValue().startsWith("cpe:/a:oracle:opensso_enterprise:")
|| identifier.getValue().startsWith("cpe:/a:sun:opensso_enterprise:")
|| identifier.getValue().startsWith("cpe:/a:sun:opensso:"))) {
final String newCpe = String.format("cpe:/a:sun:opensso_enterprise:%s", identifier.getValue().substring(22));
final String newCpe2 = String.format("cpe:/a:oracle:opensso_enterprise:%s", identifier.getValue().substring(22));
final String newCpe3 = String.format("cpe:/a:sun:opensso:%s", identifier.getValue().substring(22));
final String newCpe4 = String.format("cpe:/a:oracle:opensso:%s", identifier.getValue().substring(22));
try {
dependency.addIdentifier("cpe",
newCpe,


@@ -48,6 +48,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
*
* @return the name of the analyzer.
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
@@ -57,6 +58,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}


@@ -17,7 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileFilter;
import java.io.FileOutputStream;
@@ -42,6 +41,7 @@ import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;
import org.apache.commons.compress.utils.IOUtils;
import org.jsoup.Jsoup;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -69,10 +69,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(JarAnalyzer.class);
/**
* The buffer size to use when extracting files from the archive.
*/
private static final int BUFFER_SIZE = 4096;
/**
* The count of directories created during analysis. This is used for creating temporary directories.
*/
@@ -198,6 +194,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
@@ -396,26 +393,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException {
InputStream input = null;
FileOutputStream fos = null;
BufferedOutputStream bos = null;
final File tmpDir = getNextTempDirectory();
final File file = new File(tmpDir, "pom.xml");
try {
final ZipEntry entry = jar.getEntry(path);
input = jar.getInputStream(entry);
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte[] data = new byte[BUFFER_SIZE];
while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
bos.flush();
IOUtils.copy(input, fos);
dependency.setActualFilePath(file.getAbsolutePath());
} catch (IOException ex) {
LOGGER.warn("An error occurred reading '{}' from '{}'.", path, dependency.getFilePath());
LOGGER.error("", ex);
} finally {
closeStream(bos);
closeStream(fos);
closeStream(input);
}


@@ -116,7 +116,7 @@ public class CentralSearch {
if ("0".equals(numFound)) {
missing = true;
} else {
final ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
final List<MavenArtifact> result = new ArrayList<MavenArtifact>();
final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
for (int i = 0; i < docs.getLength(); i++) {
final String g = xpath.evaluate("./str[@name='g']", docs.item(i));


@@ -151,7 +151,7 @@ public final class CpeMemoryIndex {
*/
@SuppressWarnings("unchecked")
private Analyzer createIndexingAnalyzer() {
final Map fieldAnalyzers = new HashMap();
final Map<String,Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
}


@@ -24,6 +24,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.util.HashMap;
import java.util.Map;
/**
*
@@ -45,21 +46,21 @@ public final class CweDB {
/**
* A HashMap of the CWE data.
*/
private static final HashMap<String, String> CWE = loadData();
private static final Map<String, String> CWE = loadData();
/**
* Loads a HashMap containing the CWE data from a resource found in the jar.
*
* @return a HashMap of CWE data
*/
private static HashMap<String, String> loadData() {
private static Map<String, String> loadData() {
ObjectInputStream oin = null;
try {
final String filePath = "data/cwe.hashmap.serialized";
final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
oin = new ObjectInputStream(input);
@SuppressWarnings("unchecked")
final HashMap<String, String> ret = (HashMap<String, String>) oin.readObject();
final Map<String, String> ret = (HashMap<String, String>) oin.readObject();
return ret;
} catch (ClassNotFoundException ex) {
LOGGER.warn("Unable to load CWE data. This should not be an issue.");
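Review bot: `getResourceAsStream(filePath)` in loadData returns null when `data/cwe.hashmap.serialized` is not on the class path, and that value goes straight into `new ObjectInputStream(input)`, which would then throw a NullPointerException. loadData initialises the static `CWE` field, so an exception escaping it would surface as a class-initialisation failure; only the ClassNotFoundException handler is visible here, and the rest of the method lies outside the hunk. I would add `if (input == null) { throw new IOException("Unable to find " + filePath); }` before the stream is wrapped, assuming the method also handles IOException (the import is present), so the failure takes the same logged path. Because the resource is read with native Java deserialization, a short comment stating that it must only ever be the file bundled in the project's own jar would also help the next reader.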


@@ -132,10 +132,10 @@ public class NexusSearch {
"/org.sonatype.nexus.rest.model.NexusArtifact/pomLink",
doc);
final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
if (link != null && !"".equals(link)) {
if (link != null && !link.isEmpty()) {
ma.setArtifactUrl(link);
}
if (pomLink != null && !"".equals(pomLink)) {
if (pomLink != null && !pomLink.isEmpty()) {
ma.setPomUrl(pomLink);
}
return ma;


@@ -340,7 +340,6 @@ public class CveDB {
* @throws DatabaseException thrown if there is an exception retrieving data
*/
public List<Vulnerability> getVulnerabilities(String cpeStr) throws DatabaseException {
ResultSet rs = null;
final VulnerableSoftware cpe = new VulnerableSoftware();
try {
cpe.parseName(cpeStr);
@@ -350,7 +349,8 @@ public class CveDB {
final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
PreparedStatement ps;
PreparedStatement ps = null;
ResultSet rs = null;
try {
ps = getConnection().prepareStatement(statementBundle.getString("SELECT_CVE_FROM_SOFTWARE"));
ps.setString(1, cpe.getVendor());
@@ -384,12 +384,11 @@ public class CveDB {
v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
vulnerabilities.add(v);
}
DBUtils.closeResultSet(rs);
DBUtils.closeStatement(ps);
} catch (SQLException ex) {
throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
} finally {
DBUtils.closeResultSet(rs);
DBUtils.closeStatement(ps);
}
return vulnerabilities;
}
@@ -490,7 +489,7 @@ public class CveDB {
deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE"));
deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE"));
updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY"));
final String ids[] = {"id"};
final String[] ids = {"id"};
insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"),
//Statement.RETURN_GENERATED_KEYS);
ids);
@@ -767,9 +766,9 @@ public class CveDB {
* @return a dependency version
*/
private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
DependencyVersion cpeVersion;
final DependencyVersion cpeVersion;
if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
String versionText;
final String versionText;
if (cpe.getUpdate() != null && !cpe.getUpdate().isEmpty()) {
versionText = String.format("%s.%s", cpe.getVersion(), cpe.getUpdate());
} else {
@@ -783,6 +782,8 @@ public class CveDB {
}
/**
* This method is only referenced in unused code.
*
* Deletes unused dictionary entries from the database.
*/
public void deleteUnusedCpe() {
@@ -798,6 +799,8 @@ public class CveDB {
}
/**
* This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement.
*
* Merges CPE entries into the database.
*
* @param cpe the CPE identifier
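Review bot: The Javadoc sentences added to `deleteUnusedCpe()` and to the CPE merge method after it say both are only referenced in unused code, and that the second would likely break on MySQL, yet `deleteUnusedCpe()` is still declared `public`, so nothing discourages a new caller from picking it up. Marking it `@Deprecated` and moving the warning into a `@deprecated` Javadoc tag (for example `@deprecated unused; relies on the MERGE statement and is not expected to work on MySQL`) would turn the prose warning into a compiler warning. The second method's signature is outside the hunk, so its visibility could not be checked here.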


@@ -115,7 +115,7 @@ class DriverShim implements Driver {
* @throws SQLFeatureNotSupportedException thrown if the feature is not supported
* @see java.sql.Driver#getParentLogger()
*/
//@Override
@Override
public java.util.logging.Logger getParentLogger() throws SQLFeatureNotSupportedException {
//return driver.getParentLogger();
Method m = null;
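Review bot: Enabling `@Override` on `getParentLogger()` means this class only compiles against a `java.sql.Driver` that declares that method, while the body still keeps the direct call commented out (`//return driver.getParentLogger();`) and begins a reflective lookup with `Method m = null;`. If builds against older JDKs are no longer supported, the reflection can presumably be replaced by the direct call `return driver.getParentLogger();`; if they still are, the annotation breaks them. The rest of the method is outside the hunk, so the reflective path is inferred from these two lines.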


@@ -43,6 +43,9 @@ import org.slf4j.LoggerFactory;
import org.xml.sax.SAXException;
/**
*
* This class is currently unused and if enabled will likely not work on MySQL as the MERGE statement is used.
*
* The CpeUpdater is designed to download the CPE data file from NIST and import the data into the database. However, as this
* currently adds no beneficial data, compared to what is in the CPE data contained in the CVE data files, this class is not
* currently used. The code is being kept as a future update may utilize more data from the CPE xml files.


@@ -28,7 +28,8 @@ import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.builder.EqualsBuilder;
import org.apache.commons.lang3.builder.HashCodeBuilder;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.Checksum;
import org.slf4j.Logger;
@@ -43,6 +44,10 @@ import org.slf4j.LoggerFactory;
*/
public class Dependency implements Serializable, Comparable<Dependency> {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* The logger.
*/
@@ -692,6 +697,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
* @param o a dependency to compare
* @return an integer representing the natural ordering
*/
@Override
public int compareTo(Dependency o) {
return this.getFilePath().compareToIgnoreCase(o.getFilePath());
}
@@ -708,21 +714,24 @@ public class Dependency implements Serializable, Comparable<Dependency> {
return false;
}
final Dependency other = (Dependency) obj;
return ObjectUtils.equals(this.actualFilePath, other.actualFilePath)
&& ObjectUtils.equals(this.filePath, other.filePath)
&& ObjectUtils.equals(this.fileName, other.fileName)
&& ObjectUtils.equals(this.md5sum, other.md5sum)
&& ObjectUtils.equals(this.sha1sum, other.sha1sum)
&& ObjectUtils.equals(this.identifiers, other.identifiers)
&& ObjectUtils.equals(this.vendorEvidence, other.vendorEvidence)
&& ObjectUtils.equals(this.productEvidence, other.productEvidence)
&& ObjectUtils.equals(this.versionEvidence, other.versionEvidence)
&& ObjectUtils.equals(this.description, other.description)
&& ObjectUtils.equals(this.license, other.license)
&& ObjectUtils.equals(this.vulnerabilities, other.vulnerabilities)
//&& ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies)
&& ObjectUtils.equals(this.projectReferences, other.projectReferences)
&& ObjectUtils.equals(this.availableVersions, other.availableVersions);
return new EqualsBuilder()
.appendSuper(super.equals(obj))
.append(this.actualFilePath, other.actualFilePath)
.append(this.filePath, other.filePath)
.append(this.fileName, other.fileName)
.append(this.md5sum, other.md5sum)
.append(this.sha1sum, other.sha1sum)
.append(this.identifiers, other.identifiers)
.append(this.vendorEvidence, other.vendorEvidence)
.append(this.productEvidence, other.productEvidence)
.append(this.versionEvidence, other.versionEvidence)
.append(this.description, other.description)
.append(this.license, other.license)
.append(this.vulnerabilities, other.vulnerabilities)
//.append(this.relatedDependencies, other.relatedDependencies)
.append(this.projectReferences, other.projectReferences)
.append(this.availableVersions, other.availableVersions)
.isEquals();
}
/**
@@ -732,15 +741,23 @@ public class Dependency implements Serializable, Comparable<Dependency> {
*/
@Override
public int hashCode() {
int hash = MAGIC_HASH_INIT_VALUE;
for (Object field : new Object[]{this.actualFilePath, this.filePath, this.fileName, this.md5sum,
this.sha1sum, this.identifiers, this.vendorEvidence, this.productEvidence, this.versionEvidence,
this.description, this.license, this.vulnerabilities,
//this.relatedDependencies,
this.projectReferences, this.availableVersions}) {
hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(field);
}
return hash;
return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
.append(actualFilePath)
.append(filePath)
.append(fileName)
.append(md5sum)
.append(sha1sum)
.append(identifiers)
.append(vendorEvidence)
.append(productEvidence)
.append(versionEvidence)
.append(description)
.append(license)
.append(vulnerabilities)
//.append(relatedDependencies)
.append(projectReferences)
.append(availableVersions)
.toHashCode();
}
/**
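Review bot: `.appendSuper(super.equals(obj))` in the rewritten `equals()` makes two distinct `Dependency` instances never compare equal. The class declaration in this section has no `extends`, so `super.equals(obj)` is `Object.equals` (reference identity), and a `false` there fixes the builder's result whatever the field comparisons say. The previous `ObjectUtils.equals` chain compared fields only, and the new `hashCode()` does not mix in a super hash either, so the line should simply be dropped, leaving `return new EqualsBuilder()` followed directly by `.append(this.actualFilePath, other.actualFilePath)`. Any code relying on value equality of dependencies (de-duplication, set membership) would otherwise treat identical scan results as different; worth confirming against the callers. The start of `equals()` is outside the hunk.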


@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.dependency;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.builder.HashCodeBuilder;
import java.io.Serializable;
@@ -29,6 +30,10 @@ import java.io.Serializable;
*/
public class Evidence implements Serializable, Comparable<Evidence> {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* Used as starting point for generating the value in {@link #hashCode()}.
*/
@@ -194,12 +199,12 @@ public class Evidence implements Serializable, Comparable<Evidence> {
*/
@Override
public int hashCode() {
int hash = MAGIC_HASH_INIT_VALUE;
hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.name));
hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.source));
hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.value));
hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(this.confidence);
return hash;
return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
.append(StringUtils.lowerCase(name))
.append(StringUtils.lowerCase(source))
.append(StringUtils.lowerCase(value))
.append(confidence)
.toHashCode();
}
/**
@@ -230,6 +235,7 @@ public class Evidence implements Serializable, Comparable<Evidence> {
* @param o the evidence being compared
* @return an integer indicating the ordering of the two objects
*/
@Override
public int compareTo(Evidence o) {
if (o == null) {
return 1;
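Review bot: The `serialVersionUID = 1L` added to `Evidence` (and, in this commit, to Dependency, EvidenceCollection, Identifier, SuppressionParseException, PomParseException and MavenLoggerAdapter) replaces the compiler-derived id, so an object stream written by an earlier build of these classes will be rejected with `InvalidClassException`. Later field changes will also no longer be detected automatically. If serialized dependency data is persisted between runs (the AggregateMojo comment about writing "the ser" to the target suggests it is), the field's Javadoc should say when the constant must change, e.g. `The serial version UID; increment whenever the serialized form changes incompatibly.` The class bodies are outside the hunks, so which fields are actually serialized is not visible here.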


@@ -39,6 +39,10 @@ import org.slf4j.LoggerFactory;
*/
public class EvidenceCollection implements Serializable, Iterable<Evidence> {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* The logger.
*/
@@ -47,6 +51,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
* Used to iterate over highest confidence evidence contained in the collection.
*/
private static final Filter<Evidence> HIGHEST_CONFIDENCE = new Filter<Evidence>() {
@Override
public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Confidence.HIGHEST;
}
@@ -55,6 +60,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
* Used to iterate over high confidence evidence contained in the collection.
*/
private static final Filter<Evidence> HIGH_CONFIDENCE = new Filter<Evidence>() {
@Override
public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Confidence.HIGH;
}
@@ -63,6 +69,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
* Used to iterate over medium confidence evidence contained in the collection.
*/
private static final Filter<Evidence> MEDIUM_CONFIDENCE = new Filter<Evidence>() {
@Override
public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Confidence.MEDIUM;
}
@@ -71,6 +78,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
* Used to iterate over low confidence evidence contained in the collection.
*/
private static final Filter<Evidence> LOW_CONFIDENCE = new Filter<Evidence>() {
@Override
public boolean passes(Evidence evidence) {
return evidence.getConfidence() == Confidence.LOW;
}
@@ -79,6 +87,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
* Used to iterate over evidence that has was used (aka read) from the collection.
*/
private static final Filter<Evidence> EVIDENCE_USED = new Filter<Evidence>() {
@Override
public boolean passes(Evidence evidence) {
return evidence.isUsed();
}
@@ -218,6 +227,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
*
* @return an Iterator<Evidence>.
*/
@Override
public Iterator<Evidence> iterator() {
return list.iterator();
}


@@ -25,6 +25,11 @@ import java.io.Serializable;
*/
public class Identifier implements Serializable, Comparable<Identifier> {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* Default constructor. Should only be used for automatic class
* creation as is the case with many XML parsers (for the parsing
@@ -216,6 +221,7 @@ public class Identifier implements Serializable, Comparable<Identifier> {
* @param o the object being compared
* @return an integer indicating the ordering
*/
@Override
public int compareTo(Identifier o) {
if (o == null) {
return -1;


@@ -133,6 +133,7 @@ public class Reference implements Serializable, Comparable<Reference> {
* @param o the Reference being compared
* @return an integer indicating the ordering of the two objects
*/
@Override
public int compareTo(Reference o) {
if (source.equals(o.source)) {
if (name.equals(o.name)) {


@@ -390,6 +390,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
* @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than
* the specified vulnerability
*/
@Override
public int compareTo(Vulnerability v) {
return v.getName().compareTo(this.getName());
}


@@ -39,6 +39,7 @@ public class VulnerabilityComparator implements Comparator<Vulnerability>, Seria
* @param o2 a second vulnerability
* @return the comparison
*/
@Override
public int compare(Vulnerability o1, Vulnerability o2) {
return o2.getName().compareTo(o1.getName());
}


@@ -46,6 +46,7 @@ public class VelocityLoggerRedirect implements LogChute {
*
* @param rsvc the RuntimeServices
*/
@Override
public void init(RuntimeServices rsvc) {
// do nothing
}
@@ -57,6 +58,7 @@ public class VelocityLoggerRedirect implements LogChute {
* @param level the logging level
* @param message the message to be logged
*/
@Override
public void log(int level, String message) {
switch (level) {
case TRACE_ID:
@@ -87,6 +89,7 @@ public class VelocityLoggerRedirect implements LogChute {
* @param message the message to be logged
* @param t a throwable to log
*/
@Override
public void log(int level, String message, Throwable t) {
switch (level) {
case TRACE_ID:
@@ -115,6 +118,7 @@ public class VelocityLoggerRedirect implements LogChute {
* @param level the logging level
* @return true
*/
@Override
public boolean isLevelEnabled(int level) {
return true;
}


@@ -86,7 +86,7 @@ public class SuppressionHandler extends DefaultHandler {
/**
* The current node text being extracted from the element.
*/
private StringBuffer currentText;
private StringBuilder currentText;
/**
* Handles the start element event.
@@ -100,7 +100,7 @@ public class SuppressionHandler extends DefaultHandler {
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
currentAttributes = attributes;
currentText = new StringBuffer();
currentText = new StringBuilder();
if (SUPPRESS.equals(qName)) {
rule = new SuppressionRule();
final String base = currentAttributes.getValue("base");


@@ -26,6 +26,11 @@ import java.io.IOException;
*/
public class SuppressionParseException extends IOException {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* Creates a new SuppressionParseException.
*/


@@ -37,7 +37,7 @@ import org.apache.commons.lang3.StringUtils;
*
* @author Jeremy Long
*/
public class DependencyVersion implements Iterable, Comparable<DependencyVersion> {
public class DependencyVersion implements Iterable<String>, Comparable<DependencyVersion> {
/**
* Constructor for a empty DependencyVersion.
@@ -103,7 +103,8 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
*
* @return an iterator for the version parts
*/
public Iterator iterator() {
@Override
public Iterator<String> iterator() {
return versionParts.iterator();
}

View File

@@ -18,7 +18,6 @@
package org.owasp.dependencycheck.utils;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.Closeable;
import java.io.File;
import java.io.FileInputStream;
@@ -26,13 +25,13 @@ import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FilenameFilter;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
import org.apache.commons.compress.utils.IOUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
@@ -50,10 +49,6 @@ public final class ExtractionUtil {
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(ExtractionUtil.class);
/**
* The buffer size to use when extracting files from the archive.
*/
private static final int BUFFER_SIZE = 4096;
/**
* Private constructor for a utility class.
@@ -108,12 +103,10 @@ public final class ExtractionUtil {
} else {
final File file = new File(extractTo, entry.getName());
if (engine == null || engine.accept(file)) {
BufferedOutputStream bos = null;
FileOutputStream fos;
FileOutputStream fos = null;
try {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
transferUsingBuffer(zis, bos);
IOUtils.copy(zis, fos);
} catch (FileNotFoundException ex) {
LOGGER.debug("", ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
@@ -123,7 +116,7 @@ public final class ExtractionUtil {
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} finally {
closeStream(bos);
closeStream(fos);
}
}
}
@@ -225,13 +218,11 @@ public final class ExtractionUtil {
if (filter.accept(file.getParentFile(), file.getName())) {
LOGGER.debug("Extracting '{}'",
file.getPath());
BufferedOutputStream bos = null;
FileOutputStream fos = null;
try {
createParentFile(file);
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
transferUsingBuffer(input, bos);
IOUtils.copy(input, fos);
} catch (FileNotFoundException ex) {
LOGGER.debug("", ex);
final String msg = String.format("Unable to find file '%s'.",
@@ -244,29 +235,11 @@ public final class ExtractionUtil {
file.getName());
throw new ExtractionException(msg, ex);
} finally {
closeStream(bos);
closeStream(fos);
}
}
}
/**
* Transfers data from one stream to another using a buffer.
*
* @param input the input stream
* @param bos the output stream
* @throws IOException thrown if there is an error reading/writing to the streams
*/
private static void transferUsingBuffer(InputStream input,
BufferedOutputStream bos) throws IOException {
int count;
final byte[] data = new byte[BUFFER_SIZE];
while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
bos.flush();
}
/**
* Closes the stream.
*
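Review bot: `new File(extractTo, entry.getName())` in the first extraction hunk uses the archive's entry name unchecked, so an entry whose name contains `../` resolves outside `extractTo` and the rewritten `IOUtils.copy(zis, fos)` then writes to that location. Because this utility unpacks archives it has been asked to scan, the entry should be rejected unless its canonical path stays under the target directory, for example `if (!file.getCanonicalPath().startsWith(extractTo.getCanonicalPath() + File.separator)) { /* skip the entry or throw ExtractionException */ }` before the output stream is opened. The second extraction site (`createParentFile(file)` followed by `IOUtils.copy(input, fos)`) builds `file` outside the hunk and should get the same check if it is also derived from an entry name. Both enclosing methods start outside the visible hunks.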


@@ -23,6 +23,7 @@ public abstract class Filter<T> {
public Iterable<T> filter(final Iterable<T> iterable) {
return new Iterable<T>() {
@Override
public Iterator<T> iterator() {
return filter(iterable.iterator());
}
@@ -39,10 +40,12 @@ public abstract class Filter<T> {
toNext();
}
@Override
public boolean hasNext() {
return next != null;
}
@Override
public T next() {
if (next == null) {
throw new NoSuchElementException();
@@ -52,6 +55,7 @@ public abstract class Filter<T> {
return returnValue;
}
@Override
public void remove() {
throw new UnsupportedOperationException();
}


@@ -100,7 +100,7 @@ public class PomHandler extends DefaultHandler {
/**
* The current node text being extracted from the element.
*/
private StringBuffer currentText;
private StringBuilder currentText;
/**
* Handles the start element event.
@@ -113,7 +113,7 @@ public class PomHandler extends DefaultHandler {
*/
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
currentText = new StringBuffer();
currentText = new StringBuilder();
stack.push(qName);
if (LICENSE.equals(qName)) {
license = new License();


@@ -26,6 +26,11 @@ import java.io.IOException;
*/
public class PomParseException extends IOException {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* Creates a new SuppressionParseException.
*/


@@ -35,5 +35,6 @@ INSERT_PROPERTY=INSERT INTO properties (id, value) VALUES (?, ?)
UPDATE_PROPERTY=UPDATE properties SET value = ? WHERE id = ?
DELETE_PROPERTY=DELETE FROM properties WHERE id = ?
#the following two statements are unused and are only referenecd in dead code
DELETE_UNUSED_DICT_CPE=DELETE FROM cpeEntry WHERE dictionaryEntry=true AND id NOT IN (SELECT cpeEntryId FROM software)
ADD_DICT_CPE=MERGE INTO cpeEntry (cpe, vendor, product, dictionaryEntry) KEY(cpe) VALUES(?,?,?,true)


@@ -56,6 +56,13 @@
<cpe>cpe:/a:oracle:glassfish</cpe>
<cpe>cpe:/a:oracle:oracle_client</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on glassfish
]]></notes>
<gav regex="true">org\.glassfish:.*(json|faces).*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the grizzly-framework
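Review bot: The `gav` pattern `org\.glassfish:.*(json|faces).*` is broader than its note suggests: the trailing `.*(json|faces).*` matches those words anywhere in the artifact id or version, so as a base rule it suppresses `cpe:/a:oracle:glassfish` for every such coordinate and could hide a genuine GlassFish finding. Naming the artifacts that actually produce the false positive keeps the suppression narrow, e.g. `<gav regex="true">org\.glassfish:javax\.(json|faces):.*</gav>` if those are the two in question (to be confirmed against the reports that motivated the rule). The `<notes>` text could also state which artifacts are meant and why the CPE does not apply to them.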


@@ -52,6 +52,7 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
*
* @throws Exception if there is a problem
*/
@Override
@Before
public void setUp() throws Exception {
super.setUp();


@@ -17,14 +17,8 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Settings;
/**
*


@@ -23,8 +23,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import java.io.File;
import java.util.HashSet;
import java.util.Set;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;


@@ -17,39 +17,14 @@
*/
package org.owasp.dependencycheck.data.cpe;
import junit.framework.TestCase;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
/**
*
* @author Jeremy Long
*/
public class IndexEntryTest extends TestCase {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class IndexEntryTest {
/**
* Test of setName method, of class IndexEntry.
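Review bot: Dropping `extends TestCase` moves this class from JUnit 3 name-based discovery to JUnit 4, where only methods annotated with `@Test` are run. The import hunk in this section touches the `org.junit` imports, and the rendering does not show whether `import org.junit.Test;` survives. Each remaining `testXxx` method should be checked for an `@Test` annotation, otherwise the class still compiles but silently runs no tests. The test method bodies are outside the hunk.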


@@ -47,11 +47,13 @@ public class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
public static void tearDownClass() {
}
@Override
@Before
public void setUp() throws Exception {
super.setUp();
}
@Override
@After
public void tearDown() throws Exception {
super.tearDown();


@@ -18,7 +18,6 @@
package org.owasp.dependencycheck.data.nuget;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.InputStream;
import java.io.PrintStream;
import static org.junit.Assert.assertEquals;


@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.data.nvdcve;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import org.junit.Assert;
@@ -121,7 +122,7 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
@Test
public void testGetMatchingSoftware() throws Exception {
CveDB instance = null;
HashMap<String, Boolean> versions = new HashMap<String, Boolean>();
Map<String, Boolean> versions = new HashMap<String, Boolean>();
DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
try {


@@ -15,12 +15,7 @@
*/
package org.owasp.dependencycheck.data.update;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest;
/**


@@ -20,13 +20,9 @@ package org.owasp.dependencycheck.suppression;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -40,25 +36,6 @@ import org.owasp.dependencycheck.dependency.Vulnerability;
*/
public class SuppressionRuleTest {
public SuppressionRuleTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
//<editor-fold defaultstate="collapsed" desc="Stupid tests of properties">
/**
* Test of FilePath property, of class SuppressionRule.
@@ -91,7 +68,7 @@ public class SuppressionRuleTest {
@Test
public void testCpe() {
SuppressionRule instance = new SuppressionRule();
ArrayList<PropertyType> cpe = new ArrayList<PropertyType>();
List<PropertyType> cpe = new ArrayList<PropertyType>();
instance.setCpe(cpe);
assertFalse(instance.hasCpe());
PropertyType pt = new PropertyType();
@@ -109,7 +86,7 @@ public class SuppressionRuleTest {
@Test
public void testGetCvssBelow() {
SuppressionRule instance = new SuppressionRule();
ArrayList<Float> cvss = new ArrayList<Float>();
List<Float> cvss = new ArrayList<Float>();
instance.setCvssBelow(cvss);
assertFalse(instance.hasCvssBelow());
instance.addCvssBelow(0.7f);
@@ -124,7 +101,7 @@ public class SuppressionRuleTest {
@Test
public void testCwe() {
SuppressionRule instance = new SuppressionRule();
ArrayList<String> cwe = new ArrayList<String>();
List<String> cwe = new ArrayList<String>();
instance.setCwe(cwe);
assertFalse(instance.hasCwe());
instance.addCwe("2");
@@ -139,7 +116,7 @@ public class SuppressionRuleTest {
@Test
public void testCve() {
SuppressionRule instance = new SuppressionRule();
ArrayList<String> cve = new ArrayList<String>();
List<String> cve = new ArrayList<String>();
instance.setCve(cve);
assertFalse(instance.hasCve());
instance.addCve("CVE-2013-1337");


@@ -20,13 +20,9 @@ package org.owasp.dependencycheck.utils;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
/**
@@ -35,25 +31,6 @@ import org.junit.Test;
*/
public class DependencyVersionTest {
public DependencyVersionTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of parseVersion method, of class DependencyVersion.
*/
@@ -73,6 +50,7 @@ public class DependencyVersionTest {
assertEquals(2, parts.size());
assertEquals("x6", parts.get(0));
assertEquals("0", parts.get(1));
// TODO(code review): should this be here/do something?
//assertEquals("0", parts.get(2));
}
@@ -84,6 +62,7 @@ public class DependencyVersionTest {
public void testIterator() {
DependencyVersion instance = new DependencyVersion("1.2.3");
Iterator result = instance.iterator();
assertTrue(result.hasNext());
int count = 1;
while (result.hasNext()) {
String v = (String) result.next();
@@ -155,7 +134,6 @@ public class DependencyVersionTest {
public void testCompareTo() {
DependencyVersion instance = new DependencyVersion("1.2.3");
DependencyVersion version = new DependencyVersion("1.2.3");
int expResult = 0;
assertEquals(0, instance.compareTo(version));
version = new DependencyVersion("1.1");
assertEquals(1, instance.compareTo(version));
@@ -204,7 +182,7 @@ public class DependencyVersionTest {
DependencyVersion instance = new DependencyVersion();
List<String> versionParts = Arrays.asList("1", "1", "1");
instance.setVersionParts(versionParts);
List<String> expResult = Arrays.asList("1", "1", "1");;
List<String> expResult = Arrays.asList("1", "1", "1");
List<String> result = instance.getVersionParts();
assertEquals(expResult, result);
}


@@ -64,6 +64,7 @@ public class FilterTest {
}
private static final Filter<String> TEST_FILTER
= new Filter<String>() {
@Override
public boolean passes(String str) {
return str.contains("keep");
}


@@ -18,10 +18,7 @@ package org.owasp.dependencycheck.xml.pom;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;


@@ -15,18 +15,11 @@
*/
package org.owasp.dependencycheck.xml.pom;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import java.io.File;
import javax.xml.transform.sax.SAXSource;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.xml.pom.Model;
/**
*
@@ -34,25 +27,6 @@ import org.owasp.dependencycheck.xml.pom.Model;
*/
public class PomUtilsTest {
public PomUtilsTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of readPom method, of class PomUtils.
*/


@@ -3,7 +3,7 @@ Dependency-Check-Maven
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html).
Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html).
Mailing List
-
@@ -17,10 +17,10 @@ Copyright & License
Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
[subscribe]: mailto:dependency-check+subscribe@googlegroups.com
[post]: mailto:dependency-check@googlegroups.com
[notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
[notices]: https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-maven/NOTICE.txt


@@ -69,7 +69,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
for (MavenProject current : getReactorProjects()) {
final File dataFile = getDataFile(current);
if (dataFile == null) { //dc was never run on this project. write the ser to the target.
getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform the check but dependencies may be missed resulting in false negatives.", current.getName()));
getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform "
+ "the check but dependencies may be missed resulting in false negatives.", current.getName()));
generateDataFile(engine, current);
}
}
@@ -262,6 +263,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
* @param locale the location
* @return the report name
*/
@Override
public String getName(Locale locale) {
return "dependency-check:aggregate";
}
@@ -272,6 +274,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
* @param locale The Locale to get the description for
* @return the description
*/
@Override
public String getDescription(Locale locale) {
return "Generates an aggregate report of all child Maven projects providing details on any "
+ "published vulnerabilities within project dependencies. This report is a best "


@@ -352,6 +352,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* @throws MavenReportException if a maven report exception occurs
* @deprecated use {@link #generate(org.apache.maven.doxia.sink.Sink, java.util.Locale)} instead.
*/
@Override
@Deprecated
public final void generate(@SuppressWarnings("deprecation") org.codehaus.doxia.sink.Sink sink, Locale locale) throws MavenReportException {
generate((Sink) sink, locale);
@@ -519,6 +520,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*
* @return the output name
*/
@Override
public String getOutputName() {
if ("HTML".equalsIgnoreCase(this.format) || "ALL".equalsIgnoreCase(this.format)) {
return "dependency-check-report";
@@ -537,6 +539,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*
* @return the category name
*/
@Override
public String getCategoryName() {
return MavenReport.CATEGORY_PROJECT_REPORTS;
}


@@ -95,6 +95,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
* @param locale the location
* @return the report name
*/
@Override
public String getName(Locale locale) {
return "dependency-check";
}
@@ -105,6 +106,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
* @param locale The Locale to get the description for
* @return the description
*/
@Override
public String getDescription(Locale locale) {
return "Generates a report providing details on any published vulnerabilities within project dependencies. "
+ "This report is a best effort and may contain false positives and false negatives.";
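Review bot: The Javadoc on `getName(Locale locale)` in the first hunk documents the parameter as `@param locale the location`, which misdescribes a `java.util.Locale`. As the commit already touches this method to add `@Override`, `@param locale the locale to get the name for` would match the wording already used on `getDescription`. The same wording appears on `getName` in the AggregateMojo, PurgeMojo and UpdateMojo hunks. Both Javadoc blocks start above the visible hunk lines, so only the tail of each comment can be checked here.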


@@ -89,6 +89,7 @@ public class PurgeMojo extends BaseDependencyCheckMojo {
* @param locale the location
* @return the report name
*/
@Override
public String getName(Locale locale) {
return "dependency-check-purge";
}
@@ -99,6 +100,7 @@ public class PurgeMojo extends BaseDependencyCheckMojo {
* @param locale The Locale to get the description for
* @return the description
*/
@Override
public String getDescription(Locale locale) {
return "Purges the local cache of the NVD dataT.";
}
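Review bot: The string returned by `getDescription` in the second hunk reads `"Purges the local cache of the NVD dataT."`, and the trailing "T" looks like a typo. This text is user-facing, so the typo would presumably show up wherever the report description is rendered. Since the commit already edits this method, the line could become `return "Purges the local cache of the NVD data.";`.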


@@ -78,6 +78,7 @@ public class UpdateMojo extends BaseDependencyCheckMojo {
* @param locale the location
* @return the report name
*/
@Override
public String getName(Locale locale) {
return "dependency-check-update";
}
@@ -88,6 +89,7 @@ public class UpdateMojo extends BaseDependencyCheckMojo {
* @param locale The Locale to get the description for
* @return the description
*/
@Override
public String getDescription(Locale locale) {
return "Updates the local cache of the NVD data from NIST.";
}


@@ -28,6 +28,11 @@ import org.slf4j.helpers.MessageFormatter;
*/
public class MavenLoggerAdapter extends MarkerIgnoringBase {
/**
* The serial version UID for serialization.
*/
private static final long serialVersionUID = 1L;
/**
* A reference to the Maven log.
*/
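Review bot: The added `serialVersionUID = 1L` silences the serialization lint but does not by itself make `MavenLoggerAdapter` serializable. The field documented as "A reference to the Maven log" is declared just past the end of this hunk, so its modifiers are not visible. If it is not `transient` and the Maven log implementation is not `Serializable`, writing an instance would still fail at runtime. Consider marking that field `transient` and stating the intent next to the UID, e.g. `// Serializable only via the SLF4J base class; instances are not expected to be serialized`.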


@@ -28,7 +28,9 @@ import org.slf4j.spi.LoggerFactoryBinder;
*
* @author colezlaw
*/
//CSOFF: FinalClass
public class StaticLoggerBinder implements LoggerFactoryBinder {
//CSON: FinalClass
/**
* The unique instance of this class
@@ -64,7 +66,11 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
* with each release.
*/
// to avoid constant folding by the compiler, this field must *not* be final
//CSOFF: StaticVariableName
//CSOFF: VisibilityModifier
public static String REQUESTED_API_VERSION = "1.7.12"; // final
//CSON: VisibilityModifier
//CSON: StaticVariableName
/**
* The logger factory class string.
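Review bot: The new `//CSOFF: FinalClass`, `//CSOFF: StaticVariableName` and `//CSOFF: VisibilityModifier` suppressions carry no rationale, so a later reader cannot tell a deliberate exemption from a silenced warning. The existing comment explains only why `REQUESTED_API_VERSION` is non-final; it does not say why the field must stay public with that exact name, or why the class is not final. A short comment before each suppression would close that gap, for example `// name and visibility are presumably dictated by the SLF4J binder contract; do not rename`. A public non-final static is writable by any code on the classpath, so the comment should also state that nothing security-relevant may depend on its value. The class Javadoc and the field's Javadoc both start outside the visible hunk lines.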


@@ -155,5 +155,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<artifactId>logback-classic</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>annotations</artifactId>
<scope>provided</scope>
</dependency>
</dependencies>
</project>
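Review bot: The added `com.google.code.findbugs:annotations` dependency declares no `<version>`, so the resolved version comes entirely from a `dependencyManagement` entry that this hunk does not show. Maven rejects a dependency with no managed version, so presumably the parent POM supplies one; please confirm it is an exact version rather than a range. A floating version would make the build of a security-reporting tool non-reproducible. The `provided` scope looks appropriate for annotation-only use, since it keeps the jar out of the packaged artifact. A short XML comment such as `<!-- version managed in parent pom; compile-time annotations only -->` would make both points visible here.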


@@ -1,153 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant;
/**
* Signals an error condition during a build
*/
public class BuildException extends RuntimeException {
private static final long serialVersionUID = -5419014565354664240L;
/** Location in the build file where the exception occurred */
private Location location = Location.UNKNOWN_LOCATION;
/**
* Constructs a build exception with no descriptive information.
*/
public BuildException() {
super();
}
/**
* Constructs an exception with the given descriptive message.
*
* @param message A description of or information about the exception.
* Should not be <code>null</code>.
*/
public BuildException(String message) {
super(message);
}
/**
* Constructs an exception with the given message and exception as
* a root cause.
*
* @param message A description of or information about the exception.
* Should not be <code>null</code> unless a cause is specified.
* @param cause The exception that might have caused this one.
* May be <code>null</code>.
*/
public BuildException(String message, Throwable cause) {
super(message, cause);
}
/**
* Constructs an exception with the given message and exception as
* a root cause and a location in a file.
*
* @param msg A description of or information about the exception.
* Should not be <code>null</code> unless a cause is specified.
* @param cause The exception that might have caused this one.
* May be <code>null</code>.
* @param location The location in the project file where the error
* occurred. Must not be <code>null</code>.
*/
public BuildException(String msg, Throwable cause, Location location) {
this(msg, cause);
this.location = location;
}
/**
* Constructs an exception with the given exception as a root cause.
*
* @param cause The exception that might have caused this one.
* Should not be <code>null</code>.
*/
public BuildException(Throwable cause) {
super(cause);
}
/**
* Constructs an exception with the given descriptive message and a
* location in a file.
*
* @param message A description of or information about the exception.
* Should not be <code>null</code>.
* @param location The location in the project file where the error
* occurred. Must not be <code>null</code>.
*/
public BuildException(String message, Location location) {
super(message);
this.location = location;
}
/**
* Constructs an exception with the given exception as
* a root cause and a location in a file.
*
* @param cause The exception that might have caused this one.
* Should not be <code>null</code>.
* @param location The location in the project file where the error
* occurred. Must not be <code>null</code>.
*/
public BuildException(Throwable cause, Location location) {
this(cause);
this.location = location;
}
/**
* Returns the nested exception, if any.
*
* @return the nested exception, or <code>null</code> if no
* exception is associated with this one
* @deprecated Use {@link #getCause} instead.
*/
public Throwable getException() {
return getCause();
}
/**
* Returns the location of the error and the error message.
*
* @return the location of the error and the error message
*/
public String toString() {
return location.toString() + getMessage();
}
/**
* Sets the file location where the error occurred.
*
* @param location The file location where the error occurred.
* Must not be <code>null</code>.
*/
public void setLocation(Location location) {
this.location = location;
}
/**
* Returns the file location where the error occurred.
*
* @return the file location where the error occurred.
*/
public Location getLocation() {
return location;
}
}


@@ -1,158 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant;
import java.io.File;
/**
* An interface used to describe the actions required of any type of
* directory scanner.
*
*/
public interface FileScanner {
/**
* Adds default exclusions to the current exclusions set.
*/
void addDefaultExcludes();
/**
* Returns the base directory to be scanned.
* This is the directory which is scanned recursively.
*
* @return the base directory to be scanned
*/
File getBasedir();
/**
* Returns the names of the directories which matched at least one of the
* include patterns and at least one of the exclude patterns.
* The names are relative to the base directory.
*
* @return the names of the directories which matched at least one of the
* include patterns and at least one of the exclude patterns.
*/
String[] getExcludedDirectories();
/**
* Returns the names of the files which matched at least one of the
* include patterns and at least one of the exclude patterns.
* The names are relative to the base directory.
*
* @return the names of the files which matched at least one of the
* include patterns and at least one of the exclude patterns.
*
*/
String[] getExcludedFiles();
/**
* Returns the names of the directories which matched at least one of the
* include patterns and none of the exclude patterns.
* The names are relative to the base directory.
*
* @return the names of the directories which matched at least one of the
* include patterns and none of the exclude patterns.
*/
String[] getIncludedDirectories();
/**
* Returns the names of the files which matched at least one of the
* include patterns and none of the exclude patterns.
* The names are relative to the base directory.
*
* @return the names of the files which matched at least one of the
* include patterns and none of the exclude patterns.
*/
String[] getIncludedFiles();
/**
* Returns the names of the directories which matched none of the include
* patterns. The names are relative to the base directory.
*
* @return the names of the directories which matched none of the include
* patterns.
*/
String[] getNotIncludedDirectories();
/**
* Returns the names of the files which matched none of the include
* patterns. The names are relative to the base directory.
*
* @return the names of the files which matched none of the include
* patterns.
*/
String[] getNotIncludedFiles();
/**
* Scans the base directory for files which match at least one include
* pattern and don't match any exclude patterns.
*
* @exception IllegalStateException if the base directory was set
* incorrectly (i.e. if it is <code>null</code>, doesn't exist,
* or isn't a directory).
*/
void scan() throws IllegalStateException;
/**
* Sets the base directory to be scanned. This is the directory which is
* scanned recursively. All '/' and '\' characters should be replaced by
* <code>File.separatorChar</code>, so the separator used need not match
* <code>File.separatorChar</code>.
*
* @param basedir The base directory to scan.
* Must not be <code>null</code>.
*/
void setBasedir(String basedir);
/**
* Sets the base directory to be scanned. This is the directory which is
* scanned recursively.
*
* @param basedir The base directory for scanning.
* Should not be <code>null</code>.
*/
void setBasedir(File basedir);
/**
* Sets the list of exclude patterns to use.
*
* @param excludes A list of exclude patterns.
* May be <code>null</code>, indicating that no files
* should be excluded. If a non-<code>null</code> list is
* given, all elements must be non-<code>null</code>.
*/
void setExcludes(String[] excludes);
/**
* Sets the list of include patterns to use.
*
* @param includes A list of include patterns.
* May be <code>null</code>, indicating that all files
* should be included. If a non-<code>null</code>
* list is given, all elements must be
* non-<code>null</code>.
*/
void setIncludes(String[] includes);
/**
* Sets whether or not the file system should be regarded as case sensitive.
*
* @param isCaseSensitive whether or not the file system should be
* regarded as a case sensitive one
*/
void setCaseSensitive(boolean isCaseSensitive);
}


@@ -1,178 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant;
import java.io.Serializable;
import org.owasp.dependencycheck.org.apache.tools.ant.util.FileUtils;
import org.xml.sax.Locator;
/**
* Stores the location of a piece of text within a file (file name,
* line number and column number). Note that the column number is
* currently ignored.
*
*/
public class Location implements Serializable {
private static final long serialVersionUID = 1L;
/** Name of the file. */
private final String fileName;
/** Line number within the file. */
private final int lineNumber;
/** Column number within the file. */
private final int columnNumber;
/** Location to use when one is needed but no information is available */
public static final Location UNKNOWN_LOCATION = new Location();
private static final FileUtils FILE_UTILS = FileUtils.getFileUtils();
/**
* Creates an "unknown" location.
*/
private Location() {
this(null, 0, 0);
}
/**
* Creates a location consisting of a file name but no line number or
* column number.
*
* @param fileName The name of the file. May be <code>null</code>,
* in which case the location is equivalent to
* {@link #UNKNOWN_LOCATION UNKNOWN_LOCATION}.
*/
public Location(String fileName) {
this(fileName, 0, 0);
}
/**
* Creates a location from the SAX locator using the system ID as
* the filename.
*
* @param loc Must not be <code>null</code>.
*
* @since Ant 1.6
*/
public Location(Locator loc) {
this(loc.getSystemId(), loc.getLineNumber(), loc.getColumnNumber());
}
/**
* Creates a location consisting of a file name, line number and
* column number.
*
* @param fileName The name of the file. May be <code>null</code>,
* in which case the location is equivalent to
* {@link #UNKNOWN_LOCATION UNKNOWN_LOCATION}.
*
* @param lineNumber Line number within the file. Use 0 for unknown
* positions within a file.
* @param columnNumber Column number within the line.
*/
public Location(String fileName, int lineNumber, int columnNumber) {
if (fileName != null && fileName.startsWith("file:")) {
this.fileName = FILE_UTILS.fromURI(fileName);
} else {
this.fileName = fileName;
}
this.lineNumber = lineNumber;
this.columnNumber = columnNumber;
}
/**
* @return the filename portion of the location
* @since Ant 1.6
*/
public String getFileName() {
return fileName;
}
/**
* @return the line number
* @since Ant 1.6
*/
public int getLineNumber() {
return lineNumber;
}
/**
* @return the column number
* @since Ant 1.7
*/
public int getColumnNumber() {
return columnNumber;
}
/**
* Returns the file name, line number, a colon and a trailing space.
* An error message can be appended easily. For unknown locations, an
* empty string is returned.
*
* @return a String of the form <code>"fileName:lineNumber: "</code>
* if both file name and line number are known,
* <code>"fileName: "</code> if only the file name is known,
* and the empty string for unknown locations.
*/
public String toString() {
StringBuffer buf = new StringBuffer();
if (fileName != null) {
buf.append(fileName);
if (lineNumber != 0) {
buf.append(":");
buf.append(lineNumber);
}
buf.append(": ");
}
return buf.toString();
}
/**
* Equality operation.
* @param other the object to compare to.
* @return true if the other object contains the same information
* as this object.
* @since Ant 1.6.3
*/
public boolean equals(Object other) {
if (this == other) {
return true;
}
if (other == null) {
return false;
}
if (!(other.getClass() == getClass())) {
return false;
}
return toString().equals(other.toString());
}
/**
* Hash operation.
* @return a hash code value for this location.
* @since Ant 1.6.3
*/
public int hashCode() {
return toString().hashCode();
}
}


@@ -1,165 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant;
import java.io.File;
import java.util.NoSuchElementException;
import java.util.StringTokenizer;
import org.owasp.dependencycheck.org.apache.tools.ant.taskdefs.condition.Os;
/**
* A Path tokenizer takes a path and returns the components that make up
* that path.
*
* The path can use path separators of either ':' or ';' and file separators
* of either '/' or '\'.
*
*/
public class PathTokenizer {
/**
* A tokenizer to break the string up based on the ':' or ';' separators.
*/
private StringTokenizer tokenizer;
/**
* A String which stores any path components which have been read ahead
* due to DOS filesystem compensation.
*/
private String lookahead = null;
/**
* A boolean that determines if we are running on Novell NetWare, which
* exhibits slightly different path name characteristics (multi-character
* volume / drive names)
*/
private boolean onNetWare = Os.isFamily("netware");
/**
* Flag to indicate whether or not we are running on a platform with a
* DOS style filesystem
*/
private boolean dosStyleFilesystem;
/**
* Constructs a path tokenizer for the specified path.
*
* @param path The path to tokenize. Must not be <code>null</code>.
*/
public PathTokenizer(String path) {
if (onNetWare) {
// For NetWare, use the boolean=true mode, so we can use delimiter
// information to make a better decision later.
tokenizer = new StringTokenizer(path, ":;", true);
} else {
// on Windows and Unix, we can ignore delimiters and still have
// enough information to tokenize correctly.
tokenizer = new StringTokenizer(path, ":;", false);
}
dosStyleFilesystem = File.pathSeparatorChar == ';';
}
/**
* Tests if there are more path elements available from this tokenizer's
* path. If this method returns <code>true</code>, then a subsequent call
* to nextToken will successfully return a token.
*
* @return <code>true</code> if and only if there is at least one token
* in the string after the current position; <code>false</code> otherwise.
*/
public boolean hasMoreTokens() {
if (lookahead != null) {
return true;
}
return tokenizer.hasMoreTokens();
}
/**
* Returns the next path element from this tokenizer.
*
* @return the next path element from this tokenizer.
*
* @exception NoSuchElementException if there are no more elements in this
* tokenizer's path.
*/
public String nextToken() throws NoSuchElementException {
String token = null;
if (lookahead != null) {
token = lookahead;
lookahead = null;
} else {
token = tokenizer.nextToken().trim();
}
if (!onNetWare) {
if (token.length() == 1 && Character.isLetter(token.charAt(0))
&& dosStyleFilesystem
&& tokenizer.hasMoreTokens()) {
// we are on a dos style system so this path could be a drive
// spec. We look at the next token
String nextToken = tokenizer.nextToken().trim();
if (nextToken.startsWith("\\") || nextToken.startsWith("/")) {
// we know we are on a DOS style platform and the next path
// starts with a slash or backslash, so we know this is a
// drive spec
token += ":" + nextToken;
} else {
// store the token just read for next time
lookahead = nextToken;
}
}
} else {
// we are on NetWare, tokenizing is handled a little differently,
// due to the fact that NetWare has multiple-character volume names.
if (token.equals(File.pathSeparator) || token.equals(":")) {
// ignore ";" and get the next token
token = tokenizer.nextToken().trim();
}
if (tokenizer.hasMoreTokens()) {
// this path could be a drive spec, so look at the next token
String nextToken = tokenizer.nextToken().trim();
// make sure we aren't going to get the path separator next
if (!nextToken.equals(File.pathSeparator)) {
if (nextToken.equals(":")) {
if (!token.startsWith("/") && !token.startsWith("\\")
&& !token.startsWith(".")
&& !token.startsWith("..")) {
// it indeed is a drive spec, get the next bit
String oneMore = tokenizer.nextToken().trim();
if (!oneMore.equals(File.pathSeparator)) {
token += ":" + oneMore;
} else {
token += ":";
lookahead = oneMore;
}
}
// implicit else: ignore the ':' since we have either a
// UNIX or a relative path
} else {
// store the token just read for next time
lookahead = nextToken;
}
}
}
}
return token;
}
}


@@ -1,161 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant;
/**
* Base class for components of a project, including tasks and data types. Provides common facilities.
*
*/
public abstract class ProjectComponent implements Cloneable {
// // CheckStyle:VisibilityModifier OFF - bc
// /**
// * Project object of this component.
// * @deprecated since 1.6.x.
// * You should not be directly accessing this variable directly.
// * You should access project object via the getProject()
// * or setProject() accessor/mutators.
// */
// protected Project project;
/**
* Location within the build file of this task definition.
*
* @deprecated since 1.6.x. You should not be accessing this variable directly. Please use the
* {@link #getLocation()} method.
*/
protected Location location = Location.UNKNOWN_LOCATION;
/**
* Description of this component, if any.
*
* @deprecated since 1.6.x. You should not be accessing this variable directly.
*/
protected String description;
// CheckStyle:VisibilityModifier ON
/**
* Sole constructor.
*/
public ProjectComponent() {
}
// /**
// * Sets the project object of this component. This method is used by
// * Project when a component is added to it so that the component has
// * access to the functions of the project. It should not be used
// * for any other purpose.
// *
// * @param project Project in whose scope this component belongs.
// * Must not be <code>null</code>.
// */
// public void setProject(Project project) {
// this.project = project;
// }
//
// /**
// * Returns the project to which this component belongs.
// *
// * @return the components's project.
// */
// public Project getProject() {
// return project;
// }
/**
* Returns the file/location where this task was defined.
*
* @return the file/location where this task was defined. Should not return <code>null</code>.
* Location.UNKNOWN_LOCATION is used for unknown locations.
*
* @see Location#UNKNOWN_LOCATION
*/
public Location getLocation() {
return location;
}
/**
* Sets the file/location where this task was defined.
*
* @param location The file/location where this task was defined. Should not be <code>null</code>--use
* Location.UNKNOWN_LOCATION if the location isn't known.
*
* @see Location#UNKNOWN_LOCATION
*/
public void setLocation(Location location) {
this.location = location;
}
/**
* Sets a description of the current action. This may be used for logging purposes.
*
* @param desc Description of the current action. May be <code>null</code>, indicating that no description is
* available.
*
*/
public void setDescription(String desc) {
description = desc;
}
/**
* Returns the description of the current action.
*
* @return the description of the current action, or <code>null</code> if no description is available.
*/
public String getDescription() {
return description;
}
/**
* Logs a message with the default (INFO) priority.
*
* @param msg The message to be logged. Should not be <code>null</code>.
*/
public void log(String msg) {
// log(msg, Project.MSG_INFO);
}
/**
* Logs a message with the given priority.
*
* @param msg The message to be logged. Should not be <code>null</code>.
* @param msgLevel the message priority at which this message is to be logged.
*/
public void log(String msg, int msgLevel) {
// if (getProject() != null) {
// getProject().log(msg, msgLevel);
// } else {
// // 'reasonable' default, if the component is used without
// // a Project ( for example as a standalone Bean ).
// // Most ant components can be used this way.
// if (msgLevel <= Project.MSG_INFO) {
// System.err.println(msg);
// }
// }
}
/**
* @since Ant 1.7
* @return a shallow copy of this projectcomponent.
* @throws CloneNotSupportedException does not happen, but is declared to allow subclasses to do so.
*/
public Object clone() throws CloneNotSupportedException {
ProjectComponent pc = (ProjectComponent) super.clone();
pc.setLocation(getLocation());
//pc.setProject(getProject());
return pc;
}
}


@@ -1,530 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.launch;
import java.net.MalformedURLException;
import java.net.URL;
import java.io.File;
import java.io.FilenameFilter;
import java.io.ByteArrayOutputStream;
import java.io.UnsupportedEncodingException;
import java.text.CharacterIterator;
import java.text.StringCharacterIterator;
import java.util.Locale;
import org.owasp.dependencycheck.org.apache.tools.ant.util.FileUtils;
// CheckStyle:LineLengthCheck OFF - urls are long!
/**
* The Locator is a utility class which is used to find certain items
* in the environment.
*
* It is used at boot time in the launcher, and cannot make use of any of Ant's other classes.
*
* This is a surprisingly brittle piece of code, and has had lots of bugs filed against it.
* {@link <a href="http://issues.apache.org/bugzilla/show_bug.cgi?id=42275">running ant off a network share can cause Ant to fail</a>}
* {@link <a href="http://issues.apache.org/bugzilla/show_bug.cgi?id=8031">use File.toURI().toURL().toExternalForm()</a>}
* {@link <a href="http://issues.apache.org/bugzilla/show_bug.cgi?id=42222">Locator implementation not encoding URI strings properly: spaces in paths</a>}
* It also breaks Eclipse 3.3 Betas
* {@link <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=183283">Exception if installation path has spaces</a>}
*
* Be very careful when making changes to this class, as a break will upset a lot of people.
* @since Ant 1.6
*/
// CheckStyle:LineLengthCheck ON - urls are long!
public final class Locator {
private static final int NIBBLE = 4;
private static final int NIBBLE_MASK = 0xF;
private static final int ASCII_SIZE = 128;
private static final int BYTE_SIZE = 256;
private static final int WORD = 16;
private static final int SPACE = 0x20;
private static final int DEL = 0x7F;
/**
* encoding used to represent URIs
*/
public static final String URI_ENCODING = "UTF-8";
// stolen from org.apache.xerces.impl.XMLEntityManager#getUserDir()
// of the Xerces-J team
// which ASCII characters need to be escaped
private static boolean[] gNeedEscaping = new boolean[ASCII_SIZE];
// the first hex character if a character needs to be escaped
private static char[] gAfterEscaping1 = new char[ASCII_SIZE];
// the second hex character if a character needs to be escaped
private static char[] gAfterEscaping2 = new char[ASCII_SIZE];
private static char[] gHexChs = {'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};
/** Error string used when an invalid uri is seen */
public static final String ERROR_NOT_FILE_URI
= "Can only handle valid file: URIs, not ";
// initialize the above 3 arrays
static {
for (int i = 0; i < SPACE; i++) {
gNeedEscaping[i] = true;
gAfterEscaping1[i] = gHexChs[i >> NIBBLE];
gAfterEscaping2[i] = gHexChs[i & NIBBLE_MASK];
}
gNeedEscaping[DEL] = true;
gAfterEscaping1[DEL] = '7';
gAfterEscaping2[DEL] = 'F';
char[] escChs = {' ', '<', '>', '#', '%', '"', '{', '}',
'|', '\\', '^', '~', '[', ']', '`'};
int len = escChs.length;
char ch;
for (int i = 0; i < len; i++) {
ch = escChs[i];
gNeedEscaping[ch] = true;
gAfterEscaping1[ch] = gHexChs[ch >> NIBBLE];
gAfterEscaping2[ch] = gHexChs[ch & NIBBLE_MASK];
}
}
/**
* Not instantiable
*/
private Locator() {
}
/**
* Find the directory or jar file the class has been loaded from.
*
* @param c the class whose location is required.
* @return the file or jar with the class or null if we cannot
* determine the location.
*
* @since Ant 1.6
*/
public static File getClassSource(Class<?> c) {
String classResource = c.getName().replace('.', '/') + ".class";
return getResourceSource(c.getClassLoader(), classResource);
}
/**
* Find the directory or jar a given resource has been loaded from.
*
* @param c the classloader to be consulted for the source.
* @param resource the resource whose location is required.
*
* @return the file with the resource source or null if
* we cannot determine the location.
*
* @since Ant 1.6
*/
public static File getResourceSource(ClassLoader c, String resource) {
if (c == null) {
c = Locator.class.getClassLoader();
}
URL url = null;
if (c == null) {
url = ClassLoader.getSystemResource(resource);
} else {
url = c.getResource(resource);
}
if (url != null) {
String u = url.toString();
try {
if (u.startsWith("jar:file:")) {
return new File(fromJarURI(u));
} else if (u.startsWith("file:")) {
int tail = u.indexOf(resource);
String dirName = u.substring(0, tail);
return new File(fromURI(dirName));
}
} catch (IllegalArgumentException e) {
//unable to determine the URI for reasons unknown.
return null;
}
}
return null;
}
/**
* Constructs a file path from a <code>file:</code> URI.
*
* <p>Will be an absolute path if the given URI is absolute.</p>
*
* <p>Prior to Java 1.4,<!-- TODO is JDK version actually relevant? -->
* swallows '%' that are not followed by two characters.</p>
*
* See <a href="http://www.w3.org/TR/xml11/#dt-sysid">dt-sysid</a>
* which makes some mention of how
* characters not supported by URI Reference syntax should be escaped.
*
* @param uri the URI designating a file in the local filesystem.
* @return the local file system path for the file.
* @throws IllegalArgumentException if the URI is malformed or not a legal file: URL
* @since Ant 1.6
*/
public static String fromURI(String uri) {
return fromURIJava13(uri);
// #buzilla8031: first try Java 1.4.
// TODO should use java.net.URI now that we can rely on 1.4...
// but check for UNC-related regressions, e.g. #42275
// (and remember that \\server\share\file -> file:////server/share/file
// rather than -> file://server/share/file as it should;
// fixed only in JDK 7's java.nio.file.Path.toUri)
// return fromUriJava14(uri);
}
/**
* Java1.4+ code to extract the path from the URI.
* @param uri
* @return null if a conversion was not possible
*/
/* currently unused:
private static String fromUriJava14(String uri) {
// Also check for properly formed URIs. Ant formerly recommended using
// nonsense URIs such as "file:./foo.xml" in XML includes. You shouldn't
// do that (just "foo.xml" is correct) but for compatibility we special-case
// things when the path is not absolute, and fall back to the old parsing behavior.
if (uri.startsWith("file:/")) {
try {
File f = new File(URI.create(encodeURI(uri)));
//bug #42227 forgot to decode before returning
return decodeUri(f.getAbsolutePath());
} catch (IllegalArgumentException e) {
// Bad URI, pass this on.
// no, this is downgraded to a warning after various
// JRE bugs surfaced. Hand off
// to our built in code on a failure
//throw new IllegalArgumentException(
// "Bad URI " + uri + ":" + e.getMessage(), e);
e.printStackTrace();
} catch (Exception e) {
// Unexpected exception? Should not happen.
e.printStackTrace();
}
}
return null;
}
*/
/**
* @param uri uri to expand
* @return the decoded URI
* @since Ant1.7.1
*/
private static String fromURIJava13(String uri) {
// Fallback method for Java 1.3 or earlier.
URL url = null;
try {
url = new URL(uri);
} catch (MalformedURLException emYouEarlEx) {
// Ignore malformed exception
}
if (url == null || !("file".equals(url.getProtocol()))) {
throw new IllegalArgumentException(ERROR_NOT_FILE_URI + uri);
}
StringBuffer buf = new StringBuffer(url.getHost());
if (buf.length() > 0) {
buf.insert(0, File.separatorChar).insert(0, File.separatorChar);
}
String file = url.getFile();
int queryPos = file.indexOf('?');
buf.append((queryPos < 0) ? file : file.substring(0, queryPos));
uri = buf.toString().replace('/', File.separatorChar);
if (File.pathSeparatorChar == ';' && uri.startsWith("\\") && uri.length() > 2
&& Character.isLetter(uri.charAt(1)) && uri.lastIndexOf(':') > -1) {
uri = uri.substring(1);
}
String path = null;
try {
path = decodeUri(uri);
//consider adding the current directory. This is not done when
//the path is a UNC name
String cwd = System.getProperty("user.dir");
int posi = cwd.indexOf(':');
boolean pathStartsWithFileSeparator = path.startsWith(File.separator);
boolean pathStartsWithUNC = path.startsWith("" + File.separator + File.separator);
if ((posi > 0) && pathStartsWithFileSeparator && !pathStartsWithUNC) {
path = cwd.substring(0, posi + 1) + path;
}
} catch (UnsupportedEncodingException exc) {
// not sure whether this is clean, but this method is
// declared not to throw exceptions.
throw new IllegalStateException(
"Could not convert URI " + uri + " to path: "
+ exc.getMessage());
}
return path;
}
/**
* Crack a JAR URI.
* This method is public for testing; we may delete it without any warning -it is not part of Ant's stable API.
* @param uri uri to expand; contains jar: somewhere in it
* @return the decoded URI
* @since Ant1.7.1
*/
public static String fromJarURI(String uri) {
int pling = uri.indexOf("!/");
String jarName = uri.substring("jar:".length(), pling);
return fromURI(jarName);
}
/**
* Decodes an Uri with % characters.
* The URI is escaped
* @param uri String with the uri possibly containing % characters.
* @return The decoded Uri
* @throws UnsupportedEncodingException if UTF-8 is not available
* @since Ant 1.7
*/
public static String decodeUri(String uri) throws UnsupportedEncodingException {
if (uri.indexOf('%') == -1) {
return uri;
}
ByteArrayOutputStream sb = new ByteArrayOutputStream(uri.length());
CharacterIterator iter = new StringCharacterIterator(uri);
for (char c = iter.first(); c != CharacterIterator.DONE;
c = iter.next()) {
if (c == '%') {
char c1 = iter.next();
if (c1 != CharacterIterator.DONE) {
int i1 = Character.digit(c1, WORD);
char c2 = iter.next();
if (c2 != CharacterIterator.DONE) {
int i2 = Character.digit(c2, WORD);
sb.write((char) ((i1 << NIBBLE) + i2));
}
}
} else if (c >= 0x0000 && c < 0x0080) {
sb.write(c);
} else { // #50543
byte[] bytes = String.valueOf(c).getBytes(URI_ENCODING);
sb.write(bytes, 0, bytes.length);
}
}
return sb.toString(URI_ENCODING);
}
/**
* Encodes an Uri with % characters.
* The URI is escaped
* @param path String to encode.
* @return The encoded string, according to URI norms
* @throws UnsupportedEncodingException if UTF-8 is not available
* @since Ant 1.7
*/
public static String encodeURI(String path) throws UnsupportedEncodingException {
int i = 0;
int len = path.length();
int ch = 0;
StringBuffer sb = null;
for (; i < len; i++) {
ch = path.charAt(i);
// if it's not an ASCII character, break here, and use UTF-8 encoding
if (ch >= ASCII_SIZE) {
break;
}
if (gNeedEscaping[ch]) {
if (sb == null) {
sb = new StringBuffer(path.substring(0, i));
}
sb.append('%');
sb.append(gAfterEscaping1[ch]);
sb.append(gAfterEscaping2[ch]);
// record the fact that it's escaped
} else if (sb != null) {
sb.append((char) ch);
}
}
// we saw some non-ascii character
if (i < len) {
if (sb == null) {
sb = new StringBuffer(path.substring(0, i));
}
// get UTF-8 bytes for the remaining sub-string
byte[] bytes = null;
byte b;
bytes = path.substring(i).getBytes(URI_ENCODING);
len = bytes.length;
// for each byte
for (i = 0; i < len; i++) {
b = bytes[i];
// for non-ascii character: make it positive, then escape
if (b < 0) {
ch = b + BYTE_SIZE;
sb.append('%');
sb.append(gHexChs[ch >> NIBBLE]);
sb.append(gHexChs[ch & NIBBLE_MASK]);
} else if (gNeedEscaping[b]) {
sb.append('%');
sb.append(gAfterEscaping1[b]);
sb.append(gAfterEscaping2[b]);
} else {
sb.append((char) b);
}
}
}
return sb == null ? path : sb.toString();
}
/**
* Convert a File to a URL.
* File.toURL() does not encode characters like #.
* File.toURI() has been introduced in java 1.4, so
* Ant cannot use it (except by reflection) <!-- TODO no longer true -->
* FileUtils.toURI() cannot be used by Locator.java
* Implemented this way.
* File.toURL() adds file: and changes '\' to '/' for dos OSes
* encodeURI converts characters like ' ' and '#' to %DD
* @param file the file to convert
* @return URL the converted File
* @throws MalformedURLException on error
* @deprecated since 1.9, use {@link FileUtils#getFileURL(File)}
*/
@Deprecated
public static URL fileToURL(File file)
throws MalformedURLException {
return new URL(file.toURI().toASCIIString());
}
/**
* Get the File necessary to load the Sun compiler tools. If the classes
* are available to this class, then no additional URL is required and
* null is returned. This may be because the classes are explicitly in the
* class path or provided by the JVM directly.
*
* @return the tools jar as a File if required, null otherwise.
*/
public static File getToolsJar() {
// firstly check if the tools jar is already in the classpath
boolean toolsJarAvailable = false;
try {
// just check whether this throws an exception
Class.forName("com.sun.tools.javac.Main");
toolsJarAvailable = true;
} catch (Exception e) {
try {
Class.forName("sun.tools.javac.Main");
toolsJarAvailable = true;
} catch (Exception e2) {
// ignore
}
}
if (toolsJarAvailable) {
return null;
}
// couldn't find compiler - try to find tools.jar
// based on java.home setting
String libToolsJar
= File.separator + "lib" + File.separator + "tools.jar";
String javaHome = System.getProperty("java.home");
File toolsJar = new File(javaHome + libToolsJar);
if (toolsJar.exists()) {
// Found in java.home as given
return toolsJar;
}
if (javaHome.toLowerCase(Locale.ENGLISH).endsWith(File.separator + "jre")) {
javaHome = javaHome.substring(
0, javaHome.length() - "/jre".length());
toolsJar = new File(javaHome + libToolsJar);
}
if (!toolsJar.exists()) {
System.out.println("Unable to locate tools.jar. "
+ "Expected to find it in " + toolsJar.getPath());
return null;
}
return toolsJar;
}
/**
* Get an array of URLs representing all of the jar files in the
* given location. If the location is a file, it is returned as the only
* element of the array. If the location is a directory, it is scanned for
* jar files.
*
* @param location the location to scan for Jars.
*
* @return an array of URLs for all jars in the given location.
*
* @exception MalformedURLException if the URLs for the jars cannot be
* formed.
*/
public static URL[] getLocationURLs(File location)
throws MalformedURLException {
return getLocationURLs(location, new String[]{".jar"});
}
/**
* Get an array of URLs representing all of the files of a given set of
* extensions in the given location. If the location is a file, it is
* returned as the only element of the array. If the location is a
* directory, it is scanned for matching files.
*
* @param location the location to scan for files.
* @param extensions an array of extension that are to match in the
* directory search.
*
* @return an array of URLs of matching files.
* @exception MalformedURLException if the URLs for the files cannot be
* formed.
*/
public static URL[] getLocationURLs(File location,
final String[] extensions)
throws MalformedURLException {
URL[] urls = new URL[0];
if (!location.exists()) {
return urls;
}
if (!location.isDirectory()) {
urls = new URL[1];
String path = location.getPath();
String littlePath = path.toLowerCase(Locale.ENGLISH);
for (int i = 0; i < extensions.length; ++i) {
if (littlePath.endsWith(extensions[i])) {
urls[0] = fileToURL(location);
break;
}
}
return urls;
}
File[] matches = location.listFiles(
new FilenameFilter() {
public boolean accept(File dir, String name) {
String littleName = name.toLowerCase(Locale.ENGLISH);
for (int i = 0; i < extensions.length; ++i) {
if (littleName.endsWith(extensions[i])) {
return true;
}
}
return false;
}
});
urls = new URL[matches.length];
for (int i = 0; i < matches.length; ++i) {
urls[i] = fileToURL(matches[i]);
}
return urls;
}
}


@@ -1,6 +0,0 @@
/**
* This is a copy of classes within Apache Ant. The DirectoryScanner is needed by dependency-check. However, we did not want to
* make Ant a dependency. As such, a few files were copied and slightly modified to remove any references to the Ant Project
* class.
*/
package org.owasp.dependencycheck.org.apache.tools.ant.launch;


@@ -1,6 +0,0 @@
/**
* This is a copy of classes within Apache Ant. The DirectoryScanner is needed by dependency-check. However, we did not want to
* make Ant a dependency. As such, a few files were copied and slightly modified to remove any references to the Ant Project
* class.
*/
package org.owasp.dependencycheck.org.apache.tools.ant;


@@ -1,35 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.taskdefs.condition;
import org.owasp.dependencycheck.org.apache.tools.ant.BuildException;
/**
* Interface for conditions to use inside the &lt;condition&gt; task.
*
*/
public interface Condition {
/**
* Is this condition true?
* @return true if the condition is true
* @exception BuildException if an error occurs
*/
boolean eval() throws BuildException;
}


@@ -1,321 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.taskdefs.condition;
import java.util.Locale;
import org.owasp.dependencycheck.org.apache.tools.ant.BuildException;
/**
* Condition that tests the OS type.
*
* @since Ant 1.4
*/
public class Os implements Condition {
private static final String OS_NAME =
System.getProperty("os.name").toLowerCase(Locale.ENGLISH);
private static final String OS_ARCH =
System.getProperty("os.arch").toLowerCase(Locale.ENGLISH);
private static final String OS_VERSION =
System.getProperty("os.version").toLowerCase(Locale.ENGLISH);
private static final String PATH_SEP =
System.getProperty("path.separator");
/**
* OS family to look for
*/
private String family;
/**
* Name of OS
*/
private String name;
/**
* version of OS
*/
private String version;
/**
* OS architecture
*/
private String arch;
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_WINDOWS = "windows";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_9X = "win9x";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_NT = "winnt";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_OS2 = "os/2";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_NETWARE = "netware";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_DOS = "dos";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_MAC = "mac";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_TANDEM = "tandem";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_UNIX = "unix";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_VMS = "openvms";
/**
* OS family that can be tested for. {@value}
*/
public static final String FAMILY_ZOS = "z/os";
/** OS family that can be tested for. {@value} */
public static final String FAMILY_OS400 = "os/400";
/**
* OpenJDK is reported to call MacOS X "Darwin"
* @see https://issues.apache.org/bugzilla/show_bug.cgi?id=44889
* @see https://issues.apache.org/jira/browse/HADOOP-3318
*/
private static final String DARWIN = "darwin";
/**
* Default constructor
*
*/
public Os() {
//default
}
/**
* Constructor that sets the family attribute
* @param family a String value
*/
public Os(String family) {
setFamily(family);
}
/**
* Sets the desired OS family type
*
* @param f The OS family type desired<br>
* Possible values:<br>
* <ul>
* <li>dos</li>
* <li>mac</li>
* <li>netware</li>
* <li>os/2</li>
* <li>tandem</li>
* <li>unix</li>
* <li>windows</li>
* <li>win9x</li>
* <li>z/os</li>
* <li>os/400</li>
* </ul>
*/
public void setFamily(String f) {
family = f.toLowerCase(Locale.ENGLISH);
}
/**
* Sets the desired OS name
*
* @param name The OS name
*/
public void setName(String name) {
this.name = name.toLowerCase(Locale.ENGLISH);
}
/**
* Sets the desired OS architecture
*
* @param arch The OS architecture
*/
public void setArch(String arch) {
this.arch = arch.toLowerCase(Locale.ENGLISH);
}
/**
* Sets the desired OS version
*
* @param version The OS version
*/
public void setVersion(String version) {
this.version = version.toLowerCase(Locale.ENGLISH);
}
/**
* Determines if the OS on which Ant is executing matches the type of
* that set in setFamily.
* @return true if the os matches.
* @throws BuildException if there is an error.
* @see Os#setFamily(String)
*/
public boolean eval() throws BuildException {
return isOs(family, name, arch, version);
}
/**
* Determines if the OS on which Ant is executing matches the
* given OS family.
* @param family the family to check for
* @return true if the OS matches
* @since 1.5
*/
public static boolean isFamily(String family) {
return isOs(family, null, null, null);
}
/**
* Determines if the OS on which Ant is executing matches the
* given OS name.
*
* @param name the OS name to check for
* @return true if the OS matches
* @since 1.7
*/
public static boolean isName(String name) {
return isOs(null, name, null, null);
}
/**
* Determines if the OS on which Ant is executing matches the
* given OS architecture.
*
* @param arch the OS architecture to check for
* @return true if the OS matches
* @since 1.7
*/
public static boolean isArch(String arch) {
return isOs(null, null, arch, null);
}
/**
* Determines if the OS on which Ant is executing matches the
* given OS version.
*
* @param version the OS version to check for
* @return true if the OS matches
* @since 1.7
*/
public static boolean isVersion(String version) {
return isOs(null, null, null, version);
}
/**
* Determines if the OS on which Ant is executing matches the
* given OS family, name, architecture and version
*
* @param family The OS family
* @param name The OS name
* @param arch The OS architecture
* @param version The OS version
* @return true if the OS matches
* @since 1.7
*/
public static boolean isOs(String family, String name, String arch,
String version) {
boolean retValue = false;
if (family != null || name != null || arch != null
|| version != null) {
boolean isFamily = true;
boolean isName = true;
boolean isArch = true;
boolean isVersion = true;
if (family != null) {
//windows probing logic relies on the word 'windows' in
//the OS
boolean isWindows = OS_NAME.indexOf(FAMILY_WINDOWS) > -1;
boolean is9x = false;
boolean isNT = false;
if (isWindows) {
//there are only four 9x platforms that we look for
is9x = (OS_NAME.indexOf("95") >= 0
|| OS_NAME.indexOf("98") >= 0
|| OS_NAME.indexOf("me") >= 0
//wince isn't really 9x, but crippled enough to
//be a muchness. Ant doesnt run on CE, anyway.
|| OS_NAME.indexOf("ce") >= 0);
isNT = !is9x;
}
if (family.equals(FAMILY_WINDOWS)) {
isFamily = isWindows;
} else if (family.equals(FAMILY_9X)) {
isFamily = isWindows && is9x;
} else if (family.equals(FAMILY_NT)) {
isFamily = isWindows && isNT;
} else if (family.equals(FAMILY_OS2)) {
isFamily = OS_NAME.indexOf(FAMILY_OS2) > -1;
} else if (family.equals(FAMILY_NETWARE)) {
isFamily = OS_NAME.indexOf(FAMILY_NETWARE) > -1;
} else if (family.equals(FAMILY_DOS)) {
isFamily = PATH_SEP.equals(";") && !isFamily(FAMILY_NETWARE);
} else if (family.equals(FAMILY_MAC)) {
isFamily = OS_NAME.indexOf(FAMILY_MAC) > -1
|| OS_NAME.indexOf(DARWIN) > -1;
} else if (family.equals(FAMILY_TANDEM)) {
isFamily = OS_NAME.indexOf("nonstop_kernel") > -1;
} else if (family.equals(FAMILY_UNIX)) {
isFamily = PATH_SEP.equals(":")
&& !isFamily(FAMILY_VMS)
&& (!isFamily(FAMILY_MAC) || OS_NAME.endsWith("x")
|| OS_NAME.indexOf(DARWIN) > -1);
} else if (family.equals(FAMILY_ZOS)) {
isFamily = OS_NAME.indexOf(FAMILY_ZOS) > -1
|| OS_NAME.indexOf("os/390") > -1;
} else if (family.equals(FAMILY_OS400)) {
isFamily = OS_NAME.indexOf(FAMILY_OS400) > -1;
} else if (family.equals(FAMILY_VMS)) {
isFamily = OS_NAME.indexOf(FAMILY_VMS) > -1;
} else {
throw new BuildException(
"Don\'t know how to detect os family \""
+ family + "\"");
}
}
if (name != null) {
isName = name.equals(OS_NAME);
}
if (arch != null) {
isArch = arch.equals(OS_ARCH);
}
if (version != null) {
isVersion = version.equals(OS_VERSION);
}
retValue = isFamily && isName && isArch && isVersion;
}
return retValue;
}
}


@@ -1,6 +0,0 @@
/**
* This is a copy of classes within Apache Ant. The DirectoryScanner is needed by dependency-check. However, we did not want to
* make Ant a dependency. As such, a few files were copied and slightly modified to remove any references to the Ant Project
* class.
*/
package org.owasp.dependencycheck.org.apache.tools.ant.taskdefs.condition;


@@ -1,353 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.types;
import org.owasp.dependencycheck.org.apache.tools.ant.BuildException;
import org.owasp.dependencycheck.org.apache.tools.ant.ProjectComponent;
/**
* Base class for those classes that can appear inside the build file as stand alone data types.
*
* <p>
* This class handles the common description attribute and provides a default implementation for reference handling and
* checking for circular references that is appropriate for types that can not be nested inside elements of the same
* type (i.e. &lt;patternset&gt; but not &lt;path&gt;).</p>
*
*/
public abstract class DataType extends ProjectComponent implements Cloneable {
// CheckStyle:VisibilityModifier OFF
/**
* Value to the refid attribute.
*
* @deprecated since 1.7. The user should not be directly referencing variable. Please use {@link #getRefid}
* instead.
*/
protected Reference ref;
/**
* Are we sure we don't hold circular references?
*
* <p>
* Subclasses are responsible for setting this value to false if we'd need to investigate this condition (usually
* because a child element has been added that is a subclass of DataType).</p>
*
* @deprecated since 1.7. The user should not be directly referencing variable. Please use {@link #setChecked} or
* {@link #isChecked} instead.
*/
protected boolean checked = true;
// CheckStyle:VisibilityModifier ON
/**
* Has the refid attribute of this element been set?
*
* @return true if the refid attribute has been set
*/
public boolean isReference() {
return ref != null;
}
/**
* Set the value of the refid attribute.
*
* <p>
* Subclasses may need to check whether any other attributes have been set as well or child elements have been
* created and thus override this method. if they do the must call <code>super.setRefid</code>.</p>
*
* @param ref the reference to use
*/
public void setRefid(final Reference ref) {
this.ref = ref;
checked = false;
}
// /**
// * Gets as descriptive as possible a name used for this datatype instance.
// *
// * @return <code>String</code> name.
// */
// protected String getDataTypeName() {
// return ComponentHelper.getElementName(getProject(), this, true);
// }
// /**
// * Convenience method.
// * @since Ant 1.7
// */
// protected void dieOnCircularReference() {
// dieOnCircularReference(getProject());
// }
//
// /**
// * Convenience method.
// * @param p the Ant Project instance against which to resolve references.
// * @since Ant 1.7
// */
// protected void dieOnCircularReference(Project p) {
// if (checked || !isReference()) {
// return;
// }
// dieOnCircularReference(new IdentityStack<Object>(this), p);
// }
//
// /**
// * Check to see whether any DataType we hold references to is
// * included in the Stack (which holds all DataType instances that
// * directly or indirectly reference this instance, including this
// * instance itself).
// *
// * <p>If one is included, throw a BuildException created by {@link
// * #circularReference circularReference}.</p>
// *
// * <p>This implementation is appropriate only for a DataType that
// * cannot hold other DataTypes as children.</p>
// *
// * <p>The general contract of this method is that it shouldn't do
// * anything if {@link #checked <code>checked</code>} is true and
// * set it to true on exit.</p>
// * @param stack the stack of references to check.
// * @param project the project to use to dereference the references.
// * @throws BuildException on error.
// */
// protected void dieOnCircularReference(final Stack<Object> stack,
// final Project project)
// throws BuildException {
//
// if (checked || !isReference()) {
// return;
// }
// Object o = ref.getReferencedObject(project);
//
// if (o instanceof DataType) {
// IdentityStack<Object> id = IdentityStack.getInstance(stack);
//
// if (id.contains(o)) {
// throw circularReference();
// } else {
// id.push(o);
// ((DataType) o).dieOnCircularReference(id, project);
// id.pop();
// }
// }
// checked = true;
// }
// /**
// * Allow DataTypes outside org.apache.tools.ant.types to indirectly call dieOnCircularReference on nested DataTypes.
// *
// * @param dt the DataType to check.
// * @param stk the stack of references to check.
// * @param p the project to use to dereference the references.
// * @throws BuildException on error.
// * @since Ant 1.7
// */
// public static void invokeCircularReferenceCheck(DataType dt, Stack<Object> stk,
// Project p) {
// dt.dieOnCircularReference(stk, p);
// }
//
// /**
// * Allow DataTypes outside org.apache.tools.ant.types to indirectly call dieOnCircularReference on nested DataTypes.
// *
// * <p>
// * Pushes dt on the stack, runs dieOnCircularReference and pops it again.</p>
// *
// * @param dt the DataType to check.
// * @param stk the stack of references to check.
// * @param p the project to use to dereference the references.
// * @throws BuildException on error.
// * @since Ant 1.8.0
// */
// public static void pushAndInvokeCircularReferenceCheck(DataType dt,
// Stack<Object> stk,
// Project p) {
// stk.push(dt);
// dt.dieOnCircularReference(stk, p);
// stk.pop();
// }
// /**
// * Performs the check for circular references and returns the referenced object.
// *
// * @return the dereferenced object.
// * @throws BuildException if the reference is invalid (circular ref, wrong class, etc).
// * @since Ant 1.7
// */
// protected Object getCheckedRef() {
// return getCheckedRef(getProject());
// }
//
// /**
// * Performs the check for circular references and returns the referenced object.
// *
// * @param p the Ant Project instance against which to resolve references.
// * @return the dereferenced object.
// * @throws BuildException if the reference is invalid (circular ref, wrong class, etc).
// * @since Ant 1.7
// */
// protected Object getCheckedRef(Project p) {
// return getCheckedRef(getClass(), getDataTypeName(), p);
// }
//
// /**
// * Performs the check for circular references and returns the referenced object.
// *
// * @param requiredClass the class that this reference should be a subclass of.
// * @param dataTypeName the name of the datatype that the reference should be (error message use only).
// * @return the dereferenced object.
// * @throws BuildException if the reference is invalid (circular ref, wrong class, etc).
// */
// protected <T> T getCheckedRef(final Class<T> requiredClass,
// final String dataTypeName) {
// return getCheckedRef(requiredClass, dataTypeName, getProject());
// }
//
// /**
// * Performs the check for circular references and returns the referenced object. This version allows the fallback
// * Project instance to be specified.
// *
// * @param requiredClass the class that this reference should be a subclass of.
// * @param dataTypeName the name of the datatype that the reference should be (error message use only).
// * @param project the fallback Project instance for dereferencing.
// * @return the dereferenced object.
// * @throws BuildException if the reference is invalid (circular ref, wrong class, etc), or if <code>project</code>
// * is <code>null</code>.
// * @since Ant 1.7
// */
// protected <T> T getCheckedRef(final Class<T> requiredClass,
// final String dataTypeName, final Project project) {
// if (project == null) {
// throw new BuildException("No Project specified");
// }
// dieOnCircularReference(project);
// Object o = ref.getReferencedObject(project);
// if (!(requiredClass.isAssignableFrom(o.getClass()))) {
// log("Class " + o.getClass() + " is not a subclass of " + requiredClass,
// Project.MSG_VERBOSE);
// String msg = ref.getRefId() + " doesn\'t denote a " + dataTypeName;
// throw new BuildException(msg);
// }
// @SuppressWarnings("unchecked")
// final T result = (T) o;
// return result;
// }
/**
* Creates an exception that indicates that refid has to be the only attribute if it is set.
*
* @return the exception to throw
*/
protected BuildException tooManyAttributes() {
return new BuildException("You must not specify more than one "
+ "attribute when using refid");
}
/**
* Creates an exception that indicates that this XML element must not have child elements if the refid attribute is
* set.
*
* @return the exception to throw
*/
protected BuildException noChildrenAllowed() {
return new BuildException("You must not specify nested elements "
+ "when using refid");
}
/**
* Creates an exception that indicates the user has generated a loop of data types referencing each other.
*
* @return the exception to throw
*/
protected BuildException circularReference() {
return new BuildException("This data type contains a circular "
+ "reference.");
}
/**
* The flag that is used to indicate that circular references have been checked.
*
* @return true if circular references have been checked
*/
protected boolean isChecked() {
return checked;
}
/**
* Set the flag that is used to indicate that circular references have been checked.
*
* @param checked if true, if circular references have been checked
*/
protected void setChecked(final boolean checked) {
this.checked = checked;
}
/**
* get the reference set on this object
*
* @return the reference or null
*/
public Reference getRefid() {
return ref;
}
/**
* check that it is ok to set attributes, i.e that no reference is defined
*
* @since Ant 1.6
* @throws BuildException if not allowed
*/
protected void checkAttributesAllowed() {
if (isReference()) {
throw tooManyAttributes();
}
}
/**
* check that it is ok to add children, i.e that no reference is defined
*
* @since Ant 1.6
* @throws BuildException if not allowed
*/
protected void checkChildrenAllowed() {
if (isReference()) {
throw noChildrenAllowed();
}
}
/**
* Basic DataType toString().
*
* @return this DataType formatted as a String.
*/
public String toString() {
String d = getDescription();
//return d == null ? getDataTypeName() : getDataTypeName() + " " + d;
return d == null ? "DataType" : d;
}
/**
* @since Ant 1.7
* @return a shallow copy of this DataType.
* @throws CloneNotSupportedException if there is a problem.
*/
public Object clone() throws CloneNotSupportedException {
DataType dt = (DataType) super.clone();
dt.setDescription(getDescription());
if (getRefid() != null) {
dt.setRefid(getRefid());
}
dt.setChecked(isChecked());
return dt;
}
}


@@ -1,126 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.types;
/**
* Class to hold a reference to another object in the project.
*
*/
public class Reference {
private String refid;
//private Project project;
/**
* Create a reference.
*
* @deprecated since 1.7. Please use {@link Reference#Reference(Project,String)} instead.
*/
public Reference() {
}
/**
* Create a reference to a named ID.
*
* @param id the name of this reference
* @deprecated since 1.7. Please use {@link Reference#Reference(Project,String)} instead.
*/
public Reference(String id) {
setRefId(id);
}
//
// /**
// * Create a reference to a named ID in a particular project.
// * @param p the project this reference is associated with
// * @param id the name of this reference
// * @since Ant 1.6.3
// */
// public Reference(Project p, String id) {
// setRefId(id);
// setProject(p);
// }
/**
* Set the reference id. Should not normally be necessary; use {@link Reference#Reference(Project, String)}.
*
* @param id the reference id to use
*/
public void setRefId(String id) {
refid = id;
}
/**
* Get the reference id of this reference.
*
* @return the reference id
*/
public String getRefId() {
return refid;
}
// /**
// * Set the associated project. Should not normally be necessary;
// * use {@link Reference#Reference(Project,String)}.
// * @param p the project to use
// * @since Ant 1.6.3
// */
// public void setProject(Project p) {
// this.project = p;
// }
//
// /**
// * Get the associated project, if any; may be null.
// * @return the associated project
// * @since Ant 1.6.3
// */
// public Project getProject() {
// return project;
// }
// /**
// * Resolve the reference, using the associated project if
// * it set, otherwise use the passed in project.
// * @param fallback the fallback project to use if the project attribute of
// * reference is not set.
// * @return the dereferenced object.
// * @throws BuildException if the reference cannot be dereferenced.
// */
// public Object getReferencedObject(Project fallback) throws BuildException {
// if (refid == null) {
// throw new BuildException("No reference specified");
// }
//
// Object o = project == null ? fallback.getReference(refid) : project.getReference(refid);
// if (o == null) {
// throw new BuildException("Reference " + refid + " not found.");
// }
// return o;
// }
// /**
// * Resolve the reference, looking in the associated project.
// * @see Project#getReference
// * @return the dereferenced object.
// * @throws BuildException if the project is null or the reference cannot be dereferenced
// * @since Ant 1.6.3
// */
// public Object getReferencedObject() throws BuildException {
// if (project == null) {
// throw new BuildException("No project set on reference to " + refid);
// }
// return getReferencedObject(project);
// }
}


@@ -1,462 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.types;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.util.Iterator;
import java.util.NoSuchElementException;
import org.owasp.dependencycheck.org.apache.tools.ant.types.resources.FileProvider;
/**
* Describes a "File-like" resource (File, ZipEntry, etc.).
*
* This class is meant to be used by classes needing to record path and date/time information about a file, a zip entry
* or some similar resource (URL, archive in a version control repository, ...).
*
* @since Ant 1.5.2
* @see org.apache.tools.ant.types.resources.Touchable
*/
public class Resource extends DataType implements Comparable<Resource>, ResourceCollection {
/**
* Constant unknown size
*/
public static final long UNKNOWN_SIZE = -1;
/**
* Constant unknown datetime for getLastModified
*/
public static final long UNKNOWN_DATETIME = 0L;
/**
* Magic number
*/
protected static final int MAGIC = getMagicNumber("Resource".getBytes());
private static final int NULL_NAME = getMagicNumber("null name".getBytes());
/**
* Create a "magic number" for use in hashCode calculations.
*
* @param seed byte[] to seed with.
* @return a magic number as int.
*/
protected static int getMagicNumber(byte[] seed) {
return new BigInteger(seed).intValue();
}
private String name = null;
private Boolean exists = null;
private Long lastmodified = null;
private Boolean directory = null;
private Long size = null;
/**
* Default constructor.
*/
public Resource() {
}
/**
* Only sets the name.
*
* <p>
* This is a dummy, used for not existing resources.</p>
*
* @param name relative path of the resource. Expects &quot;/&quot; to be used as the directory separator.
*/
public Resource(String name) {
this(name, false, 0, false);
}
/**
* Sets the name, lastmodified flag, and exists flag.
*
* @param name relative path of the resource. Expects &quot;/&quot; to be used as the directory separator.
* @param exists if true, this resource exists.
* @param lastmodified the last modification time of this resource.
*/
public Resource(String name, boolean exists, long lastmodified) {
this(name, exists, lastmodified, false);
}
/**
* Sets the name, lastmodified flag, exists flag, and directory flag.
*
* @param name relative path of the resource. Expects &quot;/&quot; to be used as the directory separator.
* @param exists if true the resource exists
* @param lastmodified the last modification time of the resource
* @param directory if true, this resource is a directory
*/
public Resource(String name, boolean exists, long lastmodified, boolean directory) {
this(name, exists, lastmodified, directory, UNKNOWN_SIZE);
}
/**
* Sets the name, lastmodified flag, exists flag, directory flag, and size.
*
* @param name relative path of the resource. Expects &quot;/&quot; to be used as the directory separator.
* @param exists if true the resource exists
* @param lastmodified the last modification time of the resource
* @param directory if true, this resource is a directory
* @param size the size of this resource.
*/
public Resource(String name, boolean exists, long lastmodified, boolean directory, long size) {
this.name = name;
setName(name);
setExists(exists);
setLastModified(lastmodified);
setDirectory(directory);
setSize(size);
}
/**
* Name attribute will contain the path of a file relative to the root directory of its fileset or the recorded path
* of a zip entry.
*
* <p>
* example for a file with fullpath /var/opt/adm/resource.txt in a file set with root dir /var/opt it will be
* adm/resource.txt.</p>
*
* <p>
* &quot;/&quot; will be used as the directory separator.</p>
*
* @return the name of this resource.
*/
public String getName() {
//return isReference() ? ((Resource) getCheckedRef()).getName() : name;
return name;
}
/**
* Set the name of this Resource.
*
* @param name relative path of the resource. Expects &quot;/&quot; to be used as the directory separator.
*/
public void setName(String name) {
checkAttributesAllowed();
this.name = name;
}
/**
* The exists attribute tells whether a resource exists.
*
* @return true if this resource exists.
*/
public boolean isExists() {
// if (isReference()) {
// return ((Resource) getCheckedRef()).isExists();
// }
//default true:
return exists == null || exists.booleanValue();
}
/**
* Set the exists attribute.
*
* @param exists if true, this resource exists.
*/
public void setExists(boolean exists) {
checkAttributesAllowed();
this.exists = exists ? Boolean.TRUE : Boolean.FALSE;
}
/**
* Tells the modification time in milliseconds since 01.01.1970 (the "epoch").
*
* @return the modification time, if that is meaningful (e.g. for a file resource which exists); 0 if the resource
* does not exist, to mirror the behavior of {@link java.io.File#lastModified}; or 0 if the notion of modification
* time is meaningless for this class of resource (e.g. an inline string)
*/
public long getLastModified() {
// if (isReference()) {
// return ((Resource) getCheckedRef()).getLastModified();
// }
if (!isExists() || lastmodified == null) {
return UNKNOWN_DATETIME;
}
long result = lastmodified.longValue();
return result < UNKNOWN_DATETIME ? UNKNOWN_DATETIME : result;
}
/**
* Set the last modification attribute.
*
* @param lastmodified the modification time in milliseconds since 01.01.1970.
*/
public void setLastModified(long lastmodified) {
checkAttributesAllowed();
this.lastmodified = new Long(lastmodified);
}
/**
* Tells if the resource is a directory.
*
* @return boolean flag indicating if the resource is a directory.
*/
public boolean isDirectory() {
// if (isReference()) {
// return ((Resource) getCheckedRef()).isDirectory();
// }
//default false:
return directory != null && directory.booleanValue();
}
/**
* Set the directory attribute.
*
* @param directory if true, this resource is a directory.
*/
public void setDirectory(boolean directory) {
checkAttributesAllowed();
this.directory = directory ? Boolean.TRUE : Boolean.FALSE;
}
/**
* Set the size of this Resource.
*
* @param size the size, as a long.
* @since Ant 1.6.3
*/
public void setSize(long size) {
checkAttributesAllowed();
this.size = new Long(size > UNKNOWN_SIZE ? size : UNKNOWN_SIZE);
}
/**
* Get the size of this Resource.
*
* @return the size, as a long, 0 if the Resource does not exist (for compatibility with java.io.File), or
* UNKNOWN_SIZE if not known.
* @since Ant 1.6.3
*/
public long getSize() {
// if (isReference()) {
// return ((Resource) getCheckedRef()).getSize();
// }
return isExists()
? (size != null ? size.longValue() : UNKNOWN_SIZE)
: 0L;
}
/**
* Clone this Resource.
*
* @return copy of this.
*/
public Object clone() {
try {
return super.clone();
} catch (CloneNotSupportedException e) {
throw new UnsupportedOperationException(
"CloneNotSupportedException for a Resource caught. "
+ "Derived classes must support cloning.");
}
}
/**
* Delegates to a comparison of names.
*
* @param other the object to compare to.
* @return a negative integer, zero, or a positive integer as this Resource is less than, equal to, or greater than
* the specified Resource.
* @since Ant 1.6
*/
public int compareTo(Resource other) {
// if (isReference()) {
// return ((Resource) getCheckedRef()).compareTo(other);
// }
return toString().compareTo(other.toString());
}
/**
* Implement basic Resource equality.
*
* @param other the object to check against.
* @return true if the specified Object is equal to this Resource.
* @since Ant 1.7
*/
public boolean equals(Object other) {
// if (isReference()) {
// return getCheckedRef().equals(other);
// }
return other != null && other.getClass().equals(getClass())
&& compareTo((Resource) other) == 0;
}
/**
* Get the hash code for this Resource.
*
* @return hash code as int.
* @since Ant 1.7
*/
public int hashCode() {
// if (isReference()) {
// return getCheckedRef().hashCode();
// }
String name = getName();
return MAGIC * (name == null ? NULL_NAME : name.hashCode());
}
/**
* Get an InputStream for the Resource.
*
* @return an InputStream containing this Resource's content.
* @throws IOException if unable to provide the content of this Resource as a stream.
* @throws UnsupportedOperationException if InputStreams are not supported for this Resource type.
* @since Ant 1.7
*/
public InputStream getInputStream() throws IOException {
// if (isReference()) {
// return ((Resource) getCheckedRef()).getInputStream();
// }
throw new UnsupportedOperationException();
}
/**
* Get an OutputStream for the Resource.
*
* @return an OutputStream to which content can be written.
* @throws IOException if unable to provide the content of this Resource as a stream.
* @throws UnsupportedOperationException if OutputStreams are not supported for this Resource type.
* @since Ant 1.7
*/
public OutputStream getOutputStream() throws IOException {
// if (isReference()) {
// return ((Resource) getCheckedRef()).getOutputStream();
// }
throw new UnsupportedOperationException();
}
/**
* Fulfill the ResourceCollection contract.
*
* @return an Iterator of Resources.
* @since Ant 1.7
*/
public Iterator<Resource> iterator() {
//return isReference() ? ((Resource) getCheckedRef()).iterator()
// : new Iterator<Resource>() {
return new Iterator<Resource>() {
private boolean done = false;
public boolean hasNext() {
return !done;
}
public Resource next() {
if (done) {
throw new NoSuchElementException();
}
done = true;
return Resource.this;
}
public void remove() {
throw new UnsupportedOperationException();
}
};
}
/**
* Fulfill the ResourceCollection contract.
*
* @return the size of this ResourceCollection.
* @since Ant 1.7
*/
public int size() {
//return isReference() ? ((Resource) getCheckedRef()).size() : 1;
return 1;
}
/**
* Fulfill the ResourceCollection contract.
*
* @return whether this Resource is a FileProvider.
* @since Ant 1.7
*/
public boolean isFilesystemOnly() {
// return (isReference() && ((Resource) getCheckedRef()).isFilesystemOnly())
// || this.as(FileProvider.class) != null;
return this.as(FileProvider.class) != null;
}
/**
* Get the string representation of this Resource.
*
* @return this Resource formatted as a String.
* @since Ant 1.7
*/
public String toString() {
// if (isReference()) {
// return getCheckedRef().toString();
// }
String n = getName();
return n == null ? "(anonymous)" : n;
}
/**
* Get a long String representation of this Resource. This typically should be the value of <code>toString()</code>
* prefixed by a type description.
*
* @return this Resource formatted as a long String.
* @since Ant 1.7
*/
public final String toLongString() {
// return isReference() ? ((Resource) getCheckedRef()).toLongString()
// : getDataTypeName() + " \"" + toString() + '"';
return toString();
}
/**
* Overrides the base version.
*
* @param r the Reference to set.
*/
public void setRefid(Reference r) {
if (name != null
|| exists != null
|| lastmodified != null
|| directory != null
|| size != null) {
throw tooManyAttributes();
}
super.setRefid(r);
}
/**
* Returns a view of this resource that implements the interface given as the argument or null if there is no such
* view.
*
* <p>
* This allows extension interfaces to be added to resources without growing the number of permutations of
* interfaces decorators/adapters need to implement.</p>
*
* <p>
* This implementation of the method will return the current instance itself if it can be assigned to the given
* class.</p>
*
* @since Ant 1.8.0
*/
public <T> T as(Class<T> clazz) {
return clazz.isAssignableFrom(getClass()) ? clazz.cast(this) : null;
}
}


@@ -1,50 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.types;
import java.util.Iterator;
import org.owasp.dependencycheck.org.apache.tools.ant.types.resources.FileProvider;
/**
* Interface describing a collection of Resources.
* @since Ant 1.7
*/
public interface ResourceCollection extends Iterable<Resource> {
/**
* Gets the contents of this collection.
* @return all resources in the collection
*/
Iterator<Resource> iterator();
/**
* Learn the number of contained Resources.
* @return number of elements as int.
*/
int size();
/**
* Indicate whether this ResourceCollection is composed entirely of
* Resources accessible via local filesystem conventions. If true,
* all resources returned from this collection should
* respond with a {@link FileProvider} when asked via {@link Resource#as}.
* @return whether this is a filesystem-only resource collection.
*/
boolean isFilesystemOnly();
}


@@ -1,38 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.types;
/**
* this interface should be implemented by classes (Scanners) needing
* to deliver information about resources.
*
* @since Ant 1.5.2
*/
public interface ResourceFactory {
/**
* Query a resource (file, zipentry, ...) by name
*
* @param name relative path of the resource about which
* information is sought. Expects &quot;/&quot; to be used as the
* directory separator.
* @return instance of Resource; the exists attribute of Resource
* will tell whether the sought resource exists
*/
Resource getResource(String name);
}


@@ -1,6 +0,0 @@
/**
* This is a copy of classes within Apache Ant. The DirectoryScanner is needed by dependency-check. However, we did not want to
* make Ant a dependency. As such, a few files were copied and slightly modified to remove any references to the Ant Project
* class.
*/
package org.owasp.dependencycheck.org.apache.tools.ant.types;


@@ -1,35 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.types.resources;
import java.io.IOException;
import java.io.OutputStream;
/**
* Interface to be implemented by "appendable" resources.
* @since Ant 1.8
*/
public interface Appendable {
/**
* Get an appending OutputStream.
* @return OutputStream
* @throws IOException if anything goes wrong
*/
OutputStream getAppendOutputStream() throws IOException;
}


@@ -1,36 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.owasp.dependencycheck.org.apache.tools.ant.types.resources;
import java.io.File;
/**
* This is an interface that resources that can provide a file should implement.
* This is a refactoring of {@link FileResource}, to allow other resources
* to act as sources of files (and to make components that only support
* file-based resources from only support FileResource resources.
* @since Ant 1.8
*/
public interface FileProvider {
/**
* Get the file represented by this Resource.
* @return the file.
*/
File getFile();
}

Some files were not shown because too many files have changed in this diff.