diff --git a/README.md b/README.md index 5f09b24ab..fab943828 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Current Releases ------------- ### Jenkins Plugin -For instructions on the use of the Jenkins plugin please see the [Jenkins dependency-check page](http://wiki.jenkins-ci.org/x/CwDgAQ). +For instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin). ### Command Line @@ -37,7 +37,7 @@ $ dependency-check --app Testing --out . --scan [path to jar files to be scanned ### Maven Plugin -More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html). +More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven). The plugin can be configured using the following: ```xml @@ -66,7 +66,7 @@ The plugin can be configured using the following: ### Ant Task -For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html). +For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant). Development Usage ------------- diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index dd5473d17..7e7208aef 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 3d3231738..c76f50b72 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-cli diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index 15a1248cc..123571643 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md @@ -13,7 +13,7 @@ Short | Argument Name   | Parameter | Description | Requir \-f | \-\-format | \ | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required \-l | \-\-log | \ | The file path to write verbose logging information. | Optional \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional - | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional + | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../general/suppression.html). | Optional \-h | \-\-help | | Print the help message. | Optional | \-\-advancedHelp | | Print the advanced help message. | Optional \-v | \-\-version | | Print the version information. | Optional diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 9086dfde3..4276d35e9 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-core @@ -123,6 +123,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. test-jar + + + **/*.class + + diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java index d25ad57de..291c011bc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java @@ -173,10 +173,10 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer { } } else { // copy, alter and set in case some other thread is iterating over - final List deps = new ArrayList( + final List dependencies = new ArrayList( engine.getDependencies()); - deps.remove(dependency); - engine.setDependencies(deps); + dependencies.remove(dependency); + engine.setDependencies(dependencies); } } @@ -225,7 +225,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer { contents = FileUtils.readFileToString(actualFile).trim(); } catch (IOException e) { throw new AnalysisException( - "Problem occured while reading dependency file.", e); + "Problem occurred while reading dependency file.", e); } return contents; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java index ff2064d91..c89aaed6f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java @@ -53,7 +53,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils; public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { /** - * Name of egg metatdata files to analyze. + * Name of egg metadata files to analyze. */ private static final String PKG_INFO = "PKG-INFO"; @@ -269,10 +269,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { * * @param dependency the dependency being analyzed * @param file a reference to the manifest/properties file - * @throws AnalysisException thrown when there is an error */ - private static void collectWheelMetadata(Dependency dependency, File file) - throws AnalysisException { + private static void collectWheelMetadata(Dependency dependency, File file) { final InternetHeaders headers = getManifestProperties(file); addPropertyToEvidence(headers, dependency.getVersionEvidence(), "Version", Confidence.HIGHEST); @@ -352,7 +350,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { } /** - * Retrieves the next temporary destingation directory for extracting an archive. + * Retrieves the next temporary destination directory for extracting an archive. * * @return a directory * @throws AnalysisException thrown if unable to create temporary directory diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 8f909614b..f5d27e981 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -28,13 +28,10 @@ import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.UrlStringUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; import java.io.IOException; -import java.net.MalformedURLException; import java.util.ArrayList; import java.util.List; import java.util.regex.Matcher; @@ -53,12 +50,6 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE; - /** - * The logger. - */ - private static final Logger LOGGER = LoggerFactory - .getLogger(PythonPackageAnalyzer.class); - /** * Filename extensions for files to be analyzed. */ @@ -173,7 +164,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { * Analyzes python packages and adds evidence to the dependency. * * @param dependency the dependency being analyzed - * @param engine the engine being used to perform the scan + * @param engine the engine being used to perform the scan * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency */ @Override @@ -184,8 +175,8 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { final String parentName = parent.getName(); boolean found = false; if (INIT_PY_FILTER.accept(file)) { - for (final File sourcefile : parent.listFiles(PY_FILTER)) { - found |= analyzeFileContents(dependency, sourcefile); + for (final File sourceFile : parent.listFiles(PY_FILTER)) { + found |= analyzeFileContents(dependency, sourceFile); } } if (found) { @@ -194,10 +185,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { "PackageName", parentName, Confidence.MEDIUM); } else { // copy, alter and set in case some other thread is iterating over - final List deps = new ArrayList( + final List dependencies = new ArrayList( engine.getDependencies()); - deps.remove(dependency); - engine.setDependencies(deps); + dependencies.remove(dependency); + engine.setDependencies(dependencies); } } @@ -206,7 +197,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { * __summary__, __uri__, __url__, __home*page__, __author__, and their all caps equivalents. * * @param dependency the dependency being analyzed - * @param file the file name to analyze + * @param file the file name to analyze * @return whether evidence was found * @throws AnalysisException thrown if there is an unrecoverable error */ @@ -238,14 +229,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { .getVendorEvidence(); found |= gatherEvidence(AUTHOR_PATTERN, contents, source, vendorEvidence, "SourceAuthor", Confidence.MEDIUM); - try { - found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence, - source, "URL", contents); - found |= gatherHomePageEvidence(HOMEPAGE_PATTERN, - vendorEvidence, source, "HomePage", contents); - } catch (MalformedURLException e) { - LOGGER.warn(e.getMessage()); - } + found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence, + source, "URL", contents); + found |= gatherHomePageEvidence(HOMEPAGE_PATTERN, + vendorEvidence, source, "HomePage", contents); } return found; } @@ -254,15 +241,15 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { * Adds summary information to the dependency * * @param dependency the dependency being analyzed - * @param pattern the pattern used to perform analysis - * @param group the group from the pattern that indicates the data to use - * @param contents the data being analyzed - * @param source the source name to use when recording the evidence - * @param key the key name to use when recording the evidence + * @param pattern the pattern used to perform analysis + * @param group the group from the pattern that indicates the data to use + * @param contents the data being analyzed + * @param source the source name to use when recording the evidence + * @param key the key name to use when recording the evidence * @return true if evidence was collected; otherwise false */ private boolean addSummaryInfo(Dependency dependency, Pattern pattern, - int group, String contents, String source, String key) { + int group, String contents, String source, String key) { final Matcher matcher = pattern.matcher(contents); final boolean found = matcher.find(); if (found) { @@ -275,17 +262,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { /** * Collects evidence from the home page URL. * - * @param pattern the pattern to match + * @param pattern the pattern to match * @param evidence the evidence collection to add the evidence to - * @param source the source of the evidence - * @param name the name of the evidence + * @param source the source of the evidence + * @param name the name of the evidence * @param contents the home page URL * @return true if evidence was collected; otherwise false - * @throws MalformedURLException thrown if the URL is malformed */ private boolean gatherHomePageEvidence(Pattern pattern, - EvidenceCollection evidence, String source, String name, - String contents) throws MalformedURLException { + EvidenceCollection evidence, String source, String name, + String contents) { final Matcher matcher = pattern.matcher(contents); boolean found = false; if (matcher.find()) { @@ -299,19 +285,19 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { } /** - * Gather evidence from a Python source file usin the given string assignment regex pattern. + * Gather evidence from a Python source file using the given string assignment regex pattern. * - * @param pattern to scan contents with - * @param contents of Python source file - * @param source for storing evidence - * @param evidence to store evidence in - * @param name of evidence + * @param pattern to scan contents with + * @param contents of Python source file + * @param source for storing evidence + * @param evidence to store evidence in + * @param name of evidence * @param confidence in evidence * @return whether evidence was found */ private boolean gatherEvidence(Pattern pattern, String contents, - String source, EvidenceCollection evidence, String name, - Confidence confidence) { + String source, EvidenceCollection evidence, String name, + Confidence confidence) { final Matcher matcher = pattern.matcher(contents); final boolean found = matcher.find(); if (found) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index dd2f5bb26..26a6d1b56 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -720,7 +720,7 @@ public class Dependency implements Serializable, Comparable { && ObjectUtils.equals(this.description, other.description) && ObjectUtils.equals(this.license, other.license) && ObjectUtils.equals(this.vulnerabilities, other.vulnerabilities) - && ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies) + //&& ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies) && ObjectUtils.equals(this.projectReferences, other.projectReferences) && ObjectUtils.equals(this.availableVersions, other.availableVersions); } @@ -735,8 +735,9 @@ public class Dependency implements Serializable, Comparable { int hash = MAGIC_HASH_INIT_VALUE; for (Object field : new Object[]{this.actualFilePath, this.filePath, this.fileName, this.md5sum, this.sha1sum, this.identifiers, this.vendorEvidence, this.productEvidence, this.versionEvidence, - this.description, this.license, this.vulnerabilities, this.relatedDependencies, this.projectReferences, - this.availableVersions}) { + this.description, this.license, this.vulnerabilities, + //this.relatedDependencies, + this.projectReferences, this.availableVersions}) { hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(field); } return hash; diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 40ae34dc0..98ad6a000 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -17,6 +17,7 @@ cpe:/a:mod_security:mod_security cpe:/a:springsource:spring_framework cpe:/a:vmware:springsource_spring_framework + cpe:/a:pivotal:spring_framework
Press CTR-C to copy XML [help]
-
+
@@ -591,6 +591,7 @@ arising out of or in connection with the use of this tool, the analysis performe #else $enc.html($id.value) #end + #set($cpeSort=0) #if ($cpeIdConf == "") #set($cpeIdConf=$id.confidence) #set($cpeSort=$id.confidence.ordinal()) @@ -602,11 +603,15 @@ arising out of or in connection with the use of this tool, the analysis performe #end #end + #if ($mavenlink=="") + + #else #if( $mavenlink.url ) - ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here... + ##yes, we are HTML Encoding the href. This is okay. We can't URL encode as we have to trust the analyzer here... $enc.html($mavenlink.value) #elseif ($mavenlink.value) $enc.html($mavenlink.value) + #end #end #set($cveImpact=-1) #foreach($vuln in $dependency.getVulnerabilities()) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java index c5fcc289e..f0ee9f7ac 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java @@ -39,10 +39,10 @@ public class OpenSSLAnalyzerTest extends BaseTest { /** * The package analyzer to test. */ - OpenSSLAnalyzer analyzer; + private OpenSSLAnalyzer analyzer; /** - * Setup the PtyhonPackageAnalyzer. + * Setup the {@link OpenSSLAnalyzer}. * * @throws Exception if there is a problem */ diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java index ded6cb20b..954d02274 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java @@ -40,7 +40,7 @@ public class PythonDistributionAnalyzerTest extends BaseTest { /** * The analyzer to test. */ - PythonDistributionAnalyzer analyzer; + private PythonDistributionAnalyzer analyzer; /** * Correctly setup the analyzer for testing. diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java index b132c2ec8..82bb3af09 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java @@ -40,10 +40,10 @@ public class PythonPackageAnalyzerTest extends BaseTest { /** * The package analyzer to test. */ - PythonPackageAnalyzer analyzer; + private PythonPackageAnalyzer analyzer; /** - * Setup the PtyhonPackageAnalyzer. + * Setup the {@link PythonPackageAnalyzer}. * * @throws Exception if there is a problem */ @@ -85,14 +85,9 @@ public class PythonPackageAnalyzerTest extends BaseTest { @Test public void testAnalyzeSourceMetadata() throws AnalysisException { - eggtestAssertions(this, - "python/eggtest/__init__.py"); - } - - public void eggtestAssertions(Object context, final String resource) throws AnalysisException { boolean found = false; final Dependency result = new Dependency(BaseTest.getResourceAsFile( - context, resource)); + this, "python/eggtest/__init__.py")); analyzer.analyze(result, null); assertTrue("Expected vendor evidence to contain \"example\".", result .getVendorEvidence().toString().contains("example")); @@ -104,4 +99,5 @@ public class PythonPackageAnalyzerTest extends BaseTest { } assertTrue("Version 0.0.1 not found in EggTest dependency.", found); } + } diff --git a/dependency-check-gradle/pom.xml b/dependency-check-gradle/pom.xml index e6c206b24..8bfaa9197 100644 --- a/dependency-check-gradle/pom.xml +++ b/dependency-check-gradle/pom.xml @@ -22,11 +22,11 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-gradle - 0.0.5 + 0.0.6 pom diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index a3b420bbe..7816728b6 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -3,7 +3,7 @@ org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-jenkins Dependency-Check Jenkins Plugin diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index add74999c..c9de29a1f 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-maven diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md index 7f767f0c3..afe2e9e99 100644 --- a/dependency-check-maven/src/site/markdown/configuration.md +++ b/dependency-check-maven/src/site/markdown/configuration.md @@ -18,7 +18,7 @@ autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is ena outputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target' failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11 format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML -suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |   +suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) |   skipTestScope | Should be skip analysis for artifacts with Test Scope | true skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml index cf5d49168..21ce57bdd 100644 --- a/dependency-check-utils/pom.xml +++ b/dependency-check-utils/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-utils diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index e8da13f70..7cb006aeb 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -31,6 +31,7 @@ import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.util.Enumeration; import java.util.Properties; +import java.util.logging.Level; /** * A simple settings container that wraps the dependencycheck.properties file. @@ -364,6 +365,14 @@ public final class Settings { public static void cleanup(boolean deleteTemporary) { if (deleteTemporary && tempDirectory != null && tempDirectory.exists()) { FileUtils.delete(tempDirectory); + if (tempDirectory.exists()) { + try { + Thread.sleep(2000); + } catch (InterruptedException ex) { + //ignore + } + FileUtils.delete(tempDirectory); + } } try { localSettings.remove(); diff --git a/pom.xml b/pom.xml index b433f9a36..2c712d053 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT pom