add the ability to enable/disable the NSP analyzer and updated the site documentation

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -58,6 +58,11 @@ public class Check extends Update {
      * Whether or not the Node.js Analyzer is enabled.
      */
     private Boolean nodeAnalyzerEnabled;
+    /**
+     * Whether or not the NSP Analyzer is enabled.
+     */
+    private Boolean nspAnalyzerEnabled;
+    
     /**
      * Whether or not the Ruby Bundle Audit Analyzer is enabled.
      */
@@ -737,6 +742,22 @@ public class Check extends Update {
     public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
     }
+    /**
+     * Get the value of nspAnalyzerEnabled.
+     *
+     * @return the value of nspAnalyzerEnabled
+     */
+    public Boolean isNspAnalyzerEnabled() {
+        return nspAnalyzerEnabled;
+    }
+    /**
+     * Set the value of nspAnalyzerEnabled.
+     *
+     * @param nspAnalyzerEnabled new value of nspAnalyzerEnabled
+     */
+    public void setNspAnalyzerEnabled(Boolean nspAnalyzerEnabled) {
+        this.nspAnalyzerEnabled = nspAnalyzerEnabled;
+    }
 
     /**
      * Get the value of rubygemsAnalyzerEnabled.
@@ -1008,6 +1029,7 @@ public class Check extends Update {
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);

dependency-check-ant/src/site/markdown/configuration.md

@@ -56,7 +56,7 @@ types that they support are detected - so specifically disabling them may not
 be needed.
 
 Property                      | Description                                                                                                | Default Value
-------------------------------|-----------------------------------------------------------------------------------|------------------
+------------------------------|------------------------------------------------------------------------------------------------------------|------------------
 archiveAnalyzerEnabled        | Sets whether the Archive Analyzer will be used.                                                            | true
 zipExtensions                 | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |  
 jarAnalyzer                   | Sets whether the Jar Analyzer will be used.                                                                | true
@@ -72,6 +72,7 @@ cmakeAnalyzerEnabled          | Sets whether the [experimental](../analyzers/ind
 autoconfAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used.                 | true
 composerAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used.   | true
 nodeAnalyzerEnabled           | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used.                  | true
+nspAnalyzerEnabled            | Sets whether the NSP Analyzer should be used.                                                              | true
 nuspecAnalyzerEnabled         | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                  | true
 cocoapodsAnalyzerEnabled      | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used.                | true
 bundleAuditAnalyzerEnabled    | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used.             | true

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -455,6 +455,7 @@ public class App {
         Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, !cli.isNspDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, !cli.isSwiftPackageAnalyzerDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, !cli.isCocoapodsAnalyzerDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -490,6 +490,8 @@ public final class CliParser {
                 .addOption(swiftPackageManagerAnalyzerEnabled)
                 .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_JS)
                         .desc("Disable the Node.js Package Analyzer.").build())
+                .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NSP)
+                        .desc("Disable the NSP Package Analyzer.").build())
                 .addOption(nexusUrl)
                 .addOption(nexusUsesProxy)
                 .addOption(additionalZipExtensions)
@@ -733,6 +735,15 @@ public final class CliParser {
     public boolean isNodeJsDisabled() {
         return hasDisableOption(ARGUMENT.DISABLE_NODE_JS, Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED);
     }
+/**
+     * Returns true if the disableNSP command line argument was specified.
+     *
+     * @return true if the disableNSP command line argument was specified;
+     * otherwise false
+     */
+    public boolean isNspDisabled() {
+        return hasDisableOption(ARGUMENT.DISABLE_NSP, Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED);
+    }
 
     /**
      * Returns true if the disableCocoapodsAnalyzer command line argument was
@@ -1443,6 +1454,10 @@ public final class CliParser {
          * Disables the Node.js Package Analyzer.
          */
         public static final String DISABLE_NODE_JS = "disableNodeJS";
+        /**
+         * Disables the NSP Analyzer.
+         */
+        public static final String DISABLE_NSP = "disableNSP";
         /**
          * The URL of the nexus server.
          */

dependency-check-cli/src/site/markdown/arguments.md

@@ -24,7 +24,7 @@ Short  | Argument Name   | Parameter       | Description | Requir
 Advanced Options
 ================
 Short  | Argument Name        | Parameter | Description                                     | Default Value
--------|-----------------------|-----------------|----------------------------------------------------------------------------------|-------------------
+-------|------------------------|-----------------|----------------------------------------------------------------------------------|-------------------
        | \-\-cveUrl12Modified   | \<url\>         | URL for the modified CVE 1.2                                                     | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
        | \-\-cveUrl20Modified   | \<url\>         | URL for the modified CVE 2.0                                                     | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
        | \-\-cveUrl12Base       | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
@@ -34,6 +34,7 @@ Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
        | \-\-disablePyDist      |                 | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used.                      | false
        | \-\-disablePyPkg       |                 | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used.                           | false
        | \-\-disableNodeJS      |                 | Sets whether the [experimental](../analyzers/index.html) Node.js Package Analyzer will be used.                          | false
+       | \-\-disableNSP         |                 | Sets whether the NSP Analyzer will be used.                                                                              | false
        | \-\-disableRubygems    |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.                             | false
        | \-\-disableBundleAudit |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used.                       | false
        | \-\-disableCocoapodsAnalyzer |           | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used.                                | false

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -269,6 +269,11 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     @Parameter(property = "nodeAnalyzerEnabled", required = false)
     private Boolean nodeAnalyzerEnabled;
+    /**
+     * Sets whether or not the Node Security Project Analyzer should be used.
+     */
+    @Parameter(property = "nspAnalyzerEnabled", required = false)
+    private Boolean nspAnalyzerEnabled;
 
     /**
      * Whether or not the .NET Assembly Analyzer is enabled.
@@ -929,6 +934,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
         Settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);

dependency-check-maven/src/site/markdown/configuration.md

@@ -56,6 +56,7 @@ cmakeAnalyzerEnabled          | Sets whether the [experimental](../analyzers/ind
 autoconfAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used.                 | true
 composerAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used.   | true
 nodeAnalyzerEnabled           | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used.                  | true
+nspAnalyzerEnabled            | Sets whether the NSP Analyzer should be used.                                                              | true
 nuspecAnalyzerEnabled         | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                  | true
 cocoapodsAnalyzerEnabled      | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used.                | true
 bundleAuditAnalyzerEnabled    | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used.             | true

src/site/markdown/analyzers/index.md

@@ -9,6 +9,7 @@ to extract identification information from the files analyzed.
 | [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
 | [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
 | [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
+| [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
 | [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
 | [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
 

src/site/markdown/analyzers/nsp-analyzer

@@ -0,0 +1,16 @@
+Node.js Analyzer
+================
+
+OWASP dependency-check includes a [Node Security Project (NSP)](https://nodesecurity.io)
+analyzer that will scan `package.json` files. The analyzer will filter the given
+package.json down to a specific white-list of allowed entries and submit the data
+to the NSP for analysis.
+
+This analyzer is enabled by default and requires that the machine performing the
+analysis can reach out to the Internet.
+
+White-list of entries sent to NSP include: name, version, engine, dependencies, 
+devDependencies, optionalDependencies, peerDependencies, bundleDependencies, and
+bundledDependencies
+
+Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json)

src/site/markdown/dependency-check-gradle/configuration.md

@@ -110,6 +110,7 @@ cmakeEnabled          | Sets whether or not the [experimental](../analyzers/inde
 autoconfEnabled       | Sets whether or not the [experimental](../analyzers/index.html) autoconf Analyzer should be used.                 | true
 composerEnabled       | Sets whether or not the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used.   | true
 nodeEnabled           | Sets whether or not the [experimental](../analyzers/index.html) Node.js Analyzer should be used.                  | true
+nspEnabled            | Sets whether the NSP Analyzer should be used.                                                                     | true
 cocoapodsEnabled      | Sets whether or not the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used.                | true
 swiftEnabled          | Sets whether or not the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used.    | true
 bundleAuditEnabled    | Sets whether or not the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used.        | true