Merge pull request #271 from wmaintw/master

Add the ability to customize CVE URLs and the report output directory in the dependency-check-gradle plugin, plus some bug fixes

Former-commit-id: bd78214d389ae52fab0c0280910469289d7b699c
This commit is contained in:
Jeremy Long
2015-07-09 06:02:17 -04:00
8 changed files with 313 additions and 150 deletions


@@ -15,9 +15,53 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera
Please refer to either one of the solution
#### Solution 1Bintray
#### Solution 1Install from Maven Central
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'com.thoughtworks.tools:dependency-check:0.0.4'
}
}
```
apply plugin: 'dependency.check'
#### Solution 2Install from Gradle Plugin Portal
[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check)
**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:**
```groovy
plugins {
id "dependency.check" version "0.0.4"
}
```
**Build script snippet for use in all Gradle versions:**
```groovy
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4"
}
}
apply plugin: "dependency.check"
```
#### Solution 3Install from Bintray
```groovy
apply plugin: "dependency-check"
buildscript {
@@ -29,105 +73,12 @@ buildscript {
}
dependencies {
classpath(
'com.tools.security:dependency-check:0.0.3'
'com.tools.security:dependency-check:0.0.4'
)
}
}
```
#### Solution 2Gradle Plugin Portal
[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check)
**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:**
```
// buildscript {
// ...
// }
plugins {
id "dependency.check" version "0.0.3"
}
// apply plugin: ...
```
**Build script snippet for use in all Gradle versions:**
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
apply plugin: "dependency.check"
```
**If your project includes multiple sub-project, configure build script this way:**
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
allprojects {
//other plugins you may use
//apply plugin: "java"
apply plugin: "dependency-check"
repositories {
mavenCentral()
}
}
```
or
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
subprojects {
//other plugins you may use
//apply plugin: "java"
apply plugin: "dependency-check"
repositories {
mavenCentral()
}
}
```
In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
#### Solution 3Maven Central
working in progress
### Step 2, Run gradle task
Once gradle plugin applied, run following gradle task to check the dependencies:
@@ -140,11 +91,18 @@ The reports will be generated automatically under `./reports` folder.
If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
### What if you are behind a proxy?
## FAQ
> **Questions List:**
> - What if I'm behind a proxy?
> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
> - How to customize the report directory?
### What if I'm behind a proxy?
Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
```
```groovy
dependencyCheck {
proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
proxyPort = 3128 // required, the port number of the proxy
@@ -156,3 +114,57 @@ dependencyCheck {
// proxyPassword = "password"
}
```
### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
(1) For all projects including root project:
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4"
}
}
allprojects {
apply plugin: "dependency-check"
}
```
(2) For all sub-projects:
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4"
}
}
subprojects {
apply plugin: "dependency-check"
}
```
In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
### How to customize the report directory?
By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
```groovy
subprojects {
apply plugin: "dependency-check"
dependencyCheck {
outputDirectory = "./customized-path/security-report"
}
}
```


@@ -35,6 +35,7 @@ plugins {
apply plugin: 'idea'
apply plugin: 'groovy'
apply plugin: 'maven'
apply plugin: 'signing'
apply plugin: "com.gradle.plugin-publish"
repositories {
@@ -50,56 +51,10 @@ dependencies {
)
}
group = 'com.tools.security'
version = '0.0.3'
group = 'com.thoughtworks.tools'
version = '0.0.5'
//-------------------------------
// Local debug use only
//
uploadArchives {
repositories {
mavenDeployer {
repository(url: uri('../../../repo'))
}
}
}
//-------------------------------
// publish to Bintray
plugindev {
pluginId = 'dependency.check'
pluginName = 'dependency-check'
pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin'
pluginDescription 'This is dependency check gradle plugin.'
pluginLicenses 'Apache-2.0'
pluginTags 'dependency check', 'security'
authorId 'wmaintw'
authorName 'Wei Ma'
authorEmail 'wma@thoughtworks.com'
projectUrl 'https://github.com/wmaintw/DependencyCheck'
projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues'
projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git'
projectInceptionYear '2015'
done()
}
bintray {
user = bintrayUser
key = bintrayUserKey
pkg.repo = bintrayRepo
}
// publish to gradle plugin portal
pluginBundle {
website = 'https://github.com/wmaintw/DependencyCheck'
vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git'
description = 'This is dependency check gradle plugin.'
tags = ['dependency check', 'security']
plugins {
dependencyCheckPlugin {
id = 'dependency.check'
displayName = 'dependency-check'
}
}
}
apply from: 'conf/publish/local.gradle'
//apply from: 'conf/publish/maven.gradle'
apply from: 'conf/publish/gradlePluginsPortal.gradle'
apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file
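Review bot: `apply plugin: 'signing'` is added on the new side, but the only `signing { sign configurations.archives }` block lives in `conf/publish/maven.gradle`, and the `apply from: 'conf/publish/maven.gradle'` line is left commented out, so in this commit the signing plugin is applied to no effect and the Maven Central upload path is dead. The README hunk in the same commit nevertheless documents "Install from Maven Central" with `com.thoughtworks.tools:dependency-check:0.0.4`, while `version` here moves to `0.0.5`. If the Maven Central publish is intentionally deferred, a short comment on the commented-out line, e.g. `// re-enable once the Sonatype account and signing key are set up`, would keep the README and the build in step. The enclosing `dependencies {}` block of the second hunk starts outside the hunk.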


@@ -0,0 +1,41 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
// publish to Bintray
plugindev {
pluginId = 'dependency.check'
pluginName = 'dependency-check'
pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin'
pluginDescription 'This is dependency check gradle plugin.'
pluginLicenses 'Apache-2.0'
pluginTags 'dependency check', 'security'
authorId 'wmaintw'
authorName 'Wei Ma'
authorEmail 'wma@thoughtworks.com'
projectUrl 'https://github.com/wmaintw/DependencyCheck'
projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues'
projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git'
projectInceptionYear '2015'
done()
}
bintray {
user = bintrayUser
key = bintrayUserKey
pkg.repo = bintrayRepo
}
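Review bot: `user = bintrayUser` and `key = bintrayUserKey` read project properties eagerly at configuration time, and because `build.gradle` applies this script unconditionally, any Gradle invocation on a machine without those properties fails with a missing-property error before any task runs. Guarding them, e.g. `user = project.hasProperty('bintrayUser') ? project.bintrayUser : ''` and the same for `key`, lets contributors build and test without publishing credentials; the same applies to `sonatypeUsername`/`sonatypePassword` in `conf/publish/maven.gradle`. Since these are publishing secrets, a comment above the `bintray {}` block stating that the properties are expected from the user's `~/.gradle/gradle.properties` or the environment, never from a file committed to the repository, would document the intended setup.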


@@ -0,0 +1,32 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
// publish to gradle plugin portal
pluginBundle {
website = 'https://github.com/wmaintw/DependencyCheck'
vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git'
description = 'This is dependency check gradle plugin.'
tags = ['dependency check', 'security']
plugins {
dependencyCheckPlugin {
id = 'dependency.check'
displayName = 'dependency-check'
}
}
}


@@ -0,0 +1,26 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
//Local debug use only
uploadArchives {
repositories {
mavenDeployer {
repository(url: uri('../../../repo'))
}
}
}


@@ -0,0 +1,75 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
//upload to maven central
uploadArchives {
repositories {
mavenDeployer {
beforeDeployment { MavenDeployment deployment -> signing.signPom(deployment) }
repository(url: "https://oss.sonatype.org/service/local/staging/deploy/maven2/") {
authentication(userName: sonatypeUsername, password: sonatypePassword)
}
snapshotRepository(url: "https://oss.sonatype.org/content/repositories/snapshots/") {
authentication(userName: sonatypeUsername, password: sonatypePassword)
}
pom.project {
name 'Dependency Check Gradle Plugin'
packaging 'jar'
description 'Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies.'
url 'https://github.com/wmaintw/DependencyCheck/tree/master/dependency-check-gradle'
scm {
connection 'git@github.com:wmaintw/DependencyCheck.git'
developerConnection 'git@github.com:wmaintw/DependencyCheck.git'
url 'https://github.com/wmaintw/DependencyCheck'
}
licenses {
license {
name 'The Apache License, Version 2.0'
url 'http://www.apache.org/licenses/LICENSE-2.0.txt'
}
}
developers {
developer {
id 'wmaintw'
name 'Wei Ma'
email 'wma@thoughtworks.com'
}
}
}
}
}
}
task javadocJar(type: Jar) {
classifier = 'javadoc'
from javadoc
}
artifacts {
archives javadocJar, sourcesJar
}
signing {
sign configurations.archives
}
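Review bot: `archives javadocJar, sourcesJar` references a `sourcesJar` task that this script never defines, whereas `javadocJar` is defined just above it; if `sourcesJar` is expected to come from `build.gradle`, a comment such as `// sourcesJar is defined in build.gradle` would avoid a confusing failure when the script is applied on its own. The script is currently not applied (`apply from: 'conf/publish/maven.gradle'` is commented out in `build.gradle`), so the omission is latent rather than breaking today. `beforeDeployment { ... signing.signPom(deployment) }` also depends on the `signing` plugin being applied by the caller, which is worth stating in the header comment.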


@@ -23,4 +23,12 @@ class DependencyCheckConfigurationExtension {
Integer proxyPort
String proxyUsername = ""
String proxyPassword = ""
String cveUrl12Modified = "https://nvd.nist.gov/download/nvdcve-Modified.xml.gz"
String cveUrl20Modified = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz"
Integer cveStartYear = 2002
String cveUrl12Base = "https://nvd.nist.gov/download/nvdcve-%d.xml.gz"
String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz"
String outputDirectory = "./reports"
}
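Review bot: The new `cveUrl12Base`/`cveUrl20Base` defaults contain a `%d` placeholder and `cveStartYear` sits between them, but nothing documents that the placeholder is filled with each feed year from `cveStartYear` onward, so a build author overriding these values has no hint that the `%d` must be preserved. A comment above `cveStartYear` such as `// %d in the *Base URLs is replaced by each year from cveStartYear to the current year; keep it when overriding` would make the contract visible — the substitution is inferred from how the library uses these keys, so confirm the wording against dependency-check-core. The class header is outside this hunk.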


@@ -52,6 +52,7 @@ class DependencyCheckTask extends DefaultTask {
def initializeSettings() {
Settings.initialize()
overrideProxySetting()
overrideCveUrlSetting()
}
def verifyDependencies(engine) {
@@ -76,7 +77,12 @@ class DependencyCheckTask extends DefaultTask {
logger.lifecycle("Generating report for project ${currentProjectName}")
def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers,
new CveDB().databaseProperties)
reportGenerator.generateReports("./reports/${currentProjectName}", ReportGenerator.Format.ALL)
reportGenerator.generateReports(generateReportDirectory(currentProjectName), ReportGenerator.Format.ALL)
}
def generateReportDirectory(String currentProjectName) {
"${project.dependencyCheck.outputDirectory}/${currentProjectName}"
}
def overrideProxySetting() {
@@ -101,4 +107,12 @@ class DependencyCheckTask extends DefaultTask {
}
}.flatten();
}
def overrideCveUrlSetting() {
setString(Settings.KEYS.CVE_MODIFIED_20_URL, project.dependencyCheck.cveUrl20Modified)
setString(Settings.KEYS.CVE_MODIFIED_12_URL, project.dependencyCheck.cveUrl12Modified)
setString(Settings.KEYS.CVE_START_YEAR, "${project.dependencyCheck.cveStartYear}")
setString(Settings.KEYS.CVE_SCHEMA_2_0, project.dependencyCheck.cveUrl20Base)
setString(Settings.KEYS.CVE_SCHEMA_1_2, project.dependencyCheck.cveUrl12Base)
}
}
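Review bot: `overrideCveUrlSetting()` in the third hunk pushes the five extension values into `Settings` without checking them, and those values decide where the plugin downloads its vulnerability data from; a build script that sets one of them to `null`, an empty string or a plain `http://` URL is accepted silently and either fails late inside the update step or fetches the feed without transport protection. Since the values are under build-script control, it would be worth validating each URL before `setString`, e.g. `if (!url || !url.startsWith("https://")) throw new GradleException("CVE feed URL must be https: ${url}")` (with `org.gradle.api.GradleException` imported), and the same concern applies to the defaults introduced in `DependencyCheckConfigurationExtension`. In the second hunk, `generateReportDirectory` joins `outputDirectory` and the project name with a literal `/`, so an `outputDirectory` given with a trailing slash yields a `//` path; `new File(project.dependencyCheck.outputDirectory, currentProjectName).path` would normalize that. The body of `overrideProxySetting` between the second and third hunks lies outside the hunk view.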