diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index a7f10a66d..242f75a07 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md @@ -15,9 +15,53 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera Please refer to either one of the solution -#### Solution 1,Bintray +#### Solution 1,Install from Maven Central +```groovy +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath 'com.thoughtworks.tools:dependency-check:0.0.4' + } +} ``` + +apply plugin: 'dependency.check' + +#### Solution 2,Install from Gradle Plugin Portal + +[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check) + +**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:** + +```groovy +plugins { + id "dependency.check" version "0.0.4" +} +``` + +**Build script snippet for use in all Gradle versions:** + +```groovy +buildscript { + repositories { + maven { + url "https://plugins.gradle.org/m2/" + } + } + dependencies { + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4" + } +} + +apply plugin: "dependency.check" +``` + +#### Solution 3,Install from Bintray + +```groovy apply plugin: "dependency-check" buildscript { 
@@ -29,105 +73,12 @@ buildscript { } dependencies { classpath( - 'com.tools.security:dependency-check:0.0.3' + 'com.tools.security:dependency-check:0.0.4' ) } } ``` -#### Solution 2,Gradle Plugin Portal - -[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check) - -**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:** - -``` -// buildscript { -// ... -// } - -plugins { - id "dependency.check" version "0.0.3" -} - -// apply plugin: ... -``` - -**Build script snippet for use in all Gradle versions:** - -``` -buildscript { - repositories { - maven { - url "https://plugins.gradle.org/m2/" - } - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3" - } -} - -apply plugin: "dependency.check" -``` - -**If your project includes multiple sub-project, configure build script this way:** - -``` -buildscript { - repositories { - maven { - url "https://plugins.gradle.org/m2/" - } - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3" - } -} - -allprojects { - //other plugins you may use - //apply plugin: "java" - - apply plugin: "dependency-check" - - repositories { - mavenCentral() - } -} -``` - -or - -``` -buildscript { - repositories { - maven { - url "https://plugins.gradle.org/m2/" - } - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3" - } -} - -subprojects { - //other plugins you may use - //apply plugin: "java" - - apply plugin: "dependency-check" - - repositories { - mavenCentral() - } -} -``` - -In this way, the dependency check will be executed for all projects (including root project) or just sub projects. - -#### Solution 3,Maven Central - -working in progress - ### Step 2, Run gradle task Once gradle plugin applied, run following gradle task to check the dependencies: 
@@ -140,11 +91,18 @@ The reports will be generated automatically under `./reports` folder. If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory. -### What if you are behind a proxy? +## FAQ + +> **Questions List:** +> - What if I'm behind a proxy? +> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project? +> - How to customize the report directory? + +### What if I'm behind a proxy? Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin: -``` +```groovy dependencyCheck { proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy proxyPort = 3128 // required, the port number of the proxy 
@@ -156,3 +114,57 @@ dependencyCheck { // proxyPassword = "password" } ``` + +### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project? + +Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below: + +(1) For all projects including root project: + +```groovy +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4" + } +} + +allprojects { + apply plugin: "dependency-check" +} +``` + +(2) For all sub-projects: + +```groovy +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4" + } +} + +subprojects { + apply plugin: "dependency-check" +} +``` + +In this way, the dependency check will be executed for all projects (including root project) or just sub projects. + +### How to customize the report directory? + +By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this: + +```groovy +subprojects { + apply plugin: "dependency-check" + + dependencyCheck { + outputDirectory = "./customized-path/security-report" + } +} +``` \ No newline at end of file diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index f841e8595..479dbdcec 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle @@ -35,6 +35,7 @@ plugins { apply plugin: 'idea' apply plugin: 'groovy' apply plugin: 'maven' +apply plugin: 'signing' apply plugin: "com.gradle.plugin-publish" repositories { 
@@ -50,56 +51,10 @@ dependencies { ) } -group = 'com.tools.security' -version = '0.0.3' +group = 'com.thoughtworks.tools' +version = '0.0.5' -//------------------------------- -// Local debug use only -// -uploadArchives { - repositories { - mavenDeployer { - repository(url: uri('../../../repo')) - } - } -} -//------------------------------- - -// publish to Bintray -plugindev { - pluginId = 'dependency.check' - pluginName = 'dependency-check' - pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin' - pluginDescription 'This is dependency check gradle plugin.' - pluginLicenses 'Apache-2.0' - pluginTags 'dependency check', 'security' - authorId 'wmaintw' - authorName 'Wei Ma' - authorEmail 'wma@thoughtworks.com' - projectUrl 'https://github.com/wmaintw/DependencyCheck' - projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues' - projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git' - projectInceptionYear '2015' - done() -} - -bintray { - user = bintrayUser - key = bintrayUserKey - pkg.repo = bintrayRepo -} - -// publish to gradle plugin portal -pluginBundle { - website = 'https://github.com/wmaintw/DependencyCheck' - vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git' - description = 'This is dependency check gradle plugin.' - tags = ['dependency check', 'security'] - - plugins { - dependencyCheckPlugin { - id = 'dependency.check' - displayName = 'dependency-check' - } - } -} \ No newline at end of file +apply from: 'conf/publish/local.gradle' +//apply from: 'conf/publish/maven.gradle' +apply from: 'conf/publish/gradlePluginsPortal.gradle' +apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file \ No newline at end of file diff --git a/dependency-check-gradle/conf/publish/bintray.gradle b/dependency-check-gradle/conf/publish/bintray.gradle new file mode 100644 index 000000000..5dd533417 --- /dev/null 
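Review bot: `version = '0.0.5'` disagrees with the README changed in the same commit, whose Solution 1–3 snippets and FAQ examples all pin `0.0.4`, and Solution 1 documents Maven Central coordinates under `com.thoughtworks.tools` while `conf/publish/maven.gradle` is applied here only as a commented-out line. If 0.0.4 is the released version and 0.0.5 the next development version, a one-line comment above `version` saying so would stop readers from treating the README as stale; otherwise the two files should agree on one version. Commented-out `apply from` lines tend to rot, so consider gating the Maven Central script on a project property instead, e.g. `if (project.hasProperty('mavenCentralRelease')) apply from: 'conf/publish/maven.gradle'` (property name is an example). The long trailing comment on the last `apply from` line would read better on its own line above the statement, and `apply plugin: 'signing'` from the previous hunk is only exercised by that same commented-out script.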
+++ b/dependency-check-gradle/conf/publish/bintray.gradle @@ -0,0 +1,41 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + +// publish to Bintray +plugindev { + pluginId = 'dependency.check' + pluginName = 'dependency-check' + pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin' + pluginDescription 'This is dependency check gradle plugin.' + pluginLicenses 'Apache-2.0' + pluginTags 'dependency check', 'security' + authorId 'wmaintw' + authorName 'Wei Ma' + authorEmail 'wma@thoughtworks.com' + projectUrl 'https://github.com/wmaintw/DependencyCheck' + projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues' + projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git' + projectInceptionYear '2015' + done() +} + +bintray { + user = bintrayUser + key = bintrayUserKey + pkg.repo = bintrayRepo +} \ No newline at end of file diff --git a/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle b/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle new file mode 100644 index 000000000..a27ad77ba --- /dev/null +++ b/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle 
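Review bot: `bintray { user = bintrayUser; key = bintrayUserKey; pkg.repo = bintrayRepo }` reads three bare project properties at configuration time, and since `build.gradle` applies this script unconditionally, a checkout without those properties in `~/.gradle/gradle.properties` presumably fails with a `MissingPropertyException` before any task runs — including a plain `gradle build` by a contributor who will never publish. Keeping the API key out of the repository is right; resolve it tolerantly instead, e.g. `user = project.findProperty('bintrayUser')` (Gradle 2.13+, otherwise a `hasProperty` check) for each of the three, so the credentials are only required when the upload task actually executes; `conf/publish/maven.gradle` reads `sonatypeUsername`/`sonatypePassword` the same way. Separately, `projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git'` is an SSH URL that anonymous consumers of the published metadata cannot use; the `https://github.com/wmaintw/DependencyCheck.git` form is the conventional choice, and the same applies to `vcsUrl` in `conf/publish/gradlePluginsPortal.gradle` and the `scm` block in `conf/publish/maven.gradle`.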
@@ -0,0 +1,32 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + +// publish to gradle plugin portal +pluginBundle { + website = 'https://github.com/wmaintw/DependencyCheck' + vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git' + description = 'This is dependency check gradle plugin.' + tags = ['dependency check', 'security'] + + plugins { + dependencyCheckPlugin { + id = 'dependency.check' + displayName = 'dependency-check' + } + } +} \ No newline at end of file diff --git a/dependency-check-gradle/conf/publish/local.gradle b/dependency-check-gradle/conf/publish/local.gradle new file mode 100644 index 000000000..00a6edd62 --- /dev/null +++ b/dependency-check-gradle/conf/publish/local.gradle 
@@ -0,0 +1,26 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + +//Local debug use only +uploadArchives { + repositories { + mavenDeployer { + repository(url: uri('../../../repo')) + } + } +} \ No newline at end of file diff --git a/dependency-check-gradle/conf/publish/maven.gradle b/dependency-check-gradle/conf/publish/maven.gradle new file mode 100644 index 000000000..5f9787387 --- /dev/null +++ b/dependency-check-gradle/conf/publish/maven.gradle 
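Review bot: `repository(url: uri('../../../repo'))` resolves relative to the project directory and so deploys artifacts three levels above it, outside the checkout, and because `build.gradle` applies this script unconditionally every `uploadArchives` run — not only the local debugging the comment describes — writes there. Consider keeping it inside the build tree, e.g. `repository(url: uri("${buildDir}/repo"))`, or applying the script only when a project property is set. The header comment would also help readers more as `// Local debug only: publishes to a file-based Maven repository for trying the plugin from another build; not used for releases.`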
@@ -0,0 +1,75 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + +//upload to maven central +uploadArchives { + repositories { + mavenDeployer { + beforeDeployment { MavenDeployment deployment -> signing.signPom(deployment) } + + repository(url: "https://oss.sonatype.org/service/local/staging/deploy/maven2/") { + authentication(userName: sonatypeUsername, password: sonatypePassword) + } + + snapshotRepository(url: "https://oss.sonatype.org/content/repositories/snapshots/") { + authentication(userName: sonatypeUsername, password: sonatypePassword) + } + + pom.project { + name 'Dependency Check Gradle Plugin' + packaging 'jar' + description 'Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies.' 
+ url 'https://github.com/wmaintw/DependencyCheck/tree/master/dependency-check-gradle' + + scm { + connection 'git@github.com:wmaintw/DependencyCheck.git' + developerConnection 'git@github.com:wmaintw/DependencyCheck.git' + url 'https://github.com/wmaintw/DependencyCheck' + } + + licenses { + license { + name 'The Apache License, Version 2.0' + url 'http://www.apache.org/licenses/LICENSE-2.0.txt' + } + } + + developers { + developer { + id 'wmaintw' + name 'Wei Ma' + email 'wma@thoughtworks.com' + } + } + } + } + } +} + +task javadocJar(type: Jar) { + classifier = 'javadoc' + from javadoc +} + +artifacts { + archives javadocJar, sourcesJar +} + +signing { + sign configurations.archives +} \ No newline at end of file diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy index 53659cbbe..8e7a29ce3 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy @@ -23,4 +23,12 @@ class DependencyCheckConfigurationExtension { Integer proxyPort String proxyUsername = "" String proxyPassword = "" + + String cveUrl12Modified = "https://nvd.nist.gov/download/nvdcve-Modified.xml.gz" + String cveUrl20Modified = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz" + Integer cveStartYear = 2002 + String cveUrl12Base = "https://nvd.nist.gov/download/nvdcve-%d.xml.gz" + String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz" + + String outputDirectory = "./reports" } 
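Review bot: `artifacts { archives javadocJar, sourcesJar }` references `sourcesJar`, which this script does not define; unless `build.gradle` (not shown in this hunk) declares that task, applying the script fails on the missing name, so defining it next to `javadocJar` (`task sourcesJar(type: Jar) { classifier = 'sources'; from sourceSets.main.allSource }`) would make the file self-contained. The `scm` block uses raw SSH strings; the conventional Maven SCM form is `connection 'scm:git:https://github.com/wmaintw/DependencyCheck.git'` and `developerConnection 'scm:git:git@github.com:wmaintw/DependencyCheck.git'`. The license `url` could move to `https://www.apache.org/licenses/LICENSE-2.0.txt`, matching the https feed defaults introduced elsewhere in this commit. Since `build.gradle` applies this script only as a commented-out line, none of this is exercised yet.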
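Review bot: The five new `cve*` fields and `outputDirectory` carry no comments, so a user reading the extension cannot tell that `%d` in `cveUrl12Base`/`cveUrl20Base` is a placeholder or what `cveStartYear` bounds — presumably the feed year, given that `DependencyCheckTask.overrideCveUrlSetting` forwards them to dependency-check's `CVE_SCHEMA_*` and `CVE_START_YEAR` settings. Suggest a comment per group, e.g. `// NVD feed locations handed to dependency-check; %d is presumably replaced by the feed year, starting at cveStartYear` and `// Report root; the task interpolates it into the per-project report path as-is`. Because the URLs are user-overridable, that comment is also the place to say a mirror should stay on https so the vulnerability feeds are not altered in transit. The README FAQ added in this commit documents `outputDirectory` but says nothing about the CVE URL overrides.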
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy index f5d582194..7752dd767 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy @@ -52,6 +52,7 @@ class DependencyCheckTask extends DefaultTask { def initializeSettings() { Settings.initialize() overrideProxySetting() + overrideCveUrlSetting() } def verifyDependencies(engine) { @@ -76,7 +77,12 @@ class DependencyCheckTask extends DefaultTask { logger.lifecycle("Generating report for project ${currentProjectName}") def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers, new CveDB().databaseProperties) - reportGenerator.generateReports("./reports/${currentProjectName}", ReportGenerator.Format.ALL) + + reportGenerator.generateReports(generateReportDirectory(currentProjectName), ReportGenerator.Format.ALL) + } + + def generateReportDirectory(String currentProjectName) { + "${project.dependencyCheck.outputDirectory}/${currentProjectName}" } def overrideProxySetting() { @@ -101,4 +107,12 @@ class DependencyCheckTask extends DefaultTask { } }.flatten(); } + + def overrideCveUrlSetting() { + setString(Settings.KEYS.CVE_MODIFIED_20_URL, project.dependencyCheck.cveUrl20Modified) + setString(Settings.KEYS.CVE_MODIFIED_12_URL, project.dependencyCheck.cveUrl12Modified) + setString(Settings.KEYS.CVE_START_YEAR, "${project.dependencyCheck.cveStartYear}") + setString(Settings.KEYS.CVE_SCHEMA_2_0, project.dependencyCheck.cveUrl20Base) + setString(Settings.KEYS.CVE_SCHEMA_1_2, project.dependencyCheck.cveUrl12Base) + } }
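Review bot: `generateReportDirectory` returns `"${project.dependencyCheck.outputDirectory}/${currentProjectName}"` without resolving it against the project directory, so a relative `outputDirectory` — the default is `./reports` — lands in the Gradle JVM's working directory if `ReportGenerator.generateReports` opens it with `new File(String)`; that matches the old hard-coded path, but now that the location is user-configurable it deserves anchoring, e.g. `project.file("${project.dependencyCheck.outputDirectory}/${currentProjectName}").absolutePath`. The method would also benefit from a return type and a one-line comment, `// Per-project report directory under the configured output root`. The blank added line before the `generateReports` call appears accidental.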
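Review bot: `overrideCveUrlSetting` writes all five values unconditionally, so the plugin's hard-coded defaults always shadow whatever the bundled dependency-check properties specify, and a user who sets one of the `cveUrl*` fields to `null` or `""` pushes that straight into `Settings`, where a null value would presumably be rejected by the underlying `Properties`. A guard that only overrides when a value is present keeps the library's defaults authoritative and avoids the null case: `def overrideIfSet(String key, value) { if (value != null && "${value}".trim()) setString(key, "${value}") }`, called once per key. `cveStartYear` is formatted through a GString, which would turn a missing value into the literal `"null"`; the same guard covers that. `setString` is not visible in this hunk, so its null handling is inferred.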