From a86ff9dfd145231c0a12bda9d6a478f6397ef239 Mon Sep 17 00:00:00 2001
From: ma wei
Date: Tue, 2 Jun 2015 14:03:03 +0800
Subject: [PATCH 01/12] Add ability for user to configure CVE url in gradle build file

Former-commit-id: 186b03ff55c9cab1c7bd788e5ea5ba1f8e79241e
---
 .../DependencyCheckConfigurationExtension.groovy | 6 ++++++
 .../com/tools/security/tasks/DependencyCheckTask.groovy | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
index 53659cbbe..0a9f220fb 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
@@ -23,4 +23,10 @@ class DependencyCheckConfigurationExtension {
     Integer proxyPort
     String proxyUsername = ""
     String proxyPassword = ""
+
+    String cveUrl12Modified = "https://nvd.nist.gov/download/nvdcve-Modified.xml.gz"
+    String cveUrl20Modified = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz"
+    Integer cveStartYear = 2002
+    String cveUrl12Base = "https://nvd.nist.gov/download/nvdcve-%d.xml.gz"
+    String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz"
 }
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
index f5d582194..6413a89fe 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
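Review bot: The five new feed fields are plain strings with no comment saying what they must contain, and the two `*Base` values are evidently format templates (the `%d` next to `cveStartYear` is presumably replaced by a year) while the `*Modified` values are complete URLs; an override of `cveUrl20Base` that drops the `%d` placeholder produces a silently broken feed rather than a configuration error. Because these URLs decide which data the vulnerability report is built from, the comment should also make clear that an override is trusted input and should stay on https or a mirror the team controls. I would add above the group: `// NVD feed locations. The *Base values are format templates and must keep the %d year placeholder; overriding any of these changes the source of truth for the scan, so use https or a mirror you control.` The class header is only named in the hunk's `@@` context, so the rest of the class is outside this hunk.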
@@ -52,6 +52,7 @@ class DependencyCheckTask extends DefaultTask {
     def initializeSettings() {
         Settings.initialize()
         overrideProxySetting()
+        overrideCveUrlSetting()
     }
 
     def verifyDependencies(engine) {
@@ -101,4 +102,12 @@ class DependencyCheckTask extends DefaultTask {
             }
         }.flatten();
     }
+
+    def overrideCveUrlSetting() {
+        setString(Settings.KEYS.CVE_MODIFIED_20_URL, project.dependencyCheck.cveUrl20Modified)
+        setString(Settings.KEYS.CVE_MODIFIED_12_URL, project.dependencyCheck.cveUrl12Modified)
+        setString(Settings.KEYS.CVE_START_YEAR, "${project.dependencyCheck.cveStartYear}")
+        setString(Settings.KEYS.CVE_SCHEMA_2_0, project.dependencyCheck.cveUrl20Base)
+        setString(Settings.KEYS.CVE_SCHEMA_1_2, project.dependencyCheck.cveUrl12Base)
+    }
 }
From 6e281e0b66a4fe136c9ffc2ce149c777d7c9f403 Mon Sep 17 00:00:00 2001
From: ma wei
Date: Tue, 2 Jun 2015 14:14:06 +0800
Subject: [PATCH 02/12] Add gradle task to publish this plugin to Maven Central

Former-commit-id: dc5bfcbc382d7eb5f227c655214560082c8b9633
---
 dependency-check-gradle/build.gradle | 64 +++++++++++++++++++++++++++-
 1 file changed, 62 insertions(+), 2 deletions(-)

diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle
index 416626d8d..8efc63090 100644
--- a/dependency-check-gradle/build.gradle
+++ b/dependency-check-gradle/build.gradle
@@ -35,6 +35,7 @@ plugins {
 apply plugin: 'idea'
 apply plugin: 'groovy'
 apply plugin: 'maven'
+apply plugin: 'signing'
 apply plugin: "com.gradle.plugin-publish"
 
 repositories {
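Review bot: `overrideCveUrlSetting` writes all five extension values into `Settings` without checking them, so a build script that sets one of the URLs to null hands `setString` a null, and an unset `cveStartYear` becomes the literal string `"null"` through the GString; either way the problem only surfaces later when the feeds are fetched, not at configuration time. If, as the `%d` in the defaults suggests, the two base URLs are format templates, a guard before the writes fails fast on the common mistake: `if (!project.dependencyCheck.cveUrl20Base?.contains('%d')) throw new GradleException('cveUrl20Base must keep the %d year placeholder')`, with the same check for `cveUrl12Base` and a null check on the two Modified URLs. Whether `setString` tolerates a null value depends on the `Settings` class, which is not in this file. The enclosing class continues outside both hunks.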
@@ -56,14 +57,73 @@ version = '0.0.3' //------------------------------- // Local debug use only // +//uploadArchives { +// repositories { +// mavenDeployer { +// repository(url: uri('../../../repo')) +// } +// } +//} +//------------------------------- + + +// upload to maven central uploadArchives { repositories { mavenDeployer { - repository(url: uri('../../../repo')) + beforeDeployment { MavenDeployment deployment -> signing.signPom(deployment) } + + repository(url: "https://oss.sonatype.org/service/local/staging/deploy/maven2/") { + authentication(userName: sonatypeUsername, password: sonatypePassword) + } + + snapshotRepository(url: "https://oss.sonatype.org/content/repositories/snapshots/") { + authentication(userName: sonatypeUsername, password: sonatypePassword) + } + + pom.project { + name 'Dependency Check Gradle Plugin' + packaging 'jar' + description 'Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies.' + url 'https://github.com/wmaintw/DependencyCheck/tree/master/dependency-check-gradle' + + scm { + connection 'git@github.com:wmaintw/DependencyCheck.git' + developerConnection 'git@github.com:wmaintw/DependencyCheck.git' + url 'https://github.com/wmaintw/DependencyCheck' + } + + licenses { + license { + name 'The Apache License, Version 2.0' + url 'http://www.apache.org/licenses/LICENSE-2.0.txt' + } + } + + developers { + developer { + id 'wmaintw' + name 'Wei Ma' + email 'wma@thoughtworks.com' + } + } + } } } } -//------------------------------- + +task javadocJar(type: Jar) { + classifier = 'javadoc' + from javadoc +} + +artifacts { + archives javadocJar, sourcesJar +} + +signing { + sign configurations.archives +} // publish to Bintray plugindev { From 4e41187bf310011e2017255f490bc2881bee8ebb Mon Sep 17 00:00:00 2001 
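Review bot: `sonatypeUsername` and `sonatypePassword` are dereferenced as bare project properties inside `repository(...) { authentication(...) }`, and since the legacy `maven` plugin's `mavenDeployer` closure is, as far as I know, evaluated at configuration time, any checkout or CI job without those properties fails with a MissingPropertyException even for a plain `check` run, which is presumably why the block is later commented out again. Reading them defensively keeps the build usable everywhere and keeps the real values confined to `~/.gradle/gradle.properties` or environment variables rather than anything tracked: `authentication(userName: project.hasProperty('sonatypeUsername') ? project.sonatypeUsername : '', password: project.hasProperty('sonatypePassword') ? project.sonatypePassword : '')`. The `signing { sign configurations.archives }` block has the same dependency on `signing.keyId`, `signing.password` and `signing.secretKeyRingFile`, none of which appear in this hunk, and they must likewise live outside the repository. Separately, `connection 'git@github.com:...'` is not a Maven SCM URL; the POM form is `connection 'scm:git:git@github.com:wmaintw/DependencyCheck.git'` and the same for `developerConnection`.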
From: ma wei Date: Sat, 6 Jun 2015 10:28:52 +0800 Subject: [PATCH 03/12] Modify version to 0.0.4, changed the GroupId in order to release to MavenCentral Former-commit-id: 7f57d17742215afcf3a9e2b4aa82e93d7444439e --- dependency-check-gradle/build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index 8efc63090..d756ae679 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle @@ -51,8 +51,8 @@ dependencies { ) } -group = 'com.tools.security' -version = '0.0.3' +group = 'com.thoughtworks.tools' +version = '0.0.4' //------------------------------- // Local debug use only From 5e66f70cf0bee94ee886970ee1cda2b86ab7b93e Mon Sep 17 00:00:00 2001 From: ma wei Date: Sat, 6 Jun 2015 10:29:50 +0800 Subject: [PATCH 04/12] Update README, add usage for install plugin from MavenCentral Former-commit-id: 26c9119b6eeb042e46f9855a2c51c48a0675419b --- dependency-check-gradle/README.md | 181 ++++++++++++++---------------- 1 file changed, 85 insertions(+), 96 deletions(-) diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index a7f10a66d..f8734466c 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md 
@@ -15,7 +15,49 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera Please refer to either one of the solution -#### Solution 1,Bintray +#### Solution 1,Install from Maven Central + +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath 'com.thoughtworks.tools:dependency-check:0.0.4' + } +} + +apply plugin: 'dependency.check' + +#### Solution 2,Install from Gradle Plugin Portal + +[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check) + +**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:** + +``` +plugins { + id "dependency.check" version "0.0.4" +} +``` + +**Build script snippet for use in all Gradle versions:** + +``` +buildscript { + repositories { + maven { + url "https://plugins.gradle.org/m2/" + } + } + dependencies { + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4" + } +} + +apply plugin: "dependency.check" +``` + +#### Solution 3,Install from Bintray ``` apply plugin: "dependency-check" 
@@ -29,105 +71,12 @@ buildscript { } dependencies { classpath( - 'com.tools.security:dependency-check:0.0.3' + 'com.tools.security:dependency-check:0.0.4' ) } } ``` -#### Solution 2,Gradle Plugin Portal - -[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check) - -**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:** - -``` -// buildscript { -// ... -// } - -plugins { - id "dependency.check" version "0.0.3" -} - -// apply plugin: ... -``` - -**Build script snippet for use in all Gradle versions:** - -``` -buildscript { - repositories { - maven { - url "https://plugins.gradle.org/m2/" - } - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3" - } -} - -apply plugin: "dependency.check" -``` - -**If your project includes multiple sub-project, configure build script this way:** - -``` -buildscript { - repositories { - maven { - url "https://plugins.gradle.org/m2/" - } - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3" - } -} - -allprojects { - //other plugins you may use - //apply plugin: "java" - - apply plugin: "dependency-check" - - repositories { - mavenCentral() - } -} -``` - -or - -``` -buildscript { - repositories { - maven { - url "https://plugins.gradle.org/m2/" - } - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3" - } -} - -subprojects { - //other plugins you may use - //apply plugin: "java" - - apply plugin: "dependency-check" - - repositories { - mavenCentral() - } -} -``` - -In this way, the dependency check will be executed for all projects (including root project) or just sub projects. - -#### Solution 3,Maven Central - -working in progress - ### Step 2, Run gradle task Once gradle plugin applied, run following gradle task to check the dependencies: 
@@ -140,7 +89,9 @@ The reports will be generated automatically under `./reports` folder. If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory. -### What if you are behind a proxy? +### FAQ + +## What if I'm behind a proxy? Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin: @@ -156,3 +107,41 @@ dependencyCheck { // proxyPassword = "password" } ``` + +## What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?** + +Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below: + +(1) For all projects including root project: +``` +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4" + } +} + +allprojects { + apply plugin: "dependency-check" +} +``` + +(2) For all sub-projects: +``` +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4" + } +} + +subprojects { + apply plugin: "dependency-check" +} +``` + +In this way, the dependency check will be executed for all projects (including root project) or just sub projects. \ No newline at end of file From 28c2db9edc47f62a2f9ee5ae68a3c30962934267 Mon Sep 17 00:00:00 2001 From: ma wei Date: Sat, 6 Jun 2015 10:32:02 +0800 Subject: [PATCH 05/12] adjust format in README Former-commit-id: 6a905bf23bec0f939974d83d53941a54d0dd851a --- dependency-check-gradle/README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index f8734466c..f3b322e90 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md 
@@ -17,6 +17,7 @@ Please refer to either one of the solution #### Solution 1,Install from Maven Central +```groovy buildscript { repositories { mavenCentral() @@ -25,6 +26,7 @@ buildscript { classpath 'com.thoughtworks.tools:dependency-check:0.0.4' } } +``` apply plugin: 'dependency.check' @@ -89,9 +91,9 @@ The reports will be generated automatically under `./reports` folder. If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory. -### FAQ +## FAQ -## What if I'm behind a proxy? +### What if I'm behind a proxy? Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin: @@ -108,7 +110,7 @@ dependencyCheck { } ``` -## What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?** +### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?** Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below: From 80276d5e4dbf59bd2641b7127d45757b56109383 Mon Sep 17 00:00:00 2001 From: ma wei Date: Sat, 6 Jun 2015 10:33:43 +0800 Subject: [PATCH 06/12] adjust format in README Former-commit-id: 7bcc077020394df43130bcd35d60cf1063b6c815 --- dependency-check-gradle/README.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index f3b322e90..19af23fcd 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md @@ -36,7 +36,7 @@ apply plugin: 'dependency.check' **Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:** -``` +```groovy plugins { id "dependency.check" version "0.0.4" } 
@@ -44,7 +44,7 @@ plugins { **Build script snippet for use in all Gradle versions:** -``` +```groovy buildscript { repositories { maven { @@ -61,7 +61,7 @@ apply plugin: "dependency.check" #### Solution 3,Install from Bintray -``` +```groovy apply plugin: "dependency-check" buildscript { @@ -97,7 +97,7 @@ If your project includes multiple sub-projects, the report will be generated for Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin: -``` +```groovy dependencyCheck { proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy proxyPort = 3128 // required, the port number of the proxy @@ -110,12 +110,13 @@ dependencyCheck { } ``` -### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?** +### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project? Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below: (1) For all projects including root project: -``` + +```groovy buildscript { repositories { mavenCentral() @@ -131,7 +132,8 @@ allprojects { ``` (2) For all sub-projects: -``` + +```groovy buildscript { repositories { mavenCentral() From aa927e9168dc1bcca25bf17361162574af2420d2 Mon Sep 17 00:00:00 2001 
From: ma wei Date: Thu, 11 Jun 2015 10:11:07 +0800 Subject: [PATCH 07/12] refactor the build.gradle file, extract publish tasks to separated gradle file Former-commit-id: 539b8d16917a8a60e07a7f1466ce9ad0c84ca94e --- dependency-check-gradle/build.gradle | 113 +----------------- .../conf/publish/bintray.gradle | 23 ++++ .../conf/publish/gradlePluginsPortal.gradle | 14 +++ .../conf/publish/local.gradle | 8 ++ .../conf/publish/maven.gradle | 57 +++++++++ 5 files changed, 106 insertions(+), 109 deletions(-) create mode 100644 dependency-check-gradle/conf/publish/bintray.gradle create mode 100644 dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle create mode 100644 dependency-check-gradle/conf/publish/local.gradle create mode 100644 dependency-check-gradle/conf/publish/maven.gradle diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index d756ae679..9176ae9b8 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle 
@@ -54,112 +54,7 @@ dependencies { group = 'com.thoughtworks.tools' version = '0.0.4' -//------------------------------- -// Local debug use only -// -//uploadArchives { -// repositories { -// mavenDeployer { -// repository(url: uri('../../../repo')) -// } -// } -//} -//------------------------------- - - -// upload to maven central -uploadArchives { - repositories { - mavenDeployer { - beforeDeployment { MavenDeployment deployment -> signing.signPom(deployment) } - - repository(url: "https://oss.sonatype.org/service/local/staging/deploy/maven2/") { - authentication(userName: sonatypeUsername, password: sonatypePassword) - } - - snapshotRepository(url: "https://oss.sonatype.org/content/repositories/snapshots/") { - authentication(userName: sonatypeUsername, password: sonatypePassword) - } - - pom.project { - name 'Dependency Check Gradle Plugin' - packaging 'jar' - description 'Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies.' - url 'https://github.com/wmaintw/DependencyCheck/tree/master/dependency-check-gradle' - - scm { - connection 'git@github.com:wmaintw/DependencyCheck.git' - developerConnection 'git@github.com:wmaintw/DependencyCheck.git' - url 'https://github.com/wmaintw/DependencyCheck' - } - - licenses { - license { - name 'The Apache License, Version 2.0' - url 'http://www.apache.org/licenses/LICENSE-2.0.txt' - } - } - - developers { - developer { - id 'wmaintw' - name 'Wei Ma' - email 'wma@thoughtworks.com' - } - } - } - } - } -} - -task javadocJar(type: Jar) { - classifier = 'javadoc' - from javadoc -} - -artifacts { - archives javadocJar, sourcesJar -} - -signing { - sign configurations.archives -} - -// publish to Bintray -plugindev { - pluginId = 'dependency.check' - pluginName = 'dependency-check' - pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin' - pluginDescription 'This is dependency check gradle plugin.' 
- pluginLicenses 'Apache-2.0' - pluginTags 'dependency check', 'security' - authorId 'wmaintw' - authorName 'Wei Ma' - authorEmail 'wma@thoughtworks.com' - projectUrl 'https://github.com/wmaintw/DependencyCheck' - projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues' - projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git' - projectInceptionYear '2015' - done() -} - -bintray { - user = bintrayUser - key = bintrayUserKey - pkg.repo = bintrayRepo -} - -// publish to gradle plugin portal -pluginBundle { - website = 'https://github.com/wmaintw/DependencyCheck' - vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git' - description = 'This is dependency check gradle plugin.' - tags = ['dependency check', 'security'] - - plugins { - dependencyCheckPlugin { - id = 'dependency.check' - displayName = 'dependency-check' - } - } -} \ No newline at end of file +apply from: 'conf/publish/local.gradle' +//apply from: 'conf/publish/maven.gradle' +apply from: 'conf/publish/gradlePluginsPortal.gradle' +apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file \ No newline at end of file diff --git a/dependency-check-gradle/conf/publish/bintray.gradle b/dependency-check-gradle/conf/publish/bintray.gradle new file mode 100644 index 000000000..ba8f0ad6a --- /dev/null +++ b/dependency-check-gradle/conf/publish/bintray.gradle 
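Review bot: The publish target is now selected by commenting lines in and out (`apply from: 'conf/publish/local.gradle'` is live, `maven.gradle` is disabled), and because both of those scripts configure `uploadArchives.repositories.mavenDeployer`, enabling both at once leaves whichever is applied last deciding where the artifacts go. A property-driven switch avoids editing the build file before every release and avoids an accidental commit of the toggled line: `apply from: "conf/publish/${project.hasProperty('publishTo') ? project.publishTo : 'local'}.gradle"`. That also makes it explicit in the command line, rather than in a comment, whether a run uploads to the relative `../../../repo` path or to Sonatype.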
@@ -0,0 +1,23 @@
+// publish to Bintray
+plugindev {
+    pluginId = 'dependency.check'
+    pluginName = 'dependency-check'
+    pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin'
+    pluginDescription 'This is dependency check gradle plugin.'
+    pluginLicenses 'Apache-2.0'
+    pluginTags 'dependency check', 'security'
+    authorId 'wmaintw'
+    authorName 'Wei Ma'
+    authorEmail 'wma@thoughtworks.com'
+    projectUrl 'https://github.com/wmaintw/DependencyCheck'
+    projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues'
+    projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git'
+    projectInceptionYear '2015'
+    done()
+}
+
+bintray {
+    user = bintrayUser
+    key = bintrayUserKey
+    pkg.repo = bintrayRepo
+}
\ No newline at end of file
diff --git a/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle b/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle
new file mode 100644
index 000000000..198ca9a76
--- /dev/null
+++ b/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle
@@ -0,0 +1,14 @@
+// publish to gradle plugin portal
+pluginBundle {
+    website = 'https://github.com/wmaintw/DependencyCheck'
+    vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git'
+    description = 'This is dependency check gradle plugin.'
+    tags = ['dependency check', 'security']
+
+    plugins {
+        dependencyCheckPlugin {
+            id = 'dependency.check'
+            displayName = 'dependency-check'
+        }
+    }
+}
\ No newline at end of file
diff --git a/dependency-check-gradle/conf/publish/local.gradle b/dependency-check-gradle/conf/publish/local.gradle
new file mode 100644
index 000000000..e9b2f9d9a
--- /dev/null
+++ b/dependency-check-gradle/conf/publish/local.gradle
@@ -0,0 +1,8 @@
+//Local debug use only
+uploadArchives {
+    repositories {
+        mavenDeployer {
+            repository(url: uri('../../../repo'))
+        }
+    }
+}
\ No newline at end of file
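Review bot: The `bintray { user = bintrayUser; key = bintrayUserKey; pkg.repo = bintrayRepo }` block dereferences three bare project properties, and since extension closures like this are presumably evaluated at configuration time, a checkout without them defined cannot configure the build at all once `build.gradle` applies this script. Reading them defensively keeps the build green for contributors and CI, `user = project.hasProperty('bintrayUser') ? project.bintrayUser : ''`, with the same for `key` and `pkg.repo`. A header comment should also state where the values are expected to come from: `// bintrayUser / bintrayUserKey / bintrayRepo are read from ~/.gradle/gradle.properties or ORG_GRADLE_PROJECT_* environment variables; never put them in a tracked file.` The API key is a long-lived write credential for the published plugin, so it warrants the same care as the Sonatype password.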
diff --git a/dependency-check-gradle/conf/publish/maven.gradle b/dependency-check-gradle/conf/publish/maven.gradle
new file mode 100644
index 000000000..ea83a7c5e
--- /dev/null
+++ b/dependency-check-gradle/conf/publish/maven.gradle
@@ -0,0 +1,57 @@
+//upload to maven central
+uploadArchives {
+    repositories {
+        mavenDeployer {
+            beforeDeployment { MavenDeployment deployment -> signing.signPom(deployment) }
+
+            repository(url: "https://oss.sonatype.org/service/local/staging/deploy/maven2/") {
+                authentication(userName: sonatypeUsername, password: sonatypePassword)
+            }
+
+            snapshotRepository(url: "https://oss.sonatype.org/content/repositories/snapshots/") {
+                authentication(userName: sonatypeUsername, password: sonatypePassword)
+            }
+
+            pom.project {
+                name 'Dependency Check Gradle Plugin'
+                packaging 'jar'
+                description 'Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies.'
+                url 'https://github.com/wmaintw/DependencyCheck/tree/master/dependency-check-gradle'
+
+                scm {
+                    connection 'git@github.com:wmaintw/DependencyCheck.git'
+                    developerConnection 'git@github.com:wmaintw/DependencyCheck.git'
+                    url 'https://github.com/wmaintw/DependencyCheck'
+                }
+
+                licenses {
+                    license {
+                        name 'The Apache License, Version 2.0'
+                        url 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+                    }
+                }
+
+                developers {
+                    developer {
+                        id 'wmaintw'
+                        name 'Wei Ma'
+                        email 'wma@thoughtworks.com'
+                    }
+                }
+            }
+        }
+    }
+}
+
+task javadocJar(type: Jar) {
+    classifier = 'javadoc'
+    from javadoc
+}
+
+artifacts {
+    archives javadocJar, sourcesJar
+}
+
+signing {
+    sign configurations.archives
+}
\ No newline at end of file
From e537ce155edb7b5b8d4d3fa5867581091e2dc0f0 Mon Sep 17 00:00:00 2001
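Review bot: `artifacts { archives javadocJar, sourcesJar }` and `signing { sign configurations.archives }` depend on a `sourcesJar` task and on the `maven` and `signing` plugins being set up by whichever build file applies this script, none of which is declared or mentioned here, so once the file lives under `conf/publish/` it no longer explains its own preconditions. A header comment would close that gap: `// Applied from build.gradle, which must have applied 'maven' and 'signing' and defined sourcesJar. sonatypeUsername, sonatypePassword and the signing.* properties are read from ~/.gradle/gradle.properties or the environment, never from a tracked file.` The `url 'http://www.apache.org/licenses/LICENSE-2.0.txt'` inside `licenses` is published into the POM that consumers read and can be `https://`.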
From: ma wei
Date: Tue, 7 Jul 2015 13:45:21 +0800
Subject: [PATCH 08/12] upgrade the version of dependency check utils

Former-commit-id: 34ef2d92888cf2e108cc0759fd1ba04fb795abe3
---
 dependency-check-gradle/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle
index 9176ae9b8..8ecbcffc1 100644
--- a/dependency-check-gradle/build.gradle
+++ b/dependency-check-gradle/build.gradle
@@ -47,7 +47,7 @@ dependencies {
         localGroovy(),
         gradleApi(),
         'org.owasp:dependency-check-core:1.2.11',
-        'org.owasp:dependency-check-utils:1.2.10'
+        'org.owasp:dependency-check-utils:1.2.11'
     )
 }
 
From b8a32eb0866729befc85c53d55dbef28a3aced8a Mon Sep 17 00:00:00 2001
From: ma wei
Date: Tue, 7 Jul 2015 13:45:55 +0800
Subject: [PATCH 09/12] add ability for customize report output directory

Former-commit-id: fdf53b2768ecd38f16de676ddd35e63fcd1cfad0
---
 .../extension/DependencyCheckConfigurationExtension.groovy | 2 ++
 .../com/tools/security/tasks/DependencyCheckTask.groovy | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
index 0a9f220fb..8e7a29ce3 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
@@ -29,4 +29,6 @@ class DependencyCheckConfigurationExtension {
     Integer cveStartYear = 2002
     String cveUrl12Base = "https://nvd.nist.gov/download/nvdcve-%d.xml.gz"
     String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz"
+
+    String outputDirectory = "./reports"
 }
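Review bot: `outputDirectory = "./reports"` is a relative path and nothing in the extension says what it is relative to; the task in the following commit concatenates it into a string for the report generator, so a relative value is presumably resolved against the working directory of the Gradle process rather than the applying project's directory, which differ in multi-project builds and under the daemon. That should be stated on the field until the task resolves it through Gradle: `// Root directory for generated reports; a relative value is resolved against the Gradle process's working directory, not project.projectDir`. The class header is only named in the `@@` context, so the rest of the class is outside this hunk.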
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
index 6413a89fe..7752dd767 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
@@ -77,7 +77,12 @@ class DependencyCheckTask extends DefaultTask {
         logger.lifecycle("Generating report for project ${currentProjectName}")
         def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers, new CveDB().databaseProperties)
-        reportGenerator.generateReports("./reports/${currentProjectName}", ReportGenerator.Format.ALL)
+
+        reportGenerator.generateReports(generateReportDirectory(currentProjectName), ReportGenerator.Format.ALL)
+    }
+
+    def generateReportDirectory(String currentProjectName) {
+        "${project.dependencyCheck.outputDirectory}/${currentProjectName}"
     }
 
     def overrideProxySetting() {
From ed3c806869be7631d3e740ad589ff08df50632aa Mon Sep 17 00:00:00 2001
From: ma wei
Date: Tue, 7 Jul 2015 13:57:15 +0800
Subject: [PATCH 10/12] update the version of dependency-check-gradle to 0.0.5

Former-commit-id: facbe13d3bd077b5540e8c20d6b3b1bb3d1b4e3f
---
 dependency-check-gradle/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle
index 8ecbcffc1..479dbdcec 100644
--- a/dependency-check-gradle/build.gradle
+++ b/dependency-check-gradle/build.gradle
@@ -52,7 +52,7 @@ dependencies {
 }
 
 group = 'com.thoughtworks.tools'
-version = '0.0.4'
+version = '0.0.5'
 
 apply from: 'conf/publish/local.gradle'
 //apply from: 'conf/publish/maven.gradle'
From fed5d3efc0fc930a037b1c5dac8d2df1471f7f79 Mon Sep 17 00:00:00 2001
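Review bot: `generateReportDirectory` assembles the report path by string concatenation, `"${project.dependencyCheck.outputDirectory}/${currentProjectName}"`, so a relative `outputDirectory` (the default `./reports`) is handed to the report generator unresolved and is presumably interpreted relative to the Gradle process's working directory, not this project's directory; the `.` separator is also hard-coded. Resolving through Gradle anchors the path to the project and normalises it: `new File(project.file(project.dependencyCheck.outputDirectory), currentProjectName).path`. If the intent is that all sub-projects write under one root-relative directory, that should be documented on the extension rather than depending on where the build was launched from. The method this hunk edits starts outside the hunk, and the class continues past it.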
From: ma wei Date: Tue, 7 Jul 2015 14:08:48 +0800 Subject: [PATCH 11/12] add read-me info about customize report output directory Former-commit-id: be8ba701e31f0c90fd686e90ebbf752b96665521 --- dependency-check-gradle/README.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index 19af23fcd..242f75a07 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md @@ -93,6 +93,11 @@ If your project includes multiple sub-projects, the report will be generated for ## FAQ +> **Questions List:** +> - What if I'm behind a proxy? +> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project? +> - How to customize the report directory? + ### What if I'm behind a proxy? Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin: @@ -148,4 +153,18 @@ subprojects { } ``` -In this way, the dependency check will be executed for all projects (including root project) or just sub projects. \ No newline at end of file +In this way, the dependency check will be executed for all projects (including root project) or just sub projects. + +### How to customize the report directory? + +By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this: + +```groovy +subprojects { + apply plugin: "dependency-check" + + dependencyCheck { + outputDirectory = "./customized-path/security-report" + } +} +``` \ No newline at end of file From 5b2353e612c0dcbb25acb1453204a7e9e5e30517 Mon Sep 17 00:00:00 2001 
From: ma wei Date: Thu, 9 Jul 2015 10:20:12 +0800 Subject: [PATCH 12/12] add license information for these gradle script files Former-commit-id: 1ecf5c52dc82e1fd55172385f303dc5022bad801 --- .../conf/publish/bintray.gradle | 18 ++++++++++++++++++ .../conf/publish/gradlePluginsPortal.gradle | 18 ++++++++++++++++++ .../conf/publish/local.gradle | 18 ++++++++++++++++++ .../conf/publish/maven.gradle | 18 ++++++++++++++++++ 4 files changed, 72 insertions(+) diff --git a/dependency-check-gradle/conf/publish/bintray.gradle b/dependency-check-gradle/conf/publish/bintray.gradle index ba8f0ad6a..5dd533417 100644 --- a/dependency-check-gradle/conf/publish/bintray.gradle +++ b/dependency-check-gradle/conf/publish/bintray.gradle @@ -1,3 +1,21 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + // publish to Bintray plugindev { pluginId = 'dependency.check' diff --git a/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle b/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle index 198ca9a76..a27ad77ba 100644 --- a/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle +++ b/dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle 
@@ -1,3 +1,21 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + // publish to gradle plugin portal pluginBundle { website = 'https://github.com/wmaintw/DependencyCheck' diff --git a/dependency-check-gradle/conf/publish/local.gradle b/dependency-check-gradle/conf/publish/local.gradle index e9b2f9d9a..00a6edd62 100644 --- a/dependency-check-gradle/conf/publish/local.gradle +++ b/dependency-check-gradle/conf/publish/local.gradle @@ -1,3 +1,21 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + //Local debug use only uploadArchives { repositories { diff --git a/dependency-check-gradle/conf/publish/maven.gradle b/dependency-check-gradle/conf/publish/maven.gradle index ea83a7c5e..5f9787387 100644 
--- a/dependency-check-gradle/conf/publish/maven.gradle +++ b/dependency-check-gradle/conf/publish/maven.gradle @@ -1,3 +1,21 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + //upload to maven central uploadArchives { repositories {