Ruby Analyzer: Added bundle-audit analyzer. So far just launches if available and logs the output.

2026-01-18 17:47:05 +01:00 · 2015-08-18 16:59:39 -04:00
parent 88569cb369
commit 5c32ecd8e1
6 changed files with 220 additions and 4 deletions
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -27,6 +27,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import org.apache.commons.cli.ParseException;
+import org.apache.commons.lang.StringUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -354,6 +355,10 @@ public class App {
        if (pathToMono != null && !pathToMono.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        }
+        String pathToBundleAudit = cli.getPathToBundleAudit();
+        if (!StringUtils.isEmpty(pathToBundleAudit)){
+            Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, pathToBundleAudit);
+        }
        if (cveBase12 != null && !cveBase12.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveBase12);
            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveBase20);
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -328,6 +328,10 @@ public final class CliParser {
                .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
                .create();

+        final Option pathToBundleAudit = OptionBuilder.withArgName("path").hasArg()
+                .withLongOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
+                .withDescription("The path to bundle-audit for Gem bundle analysis.").create();
+
        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT)
                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
                .create(ARGUMENT.CONNECTION_TIMEOUT_SHORT);
@@ -426,7 +430,8 @@ public final class CliParser {
                .addOption(nexusUrl)
                .addOption(nexusUsesProxy)
                .addOption(additionalZipExtensions)
-                .addOption(pathToMono);
+                .addOption(pathToMono)
+                .addOption(pathToBundleAudit);
    }

    /**
@@ -690,6 +695,15 @@ public final class CliParser {
        return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
    }

+    /**
+     * Returns the path to bundle-audit for Ruby bundle analysis.
+     *
+     * @return the path to Mono
+     */
+    public String getPathToBundleAudit() {
+        return line.getOptionValue(ARGUMENT.PATH_TO_BUNDLE_AUDIT);
+    }
+
    /**
     * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
     *
@@ -1160,5 +1174,9 @@ public final class CliParser {
         * Exclude path argument.
         */
        public static final String EXCLUDE = "exclude";
+        /**
+         * The CLI argument name for setting the path to bundle-audit for Ruby bundle analysis.
+         */
+        public static final String PATH_TO_BUNDLE_AUDIT = "bundleAudit";
    }
 }