renamed modules and fixed errors with various lifecycle stages

This commit is contained in:
Jeremy Long
2018-01-25 06:54:01 -05:00
parent 3736161e39
commit 62a5db6b8b
740 changed files with 40 additions and 12 deletions


@@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<assembly
xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
http://maven.apache.org/xsd/assembly-1.1.2.xsd
"
>
<id>release</id>
<formats>
<format>zip</format>
</formats>
<includeBaseDirectory>false</includeBaseDirectory>
<!--fileSets>
<fileSet>
<outputDirectory>dependency-check</outputDirectory>
<directory>${project.build.directory}</directory>
<includes>
<include>dependency-check*.jar</include>
</includes>
</fileSet>
</fileSets-->
<files>
<file>
<source>${project.build.directory}/${project.artifactId}-${project.version}.jar</source>
<outputDirectory>dependency-check-ant</outputDirectory>
<destName>dependency-check-ant.jar</destName>
</file>
</files>
<dependencySets>
<dependencySet>
<outputDirectory>dependency-check-ant/lib</outputDirectory>
<scope>runtime</scope>
</dependencySet>
</dependencySets>
</assembly>
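Review bot: The `<!--fileSets> … </fileSets-->` block is commented-out configuration that the `<files>` entry below supersedes; disabled markup in an assembly descriptor is easy to re-enable by accident, and this particular fileSet would package every `dependency-check*.jar` found in the build directory rather than the single named artifact. Delete the block, or if it is kept for reference replace it with a one-line comment stating why the named `<file>` form was chosen, e.g. `<!-- one explicitly named jar rather than a glob, so the zip contains exactly the built artifact -->`.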


@@ -0,0 +1,278 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
*/
package org.owasp.dependencycheck.ant.logging;
import org.apache.tools.ant.Project;
import org.apache.tools.ant.Task;
import org.slf4j.helpers.FormattingTuple;
import org.slf4j.helpers.MarkerIgnoringBase;
import org.slf4j.helpers.MessageFormatter;
/**
* An instance of {@link org.slf4j.Logger} which simply calls the log method on
* the delegate Ant task.
*
* @author colezlaw
*/
public class AntLoggerAdapter extends MarkerIgnoringBase {
/**
* serialization UID.
*/
private static final long serialVersionUID = -1337;
/**
* A reference to the Ant task used for logging.
*/
private transient Task task;
/**
* Constructs an Ant Logger Adapter.
*
* @param task the Ant Task to use for logging
*/
public AntLoggerAdapter(Task task) {
super();
this.task = task;
}
/**
* Sets the current Ant task to use for logging.
*
* @param task the Ant task to use for logging
*/
public void setTask(Task task) {
this.task = task;
}
@Override
public boolean isTraceEnabled() {
// Might be a more efficient way to do this, but Ant doesn't enable or disable
// various levels globally - it just fires things at registered Listeners.
return true;
}
@Override
public void trace(String msg) {
if (task != null) {
task.log(msg, Project.MSG_VERBOSE);
}
}
@Override
public void trace(String format, Object arg) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_VERBOSE);
}
}
@Override
public void trace(String format, Object arg1, Object arg2) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_VERBOSE);
}
}
@Override
public void trace(String format, Object... arguments) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_VERBOSE);
}
}
@Override
public void trace(String msg, Throwable t) {
if (task != null) {
task.log(msg, t, Project.MSG_VERBOSE);
}
}
@Override
public boolean isDebugEnabled() {
return true;
}
@Override
public void debug(String msg) {
if (task != null) {
task.log(msg, Project.MSG_DEBUG);
}
}
@Override
public void debug(String format, Object arg) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_DEBUG);
}
}
@Override
public void debug(String format, Object arg1, Object arg2) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_DEBUG);
}
}
@Override
public void debug(String format, Object... arguments) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_DEBUG);
}
}
@Override
public void debug(String msg, Throwable t) {
if (task != null) {
task.log(msg, t, Project.MSG_DEBUG);
}
}
@Override
public boolean isInfoEnabled() {
return true;
}
@Override
public void info(String msg) {
if (task != null) {
task.log(msg, Project.MSG_INFO);
}
}
@Override
public void info(String format, Object arg) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_INFO);
}
}
@Override
public void info(String format, Object arg1, Object arg2) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_INFO);
}
}
@Override
public void info(String format, Object... arguments) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_INFO);
}
}
@Override
public void info(String msg, Throwable t) {
if (task != null) {
task.log(msg, t, Project.MSG_INFO);
}
}
@Override
public boolean isWarnEnabled() {
return true;
}
@Override
public void warn(String msg) {
if (task != null) {
task.log(msg, Project.MSG_WARN);
}
}
@Override
public void warn(String format, Object arg) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_WARN);
}
}
@Override
public void warn(String format, Object... arguments) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_WARN);
}
}
@Override
public void warn(String format, Object arg1, Object arg2) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_WARN);
}
}
@Override
public void warn(String msg, Throwable t) {
if (task != null) {
task.log(msg, t, Project.MSG_WARN);
}
}
@Override
public boolean isErrorEnabled() {
return true;
}
@Override
public void error(String msg) {
if (task != null) {
task.log(msg, Project.MSG_ERR);
}
}
@Override
public void error(String format, Object arg) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_ERR);
}
}
@Override
public void error(String format, Object arg1, Object arg2) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_ERR);
}
}
@Override
public void error(String format, Object... arguments) {
if (task != null) {
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_ERR);
}
}
@Override
public void error(String msg, Throwable t) {
if (task != null) {
task.log(msg, t, Project.MSG_ERR);
}
}
}
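Review bot: The formatted overloads (`trace`/`debug`/`info`/`warn`/`error` taking `Object arg`, `Object arg1, Object arg2` and `Object... arguments`) discard `tp.getThrowable()`: SLF4J's `MessageFormatter` extracts a trailing `Throwable` from the argument list when there are more arguments than `{}` placeholders, so a core call such as `LOGGER.error("failed to process {}", file, ex)` reaches Ant without its stack trace. In each of those methods replace `task.log(tp.getMessage(), Project.MSG_ERR);` (and the other levels) with `task.log(tp.getMessage(), tp.getThrowable(), Project.MSG_ERR);`; that is the same `Task.log(String, Throwable, int)` overload the `(String msg, Throwable t)` variants already use, and as far as I can tell from Ant's `Project.log` chain it tolerates a null throwable, which is worth confirming against the Ant version on the classpath. For a scanning task the exception is usually the only diagnostic when an update or analyzer fails and the report comes out incomplete, so losing it is more than cosmetic.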


@@ -0,0 +1,56 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
*/
package org.owasp.dependencycheck.ant.logging;
import org.apache.tools.ant.Task;
import org.slf4j.ILoggerFactory;
import org.slf4j.Logger;
/**
* An implementation of {@link org.slf4j.ILoggerFactory} which always returns {@link AntLoggerAdapter} instances.
*
* @author colezlaw
*/
public class AntLoggerFactory implements ILoggerFactory {
/**
* A reference to the Ant logger Adapter.
*/
private final AntLoggerAdapter antLoggerAdapter;
/**
* Constructs a new Ant Logger Factory.
*
* @param task the Ant task to use for logging
*/
public AntLoggerFactory(Task task) {
super();
this.antLoggerAdapter = new AntLoggerAdapter(task);
}
/**
* Returns the Ant logger adapter.
*
* @param name ignored in this implementation
* @return the Ant logger adapter
*/
@Override
public Logger getLogger(String name) {
return antLoggerAdapter;
}
}


@@ -0,0 +1,4 @@
/**
* This package includes the Ant task definitions.
*/
package org.owasp.dependencycheck.ant.logging;
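Review bot: The package description is attached to the wrong package: this file declares `org.owasp.dependencycheck.ant.logging` but its Javadoc says it "includes the Ant task definitions", while the `package-info` for `org.owasp.dependencycheck.taskdefs` later in this commit says it holds the slf4j logging implementation that wraps the Ant logger. The two comments appear to have been swapped during the module rename; this one should read `This package contains the slf4j logging implementation that wraps the Ant logger.` and the taskdefs one `This package contains the Ant task definitions.` (which also removes the stray "the a" in the taskdefs comment).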



@@ -0,0 +1,174 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.taskdefs;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.Project;
import org.apache.tools.ant.Task;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.impl.StaticLoggerBinder;
/**
* An Ant task definition to execute dependency-check during an Ant build.
*
* @author Jeremy Long
*/
public class Purge extends Task {
/**
* The properties file location.
*/
private static final String PROPERTIES_FILE = "task.properties";
/**
* The configured settings.
*/
private Settings settings;
/**
* The location of the data directory that contains
*/
private String dataDirectory = null;
/**
* Indicates if dependency-check should fail the build if an exception
* occurs.
*/
private boolean failOnError = true;
/**
* Construct a new DependencyCheckTask.
*/
public Purge() {
super();
// Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
// core end up coming through this tasks logger
StaticLoggerBinder.getSingleton().setTask(this);
}
public Settings getSettings() {
return settings;
}
/**
* Get the value of dataDirectory.
*
* @return the value of dataDirectory
*/
public String getDataDirectory() {
return dataDirectory;
}
/**
* Set the value of dataDirectory.
*
* @param dataDirectory new value of dataDirectory
*/
public void setDataDirectory(String dataDirectory) {
this.dataDirectory = dataDirectory;
}
/**
* Get the value of failOnError.
*
* @return the value of failOnError
*/
public boolean isFailOnError() {
return failOnError;
}
/**
* Set the value of failOnError.
*
* @param failOnError new value of failOnError
*/
public void setFailOnError(boolean failOnError) {
this.failOnError = failOnError;
}
/**
* Executes the dependency-check purge to delete the existing local copy of
* the NVD CVE data.
*
* @throws BuildException thrown if there is a problem deleting the file(s)
*/
@Override
public void execute() throws BuildException {
populateSettings();
File db;
try {
db = new File(settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
} else {
final String msg = String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath());
if (this.failOnError) {
throw new BuildException(msg);
}
log(msg, Project.MSG_ERR);
}
} else {
final String msg = String.format("Unable to purge database; the database file does not exist: %s", db.getAbsolutePath());
if (this.failOnError) {
throw new BuildException(msg);
}
log(msg, Project.MSG_ERR);
}
} catch (IOException ex) {
final String msg = "Unable to delete the database";
if (this.failOnError) {
throw new BuildException(msg);
}
log(msg, Project.MSG_ERR);
} finally {
settings.cleanup(true);
}
}
/**
* Takes the properties supplied and updates the dependency-check settings.
* Additionally, this sets the system properties required to change the
* proxy server, port, and connection timeout.
*
* @throws BuildException thrown if the properties file cannot be read.
*/
protected void populateSettings() throws BuildException {
settings = new Settings();
try (InputStream taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE)) {
settings.mergeProperties(taskProperties);
} catch (IOException ex) {
final String msg = "Unable to load the dependency-check ant task.properties file.";
if (this.failOnError) {
throw new BuildException(msg, ex);
}
log(msg, ex, Project.MSG_WARN);
}
if (dataDirectory != null) {
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
final File jarPath = new File(Purge.class.getProtectionDomain().getCodeSource().getLocation().getPath());
final File base = jarPath.getParentFile();
final String sub = settings.getString(Settings.KEYS.DATA_DIRECTORY);
final File dataDir = new File(base, sub);
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
}
}
}
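Review bot: The `catch (IOException ex)` in `execute()` drops the cause: it throws `new BuildException(msg)` and calls `log(msg, Project.MSG_ERR)` without `ex`, whereas the same pattern in `populateSettings()` correctly passes `ex` to both; use `throw new BuildException(msg, ex);` and `log(msg, ex, Project.MSG_ERR);` so the reason the data directory could not be resolved is not lost. Separately, `populateSettings()` derives the default data directory from `getCodeSource().getLocation().getPath()`, which is the raw, percent-encoded URL path — a jar installed under a directory with a space yields a `File` that does not exist — and `getCodeSource()` can be null under some class loaders; converting via `toURI()` (`new File(url.toURI())`, with the null and `URISyntaxException` cases handled) avoids the encoding problem. The class and constructor Javadoc ("execute dependency-check during an Ant build", "Construct a new DependencyCheckTask") and the truncated `dataDirectory` comment ("that contains") look copied from the Check task and should describe the purge task, and `getSettings()` has no Javadoc at all.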


@@ -0,0 +1,51 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
*/
package org.owasp.dependencycheck.taskdefs;
/**
* Class : {@link SuppressionFile} Responsibility : Models a suppression file
* nested XML element where the simple content is its location.
*
* @author Phillip Whittlesea
*/
public class SuppressionFile {
/**
* The path to the suppression file.
*/
private String path;
/**
* Sets the path to the suppression file.
*
* @param path the path to the suppression file
*/
public void setPath(String path) {
this.path = path;
}
/**
* Gets the path to the suppression file.
*
* @return the path
*/
public String getPath() {
return path;
}
}


@@ -0,0 +1,438 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.taskdefs;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.Project;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.impl.StaticLoggerBinder;
/**
* An Ant task definition to execute dependency-check update. This will download
* the latest data from the National Vulnerability Database (NVD) and store a
* copy in the local database.
*
* @author Jeremy Long
*/
public class Update extends Purge {
/**
* The Proxy Server.
*/
private String proxyServer;
/**
* The Proxy Port.
*/
private String proxyPort;
/**
* The Proxy username.
*/
private String proxyUsername;
/**
* The Proxy password.
*/
private String proxyPassword;
/**
* The Connection Timeout.
*/
private String connectionTimeout;
/**
* The database driver name; such as org.h2.Driver.
*/
private String databaseDriverName;
/**
* The path to the database driver JAR file if it is not on the class path.
*/
private String databaseDriverPath;
/**
* The database connection string.
*/
private String connectionString;
/**
* The user name for connecting to the database.
*/
private String databaseUser;
/**
* The password to use when connecting to the database.
*/
private String databasePassword;
/**
* The url for the modified NVD CVE (1.2 schema).
*/
private String cveUrl12Modified;
/**
* Base Data Mirror URL for CVE 1.2.
*/
private String cveUrl12Base;
/**
* Data Mirror URL for CVE 2.0.
*/
private String cveUrl20Base;
/**
* The number of hours to wait before re-checking for updates.
*/
private Integer cveValidForHours;
/**
* The url for the modified NVD CVE (2.0 schema).
*/
private String cveUrl20Modified;
/**
* Construct a new UpdateTask.
*/
public Update() {
super();
// Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
// core end up coming through this tasks logger
StaticLoggerBinder.getSingleton().setTask(this);
}
/**
* Get the value of proxyServer.
*
* @return the value of proxyServer
*/
public String getProxyServer() {
return proxyServer;
}
/**
* Set the value of proxyServer.
*
* @param server new value of proxyServer
*/
public void setProxyServer(String server) {
this.proxyServer = server;
}
/**
* Get the value of proxyPort.
*
* @return the value of proxyPort
*/
public String getProxyPort() {
return proxyPort;
}
/**
* Set the value of proxyPort.
*
* @param proxyPort new value of proxyPort
*/
public void setProxyPort(String proxyPort) {
this.proxyPort = proxyPort;
}
/**
* Get the value of proxyUsername.
*
* @return the value of proxyUsername
*/
public String getProxyUsername() {
return proxyUsername;
}
/**
* Set the value of proxyUsername.
*
* @param proxyUsername new value of proxyUsername
*/
public void setProxyUsername(String proxyUsername) {
this.proxyUsername = proxyUsername;
}
/**
* Get the value of proxyPassword.
*
* @return the value of proxyPassword
*/
public String getProxyPassword() {
return proxyPassword;
}
/**
* Set the value of proxyPassword.
*
* @param proxyPassword new value of proxyPassword
*/
public void setProxyPassword(String proxyPassword) {
this.proxyPassword = proxyPassword;
}
/**
* Get the value of connectionTimeout.
*
* @return the value of connectionTimeout
*/
public String getConnectionTimeout() {
return connectionTimeout;
}
/**
* Set the value of connectionTimeout.
*
* @param connectionTimeout new value of connectionTimeout
*/
public void setConnectionTimeout(String connectionTimeout) {
this.connectionTimeout = connectionTimeout;
}
/**
* Get the value of databaseDriverName.
*
* @return the value of databaseDriverName
*/
public String getDatabaseDriverName() {
return databaseDriverName;
}
/**
* Set the value of databaseDriverName.
*
* @param databaseDriverName new value of databaseDriverName
*/
public void setDatabaseDriverName(String databaseDriverName) {
this.databaseDriverName = databaseDriverName;
}
/**
* Get the value of databaseDriverPath.
*
* @return the value of databaseDriverPath
*/
public String getDatabaseDriverPath() {
return databaseDriverPath;
}
/**
* Set the value of databaseDriverPath.
*
* @param databaseDriverPath new value of databaseDriverPath
*/
public void setDatabaseDriverPath(String databaseDriverPath) {
this.databaseDriverPath = databaseDriverPath;
}
/**
* Get the value of connectionString.
*
* @return the value of connectionString
*/
public String getConnectionString() {
return connectionString;
}
/**
* Set the value of connectionString.
*
* @param connectionString new value of connectionString
*/
public void setConnectionString(String connectionString) {
this.connectionString = connectionString;
}
/**
* Get the value of databaseUser.
*
* @return the value of databaseUser
*/
public String getDatabaseUser() {
return databaseUser;
}
/**
* Set the value of databaseUser.
*
* @param databaseUser new value of databaseUser
*/
public void setDatabaseUser(String databaseUser) {
this.databaseUser = databaseUser;
}
/**
* Get the value of databasePassword.
*
* @return the value of databasePassword
*/
public String getDatabasePassword() {
return databasePassword;
}
/**
* Set the value of databasePassword.
*
* @param databasePassword new value of databasePassword
*/
public void setDatabasePassword(String databasePassword) {
this.databasePassword = databasePassword;
}
/**
* Get the value of cveUrl12Modified.
*
* @return the value of cveUrl12Modified
*/
public String getCveUrl12Modified() {
return cveUrl12Modified;
}
/**
* Set the value of cveUrl12Modified.
*
* @param cveUrl12Modified new value of cveUrl12Modified
*/
public void setCveUrl12Modified(String cveUrl12Modified) {
this.cveUrl12Modified = cveUrl12Modified;
}
/**
* Get the value of cveUrl20Modified.
*
* @return the value of cveUrl20Modified
*/
public String getCveUrl20Modified() {
return cveUrl20Modified;
}
/**
* Set the value of cveUrl20Modified.
*
* @param cveUrl20Modified new value of cveUrl20Modified
*/
public void setCveUrl20Modified(String cveUrl20Modified) {
this.cveUrl20Modified = cveUrl20Modified;
}
/**
* Get the value of cveUrl12Base.
*
* @return the value of cveUrl12Base
*/
public String getCveUrl12Base() {
return cveUrl12Base;
}
/**
* Set the value of cveUrl12Base.
*
* @param cveUrl12Base new value of cveUrl12Base
*/
public void setCveUrl12Base(String cveUrl12Base) {
this.cveUrl12Base = cveUrl12Base;
}
/**
* Get the value of cveUrl20Base.
*
* @return the value of cveUrl20Base
*/
public String getCveUrl20Base() {
return cveUrl20Base;
}
/**
* Set the value of cveUrl20Base.
*
* @param cveUrl20Base new value of cveUrl20Base
*/
public void setCveUrl20Base(String cveUrl20Base) {
this.cveUrl20Base = cveUrl20Base;
}
/**
* Get the value of cveValidForHours.
*
* @return the value of cveValidForHours
*/
public Integer getCveValidForHours() {
return cveValidForHours;
}
/**
* Set the value of cveValidForHours.
*
* @param cveValidForHours new value of cveValidForHours
*/
public void setCveValidForHours(Integer cveValidForHours) {
this.cveValidForHours = cveValidForHours;
}
/**
* Executes the update by initializing the settings, downloads the NVD XML
* data, and then processes the data storing it in the local database.
*
* @throws BuildException thrown if a connection to the local database
* cannot be made.
*/
@Override
public void execute() throws BuildException {
populateSettings();
try (Engine engine = new Engine(Update.class.getClassLoader(), getSettings())) {
try {
engine.doUpdates();
} catch (UpdateException ex) {
if (this.isFailOnError()) {
throw new BuildException(ex);
}
log(ex.getMessage(), Project.MSG_ERR);
}
} catch (DatabaseException ex) {
final String msg = "Unable to connect to the dependency-check database; unable to update the NVD data";
if (this.isFailOnError()) {
throw new BuildException(msg, ex);
}
log(msg, Project.MSG_ERR);
}
}
/**
* Takes the properties supplied and updates the dependency-check settings.
* Additionally, this sets the system properties required to change the
* proxy server, port, and connection timeout.
*
* @throws BuildException thrown when an invalid setting is configured.
*/
@Override
protected void populateSettings() throws BuildException {
super.populateSettings();
getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
getSettings().setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
getSettings().setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
if (cveValidForHours != null) {
if (cveValidForHours >= 0) {
getSettings().setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
} else {
throw new BuildException("Invalid setting: `cpeValidForHours` must be 0 or greater");
}
}
}
}
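Review bot: The validation message at the end of `populateSettings()` names the wrong attribute: the check is on `cveValidForHours` but the `BuildException` text says `cpeValidForHours`, which sends a user looking for an attribute that does not exist; change the literal in that message from `cpeValidForHours` to `cveValidForHours`. Also, `Purge.execute()` wraps its work in `finally { settings.cleanup(true); }`, but `Update.execute()` never calls `getSettings().cleanup(...)`, so whatever that call releases (presumably temporary files the settings create) appears to be left behind by an update run; adding the same `finally` around the `try (Engine …)` block would make the two tasks consistent. In the `UpdateException` branch, `log(ex.getMessage(), Project.MSG_ERR)` loses the stack trace when `failOnError` is false; `log(ex.getMessage(), ex, Project.MSG_ERR)` keeps it.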


@@ -0,0 +1,4 @@
/**
* This package includes the a slf4j logging implementation that wraps the Ant logger.
*/
package org.owasp.dependencycheck.taskdefs;


@@ -0,0 +1,113 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
*/
package org.slf4j.impl;
import org.apache.tools.ant.Task;
import org.owasp.dependencycheck.ant.logging.AntLoggerFactory;
import org.slf4j.ILoggerFactory;
import org.slf4j.spi.LoggerFactoryBinder;
/**
* The binding of org.slf4j.LoggerFactory class with an actual instance of
* org.slf4j.ILoggerFactory is performed using information returned by this
* class.
*
* @author colezlaw
*/
//CSOFF: FinalClass
public class StaticLoggerBinder implements LoggerFactoryBinder {
//CSON: FinalClass
/**
* The unique instance of this class
*/
private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
/**
* Ant tasks have the log method we actually want to call. So we hang onto
* the task as a delegate
*/
private Task task = null;
/**
* Return the singleton of this class.
*
* @return the StaticLoggerBinder singleton
*/
public static StaticLoggerBinder getSingleton() {
return SINGLETON;
}
/**
* Set the Task which will this is to log through.
*
* @param task the task through which to log
*/
public void setTask(Task task) {
this.task = task;
loggerFactory = new AntLoggerFactory(task);
}
/**
* Declare the version of the SLF4J API this implementation is compiled
* against. The value of this filed is usually modified with each release.
*/
// to avoid constant folding by the compiler, this field must *not* be final
//CSOFF: StaticVariableName
//CSOFF: VisibilityModifier
public static String REQUESTED_API_VERSION = "1.7.12"; // final
//CSON: VisibilityModifier
//CSON: StaticVariableName
/**
* The logger factory class string.
*/
private static final String LOGGER_FACTORY_CLASS = AntLoggerFactory.class.getName();
/**
* The ILoggerFactory instance returned by the {@link #getLoggerFactory}
* method should always be the smae object
*/
private ILoggerFactory loggerFactory;
/**
* Constructs a new static logger binder.
*/
private StaticLoggerBinder() {
loggerFactory = new AntLoggerFactory(task);
}
/**
* Returns the logger factory.
*
* @return the logger factory
*/
@Override
public ILoggerFactory getLoggerFactory() {
return loggerFactory;
}
/**
* Returns the logger factory class string.
*
* @return the logger factory class string
*/
@Override
public String getLoggerFactoryClassStr() {
return LOGGER_FACTORY_CLASS;
}
}
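Review bot: `setTask()` replaces the whole `loggerFactory` with a `new AntLoggerFactory(task)`, but any `Logger` already handed out — and SLF4J users commonly keep them in `static final` fields initialised before any task runs — is the adapter created by the constructor (whose `task` is null) or by an earlier task's `setTask`, and is never re-pointed at the new task, so its output seems likely to be dropped or sent to a stale task; this may be the lifecycle problem the commit title refers to. Since `AntLoggerAdapter` already has a `setTask(Task)` method, it would be more robust to build the factory once (`private final AntLoggerFactory loggerFactory = new AntLoggerFactory(null);`) and have this `setTask` forward to the existing adapter through a small delegating `setTask` on `AntLoggerFactory`, so every logger ever returned follows the current task. The `task` field here is written in `setTask` but never read, and the Javadoc has typos worth tidying ("filed", "smae", "Set the Task which will this is to log through").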


@@ -0,0 +1,4 @@
/**
* This package contains the static binder for the slf4j-ant logger.
*/
package org.slf4j.impl;


@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@@ -0,0 +1,3 @@
dependency-check=org.owasp.dependencycheck.taskdefs.Check
dependency-check-purge=org.owasp.dependencycheck.taskdefs.Purge
dependency-check-update=org.owasp.dependencycheck.taskdefs.Update


@@ -0,0 +1,2 @@
# the path to the data directory
data.directory=data/3.0


@@ -0,0 +1,20 @@
Configuration
====================
The dependency-check-purge task deletes the local copy of the NVD. This task
should rarely be used, if ever. This is included as a convenience method in
the rare circumstance that the local H2 database becomes corrupt.
```xml
<target name="dependency-check-purge" description="Dependency-Check purge">
<dependency-check-purge />
</target>
```
Configuration: dependency-check-purge Task
--------------------
The following properties can be set on the dependency-check-purge task.
Property | Description | Default Value
----------------------|------------------------------------------------------------------------|------------------
dataDirectory | Data directory that is used to store the local copy of the NVD | data
failOnError | Whether the build should fail if there is an error executing the purge | true


@@ -0,0 +1,45 @@
Configuration
====================
The dependency-check-update task downloads and updates the local copy of the NVD.
There are several reasons that one may want to use this task; primarily, creating
an update that will be run only once a day or once every few days (but not greater
than 7 days) and then use the `autoUpdate="false"` setting on individual
dependency-check scans. See [Internet Access Required](https://jeremylong.github.io/DependencyCheck/data/index.html)
for more information on why this task would be used.
```xml
<target name="dependency-check-update" description="Dependency-Check Update">
<dependency-check-update />
</target>
```
Configuration: dependency-check-update Task
--------------------
The following properties can be set on the dependency-check task.
Property | Description | Default Value
----------------------|------------------------------------|------------------
proxyServer | The Proxy Server. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;
connectionTimeout | The URL Connection Timeout. | &nbsp;
failOnError | Whether the build should fail if there is an error executing the update | true
Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value
---------------------|-------------------------------------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2. | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
cveUrl20Modified | URL for the modified CVE 2.0. | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;


@@ -0,0 +1,107 @@
Configuration
====================
Once dependency-check-ant has been [installed](index.html) the defined tasks can be used.
* dependency-check - the primary task used to check the project dependencies. Configuration options are below.
* dependency-check-purge - deletes the local copy of the NVD; this should rarely be used (if ever). See the [purge configuration](config-purge.html) for more information.
* dependency-check-update - downloads and updates the local copy of the NVD. See the [update configuration](config-update.html) for more information.
To configure the dependency-check task you can add it to a target and include a
file based [resource collection](http://ant.apache.org/manual/Types/resources.html#collection)
such as a [FileSet](http://ant.apache.org/manual/Types/fileset.html), [DirSet](http://ant.apache.org/manual/Types/dirset.html),
or [FileList](http://ant.apache.org/manual/Types/filelist.html) that includes
the project's dependencies.
```xml
<target name="dependency-check" description="Dependency-Check Analysis">
<dependency-check projectname="Hello World"
reportoutputdirectory="${basedir}"
reportformat="ALL">
<suppressionfile path="${basedir}/path/to/suppression.xml" />
<fileset dir="lib">
<include name="**/*.jar"/>
</fileset>
</dependency-check>
</target>
```
Configuration: dependency-check Task
--------------------
The following properties can be set on the dependency-check task.
Property | Description | Default Value
----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD | 4
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
failOnError | Whether the build should fail if there is an error executing the dependency-check analysis | true
projectName | The name of the project being scanned. | Dependency-Check
reportFormat | The report format to be generated (HTML, XML, CSV, JSON, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
hintsFile | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html) | &nbsp;
proxyServer | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;
connectionTimeout | The URL Connection Timeout. | &nbsp;
enableExperimental | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used. | false
enableRetired | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used. | false
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). | &nbsp;
The following nested elements can be set on the dependency-check task.
Element | Property | Description | Default Value
------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
suppressionFile | path | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). Element can be specified multiple times. | &nbsp;
Analyzer Configuration
====================
The following properties are used to configure the various file type analyzers.
These properties can be used to turn off specific analyzers if it is not needed.
Note, that specific analyzers will automatically disable themselves if no file
types that they support are detected - so specifically disabling them may not
be needed.
Property | Description | Default Value
------------------------------|------------------------------------------------------------------------------------------------------------|------------------
archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
jarAnalyzer | Sets whether the Jar Analyzer will be used. | true
centralAnalyzerEnabled | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
nexusUrl | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
pyDistributionAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. | true
pyPackageAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. | true
rubygemsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | true
opensslAnalyzerEnabled | Sets whether the openssl Analyzer should be used. | true
cmakeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true
autoconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true
composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true
nodeAnalyzerEnabled | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used. | true
nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true
nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true
cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true
bundleAuditAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. | true
bundleAuditPath | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled. | &nbsp;
swiftPackageManagerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Switft Package Analyzer should be used. | true
assemblyAnalyzerEnabled | Sets whether the .NET Assembly Analyzer should be used. | true
pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. | &nbsp;
Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value
---------------------|--------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;


@@ -0,0 +1,38 @@
About
====================
OWASP dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly
disclosed vulnerabilities associated with the project's dependencies. The task will
generate a report listing the dependency, any identified Common Platform Enumeration (CPE)
identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
Installation
====================
1. Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}-release.zip).
2. Unzip the archive
3. Add the taskdef to your build.xml:
```xml
<!-- Set the value to the installation directory's path -->
<property name="dependency-check.home" value="C:/tools/dependency-check-ant"/>
<path id="dependency-check.path">
<pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
<fileset dir="${dependency-check.home}/lib">
<include name="*.jar"/>
</fileset>
</path>
<taskdef resource="dependency-check-taskdefs.properties">
<classpath refid="dependency-check.path" />
</taskdef>
```
4. Use the defined taskdefs:
* [dependency-check](configuration.html) - the primary task used to check the project dependencies.
* [dependency-check-purge](config-purge.html) - deletes the local copy of the NVD; this should rarely be used (if ever).
* [dependency-check-update](config-update.html) - downloads and updates the local copy of the NVD.
It is important to understand that the first time this task is executed it may
take 10 minutes or more as it downloads and processes the data from the National
Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
After the first batch download, as long as the task is executed at least once every
seven days the update will only take a few seconds.




35
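--- a/ant/src/site/site.xml
+++ b/ant/src/site/site.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+This file is part of dependency-check-ant.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project name="dependency-check-ant">
+<bannerLeft>
+<name>OWASP dependency-check-ant</name>
+<alt>OWASP dependency-check-ant</alt>
+<src>./images/dc-ant.svg</src>
+</bannerLeft>
+<body>
+<breadcrumbs>
+<item name="dependency-check" href="../index.html"/>
+</breadcrumbs>
+<menu name="Getting Started">
+<item name="Installation" href="index.html"/>
+<item name="Configuration" href="configuration.html"/>
+</menu>
+<menu ref="reports" />
+</body>
+</project>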


@@ -0,0 +1,171 @@
/*
* This file is part of dependency-check-ant.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.taskdefs;
import java.io.File;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.BuildFileRule;
import org.apache.tools.ant.types.LogLevel;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.owasp.dependencycheck.BaseDBTestCase;
import static org.junit.Assert.assertTrue;
/**
*
* @author Jeremy Long
*/
public class DependencyCheckTaskTest extends BaseDBTestCase {
@Rule
public BuildFileRule buildFileRule = new BuildFileRule();
@Rule
public ExpectedException expectedException = ExpectedException.none();
@Before
@Override
public void setUp() throws Exception {
super.setUp();
final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
buildFileRule.configureProject(buildFile, LogLevel.VERBOSE.getLevel());
}
/**
* Test of addFileSet method, of class DependencyCheckTask.
*/
@Test
public void testAddFileSet() throws Exception {
File report = new File("target/dependency-check-report.html");
if (report.exists() && !report.delete()) {
throw new Exception("Unable to delete 'target/dependency-check-report.html' prior to test.");
}
buildFileRule.executeTarget("test.fileset");
assertTrue("DependencyCheck report was not generated", report.exists());
}
/**
* Test of addFileList method, of class DependencyCheckTask.
*
* @throws Exception
*/
@Test
public void testAddFileList() throws Exception {
File report = new File("target/dependency-check-report.xml");
if (report.exists()) {
if (!report.delete()) {
throw new Exception("Unable to delete 'target/DependencyCheck-Report.xml' prior to test.");
}
}
buildFileRule.executeTarget("test.filelist");
assertTrue("DependencyCheck report was not generated", report.exists());
}
/**
* Test of addDirSet method, of class DependencyCheckTask.
*
* @throws Exception
*/
@Test
public void testAddDirSet() throws Exception {
File report = new File("target/dependency-check-vulnerability.html");
if (report.exists()) {
if (!report.delete()) {
throw new Exception("Unable to delete 'target/DependencyCheck-Vulnerability.html' prior to test.");
}
}
buildFileRule.executeTarget("test.dirset");
assertTrue("DependencyCheck report was not generated", report.exists());
}
/**
* Test of getFailBuildOnCVSS method, of class DependencyCheckTask.
*/
@Test
public void testGetFailBuildOnCVSS() {
expectedException.expect(BuildException.class);
buildFileRule.executeTarget("failCVSS");
}
/**
* Test the DependencyCheckTask where a CVE is suppressed.
*/
@Test
public void testSuppressingCVE() {
// GIVEN an ant task with a vulnerability
final String antTaskName = "suppression";
// WHEN executing the ant task
buildFileRule.executeTarget(antTaskName);
System.out.println("----------------------------------------------------------");
System.out.println("----------------------------------------------------------");
System.out.println("----------------------------------------------------------");
System.out.println("----------------------------------------------------------");
System.out.println(buildFileRule.getError());
System.out.println("----------------------------------------------------------");
System.out.println("----------------------------------------------------------");
System.out.println(buildFileRule.getFullLog());
System.out.println("----------------------------------------------------------");
System.out.println("----------------------------------------------------------");
System.out.println("----------------------------------------------------------");
System.out.println("----------------------------------------------------------");
// THEN the ant task executed without error
final File report = new File("target/suppression-report.html");
assertTrue("Expected the DependencyCheck report to be generated", report.exists());
}
/**
* Test the DependencyCheckTask deprecated suppression property throws an
* exception with a warning.
*/
@Test
public void testSuppressingSingle() {
// GIVEN an ant task with a vulnerability using the legacy property
final String antTaskName = "suppression-single";
// WHEN executing the ant task
buildFileRule.executeTarget(antTaskName);
// THEN the ant task executed without error
final File report = new File("target/suppression-single-report.html");
assertTrue("Expected the DependencyCheck report to be generated", report.exists());
}
/**
* Test the DependencyCheckTask deprecated suppression property throws an
* exception with a warning.
*/
@Test
public void testSuppressingMultiple() {
// GIVEN an ant task with a vulnerability using multiple was to configure the suppression file
final String antTaskName = "suppression-multiple";
// WHEN executing the ant task
buildFileRule.executeTarget(antTaskName);
// THEN the ant task executed without error
final File report = new File("target/suppression-multiple-report.html");
assertTrue("Expected the DependencyCheck report to be generated", report.exists());
}
}


@@ -0,0 +1,117 @@
<?xml version="1.0" encoding="UTF-8"?>
<project name="Dependency-Check Test Build" default="test.fileset" basedir=".">
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.Check" />
<target name="test.fileset">
<dependency-check
applicationName="My Project"
reportOutputDirectory="${project.build.directory}"
autoupdate="false"
reportFormat="HTML">
<!-- Scan a single file -->
<fileset dir="${project.build.directory}/test-classes/jars">
<include name="axis-1.4.jar"/>
</fileset>
<!-- Scan for all jar/war/ear in the webroot dir and all sub directories -->
<fileset dir="${project.build.directory}/test-classes/webroot">
<include name="**/*.jar"/>
<include name="**/*.war"/>
<include name="**/*.ear"/>
</fileset>
</dependency-check>
</target>
<target name="test.filelist">
<dependency-check
applicationName="My Project"
reportOutputDirectory="${project.build.directory}"
autoupdate="false"
reportFormat="XML">
<!-- Scan specific files -->
<filelist
dir="${project.build.directory}/test-classes/list"
files="jetty-6.1.0.jar,org.mortbay.jetty.jar"/>
</dependency-check>
</target>
<target name="test.dirset">
<dependency-check
applicationName="My Project"
reportOutputDirectory="${project.build.directory}"
autoupdate="false"
reportFormat="VULN">
<!-- Scan a specific directory -->
<dirset dir="${project.build.directory}/test-classes">
<include name="lib"/>
</dirset>
</dependency-check>
</target>
<target name="formatBAD">
<dependency-check
applicationName="test formatBAD"
reportOutputDirectory="${project.build.directory}"
autoupdate="false"
reportFormat="BAD">
</dependency-check>
</target>
<target name="failCVSS">
<dependency-check
applicationName="test failCVSS"
reportOutputDirectory="${project.build.directory}"
reportFormat="XML"
autoupdate="false"
failBuildOnCVSS="3">
<fileset dir="${project.build.directory}/test-classes/jars">
<include name="axis-1.4.jar"/>
</fileset>
</dependency-check>
</target>
<target name="suppression">
<dependency-check
applicationName="test suppression"
reportOutputDirectory="${project.build.directory}/suppression-report.html"
autoupdate="false"
failBuildOnCVSS="3">
<suppressionfile path="${project.build.directory}/test-classes/test-suppression1.xml" />
<suppressionfile path="${project.build.directory}/test-classes/test-suppression2.xml" />
<fileset dir="${project.build.directory}/test-classes/jars">
<include name="axis-1.4.jar"/>
</fileset>
<filelist
dir="${project.build.directory}/test-classes/list"
files="jetty-6.1.0.jar,org.mortbay.jetty.jar"/>
</dependency-check>
</target>
<target name="suppression-single">
<dependency-check
applicationName="test suppression"
reportOutputDirectory="${project.build.directory}/suppression-single-report.html"
autoupdate="false"
failBuildOnCVSS="3"
suppressionFile="${project.build.directory}/test-classes/test-suppression.xml">
<fileset dir="${project.build.directory}/test-classes/jars">
<include name="axis-1.4.jar"/>
</fileset>
</dependency-check>
</target>
<target name="suppression-multiple">
<dependency-check
applicationName="test suppression"
reportOutputDirectory="${project.build.directory}/suppression-multiple-report.html"
autoupdate="false"
failBuildOnCVSS="3"
suppressionFile="${project.build.directory}/test-classes/test-suppression1.xml">
<suppressionfile path="${project.build.directory}/test-classes/test-suppression2.xml"/>
<fileset dir="${project.build.directory}/test-classes/jars">
<include name="axis-1.4.jar"/>
</fileset>
</dependency-check>
</target>
</project>
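Review bot: The three suppression targets hand `reportOutputDirectory` a file path (`${project.build.directory}/suppression-report.html` and the -single/-multiple variants) while every other target in this file passes the build directory itself, and none of the three sets `reportFormat`. If the task treats a path ending in a report extension as the output file, the test assertions on `target/suppression-report.html` will hold but the intent is invisible here; a comment such as `<!-- file path, not a directory: the test asserts on this exact report name -->` above each of the three would document it. If it does not, the HTML report lands inside a directory literally named `suppression-report.html` and the existence check in the test fails, so the attribute handling in Check is worth confirming before relying on these targets.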


@@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-core.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: axis-1.4.jar
]]></notes>
<gav regex="true">^org\.apache\.axis:axis:.*$</gav>
<cpe>cpe:/a:apache:axis</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: org.mortbay.jetty.jar
]]></notes>
<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: org.mortbay.jetty.jar
]]></notes>
<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
<cpe>cpe:/a:mortbay:jetty</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: org.mortbay.jetty.jar
]]></notes>
<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
</suppress>
</suppressions>
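Review bot: The license header on this fixture still says `This file is part of dependency-check-core.`, and the same header appears in the two fixtures that follow (presumably test-suppression1.xml and test-suppression2.xml, the names build.xml references), although the surrounding build file and test class suggest these now live in the Ant module; since this commit renames modules, the header should name the module the resources actually belong to, e.g. `This file is part of dependency-check-ant.`. Separately, the three jetty entries repeat the same `<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>` with a single `<cpe>` each; if the 1.1 suppression schema accepts several `<cpe>` children under one `<suppress>`, they can collapse into one entry listing the three CPEs, which also makes it obvious that all three are the same false-positive match. The `<notes>` currently record only the file name; stating why each CPE does not apply to the jar is the information a reader of a suppression file needs, even in a test fixture. The third fixture has the same repeated-entry shape.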


@@ -0,0 +1,27 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-core.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: axis-1.4.jar
]]></notes>
<gav regex="true">^org\.apache\.axis:axis:.*$</gav>
<cpe>cpe:/a:apache:axis</cpe>
</suppress>
</suppressions>


@@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-core.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: org.mortbay.jetty.jar
]]></notes>
<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: org.mortbay.jetty.jar
]]></notes>
<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
<cpe>cpe:/a:mortbay:jetty</cpe>
</suppress>
<suppress>
<notes><![CDATA[
file name: org.mortbay.jetty.jar
]]></notes>
<gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
</suppress>
</suppressions>