Merge branch 'master' into addMd5

This commit is contained in:
Jeremy Long
2017-10-25 06:13:30 -04:00
13 changed files with 92 additions and 36 deletions


@@ -6,23 +6,26 @@ ENV user=dependencycheck
ENV version_url=https://jeremylong.github.io/DependencyCheck/current.txt ENV version_url=https://jeremylong.github.io/DependencyCheck/current.txt
ENV download_url=https://dl.bintray.com/jeremy-long/owasp ENV download_url=https://dl.bintray.com/jeremy-long/owasp
RUN apt-get update && \ RUN apt-get update && \
apt-get install -y wget && \ apt-get install -y --no-install-recommends wget ruby mono-runtime && \
wget -O /tmp/current.txt ${version_url} && \ gem install bundle-audit && \
version=$(cat /tmp/current.txt) && \ gem cleanup
file="dependency-check-${version}-release.zip" && \
wget "$download_url/$file" && \
unzip ${file} && \
rm ${file} && \
mv dependency-check /usr/share/ && \
useradd -ms /bin/bash ${user} && \
chown -R ${user}:${user} /usr/share/dependency-check && \
mkdir /report && \
chown -R ${user}:${user} /report && \
apt-get remove --purge -y wget && \
apt-get autoremove -y && \
rm -rf /var/lib/apt/lists/*
RUN wget -O /tmp/current.txt ${version_url} && \
version=$(cat /tmp/current.txt) && \
file="dependency-check-${version}-release.zip" && \
wget "$download_url/$file" && \
unzip ${file} && \
rm ${file} && \
mv dependency-check /usr/share/ && \
useradd -ms /bin/bash ${user} && \
chown -R ${user}:${user} /usr/share/dependency-check && \
mkdir /report && \
chown -R ${user}:${user} /report && \
apt-get remove --purge -y wget && \
apt-get autoremove -y && \
rm -rf /var/lib/apt/lists/* /tmp/*
USER ${user} USER ${user}
VOLUME ["/src" "/usr/share/dependency-check/data" "/report"] VOLUME ["/src" "/usr/share/dependency-check/data" "/report"]
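Review bot: The `gem install bundle-audit` added on the new side of the first RUN pins no version, so every image build pulls whatever bundle-audit (and its transitive gems) is current on rubygems.org at build time; the image is therefore not reproducible and its contents depend on an external registry the Dockerfile does not control. Pin it, e.g. `gem install bundle-audit -v <PINNED_VERSION> && \` (placeholder version to be chosen), and consider pinning the `ruby` and `mono-runtime` apt packages the same way if reproducible builds matter. Note also that the first RUN now ends at `gem cleanup` without the `rm -rf /var/lib/apt/lists/*` that was moved to the second RUN, so the apt lists remain in the first layer; the later removal does not shrink that layer.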


@@ -178,6 +178,10 @@ public class Check extends Update {
* Whether experimental analyzers are enabled. * Whether experimental analyzers are enabled.
*/ */
private Boolean enableExperimental; private Boolean enableExperimental;
/**
* Whether retired analyzers are enabled.
*/
private Boolean enableRetired;
/** /**
* Whether or not the Jar Analyzer is enabled. * Whether or not the Jar Analyzer is enabled.
*/ */
@@ -529,6 +533,24 @@ public class Check extends Update {
this.enableExperimental = enableExperimental; this.enableExperimental = enableExperimental;
} }
/**
* Get the value of enableRetired.
*
* @return the value of enableRetired
*/
public Boolean isEnableRetired() {
return enableRetired;
}
/**
* Set the value of enableRetired.
*
* @param enableRetired new value of enableRetired
*/
public void setEnableRetired(Boolean enableRetired) {
this.enableRetired = enableRetired;
}
/** /**
* Returns whether or not the analyzer is enabled. * Returns whether or not the analyzer is enabled.
* *
@@ -1033,6 +1055,7 @@ public class Check extends Update {
getSettings().setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles.toArray(new String[suppressionFiles.size()])); getSettings().setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles.toArray(new String[suppressionFiles.size()]));
getSettings().setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile); getSettings().setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental); getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled); getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled); getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled); getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
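Review bot: The Javadoc on `setEnableRetired` in the second hunk does not say what a null value means, which matters because the field is applied in the third hunk via `setBooleanIfNotNull`, so a null presumably leaves the configured default in place rather than disabling retired analyzers. Suggest `@param enableRetired new value of enableRetired; null leaves the configured default untouched` and a matching note on the `@return` of `isEnableRetired`. The enclosing `Check` class starts and ends outside these hunks.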


@@ -45,6 +45,7 @@ proxyUsername | Defines the proxy user name.
proxyPassword | Defines the proxy password. |   proxyPassword | Defines the proxy password. |  
connectionTimeout | The URL Connection Timeout. |   connectionTimeout | The URL Connection Timeout. |  
enableExperimental | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used. | false enableExperimental | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used. | false
enableRetired | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used. | false
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). |   suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). |  
The following nested elements can be set on the dependency-check task. The following nested elements can be set on the dependency-check task.
@@ -77,7 +78,7 @@ opensslAnalyzerEnabled | Sets whether the openssl Analyzer should be used
cmakeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true cmakeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true
autoconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true autoconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true
composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true
nodeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used. | true nodeAnalyzerEnabled | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used. | true
nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true
nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true
cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true


@@ -421,6 +421,7 @@ public class App {
final Integer cveValidForHours = cli.getCveValidForHours(); final Integer cveValidForHours = cli.getCveValidForHours();
final Boolean autoUpdate = cli.isAutoUpdate(); final Boolean autoUpdate = cli.isAutoUpdate();
final Boolean experimentalEnabled = cli.isExperimentalEnabled(); final Boolean experimentalEnabled = cli.isExperimentalEnabled();
final Boolean retiredEnabled = cli.isRetiredEnabled();
if (propertiesFile != null) { if (propertiesFile != null) {
try { try {
@@ -460,6 +461,7 @@ public class App {
//File Type Analyzer Settings //File Type Analyzer Settings
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled); settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, retiredEnabled);
settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled()); settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled()); settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled());


@@ -301,6 +301,10 @@ public final class CliParser {
.desc("Enables the experimental analyzers.") .desc("Enables the experimental analyzers.")
.build(); .build();
final Option retiredEnabled = Option.builder().longOpt(ARGUMENT.RETIRED)
.desc("Enables the experimental analyzers.")
.build();
final Option failOnCVSS = Option.builder().argName("score").hasArg().longOpt(ARGUMENT.FAIL_ON_CVSS) final Option failOnCVSS = Option.builder().argName("score").hasArg().longOpt(ARGUMENT.FAIL_ON_CVSS)
.desc("Specifies if the build should be failed if a CVSS score above a specified level is identified. " .desc("Specifies if the build should be failed if a CVSS score above a specified level is identified. "
+ "The default is 11; since the CVSS scores are 0-10, by default the build will never fail.") + "The default is 11; since the CVSS scores are 0-10, by default the build will never fail.")
@@ -329,6 +333,7 @@ public final class CliParser {
.addOption(hintsFile) .addOption(hintsFile)
.addOption(cveValidForHours) .addOption(cveValidForHours)
.addOption(experimentalEnabled) .addOption(experimentalEnabled)
.addOption(retiredEnabled)
.addOption(failOnCVSS); .addOption(failOnCVSS);
} }
@@ -1188,6 +1193,15 @@ public final class CliParser {
return (line != null && line.hasOption(ARGUMENT.EXPERIMENTAL)) ? true : null; return (line != null && line.hasOption(ARGUMENT.EXPERIMENTAL)) ? true : null;
} }
/**
* Returns true if the retired analyzers are enabled.
*
* @return true if the retired analyzers are enabled; otherwise null
*/
public Boolean isRetiredEnabled() {
return (line != null && line.hasOption(ARGUMENT.RETIRED)) ? true : null;
}
/** /**
* Returns the CVSS value to fail on. * Returns the CVSS value to fail on.
* *
@@ -1521,6 +1535,10 @@ public final class CliParser {
* The CLI argument to enable the experimental analyzers. * The CLI argument to enable the experimental analyzers.
*/ */
private static final String EXPERIMENTAL = "enableExperimental"; private static final String EXPERIMENTAL = "enableExperimental";
/**
* The CLI argument to enable the retired analyzers.
*/
private static final String RETIRED = "enableRetired";
/** /**
* The CLI argument to enable the experimental analyzers. * The CLI argument to enable the experimental analyzers.
*/ */
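Review bot: The description of the new `retiredEnabled` option in the first hunk is copied from the experimental option and is wrong: it reads `.desc("Enables the experimental analyzers.")` and should be `.desc("Enables the retired analyzers.")`, otherwise `--help` describes `--enableRetired` as enabling the experimental analyzers. The `isRetiredEnabled` accessor in the third hunk mirrors `isExperimentalEnabled` (`true` or `null`, never `false`), and its Javadoc states that correctly. The enclosing `CliParser` class starts and ends outside these hunks.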


@@ -20,6 +20,7 @@ Short | Argument Name   | Parameter | Description | Requir
\-v | \-\-version | | Print the version information. | Optional \-v | \-\-version | | Print the version information. | Optional
| \-\-cveValidForHours | \<hours\> | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional | \-\-cveValidForHours | \<hours\> | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional
| \-\-enableExperimental | | Enable the [experimental analyzers](../analyzers/index.html). If not set the analyzers marked as experimental below will not be loaded or used. | Optional | \-\-enableExperimental | | Enable the [experimental analyzers](../analyzers/index.html). If not set the analyzers marked as experimental below will not be loaded or used. | Optional
| \-\-enableRetired | | Enable the [retired analyzers](../analyzers/index.html). If not set the analyzers marked as retired below will not be loaded or used. | Optional
Advanced Options Advanced Options
================ ================
@@ -33,12 +34,12 @@ Short | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
| \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp; | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
| \-\-disablePyDist | | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. | false | \-\-disablePyDist | | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. | false
| \-\-disablePyPkg | | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. | false | \-\-disablePyPkg | | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. | false
| \-\-disableNodeJS | | Sets whether the [experimental](../analyzers/index.html) Node.js Package Analyzer will be used. | false | \-\-disableNodeJS | | Sets whether the [retired](../analyzers/index.html) Node.js Package Analyzer will be used. | false
| \-\-disableNSP | | Sets whether the NSP Analyzer will be used. | false | \-\-disableNSP | | Sets whether the NSP Analyzer will be used. | false
| \-\-disableRubygems | | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | false | \-\-disableRubygems | | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | false
| \-\-disableBundleAudit | | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used. | false | \-\-disableBundleAudit | | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used. | false
| \-\-disableCocoapodsAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used. | false | \-\-disableCocoapodsAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used. | false
| \-\-disableSwiftPackageManagerAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used. | false | \-\-disableSwiftPackageManagerAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used. | false
| \-\-disableAutoconf | | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used. | false | \-\-disableAutoconf | | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used. | false
| \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false | \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false
| \-\-disableCmake | | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled. | false | \-\-disableCmake | | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled. | false


@@ -24,16 +24,13 @@ import java.util.HashSet;
import java.util.Locale; import java.util.Locale;
import java.util.Set; import java.util.Set;
import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase; import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo; import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter; import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.plugins.annotations.ResolutionScope; import org.apache.maven.plugins.annotations.ResolutionScope;
import org.apache.maven.project.MavenProject; import org.apache.maven.project.MavenProject;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.exception.ExceptionCollection; import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException;
/** /**
* Maven Plugin that checks project dependencies and the dependencies of all * Maven Plugin that checks project dependencies and the dependencies of all


@@ -184,6 +184,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal") @SuppressWarnings("CanBeFinal")
@Parameter(property = "enableExperimental") @Parameter(property = "enableExperimental")
private Boolean enableExperimental; private Boolean enableExperimental;
/**
* Sets whether retired analyzers are enabled. Default is false.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "enableRetired")
private Boolean enableRetired;
/** /**
* Generate aggregate reports in multi-module projects. * Generate aggregate reports in multi-module projects.
* *
@@ -1117,6 +1123,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate); settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental); settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
if (externalReport != null) { if (externalReport != null) {
getLog().warn("The 'externalReport' option was set; this configuration option has been removed. " getLog().warn("The 'externalReport' option was set; this configuration option has been removed. "
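Review bot: The Javadoc on the new `enableRetired` parameter in the first hunk says "Default is false", but the field itself has no default and is only applied when non-null via `setBooleanIfNotNull` in the second hunk, so the effective default presumably comes from the settings layer rather than from this class. Suggest wording it as `Sets whether retired analyzers are enabled. When not set, the dependency-check default (false) applies.` so the comment does not overstate what this field controls. The enclosing `BaseDependencyCheckMojo` class starts and ends outside these hunks.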


@@ -20,16 +20,12 @@ package org.owasp.dependencycheck.maven;
import java.util.Locale; import java.util.Locale;
import org.apache.maven.artifact.Artifact; import org.apache.maven.artifact.Artifact;
import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase; import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo; import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter; import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.plugins.annotations.ResolutionScope; import org.apache.maven.plugins.annotations.ResolutionScope;
import org.apache.maven.project.MavenProject;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.exception.ExceptionCollection; import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException;
/** /**
* Maven Plugin that checks the project dependencies to see if they have any * Maven Plugin that checks the project dependencies to see if they have any
@@ -95,7 +91,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
return "Generates a report providing details on any published vulnerabilities within project dependencies. " return "Generates a report providing details on any published vulnerabilities within project dependencies. "
+ "This report is a best effort and may contain false positives and false negatives."; + "This report is a best effort and may contain false positives and false negatives.";
} }
/** /**
* Scans the dependencies of the project. * Scans the dependencies of the project.
* *


@@ -32,6 +32,7 @@ skipArtifactType | A regular expression used to filter/skip artifact
suppressionFiles | The file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). | &nbsp; suppressionFiles | The file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). | &nbsp;
hintsFile | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html). | &nbsp; hintsFile | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html). | &nbsp;
enableExperimental | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used. | false enableExperimental | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used. | false
enableRetired | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used. | false
Analyzer Configuration Analyzer Configuration
==================== ====================
@@ -57,7 +58,7 @@ opensslAnalyzerEnabled | Sets whether the openssl Analyzer should be used
cmakeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true cmakeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true
autoconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true autoconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true
composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true
nodeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used. | true nodeAnalyzerEnabled | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used. | true
nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true
nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true
cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true


@@ -32,3 +32,14 @@ several teams have found them useful in their current state.
| [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. | | [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
| [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. | | [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. |
| [SWIFT](./swift.html) | SWIFT Package Manager's `Package.swift` | Extracts dependency information from swift package file. | | [SWIFT](./swift.html) | SWIFT Package Manager's `Package.swift` | Extracts dependency information from swift package file. |
Retired Analyzers
----------------------
The following analyzers can be enabled by enabling the _retired_ configuration
option; see the documentation for the CLI, Ant, Maven, etc. for more information.
These analyzers have been retired due to the higher false positive and
false negative rates.
| Analyzer | File Types Scanned | Analysis Method |
| -------- | ------------------ | --------------- |
| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. |


@@ -1,9 +1,8 @@
Node.js Analyzer Node.js Analyzer
================ ================
*Experimental*: This analyzer is considered experimental. While this analyzer may *Retired*: This analyzer has been retired due to an extremely high false positive
be useful and provide valid results more testing must be completed to ensure that rate.
the false negative/false positive rates are acceptable.
OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/) OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/)
package specification files. The analyzer will collect as much information as package specification files. The analyzer will collect as much information as
@@ -12,8 +11,4 @@ as evidence and is grouped into vendor, product, and version buckets. Other
analyzers later use this evidence to identify any Common Platform Enumeration analyzers later use this evidence to identify any Common Platform Enumeration
(CPE) identifiers that apply. (CPE) identifiers that apply.
*Note*: Consider using [Retire.js](http://retirejs.github.io/retire.js/) or the
Node Security Project auditing tool, [nsp](https://nodesecurity.io/tools) instead
of, or in addition to OWASP dependency-check to analyze Node.js packages.
Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json) Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json)


@@ -121,12 +121,13 @@ analyzers | pathToMono | The path to Mono for .NET assembly analys
analyzers | cmakeEnabled | Sets whether or not the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true analyzers | cmakeEnabled | Sets whether or not the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true
analyzers | autoconfEnabled | Sets whether or not the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true analyzers | autoconfEnabled | Sets whether or not the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true
analyzers | composerEnabled | Sets whether or not the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true analyzers | composerEnabled | Sets whether or not the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true
analyzers | nodeEnabled | Sets whether or not the [experimental](../analyzers/index.html) Node.js Analyzer should be used. | true analyzers | nodeEnabled | Sets whether or not the [retired](../analyzers/index.html) Node.js Analyzer should be used. | true
analyzers | nspEnabled | Sets whether the NSP Analyzer should be used. | true analyzers | nspEnabled | Sets whether the NSP Analyzer should be used. | true
analyzers | cocoapodsEnabled | Sets whether or not the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true analyzers | cocoapodsEnabled | Sets whether or not the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true
analyzers | swiftEnabled | Sets whether or not the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. | true analyzers | swiftEnabled | Sets whether or not the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. | true
analyzers | bundleAuditEnabled | Sets whether or not the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. | true analyzers | bundleAuditEnabled | Sets whether or not the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. | true
analyzers | pathToBundleAudit | The path to bundle audit. | &nbsp; analyzers | pathToBundleAudit | The path to bundle audit. | &nbsp;
analyzers | retiredEnabled | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used | false
#### Example #### Example
```groovy ```groovy