From 6ec931fcd767fc263df0543a942604d8943c181d Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 15 Feb 2014 08:32:20 -0500
Subject: [PATCH] updates to resolve issue #71 - added configuration for cve urls to the ant task
Former-commit-id: d30b9b01f9af8392e1e8a2493a7c8951d088241f
---
 .../taskdefs/DependencyCheckTask.java | 104 ++++++++++++++++++
 .../src/site/markdown/configuration.md | 50 +++++----
 2 files changed, 130 insertions(+), 24 deletions(-)
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
index 28a186c5c..83d85d0fe 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
@@ -640,6 +640,98 @@ public class DependencyCheckTask extends Task { this.zipExtensions = zipExtensions; } + /** + * The url for the modified NVD CVE (1.2 schema). + */ + private String cveUrl12Modified; + + /** + * Get the value of cveUrl12Modified. + * + * @return the value of cveUrl12Modified + */ + public String getCveUrl12Modified() { + return cveUrl12Modified; + } + + /** + * Set the value of cveUrl12Modified. + * + * @param cveUrl12Modified new value of cveUrl12Modified + */ + public void setCveUrl12Modified(String cveUrl12Modified) { + this.cveUrl12Modified = cveUrl12Modified; + } + + /** + * The url for the modified NVD CVE (2.0 schema). + */ + private String cveUrl20Modified; + + /** + * Get the value of cveUrl20Modified. + * + * @return the value of cveUrl20Modified + */ + public String getCveUrl20Modified() { + return cveUrl20Modified; + } + + /** + * Set the value of cveUrl20Modified. + * + * @param cveUrl20Modified new value of cveUrl20Modified + */ + public void setCveUrl20Modified(String cveUrl20Modified) { + this.cveUrl20Modified = cveUrl20Modified; + } + + /** + * Base Data Mirror URL for CVE 1.2. + */ + private String cveUrl12Base; + + /** + * Get the value of cveUrl12Base. + * + * @return the value of cveUrl12Base + */ + public String getCveUrl12Base() { + return cveUrl12Base; + } + + /** + * Set the value of cveUrl12Base. + * + * @param cveUrl12Base new value of cveUrl12Base + */ + public void setCveUrl12Base(String cveUrl12Base) { + this.cveUrl12Base = cveUrl12Base; + } + + /** + * Data Mirror URL for CVE 2.0. + */ + private String cveUrl20Base; + + /** + * Get the value of cveUrl20Base. + * + * @return the value of cveUrl20Base + */ + public String getCveUrl20Base() { + return cveUrl20Base; + } + + /** + * Set the value of cveUrl20Base. 
+ * + * @param cveUrl20Base new value of cveUrl20Base + */ + public void setCveUrl20Base(String cveUrl20Base) { + this.cveUrl20Base = cveUrl20Base; + } + @Override public void execute() throws BuildException { final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE); @@ -780,6 +872,18 @@ public class DependencyCheckTask extends Task { if (zipExtensions != null && !zipExtensions.isEmpty()) { Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions); } + if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) { + Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified); + } + if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) { + Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified); + } + if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) { + Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base); + } + if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) { + Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base); + } } /** diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index e4dc678ad..3545b885b 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
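Review bot: The field Javadoc for `cveUrl12Base` ("Base Data Mirror URL for CVE 1.2.") and `cveUrl20Base` ("Data Mirror URL for CVE 2.0.") is worded inconsistently and leaves out the contract that the accompanying configuration.md states, namely that `%d` in these values is replaced with the year, so a reader of the task's Javadoc alone cannot tell the base URL is a format pattern rather than a fixed download location. I would word both fields the same way, e.g. `/** Base URL for each year's NVD CVE 1.2 feed; the {@code %d} placeholder is replaced with the year. */` with the matching 2.0 counterpart, and repeat that on the two setters. The two modified-feed fields could likewise say they are complete URLs rather than patterns, since the same word "url" is used for both kinds.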
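Review bot: The four new values are copied into `Settings` exactly as supplied, guarded only by a null/empty check, although they decide where the vulnerability data every finding depends on is downloaded from; a typo, a base URL missing the `%d` year placeholder, or a scheme the downloader cannot handle is not caught here and presumably only surfaces later as a failed or silently incomplete update. I would parse each value with `java.net.URL` (import needed) before storing it, require `%d` in the two base URLs, and fail the build with a `BuildException` naming the property, as in the helper below. Note also that the defaults in the accompanying configuration.md are plain `http://`, so now that the mirror is build-configurable it is worth documenting that an https mirror should be used where one is available, as the feed is otherwise fetched without transport integrity. `execute()` begins and ends outside this hunk, so the helper would be a new private method on the task.

```java
if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
    Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, validateUrl("cveUrl12Modified", cveUrl12Modified, false));
}
// … unchanged: the cveUrl20Modified, cveUrl12Base and cveUrl20Base blocks, calling the same helper (requireYear=true for the two base URLs) …

/**
 * Checks that a configured feed location parses as a URL and, for the
 * per-year base URLs, carries the %d year placeholder, before it is stored.
 */
private static String validateUrl(String property, String value, boolean requireYear) {
    try {
        new URL(value);
    } catch (MalformedURLException ex) {
        throw new BuildException("Invalid " + property + ": " + value, ex);
    }
    if (requireYear && !value.contains("%d")) {
        throw new BuildException(property + " must contain the %d year placeholder: " + value);
    }
    return value;
}
```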
@@ -20,28 +20,30 @@ the project's dependencies. ``` The following table lists the configurable properties: -Property | Description | Requirement -----------------------|-------------|--------- -ApplicationName | The name of the application to use in the generated report. | Required -ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional -ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional -FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional -AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional -DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional -LogFile | The file path to write verbose logging information. | Optional -SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional -ProxyUrl | Defines the proxy used to connect to the Internet. | Optional -ProxyPort | Defines the port for the proxy. | Optional -ProxyUsername | Defines the proxy user name. | Optional -ProxyPassword | Defines the proxy password. | Optional -ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional -nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. 
| Optional -nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional -databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional -databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional -connectionString | The connection string used to connect to the database. | Optional -databaseUser | The username used when connecting to the database. | Optional -databasePassword | The password used when connecting to the database. | Optional +Property | Description | Requirement | Default Value +----------------------|-------------|-------------|------------ +ApplicationName | The name of the application to use in the generated report. | Required | +ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | +ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | +FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | +AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional | +DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | +LogFile | The file path to write verbose logging information. 
| Optional | +SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | +ProxyUrl | Defines the proxy used to connect to the Internet. | Optional | +ProxyPort | Defines the port for the proxy. | Optional | +ProxyUsername | Defines the proxy user name. | Optional | +ProxyPassword | Defines the proxy password. | Optional | +ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | +nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional | +nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | +databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | +databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | +connectionString | The connection string used to connect to the database. | Optional | +databaseUser | The username used when connecting to the database. | Optional | dcuser +databasePassword | The password used when connecting to the database. | Optional | zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional - - +cveUrl12Modified | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml +cveUrl20Modified | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml +cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml