diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index 902c909fc..c20c39567 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.3-SNAPSHOT dependency-check-ant diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index 2e65813ef..4d4e1822e 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java @@ -502,6 +502,28 @@ public class DependencyCheckTask extends Task { public void setNexusUrl(String nexusUrl) { this.nexusUrl = nexusUrl; } + /** + * Whether or not the defined proxy should be used when connecting to Nexus. + */ + private boolean nexusUsesProxy = true; + + /** + * Get the value of nexusUsesProxy. + * + * @return the value of nexusUsesProxy + */ + public boolean isNexusUsesProxy() { + return nexusUsesProxy; + } + + /** + * Set the value of nexusUsesProxy. + * + * @param nexusUsesProxy new value of nexusUsesProxy + */ + public void setNexusUsesProxy(boolean nexusUsesProxy) { + this.nexusUsesProxy = nexusUsesProxy; + } /** * The database driver name; such as org.h2.Driver. 
@@ -779,14 +801,17 @@ public class DependencyCheckTask extends Task { showSummary(engine.getDependencies()); } } catch (IOException ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, + "Unable to generate dependency-check report", ex); throw new BuildException("Unable to generate dependency-check report", ex); } catch (Exception ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, + "An exception occurred; unable to continue task", ex); throw new BuildException("An exception occurred; unable to continue task", ex); } } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { @@ -864,6 +889,7 @@ public class DependencyCheckTask extends Task { if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 3545b885b..dc6b37583 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -22,27 +22,28 @@ The following table lists the configurable properties: Property | Description | Requirement | Default Value ----------------------|-------------|-------------|------------ -ApplicationName | The name of the application to use in the generated report. | Required | -ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | -ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | -FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | -AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional | -DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | -LogFile | The file path to write verbose logging information. | Optional | -SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | -ProxyUrl | Defines the proxy used to connect to the Internet. | Optional | -ProxyPort | Defines the port for the proxy. | Optional | -ProxyUsername | Defines the proxy user name. | Optional | -ProxyPassword | Defines the proxy password. | Optional | -ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | -nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. 
| Optional | -nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | -databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | -databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | -connectionString | The connection string used to connect to the database. | Optional | +applicationName | The name of the application to use in the generated report. | Required |   +reportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML +reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional |   +failBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11 +autoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true +dataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional |   +logFile | The file path to write verbose logging information. | Optional |   +suppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional |   +proxyUrl | Defines the proxy used to connect to the Internet. | Optional |   +proxyPort | Defines the port for the proxy. | Optional |   +proxyUsername | Defines the proxy user name. 
| Optional |   +proxyPassword | Defines the proxy password. | Optional |   +connectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional |   +nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional |   +nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional |   +nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true +databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional |   +databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional |   +connectionString | The connection string used to connect to the database. | Optional |   databaseUser | The username used when connecting to the database. | Optional | dcuser -databasePassword | The password used when connecting to the database. | Optional | -zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional +databasePassword | The password used when connecting to the database. | Optional |   +zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional |   cveUrl12Modified | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml cveUrl20Modified | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 3d4f1e0f9..89653be11 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml 
@@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.3-SNAPSHOT dependency-check-cli diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 19de6fecf..9f7d04576 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -83,7 +83,7 @@ public class App { cli.printVersionInfo(); } else if (cli.isRunScan()) { updateSettings(cli); - runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getAdditionalZipExtensions()); + runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles()); } else { cli.printHelp(); } @@ -97,7 +97,7 @@ public class App { * @param applicationName the application name for the report * @param files the files/directories to scan */ - private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, String extraExtensions) { + private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) { Engine scanner = null; try { scanner = new Engine(); @@ -160,6 +160,7 @@ public class App { final String suppressionFile = cli.getSuppressionFile(); final boolean nexusDisabled = cli.isNexusDisabled(); final String nexusUrl = cli.getNexusUrl(); + final boolean nexusUsesProxy = cli.isNexusUsesProxy(); final String databaseDriverName = cli.getDatabaseDriverName(); final String databaseDriverPath = cli.getDatabaseDriverPath(); final String connectionString = cli.getConnectionString(); 
@@ -215,7 +216,7 @@ public class App { if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } - + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java index fa01d0c97..b9fff985f 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java @@ -204,6 +204,10 @@ public final class CliParser { .withDescription("The url to the Nexus Server.") .create(); + final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY) + .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.") + .create(); + final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg() .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS) .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files " @@ -227,6 +231,7 @@ public final class CliParser { .addOption(suppressionFile) .addOption(disableNexusAnalyzer) .addOption(nexusUrl) + .addOption(nexusUsesProxy) .addOption(additionalZipExtensions); } 
@@ -342,6 +347,20 @@ public final class CliParser { } } + /** + * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is + * returned. + * + * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false + */ + public boolean isNexusUsesProxy() { + if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) { + return true; + } else { + return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY)); + } + } + /** * Displays the command line help message to the standard output. */ @@ -697,6 +716,10 @@ public final class CliParser { * The URL of the nexus server. */ public static final String NEXUS_URL = "nexus"; + /** + * Whether or not the defined proxy should be used when connecting to Nexus. + */ + public static final String NEXUS_USES_PROXY = "nexusUsesProxy"; /** * The CLI argument name for setting the connection string. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index 756999048..bee424390 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md 
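Review bot: In the new `isNexusUsesProxy()` any value other than a case-insensitive "true" is silently treated as false, so a mistyped `--nexusUsesProxy yes` makes the Nexus connection bypass the configured proxy without any warning; the other settings paths (Ant task, Maven mojo) receive a real boolean and do not have this problem. The option is declared with `withArgName("true/false")`, so accepting only those two literals and rejecting anything else keeps the documented contract and surfaces the misconfiguration at parse time. The same `Boolean.parseBoolean` leniency applies only to this hunk; the constant hunk at -697 is fine.
```java
public boolean isNexusUsesProxy() {
    if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
        return true;
    }
    final String value = line.getOptionValue(ArgumentName.NEXUS_USES_PROXY);
    if ("true".equalsIgnoreCase(value)) {
        return true;
    }
    if ("false".equalsIgnoreCase(value)) {
        return false;
    }
    // reject silently-wrong values instead of defaulting to a direct (non-proxied) connection
    throw new IllegalArgumentException("Invalid value for --" + ArgumentName.NEXUS_USES_PROXY
            + ": expected true or false but got '" + value + "'");
}
```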
@@ -3,29 +3,30 @@ Command Line Arguments The following table lists the command line arguments: -Short | Argument Name | Parameter | Description | Requirement --------|-----------------------|-------------|-------------|------------ - \-a | \-\-app | \ | The name of the application being scanned. This is a required argument. | - \-c | \-\-connectiontimeout | \ | The connection timeout (in milliseconds) to use when downloading resources. | Optional - \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. | Optional - \-f | \-\-format | \ | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | - \-h | \-\-help | | Print the help message. | Optional - \-l | \-\-log | \ | The file path to write verbose logging information. | Optional - \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional - \-o | \-\-out | \ | The folder to write reports to. This defaults to the current directory. | Optional - \-p | \-\-proxyport | \ | The proxy port to use when downloading resources. | Optional - | \-\-proxypass | \ | The proxy password to use when downloading resources. | Optional - | \-\-proxyuser | \ | The proxy username to use when downloading resources. | Optional - \-s | \-\-scan | \ | The path to scan \- this option can be specified multiple times. | - | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional - \-u | \-\-proxyurl | \ | The proxy url to use when downloading resources. | Optional - \-v | \-\-version | | Print the version information. | Optional - | \-\-advancedHelp | | Print the advanced help message. | Optional - | \-\-connectionString | \ | The connection string to the database. | Optional - | \-\-dbDriverName | \ | The database driver name. 
| Optional - | \-\-dbDriverPath | \ | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional - | \-\-dbPassword | \| The password for connecting to the database. | Optional - | \-\-dbUser | \ | The username used to connect to the database. | Optional - | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional - | \-\-nexus | \ | The url to the Nexus Server. | Optional - | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file +Short | Argument Name | Parameter | Description | Requirement +-------|-----------------------|-----------------|-------------|------------ + \-a | \-\-app | \ | The name of the application being scanned. This is a required argument. | Required + \-c | \-\-connectiontimeout | \ | The connection timeout (in milliseconds) to use when downloading resources. | Optional + \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. | Optional + \-f | \-\-format | \ | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required + \-h | \-\-help | | Print the help message. | Optional + \-l | \-\-log | \ | The file path to write verbose logging information. | Optional + \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional + \-o | \-\-out | \ | The folder to write reports to. This defaults to the current directory. | Optional + \-p | \-\-proxyport | \ | The proxy port to use when downloading resources. | Optional + | \-\-proxypass | \ | The proxy password to use when downloading resources. | Optional + | \-\-proxyuser | \ | The proxy username to use when downloading resources. | Optional + \-s | \-\-scan | \ | The path to scan \- this option can be specified multiple times. 
| Required + | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional + \-u | \-\-proxyurl | \ | The proxy url to use when downloading resources. | Optional + \-v | \-\-version | | Print the version information. | Optional + | \-\-advancedHelp | | Print the advanced help message. | Optional + | \-\-connectionString | \ | The connection string to the database. | Optional + | \-\-dbDriverName | \ | The database driver name. | Optional + | \-\-dbDriverPath | \ | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional + | \-\-dbPassword | \ | The password for connecting to the database. | Optional + | \-\-dbUser | \ | The username used to connect to the database. | Optional + | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional + | \-\-nexus | \ | The url to the Nexus Server. | Optional + | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | Optional + | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 43a572ced..6ab67e6b7 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.3-SNAPSHOT dependency-check-core diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index 17d67ea57..79935ac73 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java @@ -271,7 +271,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex); throw new AnalysisException("Archive file was not found.", ex); } - final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase(); + final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase(); try { if (ZIPPABLES.contains(archiveExt)) { extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine); @@ -279,7 +279,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine); } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) { final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName()); - final String uncompressedExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(uncompressedName).toLowerCase(); + final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase(); if (engine.supportsExtension(uncompressedExt)) { decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName)); } @@ -323,7 +323,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { } } else { final File file = new File(destination, entry.getName()); - final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName()); + final String ext = FileUtils.getFileExtension(file.getName()); if (engine.supportsExtension(ext)) { BufferedOutputStream bos = null; FileOutputStream fos; 
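Review bot: `FileUtils.getFileExtension(archive.getName()).toLowerCase()` in the first hunk (and `uncompressedExt` in the second) lower-cases with the platform default locale, yet the result is compared against fixed ASCII literals such as `ZIPPABLES.contains(archiveExt)` and `"gz".equals(archiveExt)`; under a locale with non-ASCII case mapping an upper-case extension would fail to match and the archive would be skipped. Use `.toLowerCase(Locale.ROOT)` in both places (needs `java.util.Locale` imported). The switch from the fully qualified name to the simple name `FileUtils` also depends on an import that is not part of this hunk, and on no other `FileUtils` (for example a Commons IO one) being imported in the same file; I cannot confirm either from here.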
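Review bot: In the third hunk `new File(destination, entry.getName())` builds the extraction target straight from the archive entry name, and the following `engine.supportsExtension(ext)` check only looks at the extension, so an entry whose name contains `..` segments would be written outside `destination` unless the enclosing loop (which starts outside the hunk) validates it first. Add a containment check before any file is created, e.g. `if (!file.getCanonicalPath().startsWith(destination.getCanonicalPath() + File.separator)) { /* log and skip the entry */ continue; }`, or the `toPath().normalize()` equivalent if the method cannot propagate the `IOException`. If such a check already exists earlier in `extractArchive`, a short comment on this line pointing to it would save the next reader the same question.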
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index fd5316a56..1e974f6a7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -604,38 +604,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer { addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence()); } } - - //license - if (pom.getLicenses() != null) { - String license = null; - for (License lic : pom.getLicenses().getLicense()) { - String tmp = null; - if (lic.getName() != null) { - tmp = interpolateString(lic.getName(), pomProperties); - } - if (lic.getUrl() != null) { - if (tmp == null) { - tmp = interpolateString(lic.getUrl(), pomProperties); - } else { - tmp += ": " + interpolateString(lic.getUrl(), pomProperties); - } - } - if (tmp == null) { - continue; - } - if (HTML_DETECTION_PATTERN.matcher(tmp).find()) { - tmp = Jsoup.parse(tmp).text(); - } - if (license == null) { - license = tmp; - } else { - license += "\n" + tmp; - } - } - if (license != null) { - dependency.setLicense(license); - } - } + extractLicense(pom, pomProperties, dependency); return foundSomething; } 
@@ -1250,7 +1219,17 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer { addDescription(dependency, description, "pom", "description"); } } + extractLicense(pom, pomProperties, dependency); + } + /** + * Extracts the license information from the pom and adds it to the dependency. + * + * @param pom the pom object + * @param pomProperties the properties, used for string interpolation + * @param dependency the dependency to add license information too + */ + private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) { //license if (pom.getLicenses() != null) { String license = null; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java index b5f58856f..88baf7a31 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java @@ -22,6 +22,7 @@ import java.io.IOException; import java.net.HttpURLConnection; import java.net.URL; import java.net.URLConnection; +import java.util.logging.Level; import java.util.logging.Logger; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; 
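Review bot: The Javadoc of the new `extractLicense` helper has a typo in its last tag: `@param dependency the dependency to add license information too` should read `@param dependency the dependency to add license information to`. With the logic now living in a method named `extractLicense`, the leading `//license` comment carried over from the inlined code no longer adds anything and can be dropped. The helper's body continues past the end of this hunk, so I have only checked the signature and documentation.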
@@ -151,17 +152,17 @@ public class NexusSearch { */ public boolean preflightRequest() { try { - final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status")); + final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"), useProxy); conn.addRequestProperty("Accept", "application/xml"); conn.connect(); if (conn.getResponseCode() != 200) { - LOGGER.warning("Expected 200 result from Nexus, got " + conn.getResponseCode()); + LOGGER.log(Level.WARNING, "Expected 200 result from Nexus, got {0}", conn.getResponseCode()); return false; } final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); final Document doc = builder.parse(conn.getInputStream()); - if (doc.getDocumentElement().getNodeName() != "status") { - LOGGER.warning("Expected root node name of status, got " + doc.getDocumentElement().getNodeName()); + if (!"status".equals(doc.getDocumentElement().getNodeName())) { + LOGGER.log(Level.WARNING, "Expected root node name of status, got {0}", doc.getDocumentElement().getNodeName()); return false; } } catch (Throwable e) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java index 027bf4d00..ee8c94871 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java @@ -23,6 +23,7 @@ package org.owasp.dependencycheck.data.nuget; * @author colezlaw */ public class NuspecParseException extends Exception { + /** * The serialVersionUID */ 
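Review bot: `preflightRequest()` still parses the Nexus response with a default `DocumentBuilderFactory.newInstance().newDocumentBuilder()`, so a response (or an intercepting proxy, which this change explicitly routes traffic through) carrying a DOCTYPE with external entities would be processed by the parser. Harden the factory before building: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` (import `javax.xml.XMLConstants`); the surrounding `catch (Throwable e)` already covers the checked exception these can throw. The new `useProxy` argument refers to a field whose declaration and initialization are not in this hunk, so I cannot confirm it is wired to `Settings.KEYS.ANALYZER_NEXUS_PROXY` as the callers in the Ant, CLI and Maven hunks assume.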
@@ -31,20 +32,19 @@ public class NuspecParseException extends Exception { /** * Constructs a new exception with null as its detail message. * - * The cause is not initialized, and may subsequently be initialized by a call - * to {@link java.lang.Throwable#initCause(java.lang.Throwable)}. + * The cause is not initialized, and may subsequently be initialized by a call to + * {@link java.lang.Throwable#initCause(java.lang.Throwable)}. */ public NuspecParseException() { super(); } /** - * Constructs a new exception with the specified detail message. The cause is - * not initialized, and may subsequently be initialized by a call to - * {@link java.lang.Throwable#initCause(java.lang.Throwable). + * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently + * be initialized by a call to {@link java.lang.Throwable#initCause(java.lang.Throwable)}. * - * @param message the detail message. The detail message is saved for later retrieval - * by the {@link java.lang.Throwable#getMessage()} method. + * @param message the detail message. The detail message is saved for later retrieval by the + * {@link java.lang.Throwable#getMessage()} method. */ public NuspecParseException(String message) { super(message); @@ -58,9 +58,8 @@ public class NuspecParseException extends Exception { * * @param message the detail message (whcih is saved for later retrieval by the * {@link java.lang.Throwable#getMessage()} method. - * @param cause the cause (which is saved for later retrieval by the - * {@link java.lang.Throwable#getCause()} method). (A null value is permitted, - * and indicates that the cause is nonexistent or unknown). + * @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method). + * (A null value is permitted, and indicates that the cause is nonexistent or unknown). */ public NuspecParseException(String message, Throwable cause) { super(message, cause); 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java index bca85e461..2f090fa8c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java @@ -134,20 +134,20 @@ public class StandardUpdate { downloadExecutors.shutdownNow(); processExecutor.shutdownNow(); - Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download", ex); - throw new UpdateException("The download was interupted", ex); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex); + throw new UpdateException("The download was interrupted", ex); } catch (ExecutionException ex) { downloadExecutors.shutdownNow(); processExecutor.shutdownNow(); - Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download execution", ex); - throw new UpdateException("The execution of the download was interupted", ex); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex); + throw new UpdateException("The execution of the download was interrupted", ex); } if (task == null) { downloadExecutors.shutdownNow(); processExecutor.shutdownNow(); - Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download"); - throw new UpdateException("The download was interupted; unable to complete the update"); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download"); + throw new UpdateException("The download was interrupted; unable to complete the update"); } else { processFutures.add(task); } 
@@ -161,7 +161,7 @@ public class StandardUpdate { } } catch (InterruptedException ex) { processExecutor.shutdownNow(); - Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during processing", ex); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex); throw new UpdateException(ex); } catch (ExecutionException ex) { processExecutor.shutdownNow(); @@ -245,11 +245,8 @@ public class StandardUpdate { } } catch (NumberFormatException ex) { final String msg = "An invalid schema version or timestamp exists in the data.properties file."; - Logger - .getLogger(StandardUpdate.class - .getName()).log(Level.WARNING, msg); - Logger.getLogger(StandardUpdate.class - .getName()).log(Level.FINE, null, ex); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex); } } return updates; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 2ef8d4f88..753c5d2ca 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -22,8 +22,11 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; +import java.io.PrintWriter; +import java.io.StringWriter; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; +import java.util.Enumeration; import java.util.Properties; import java.util.logging.Level; import java.util.logging.Logger; 
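Review bot: The `catch (InterruptedException ex)` block in this hunk shuts down the executor and rethrows as `UpdateException` but never restores the thread's interrupt status, so a caller that relies on `Thread.isInterrupted()` will not see the interruption. Add `Thread.currentThread().interrupt();` before the `throw new UpdateException(ex);`. The earlier hunk at -134 in the same method appears to handle another `InterruptedException` the same way (its catch line is outside that hunk), and would need the same one-line addition.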
@@ -35,6 +38,11 @@ import java.util.logging.Logger; */ public final class Settings { + /** + * The logger. + */ + private static final Logger LOGGER = Logger.getLogger(Settings.class.getName()); + /** * The collection of keys used within the properties file. */ @@ -204,6 +212,43 @@ public final class Settings { } } } + logProperties("Properties loaded", props); + } + + /** + * Logs the properties. This will not log any properties that contain 'password' in the key. + * + * @param header the header to print with the log message + * @param properties the properties to log + */ + private static void logProperties(String header, Properties properties) { + if (LOGGER.isLoggable(Level.FINE)) { + final StringWriter sw = new StringWriter(); + PrintWriter pw = null; + try { + pw = new PrintWriter(sw); + pw.format("%s:%n%n", header); + final Enumeration e = properties.propertyNames(); + while (e.hasMoreElements()) { + final String key = (String) e.nextElement(); + if (key.contains("password")) { + pw.format("%s='*****'%n", key); + } else { + final String value = properties.getProperty(key); + if (value != null) { + pw.format("%s='%s'%n", key, value); + } + } + } + pw.flush(); + LOGGER.fine(sw.toString()); + } finally { + if (pw != null) { + pw.close(); + } + } + + } } /** @@ -214,6 +259,9 @@ public final class Settings { */ public static void setString(String key, String value) { INSTANCE.props.setProperty(key, value); + if (LOGGER.isLoggable(Level.FINE)) { + LOGGER.fine(String.format("Setting: %s='%s'", key, value)); + } } /** @@ -228,6 +276,9 @@ public final class Settings { } else { INSTANCE.props.setProperty(key, Boolean.FALSE.toString()); } + if (LOGGER.isLoggable(Level.FINE)) { + LOGGER.fine(String.format("Setting: %s='%b'", key, value)); + } } /** 
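Review bot: The masking added in `logProperties` (hunk at -204) is undone by the new FINE log in `setString` (hunk at -214), which writes `Setting: key='value'` for every key including the password keys, so proxy and database passwords still end up in the log whenever FINE is enabled. Apply the same rule there, e.g. `LOGGER.fine(String.format("Setting: %s='%s'", key, key.contains("password") ? "*****" : value));`, ideally via a small shared helper so the two places cannot drift. The check itself is case-sensitive and only matches keys containing the literal `password`; keys that hold a connection string may embed credentials as well and are presumably not covered, which is worth a comment on the method if intentional. `final Enumeration e = properties.propertyNames()` is a raw type with a cast on each element; `properties.stringPropertyNames()` gives a typed `Set<String>` and removes the cast.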
@@ -268,6 +319,7 @@ public final class Settings { */ public static void mergeProperties(InputStream stream) throws IOException { INSTANCE.props.load(stream); + logProperties("Properties updated via merge", INSTANCE.props); } /** diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java index eccdab7c9..1a8e915d9 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java @@ -17,15 +17,12 @@ */ package org.owasp.dependencycheck.analyzer; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assume.assumeFalse; - import java.io.File; import java.util.logging.Level; import java.util.logging.Logger; - import org.junit.After; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; import org.junit.Assume; import static org.junit.Assume.assumeFalse; import org.junit.Before; @@ -43,7 +40,7 @@ import org.owasp.dependencycheck.utils.Settings; * */ public class AssemblyAnalyzerTest { - + private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzerTest.class.getName()); AssemblyAnalyzer analyzer; diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index 426e0aaa3..a87c5596a 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -6,7 +6,7 @@ org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.3-SNAPSHOT org.owasp diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 3a7b11ae5..038fd549d 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml 
@@ -23,7 +23,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.3-SNAPSHOT dependency-check-maven diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index 96d046af8..cec783ceb 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java @@ -198,6 +198,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"}) @Parameter(property = "nexusUrl", defaultValue = "", required = false) private String nexusUrl; + /** + * Whether or not the configured proxy is used to connect to Nexus. + */ + @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"}) + @Parameter(property = "nexusUsesProxy", defaultValue = "true", required = false) + private boolean nexusUsesProxy = true; /** * The database connection string. */ @@ -279,6 +285,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR * Executes the Dependency-Check on the dependent libraries. * * @return the Engine used to scan the dependencies. + * @throws DatabaseException thrown if there is an exception connecting to the database */ private Engine executeDependencyCheck() throws DatabaseException { @@ -750,6 +757,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } 
@@ -812,7 +820,8 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR checkForFailure(engine.getDependencies()); } } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { @@ -847,7 +856,8 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR engine = executeDependencyCheck(); generateMavenSiteReport(engine, sink); } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md index da8a4f3c1..af3efb2f2 100644 --- a/dependency-check-maven/src/site/markdown/configuration.md +++ b/dependency-check-maven/src/site/markdown/configuration.md 
@@ -17,6 +17,7 @@ proxyUsername | Defines the proxy user name. | proxyPassword | Defines the proxy password. | nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | nexusUrl | Defines the Nexus URL. | +nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true databaseDriverName | The name of the database driver. Example: org.h2.Driver. | databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | connectionString | The connection string used to connect to the database. | diff --git a/pom.xml b/pom.xml index 02bc9c735..0e8c4458d 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.3-SNAPSHOT pom diff --git a/src/site/markdown/suppression.md b/src/site/markdown/suppression.md index c50e11196..5d10a6dc5 100644 --- a/src/site/markdown/suppression.md +++ b/src/site/markdown/suppression.md 
@@ -18,6 +18,55 @@ A sample suppression file would look like: ``` The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash. +The following shows some other ways to suppress individual findings. Note the ways to select files using either +the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that +can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common +would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the +HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold. + +```xml + + + + + c:\path\to\some.jar + cpe:/a:csv:csv:1.0 + + + + .*\btest\.jar + cpe:/a:jboss:jboss + + + + .*\btest\.jar + CVE-2013-1337 + + + + 384FAA82E193D4E4B0546059CA09572654BC3970 + CVE-2013-1337 + + + + 7 + + +``` + The full schema for suppression files can be found here: [suppression.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd "Suppression Schema") Please see the appropriate configuration option in each interfaces configuration guide: diff --git a/src/site/site.xml b/src/site/site.xml index 0c29f2b5c..3b6db2c00 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -50,7 +50,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. title="built with maven" alt="built with maven" img="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png"/> -