From 1b5b61b25e77cf313d9443e4b6d0a7b8c1aa8543 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 1 Mar 2014 16:08:58 -0500 Subject: [PATCH 01/21] cleaned up code duplication Former-commit-id: 27896a50114fcee9f2aaeb21915b91b4a198f328 --- .../dependencycheck/analyzer/JarAnalyzer.java | 43 +++++-------------- 1 file changed, 11 insertions(+), 32 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index fd5316a56..1e974f6a7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -604,38 +604,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer { addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence()); } } - - //license - if (pom.getLicenses() != null) { - String license = null; - for (License lic : pom.getLicenses().getLicense()) { - String tmp = null; - if (lic.getName() != null) { - tmp = interpolateString(lic.getName(), pomProperties); - } - if (lic.getUrl() != null) { - if (tmp == null) { - tmp = interpolateString(lic.getUrl(), pomProperties); - } else { - tmp += ": " + interpolateString(lic.getUrl(), pomProperties); - } - } - if (tmp == null) { - continue; - } - if (HTML_DETECTION_PATTERN.matcher(tmp).find()) { - tmp = Jsoup.parse(tmp).text(); - } - if (license == null) { - license = tmp; - } else { - license += "\n" + tmp; - } - } - if (license != null) { - dependency.setLicense(license); - } - } + extractLicense(pom, pomProperties, dependency); return foundSomething; } 
@@ -1250,7 +1219,17 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer { addDescription(dependency, description, "pom", "description"); } } + extractLicense(pom, pomProperties, dependency); + } + /** + * Extracts the license information from the pom and adds it to the dependency. + * + * @param pom the pom object + * @param pomProperties the properties, used for string interpolation + * @param dependency the dependency to add license information too + */ + private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) { //license if (pom.getLicenses() != null) { String license = null; From 3b3a940ee4a250405c4bf423dd40c99f8d17ef59 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 1 Mar 2014 16:09:14 -0500 Subject: [PATCH 02/21] minor code formating change Former-commit-id: 090e2a881a1977172bc16911c828cde86b417865 --- .../dependencycheck/taskdefs/DependencyCheckTask.java | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index 2e65813ef..e71af47ce 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java 
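Review bot: The Javadoc on the new `extractLicense` helper has a typo in its last tag: `@param dependency the dependency to add license information too` should read `@param dependency the dependency to add license information to`. Since the helper now centralises handling of the license name/url read from a jar's embedded pom — content the scanner does not control — a one-line note on the method would help the next reader, e.g. `License values come from the scanned artifact and are treated as untrusted text.` (the inline code removed in patch 01 shows Jsoup stripping HTML from them, presumably moved into this helper). The body of `extractLicense` continues past the end of this hunk, so its loop is not reviewable here.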
@@ -779,14 +779,17 @@ public class DependencyCheckTask extends Task { showSummary(engine.getDependencies()); } } catch (IOException ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, + "Unable to generate dependency-check report", ex); throw new BuildException("Unable to generate dependency-check report", ex); } catch (Exception ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, + "An exception occurred; unable to continue task", ex); throw new BuildException("An exception occurred; unable to continue task", ex); } } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { From d797abdb1f8ceb071ec70d91be016d154d5e5c8b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 12:25:50 -0500 Subject: [PATCH 03/21] removed unused argument from runScan Former-commit-id: 024f830175f347ae45146c4e536ca23d58325838 --- .../src/main/java/org/owasp/dependencycheck/App.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 19de6fecf..f5447d524 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java 
@@ -83,7 +83,7 @@ public class App { cli.printVersionInfo(); } else if (cli.isRunScan()) { updateSettings(cli); - runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getAdditionalZipExtensions()); + runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles()); } else { cli.printHelp(); } @@ -97,7 +97,7 @@ public class App { * @param applicationName the application name for the report * @param files the files/directories to scan */ - private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, String extraExtensions) { + private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) { Engine scanner = null; try { scanner = new Engine(); From 3f28b30e955e7f0b82805e1525d6f4efaa0d6649 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 12:26:17 -0500 Subject: [PATCH 04/21] checkstyle fix Former-commit-id: ec2da0e3c262923552a219c6be3deb6004b3f154 --- .../org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index 17d67ea57..79935ac73 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java 
@@ -271,7 +271,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
 Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex); throw new AnalysisException("Archive file was not found.", ex); }
- final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase();
+ final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
 try { if (ZIPPABLES.contains(archiveExt)) { extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
@@ -279,7 +279,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
 extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine); } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) { final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
- final String uncompressedExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(uncompressedName).toLowerCase();
+ final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase();
 if (engine.supportsExtension(uncompressedExt)) { decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName)); }
@@ -323,7 +323,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
 } } else { final File file = new File(destination, entry.getName());
- final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName());
+ final String ext = FileUtils.getFileExtension(file.getName());
 if (engine.supportsExtension(ext)) { BufferedOutputStream bos = null; FileOutputStream fos;
From 9d263f11e5409687eef3386c83c11933247e5d12 Mon Sep 17 00:00:00 2001 
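Review bot: In the third hunk, `new File(destination, entry.getName())` on the context line just above the changed one joins an archive-supplied entry name to the extraction directory with no check that the result stays under `destination`, so an entry such as `../../evil.jar` would be written outside it (zip-slip); the commit only shortens the `FileUtils` reference and leaves this in place. Unless a check exists outside the hunk, guard it before the `supportsExtension` test: `if (!file.getCanonicalPath().startsWith(destination.getCanonicalPath() + File.separator)) { throw new AnalysisException("Archive entry escapes the extraction directory: " + entry.getName()); }` (`getCanonicalPath()` throws `IOException`, so it has to sit inside the method's existing handling for that). The diffstat of this patch shows no import change, so the shortened `FileUtils` name relies on `org.owasp.dependencycheck.utils.FileUtils` already being imported; verify it does not collide with a commons-io `FileUtils` import in the same file. The enclosing method starts and ends outside these hunks.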
From: Jeremy Long Date: Sun, 2 Mar 2014 12:26:56 -0500 Subject: [PATCH 05/21] fixed JavaDoc @link missing close curly bracket Former-commit-id: 632dd4de562a1036883103ce89df8f98ee5d8804 --- .../data/nuget/NuspecParseException.java | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java index 027bf4d00..ee8c94871 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java @@ -23,6 +23,7 @@ package org.owasp.dependencycheck.data.nuget; * @author colezlaw */ public class NuspecParseException extends Exception { + /** * The serialVersionUID */ 
@@ -31,20 +32,19 @@ public class NuspecParseException extends Exception { /** * Constructs a new exception with null as its detail message. * - * The cause is not initialized, and may subsequently be initialized by a call - * to {@link java.lang.Throwable#initCause(java.lang.Throwable)}. + * The cause is not initialized, and may subsequently be initialized by a call to + * {@link java.lang.Throwable#initCause(java.lang.Throwable)}. */ public NuspecParseException() { super(); } /** - * Constructs a new exception with the specified detail message. The cause is - * not initialized, and may subsequently be initialized by a call to - * {@link java.lang.Throwable#initCause(java.lang.Throwable). + * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently + * be initialized by a call to {@link java.lang.Throwable#initCause(java.lang.Throwable)}. * - * @param message the detail message. The detail message is saved for later retrieval - * by the {@link java.lang.Throwable#getMessage()} method. + * @param message the detail message. The detail message is saved for later retrieval by the + * {@link java.lang.Throwable#getMessage()} method. */ public NuspecParseException(String message) { super(message); @@ -58,9 +58,8 @@ public class NuspecParseException extends Exception { * * @param message the detail message (whcih is saved for later retrieval by the * {@link java.lang.Throwable#getMessage()} method. - * @param cause the cause (which is saved for later retrieval by the - * {@link java.lang.Throwable#getCause()} method). (A null value is permitted, - * and indicates that the cause is nonexistent or unknown). + * @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method). + * (A null value is permitted, and indicates that the cause is nonexistent or unknown). */ public NuspecParseException(String message, Throwable cause) { super(message, cause); 
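Review bot: The two-argument constructor's Javadoc, left unchanged by the second hunk, still reads `@param message the detail message (whcih is saved for later retrieval by the {@link java.lang.Throwable#getMessage()} method.` — `whcih` is misspelled and the parenthesis is never closed. `@param message the detail message (which is saved for later retrieval by the {@link java.lang.Throwable#getMessage()} method).` fixes both while the file is being touched for Javadoc anyway. The rest of the hunk is wording and line-wrapping only.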
From 35223d5737af97d4a69a86327be0fb0e8236d66b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 12:27:26 -0500 Subject: [PATCH 06/21] checkstyle fix Former-commit-id: 5c79f2c38a40c6f339f8383cccdc86c2aa5e3cf4 --- .../owasp/dependencycheck/maven/DependencyCheckMojo.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index 96d046af8..3068c39aa 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java @@ -279,6 +279,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR * Executes the Dependency-Check on the dependent libraries. * * @return the Engine used to scan the dependencies. + * @throws DatabaseException thrown if there is an exception connecting to the database */ private Engine executeDependencyCheck() throws DatabaseException { @@ -812,7 +813,8 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR checkForFailure(engine.getDependencies()); } } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { 
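Review bot: The `catch (DatabaseException ex)` block in the second hunk logs at SEVERE and then falls through to `finally`, so when the vulnerability database cannot be opened the Maven build completes successfully with no scan and no report — a fail-open for a security gate that this reformatting leaves in place. The same hunk shows that `checkForFailure(engine.getDependencies())` is skipped on that path, so the configured failure policy silently never runs. Consider rethrowing, e.g. `throw new MojoExecutionException("Unable to connect to the dependency-check database; analysis has stopped", ex);`, if the enclosing method's signature permits it (the method starts outside the hunk). The Ant task's `catch (DatabaseException ex)` in patch 02 has the same shape and deserves the same treatment.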
@@ -847,7 +849,8 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR engine = executeDependencyCheck(); generateMavenSiteReport(engine, sink); } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { From b3932ae8c5385a201b0d14953579cb3002c8439b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 18:16:12 -0500 Subject: [PATCH 07/21] added configuration for whether or not the nexus analyzer should use the configured proxy Former-commit-id: e604d6862b50d4177f6846111408fce64a3c09eb --- .../taskdefs/DependencyCheckTask.java | 23 +++++++++++++++++++ .../src/site/markdown/configuration.md | 1 + .../java/org/owasp/dependencycheck/App.java | 3 ++- .../owasp/dependencycheck/cli/CliParser.java | 23 +++++++++++++++++++ .../src/site/markdown/arguments.md | 1 + .../maven/DependencyCheckMojo.java | 7 ++++++ .../src/site/markdown/configuration.md | 1 + 7 files changed, 58 insertions(+), 1 deletion(-) diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index e71af47ce..8c982fbfd 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java 
@@ -502,6 +502,28 @@ public class DependencyCheckTask extends Task { public void setNexusUrl(String nexusUrl) { this.nexusUrl = nexusUrl; } + /** + * Whether or not the defined proxy should be used when connecting to Nexus. + */ + private boolean nexusUsesProxy = true; + + /** + * Get the value of nexusUsesProxy + * + * @return the value of nexusUsesProxy + */ + public boolean isNexusUsesProxy() { + return nexusUsesProxy; + } + + /** + * Set the value of nexusUsesProxy + * + * @param nexusUsesProxy new value of nexusUsesProxy + */ + public void setNexusUsesProxy(boolean nexusUsesProxy) { + this.nexusUsesProxy = nexusUsesProxy; + } /** * The database driver name; such as org.h2.Driver. @@ -867,6 +889,7 @@ public class DependencyCheckTask extends Task { if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 3545b885b..48465e4b0 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
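Review bot: `Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy)` in the second hunk depends on a settings key and on the core Nexus analyzer honouring it, yet the diffstat for this patch touches only the Ant, CLI and Maven modules; if the key and its consumer are not already present in `dependency-check-core`, the flag is recorded but changes nothing (or does not compile). Because `false` means the Nexus lookup bypasses the configured proxy, the setter's Javadoc should say so explicitly: `Set whether the configured proxy is used for Nexus connections; when false the analyzer connects to the Nexus URL directly.` The settings-population method that the second hunk belongs to starts outside the hunk.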
@@ -37,6 +37,7 @@ ProxyPassword | Defines the proxy password. | Optional | ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional | nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | +nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | connectionString | The connection string used to connect to the database. | Optional | diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index f5447d524..9f7d04576 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -160,6 +160,7 @@ public class App { final String suppressionFile = cli.getSuppressionFile(); final boolean nexusDisabled = cli.isNexusDisabled(); final String nexusUrl = cli.getNexusUrl(); + final boolean nexusUsesProxy = cli.isNexusUsesProxy(); final String databaseDriverName = cli.getDatabaseDriverName(); final String databaseDriverPath = cli.getDatabaseDriverPath(); final String connectionString = cli.getConnectionString(); @@ -215,7 +216,7 @@ public class App { if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } - + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } 
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
index fa01d0c97..b5e06673c 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
@@ -204,6 +204,10 @@ public final class CliParser {
 .withDescription("The url to the Nexus Server.") .create();
+ final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
+ .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
+ .create();
+
 final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg() .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS) .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
@@ -227,6 +231,7 @@ public final class CliParser {
 .addOption(suppressionFile) .addOption(disableNexusAnalyzer) .addOption(nexusUrl)
+ .addOption(nexusUsesProxy)
 .addOption(additionalZipExtensions); }
@@ -342,6 +347,20 @@ public final class CliParser {
 } }
+ /**
+ * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
+ * returned.
+ *
+ * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
+ */
+ public boolean isNexusUsesProxy() {
+ if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
+ return true;
+ } else {
+ return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
+ }
+ }
+
 /** * Displays the command line help message to the standard output. */ 
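Review bot: The new `nexusUsesProxy` option in the first hunk is built with `.withLongOpt(ArgumentName.NEXUS_URL)`, so it is registered under the long name `nexus` rather than `nexusUsesProxy`; `--nexusUsesProxy` is therefore unknown to the parser, `isNexusUsesProxy()` in the third hunk never finds `ArgumentName.NEXUS_USES_PROXY` on the command line and always returns `true`, and the duplicate `nexus` registration may shadow the real `--nexus` URL option. The fix is `.withLongOpt(ArgumentName.NEXUS_USES_PROXY)`. Separately, `Boolean.parseBoolean` maps any value other than `true` (a typo such as `ture`) to `false`, which silently routes Nexus traffic around the configured proxy; rejecting values other than `true`/`false` at parse time would make that failure visible. The methods that the first two hunks belong to start and end outside the hunks.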
@@ -697,6 +716,10 @@ public final class CliParser { * The URL of the nexus server. */ public static final String NEXUS_URL = "nexus"; + /** + * Whether or not the defined proxy should be used when connecting to Nexus. + */ + public static final String NEXUS_USES_PROXY = "nexusUsesProxy"; /** * The CLI argument name for setting the connection string. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index 756999048..e16bab883 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md @@ -28,4 +28,5 @@ Short | Argument Name | Parameter | Description | Requirement | \-\-dbUser | \ | The username used to connect to the database. | Optional | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional | \-\-nexus | \ | The url to the Nexus Server. | Optional + | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index 3068c39aa..cec783ceb 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java 
@@ -198,6 +198,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"}) @Parameter(property = "nexusUrl", defaultValue = "", required = false) private String nexusUrl; + /** + * Whether or not the configured proxy is used to connect to Nexus. + */ + @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"}) + @Parameter(property = "nexusUsesProxy", defaultValue = "true", required = false) + private boolean nexusUsesProxy = true; /** * The database connection string. */ @@ -751,6 +757,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md index da8a4f3c1..af3efb2f2 100644 --- a/dependency-check-maven/src/site/markdown/configuration.md +++ b/dependency-check-maven/src/site/markdown/configuration.md @@ -17,6 +17,7 @@ proxyUsername | Defines the proxy user name. | proxyPassword | Defines the proxy password. | nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | nexusUrl | Defines the Nexus URL. | +nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true databaseDriverName | The name of the database driver. Example: org.h2.Driver. | databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | connectionString | The connection string used to connect to the database. | From d1ca951ffa78ddf9d1c681ad6b49d16295a77cf3 Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sun, 2 Mar 2014 18:26:58 -0500 Subject: [PATCH 08/21] updated to address issue #74 Former-commit-id: d562b1785a7f9b32dff7cd84351eed96c775fdcf --- src/site/markdown/suppression.md | 49 ++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/src/site/markdown/suppression.md b/src/site/markdown/suppression.md index c50e11196..5d10a6dc5 100644 --- a/src/site/markdown/suppression.md +++ b/src/site/markdown/suppression.md @@ -18,6 +18,55 @@ A sample suppression file would look like: ``` The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash. +The following shows some other ways to suppress individual findings. Note the ways to select files using either +the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that +can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common +would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the +HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold. + +```xml + + + + + c:\path\to\some.jar + cpe:/a:csv:csv:1.0 + + + + .*\btest\.jar + cpe:/a:jboss:jboss + + + + .*\btest\.jar + CVE-2013-1337 + + + + 384FAA82E193D4E4B0546059CA09572654BC3970 + CVE-2013-1337 + + + + 7 + + +``` + The full schema for suppression files can be found here: [suppression.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd "Suppression Schema") Please see the appropriate configuration option in each interfaces configuration guide: From b2a817e17bca1d184ebeb13cda4884f5d1d7d3ae Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sun, 2 Mar 2014 19:17:08 -0500 Subject: [PATCH 09/21] minor checkstyle patch Former-commit-id: d81d0e9418963d01964eb42aac21d10f1b756a3f --- .../owasp/dependencycheck/taskdefs/DependencyCheckTask.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index 8c982fbfd..4d4e1822e 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java @@ -508,7 +508,7 @@ public class DependencyCheckTask extends Task { private boolean nexusUsesProxy = true; /** - * Get the value of nexusUsesProxy + * Get the value of nexusUsesProxy. * * @return the value of nexusUsesProxy */ @@ -517,7 +517,7 @@ public class DependencyCheckTask extends Task { } /** - * Set the value of nexusUsesProxy + * Set the value of nexusUsesProxy. * * @param nexusUsesProxy new value of nexusUsesProxy */ From 2cf3bca8decc54469ab02d035512d939f3782986 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 19:23:04 -0500 Subject: [PATCH 10/21] updated documentation Former-commit-id: 026a64cd80c9870830dd11a37dcdeae0c6274659 --- .../src/site/markdown/configuration.md | 40 +++++++------- .../src/site/markdown/arguments.md | 54 +++++++++---------- 2 files changed, 47 insertions(+), 47 deletions(-) diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 48465e4b0..ef16d1f18 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -22,28 +22,28 @@ The following table lists the configurable properties: Property | Description | Requirement | Default Value ----------------------|-------------|-------------|------------ -ApplicationName | The name of the application to use in the generated report. | Required | -ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | -ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | -FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | -AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional | -DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | -LogFile | The file path to write verbose logging information. | Optional | -SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | -ProxyUrl | Defines the proxy used to connect to the Internet. | Optional | -ProxyPort | Defines the port for the proxy. | Optional | -ProxyUsername | Defines the proxy user name. | Optional | -ProxyPassword | Defines the proxy password. | Optional | -ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | -nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. 
| Optional | -nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | +ApplicationName | The name of the application to use in the generated report. | Required |   +ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML +ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional |   +FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11 +AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true +DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional |   +LogFile | The file path to write verbose logging information. | Optional |   +SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional |   +ProxyUrl | Defines the proxy used to connect to the Internet. | Optional |   +ProxyPort | Defines the port for the proxy. | Optional |   +ProxyUsername | Defines the proxy user name. | Optional |   +ProxyPassword | Defines the proxy password. | Optional |   +ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional |   +nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. 
| Optional |   +nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional |   nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true -databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | -databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | -connectionString | The connection string used to connect to the database. | Optional | +databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional |   +databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional |   +connectionString | The connection string used to connect to the database. | Optional |   databaseUser | The username used when connecting to the database. | Optional | dcuser -databasePassword | The password used when connecting to the database. | Optional | -zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional +databasePassword | The password used when connecting to the database. | Optional |   +zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional |   cveUrl12Modified | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml cveUrl20Modified | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index e16bab883..bee424390 100644 
--- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md 
@@ -3,30 +3,30 @@ Command Line Arguments The following table lists the command line arguments: -Short | Argument Name | Parameter | Description | Requirement --------|-----------------------|-------------|-------------|------------ - \-a | \-\-app | \ | The name of the application being scanned. This is a required argument. | - \-c | \-\-connectiontimeout | \ | The connection timeout (in milliseconds) to use when downloading resources. | Optional - \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. | Optional - \-f | \-\-format | \ | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | - \-h | \-\-help | | Print the help message. | Optional - \-l | \-\-log | \ | The file path to write verbose logging information. | Optional - \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional - \-o | \-\-out | \ | The folder to write reports to. This defaults to the current directory. | Optional - \-p | \-\-proxyport | \ | The proxy port to use when downloading resources. | Optional - | \-\-proxypass | \ | The proxy password to use when downloading resources. | Optional - | \-\-proxyuser | \ | The proxy username to use when downloading resources. | Optional - \-s | \-\-scan | \ | The path to scan \- this option can be specified multiple times. | - | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional - \-u | \-\-proxyurl | \ | The proxy url to use when downloading resources. | Optional - \-v | \-\-version | | Print the version information. | Optional - | \-\-advancedHelp | | Print the advanced help message. | Optional - | \-\-connectionString | \ | The connection string to the database. | Optional - | \-\-dbDriverName | \ | The database driver name. 
| Optional - | \-\-dbDriverPath | \ | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional - | \-\-dbPassword | \| The password for connecting to the database. | Optional - | \-\-dbUser | \ | The username used to connect to the database. | Optional - | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional - | \-\-nexus | \ | The url to the Nexus Server. | Optional - | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | Optional - | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file +Short | Argument Name | Parameter | Description | Requirement +-------|-----------------------|-----------------|-------------|------------ + \-a | \-\-app | \ | The name of the application being scanned. This is a required argument. | Required + \-c | \-\-connectiontimeout | \ | The connection timeout (in milliseconds) to use when downloading resources. | Optional + \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. | Optional + \-f | \-\-format | \ | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required + \-h | \-\-help | | Print the help message. | Optional + \-l | \-\-log | \ | The file path to write verbose logging information. | Optional + \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional + \-o | \-\-out | \ | The folder to write reports to. This defaults to the current directory. | Optional + \-p | \-\-proxyport | \ | The proxy port to use when downloading resources. | Optional + | \-\-proxypass | \ | The proxy password to use when downloading resources. | Optional + | \-\-proxyuser | \ | The proxy username to use when downloading resources. 
| Optional + \-s | \-\-scan | \ | The path to scan \- this option can be specified multiple times. | Required + | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional + \-u | \-\-proxyurl | \ | The proxy url to use when downloading resources. | Optional + \-v | \-\-version | | Print the version information. | Optional + | \-\-advancedHelp | | Print the advanced help message. | Optional + | \-\-connectionString | \ | The connection string to the database. | Optional + | \-\-dbDriverName | \ | The database driver name. | Optional + | \-\-dbDriverPath | \ | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional + | \-\-dbPassword | \ | The password for connecting to the database. | Optional + | \-\-dbUser | \ | The username used to connect to the database. | Optional + | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional + | \-\-nexus | \ | The url to the Nexus Server. | Optional + | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | Optional + | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file From fe0e2d5c2d22cef366fc17d033fc8409183024d9 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 05:41:55 -0500 Subject: [PATCH 11/21] corrected long option name for nexus uses proxy argument Former-commit-id: f8a8a902fb3fb9e3bdcaa875c7563078d798811f --- .../src/main/java/org/owasp/dependencycheck/cli/CliParser.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java index b5e06673c..b9fff985f 100644 
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
@@ -204,7 +204,7 @@ public final class CliParser {
 .withDescription("The url to the Nexus Server.")
 .create();
 
- final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
+ final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
 .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
 .create();
 
From c041ff66e2853cecbf7cb25b486a74601669dc1c Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 3 Mar 2014 06:36:25 -0500
Subject: [PATCH 12/21] updated imports
Former-commit-id: 44995cd7c14577d508a97e6ecb70f7edbad29a3a
---
 .../dependencycheck/analyzer/AssemblyAnalyzerTest.java | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
index eccdab7c9..1a8e915d9 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
@@ -17,15 +17,12 @@
 */
 package org.owasp.dependencycheck.analyzer;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assume.assumeFalse;
-
 import java.io.File;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-
 import org.junit.After;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import org.junit.Assume;
 import static org.junit.Assume.assumeFalse;
 import org.junit.Before;
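Review bot: The corrected line now binds `--nexusUsesProxy` to its own long option, but nothing in the parser guards against the same slip recurring: two `OptionBuilder` definitions that share one `ArgumentName` constant compile cleanly and only misbehave at runtime when the second silently collides with the first. A unit test that builds the option set and asserts each `ArgumentName` constant is registered by exactly one `Option` would catch this class of mistake; no such test is visible in this series. The `AssemblyAnalyzerTest` import hunk that follows is a reordering only.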
@@ -43,7 +40,7 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 */
 public class AssemblyAnalyzerTest {
-
+
 private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzerTest.class.getName());
 
 AssemblyAnalyzer analyzer;
From ecdc9a968db7dcc376245b189c60401ea28acf69 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 3 Mar 2014 07:01:19 -0500
Subject: [PATCH 13/21] updated logging of properties
Former-commit-id: 6472713deca91c5492cd9895af0257338ed2d847
---
 .../owasp/dependencycheck/utils/Settings.java | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 2ef8d4f88..e973efdff 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -22,8 +22,11 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.PrintWriter;
+import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
+import java.util.Enumeration;
 import java.util.Properties;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -35,6 +38,8 @@ import java.util.logging.Logger;
 */
 public final class Settings {
 
+ private static final Logger LOGGER = Logger.getLogger(Settings.class.getName());
+
 /**
 * The collection of keys used within the properties file.
 */
@@ -204,6 +209,43 @@ public final class Settings {
 }
 }
 }
+ logProperties("Properties loaded", props);
+ }
+
+ /**
+ * Logs the properties. This will not log any properties that contain 'password' in the key.
+ *
+ * @param header the header to print with the log message
+ * @param properties the properties to log
+ */
+ private static void logProperties(String header, Properties properties) {
+ if (LOGGER.isLoggable(Level.FINE)) {
+ final StringWriter sw = new StringWriter();
+ PrintWriter pw = null;
+ try {
+ pw = new PrintWriter(sw);
+ pw.format("%s:%n%n", header);
+ final Enumeration e = properties.propertyNames();
+ while (e.hasMoreElements()) {
+ final String key = (String) e.nextElement();
+ if (key.contains("password")) {
+ pw.format("%s='*****'%n", key);
+ } else {
+ final String value = properties.getProperty(key);
+ if (value != null) {
+ pw.format("%s='%s'%n", key, value);
+ }
+ }
+ }
+ pw.flush();
+ LOGGER.fine(sw.toString());
+ } finally {
+ if (pw != null) {
+ pw.close();
+ }
+ }
+
+ }
 }
 
 /**
@@ -214,6 +256,9 @@ public final class Settings {
 */
 public static void setString(String key, String value) {
 INSTANCE.props.setProperty(key, value);
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.fine(String.format("Setting: %s='%s'", key, value));
+ }
 }
 
 /**
@@ -228,6 +273,9 @@ public final class Settings {
 } else {
 INSTANCE.props.setProperty(key, Boolean.FALSE.toString());
 }
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.fine(String.format("Setting: %s='%b'", key, value));
+ }
 }
 
 /**
@@ -268,6 +316,7 @@ public final class Settings {
 */
 public static void mergeProperties(InputStream stream) throws IOException {
 INSTANCE.props.load(stream);
+ logProperties("Properties updated via merge", INSTANCE.props);
 }
 
 /**
From c47b2f5b18fca555a1039a48b2a71c7fa9873c3e Mon Sep 17 00:00:00 2001
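Review bot: The redaction in `logProperties` keys on `key.contains("password")`, which is case-sensitive and matches only that exact substring, so a key spelled with different casing (say a constructed `proxyPassword`) or one naming another kind of secret would be written to the FINE log in clear. Comparing case-insensitively, `if (key.toLowerCase(Locale.ROOT).contains("password")) {`, closes the casing gap (it needs `java.util.Locale`, whose import lies outside this hunk); whether to widen the match to other secret-bearing names depends on the project's key set, which is not visible here. Separately, `final Enumeration e = properties.propertyNames();` is a raw type; `final Enumeration<?> e` removes the unchecked warning without changing behaviour. The `PrintWriter` wraps a `StringWriter`, which holds no OS resource, so the try/finally close adds nothing a plain `StringBuilder` would not do more simply.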
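Review bot: In the `setString` hunk the new FINE log writes `value` verbatim for every key, so the masking that `logProperties` applies in the first hunk is bypassed for any password that is set individually rather than loaded from a properties file; presumably the CLI and build-tool front ends pass the database and proxy passwords through this method, which would put them in the debug log. Apply the same rule here, `LOGGER.fine(String.format("Setting: %s='%s'", key, key.contains("password") ? "*****" : value));`, or better route both call sites through one small private helper so the two rules cannot drift apart.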
From: Jeremy Long
Date: Mon, 3 Mar 2014 07:02:59 -0500
Subject: [PATCH 14/21] corrected spelling
Former-commit-id: c40c47a6b198953b9ae4b5685ee08da5fcd7c0a5
---
 .../data/update/StandardUpdate.java | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
index bca85e461..a9e34249b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
@@ -134,20 +134,20 @@ public class StandardUpdate {
 downloadExecutors.shutdownNow();
 processExecutor.shutdownNow();
- Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download", ex);
- throw new UpdateException("The download was interupted", ex);
+ Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex);
+ throw new UpdateException("The download was interrupted", ex);
 } catch (ExecutionException ex) {
 downloadExecutors.shutdownNow();
 processExecutor.shutdownNow();
- Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download execution", ex);
- throw new UpdateException("The execution of the download was interupted", ex);
+ Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex);
+ throw new UpdateException("The execution of the download was interrupted", ex);
 }
 if (task == null) {
 downloadExecutors.shutdownNow();
 processExecutor.shutdownNow();
- Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download");
- throw new UpdateException("The download was interupted; unable to complete the update");
+ Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download");
+ throw new UpdateException("The download was interrupted; unable to complete the update");
 } else {
 processFutures.add(task);
 }
@@ -161,7 +161,7 @@ public class StandardUpdate {
 }
 } catch (InterruptedException ex) {
 processExecutor.shutdownNow();
- Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during processing", ex);
+ Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex);
 throw new UpdateException(ex);
 } catch (ExecutionException ex) {
 processExecutor.shutdownNow();
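Review bot: The `catch (ExecutionException ex)` branch in the first hunk still reports "Thread was interrupted during download execution" and "The execution of the download was interrupted" after the spelling fix, but an `ExecutionException` means the download task itself threw, not that the thread was interrupted, so the message misdescribes the failure an operator will be chasing. Wording that matches the exception, `log(Level.FINE, "The download task failed", ex)` and `throw new UpdateException("The download failed", ex)`, keeps the real cause (still attached as `ex`) from being read as an interrupt; the `catch (ExecutionException ex)` that opens at the end of the second hunk likely has the same issue, but its body is outside the hunk. The enclosing method begins and ends outside both hunks.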
From 9bb630bae6ec6d83c6f318c8eb4daca5b566c2bd Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 3 Mar 2014 07:05:24 -0500
Subject: [PATCH 15/21] minor update to logging statement
Former-commit-id: bdf69f0747e0dbf4a368050df95b5650960420ad
---
 .../owasp/dependencycheck/data/update/StandardUpdate.java | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
index a9e34249b..2f090fa8c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
@@ -245,11 +245,8 @@ public class StandardUpdate {
 }
 } catch (NumberFormatException ex) {
 final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
- Logger
- .getLogger(StandardUpdate.class
- .getName()).log(Level.WARNING, msg);
- Logger.getLogger(StandardUpdate.class
- .getName()).log(Level.FINE, null, ex);
+ Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg);
+ Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex);
 }
 }
 return updates;
From c2b2b2698d696dd896069034d84086207ba8646e Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 3 Mar 2014 07:12:58 -0500
Subject: [PATCH 16/21] updated pre-flight to correctly skip the proxy if configured to do so
Former-commit-id: ee993ded2a19f2a7fbda3f93c8d53ece43c8b1d1
---
 .../owasp/dependencycheck/data/nexus/NexusSearch.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
index b5f58856f..88baf7a31 100644
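Review bot: The WARNING line tells the operator that data.properties holds an invalid schema version or timestamp but not which value was rejected; that detail lives in `ex.getMessage()` and is emitted only at FINE, so a default-level log cannot be acted on without re-running in debug. Passing `ex` on the WARNING call, `Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg, ex);`, keeps the diagnostic where it is seen and makes the second, empty-message FINE call redundant. As a point of style, `Logger.getLogger(StandardUpdate.class.getName())` is re-evaluated at every call site in this file; a `private static final Logger LOGGER`, as Settings.java receives in patch 13 of this series, would be consistent. The enclosing method continues outside the hunk.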
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.net.URLConnection;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -151,17 +152,17 @@ public class NexusSearch {
 */
 public boolean preflightRequest() {
 try {
- final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"));
+ final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"), useProxy);
 conn.addRequestProperty("Accept", "application/xml");
 conn.connect();
 if (conn.getResponseCode() != 200) {
- LOGGER.warning("Expected 200 result from Nexus, got " + conn.getResponseCode());
+ LOGGER.log(Level.WARNING, "Expected 200 result from Nexus, got {0}", conn.getResponseCode());
 return false;
 }
 final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
 final Document doc = builder.parse(conn.getInputStream());
- if (doc.getDocumentElement().getNodeName() != "status") {
- LOGGER.warning("Expected root node name of status, got " + doc.getDocumentElement().getNodeName());
+ if (!"status".equals(doc.getDocumentElement().getNodeName())) {
+ LOGGER.log(Level.WARNING, "Expected root node name of status, got {0}", doc.getDocumentElement().getNodeName());
 return false;
 }
 } catch (Throwable e) {
From 94a0c98bfe4ee603701936ebc92a9b8b0218f42b Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 3 Mar 2014 07:32:43 -0500
Subject: [PATCH 17/21] added more javadoc
Former-commit-id: 2befc7ec80f7ca2f8c7c25554b0b75e3e515eeb0
---
 .../main/java/org/owasp/dependencycheck/utils/Settings.java | 3 +++
 1 file changed, 3 insertions(+)
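Review bot: `DocumentBuilderFactory.newInstance().newDocumentBuilder()` in the preflight hunk parses the body returned by the Nexus server with a default-configured parser, which resolves DTDs and external entities, so a hostile or compromised server (or an intermediary on the path, proxied or not) can drive XML external entity resolution from this client; the commit changes the proxy handling around this call without hardening it. The factory should be configured before the builder is created, enabling `XMLConstants.FEATURE_SECURE_PROCESSING` and the `disallow-doctype-decl` feature as below; the `ParserConfigurationException` these calls declare is already covered by the existing catch, and `javax.xml.XMLConstants` needs importing outside this hunk. `catch (Throwable e)` on the last line also swallows `Error` subclasses such as `OutOfMemoryError`; `catch (IOException | ParserConfigurationException | SAXException e)` is the narrow set this block can raise. The method's tail, including whether the stream from `conn.getInputStream()` is closed, lies outside the hunk, and the same parser setup is likely repeated by the search method elsewhere in this class.
```java
// … unchanged: connect and status-code check …
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final DocumentBuilder builder = factory.newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
// … unchanged: root element name check …
```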
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index e973efdff..753c5d2ca 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -38,6 +38,9 @@ import java.util.logging.Logger;
 */
 public final class Settings {
 
+ /**
+ * The logger.
+ */
 private static final Logger LOGGER = Logger.getLogger(Settings.class.getName());
 
 /**
From 3a7fd7d27156cb6077e6e2db24dfdde1059dabb7 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 3 Mar 2014 07:37:33 -0500
Subject: [PATCH 18/21] minor update to formating
Former-commit-id: 6bd182ef660034549b2be16b4a22574171351a8b
---
 .../src/site/markdown/configuration.md | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md
index ef16d1f18..dc6b37583 100644
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -22,19 +22,19 @@ The following table lists the configurable properties: Property | Description | Requirement | Default Value ----------------------|-------------|-------------|------------ -ApplicationName | The name of the application to use in the generated report. | Required |   -ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML -ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional |   -FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11 -AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true -DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional |   -LogFile | The file path to write verbose logging information. | Optional |   -SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional |   -ProxyUrl | Defines the proxy used to connect to the Internet. | Optional |   -ProxyPort | Defines the port for the proxy. | Optional |   -ProxyUsername | Defines the proxy user name. | Optional |   -ProxyPassword | Defines the proxy password. | Optional |   -ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional |   +applicationName | The name of the application to use in the generated report. 
| Required |   +reportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML +reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional |   +failBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11 +autoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true +dataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional |   +logFile | The file path to write verbose logging information. | Optional |   +suppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional |   +proxyUrl | Defines the proxy used to connect to the Internet. | Optional |   +proxyPort | Defines the port for the proxy. | Optional |   +proxyUsername | Defines the proxy user name. | Optional |   +proxyPassword | Defines the proxy password. | Optional |   +connectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional |   nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional |   nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional |   nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true 
From 00ae54b4b247fb0ea1a43daa16acf619e7c031a1 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 08:51:17 -0500 Subject: [PATCH 19/21] version 1.1.2 Former-commit-id: 63c1f372e6d093b3d3fa08a0eab102d9422f78c4 --- dependency-check-ant/pom.xml | 2 +- dependency-check-cli/pom.xml | 2 +- dependency-check-core/pom.xml | 2 +- dependency-check-jenkins/pom.xml | 2 +- dependency-check-maven/pom.xml | 2 +- pom.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index 902c909fc..a0fe78293 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 3d4f1e0f9..109481ce1 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 dependency-check-cli diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 43a572ced..043cf842a 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 dependency-check-core diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index 426e0aaa3..e535f56ad 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -6,7 +6,7 @@ org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 org.owasp diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 3a7b11ae5..7c90bff90 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml 
@@ -23,7 +23,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 dependency-check-maven diff --git a/pom.xml b/pom.xml index 02bc9c735..0ced51246 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 pom From 4379ea63f0741fd32b4e730c771956094c550446 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 19:54:46 -0500 Subject: [PATCH 20/21] corrected intellij idea link Former-commit-id: be7f327b6641d0819a55f93c3aefe016deca557b --- src/site/site.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/site/site.xml b/src/site/site.xml index 0c29f2b5c..3b6db2c00 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -50,7 +50,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. title="built with maven" alt="built with maven" img="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png"/> - From 76e8c66b1bfdcbff1f0d543e65b5223188456c56 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 4 Mar 2014 07:33:27 -0500 Subject: [PATCH 21/21] updated version to 1.1.3-SNAPSHOT Former-commit-id: 62657e41c409c474918d0c6ac1d1f505e072a682 --- dependency-check-ant/pom.xml | 2 +- dependency-check-cli/pom.xml | 2 +- dependency-check-core/pom.xml | 2 +- dependency-check-jenkins/pom.xml | 2 +- dependency-check-maven/pom.xml | 2 +- pom.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index a0fe78293..c20c39567 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 109481ce1..89653be11 100644 --- a/dependency-check-cli/pom.xml 
+++ b/dependency-check-cli/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT dependency-check-cli diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 043cf842a..6ab67e6b7 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT dependency-check-core diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index e535f56ad..a87c5596a 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -6,7 +6,7 @@ org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT org.owasp diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 7c90bff90..038fd549d 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -23,7 +23,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT dependency-check-maven diff --git a/pom.xml b/pom.xml index 0ced51246..0e8c4458d 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT pom