From 0183457b7a0d14282dd0bf1aab887e09f13140b4 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Fri, 21 Jul 2017 06:10:03 -0400
Subject: [PATCH 1/2] resolve issue #810

---
 .../analyzer/RubyBundleAuditAnalyzer.java | 1 -
 .../src/main/resources/dependencycheck.properties | 1 +
 src/site/markdown/analyzers/bundle-audit.md | 13 +++++++++++++
 src/site/markdown/analyzers/index.md | 1 +
 4 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 src/site/markdown/analyzers/bundle-audit.md

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index 0de3ae8a1..1ee0ce491 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -50,7 +50,6 @@ import org.slf4j.LoggerFactory;
 *
 * @author Dale Visser
 */
-@Experimental
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 
 /**
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index 84c0d81e3..845074965 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -97,6 +97,7 @@ analyzer.composer.lock.enabled=true
 analyzer.python.distribution.enabled=true
 analyzer.python.package.enabled=true
 analyzer.ruby.gemspec.enabled=true
+analyzer.bundle.audit.enabled=true
 analyzer.autoconf.enabled=true
 analyzer.cmake.enabled=true
 analyzer.assembly.enabled=true
diff --git a/src/site/markdown/analyzers/bundle-audit.md b/src/site/markdown/analyzers/bundle-audit.md
new file mode 100644
index 000000000..a67b8a7d5
--- /dev/null
+++ b/src/site/markdown/analyzers/bundle-audit.md
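Review bot: The class Javadoc left in context (`* @author Dale Visser */`) still says nothing about what this analyzer does, yet with `@Experimental` removed here and `analyzer.bundle.audit.enabled=true` added in the dependencycheck.properties hunk it is presumably now on by default for any scan that contains a Gemfile.lock. The site page added in this same commit describes the analyzer as executing the external `bundle-audit` tool, and the second patch notes that dependency-check does not run `bundle-audit update` itself, so findings depend on a locally maintained advisory database; neither fact is visible to someone reading the code or the properties file. Suggest a Javadoc sentence above the class such as `Runs the external bundle-audit tool against Gemfile.lock files and reports its findings; the tool's advisory database is not refreshed by dependency-check.` and a matching `#` comment above the new property line. The rest of the class is outside the hunk, so how the executable is located and validated before it is run cannot be judged from here.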
@@ -0,0 +1,13 @@
+Ruby Bundle-audit Analyzer
+=====================
+
+OWASP dependency-check includes an analyzer that will execute [bundle-audit](https://github.com/rubysec/bundler-audit#readme)
+and include the results in the dependency-check report. This is useful for multi-language
+projects and merging the results of multiple software composition analysis tools.
+
+```shell
+$ sudo gem install bundler-audit
+$ bundle-audit update
+```
+
+Files Types Scanned: Gemfile.lock
diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md
index 6d4237edb..3155fa1ec 100644
--- a/src/site/markdown/analyzers/index.md
+++ b/src/site/markdown/analyzers/index.md
@@ -12,6 +12,7 @@ to extract identification information from the files analyzed.
 | [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
 | [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
 | [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
+| [Ruby bundle-audit](./bundle-audit.html) | Ruby Gemfile.lcok files | Executes bundle-audit and incorporates the results into the dependency-check report. |
 
 Experimental Analyzers
 ----------------------

From f3580dece7e515c0e07f0b83f215db3d7975a695 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Fri, 21 Jul 2017 06:35:30 -0400
Subject: [PATCH 2/2] documentation update

---
 src/site/markdown/analyzers/bundle-audit.md | 3 +++
 src/site/markdown/analyzers/index.md | 2 +-
 src/site/markdown/analyzers/ruby-gemspec.md | 4 +++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/site/markdown/analyzers/bundle-audit.md b/src/site/markdown/analyzers/bundle-audit.md
index a67b8a7d5..ffc899537 100644
--- a/src/site/markdown/analyzers/bundle-audit.md
+++ b/src/site/markdown/analyzers/bundle-audit.md
@@ -5,6 +5,9 @@ OWASP dependency-check includes an analyzer that will execute [bundle-audit](htt
 and include the results in the dependency-check report. This is useful for multi-language
 projects and merging the results of multiple software composition analysis tools.
 
+**NOTE** - it is important to run `bundle-audit update` occasionally to keep the bundle-audit
+database current. ATM - dependency-check does **not** perform the `bundle-audit update` automatically.
+
 ```shell
 $ sudo gem install bundler-audit
 $ bundle-audit update
diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md
index 3155fa1ec..f7a04e9d9 100644
--- a/src/site/markdown/analyzers/index.md
+++ b/src/site/markdown/analyzers/index.md
@@ -12,7 +12,7 @@ to extract identification information from the files analyzed.
 | [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
 | [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
 | [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
-| [Ruby bundle-audit](./bundle-audit.html) | Ruby Gemfile.lcok files | Executes bundle-audit and incorporates the results into the dependency-check report. |
+| [Ruby bundler‑audit](./bundle-audit.html) | Ruby `Gemfile.lock` files | Executes bundle-audit and incorporates the results into the dependency-check report. |
 
 Experimental Analyzers
 ----------------------
diff --git a/src/site/markdown/analyzers/ruby-gemspec.md b/src/site/markdown/analyzers/ruby-gemspec.md
index ee3925782..cf6f8b570 100644
--- a/src/site/markdown/analyzers/ruby-gemspec.md
+++ b/src/site/markdown/analyzers/ruby-gemspec.md
@@ -14,6 +14,8 @@ evidence to identify any Common Platform Enumeration (CPE) identifiers that
 apply.
 
 *Note*: It is highly recommended that Ruby projects use
-[bundler-audit](https://github.com/rubysec/bundler-audit#readme).
+[bundler-audit](https://github.com/rubysec/bundler-audit#readme). It is possible
+to incorporate the results of bundle-audit into the dependency-check report(s) by
+using the [bundle-audit analyzer](./bundle-audit.html).
 
 Files Types Scanned: Rakefile, \*.gemspec
\ No newline at end of file