mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-03-23 01:29:43 +01:00
@@ -50,7 +50,6 @@ import org.slf4j.LoggerFactory;
|
|||||||
*
|
*
|
||||||
* @author Dale Visser
|
* @author Dale Visser
|
||||||
*/
|
*/
|
||||||
@Experimental
|
|
||||||
public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
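Review bot: Removing `@Experimental` from `RubyBundleAuditAnalyzer` promotes it to a default-enabled analyzer, but the class Javadoc immediately above (the `@author Dale Visser` block) still says nothing about the analyzer's runtime prerequisite: per the new `bundle-audit.md` in this same commit it shells out to an external `bundle-audit` executable that must be installed and whose advisory database must be kept current with `bundle-audit update`. Since a stale or missing database means silently missed advisories, please add a sentence to the class Javadoc stating that prerequisite and what the analyzer does when the executable is not available, so the behaviour is documented where maintainers will look.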
@@ -97,6 +97,7 @@ analyzer.composer.lock.enabled=true
|
|||||||
analyzer.python.distribution.enabled=true
|
analyzer.python.distribution.enabled=true
|
||||||
analyzer.python.package.enabled=true
|
analyzer.python.package.enabled=true
|
||||||
analyzer.ruby.gemspec.enabled=true
|
analyzer.ruby.gemspec.enabled=true
|
||||||
|
analyzer.bundle.audit.enabled=true
|
||||||
analyzer.autoconf.enabled=true
|
analyzer.autoconf.enabled=true
|
||||||
analyzer.cmake.enabled=true
|
analyzer.cmake.enabled=true
|
||||||
analyzer.assembly.enabled=true
|
analyzer.assembly.enabled=true
|
||||||
|
|||||||
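Review bot: The new key `analyzer.bundle.audit.enabled=true` does not follow the naming pattern of the surrounding Ruby entry, `analyzer.ruby.gemspec.enabled=true`, which scopes the analyzer under its language; consider `analyzer.ruby.bundle.audit.enabled=true` (or similar) so the Ruby analyzers sort and group together in the defaults file. Also, because this flag turns the analyzer on by default and the analyzer depends on an external executable (see the added `bundle-audit.md`), it would be worth confirming in the same change that a missing `bundle-audit` binary degrades to a logged skip rather than a failed scan.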
16
src/site/markdown/analyzers/bundle-audit.md
Normal file
@@ -0,0 +1,16 @@
|
|||||||
|
Ruby Bundle-audit Analyzer
|
||||||
|
=====================
|
||||||
|
|
||||||
|
OWASP dependency-check includes an analyzer that will execute [bundle-audit](https://github.com/rubysec/bundler-audit#readme)
|
||||||
|
and include the results in the dependency-check report. This is useful for multi-language
|
||||||
|
projects and merging the results of multiple software composition analysis tools.
|
||||||
|
|
||||||
|
**NOTE** - it is important to run `bundle-audit update` occasionally to keep the bundle-audit
|
||||||
|
database current. ATM - dependency-check does **not** perform the `bundle-audit update` automatically.
|
||||||
|
|
||||||
|
```shell
|
||||||
|
$ sudo gem install bundler-audit
|
||||||
|
$ bundle-audit update
|
||||||
|
```
|
||||||
|
|
||||||
|
Files Types Scanned: Gemfile.lock
|
||||||
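Review bot: The install instructions in the new `bundle-audit.md` use `sudo gem install bundler-audit`; installing the gem system-wide as root is not required for the analyzer to find the executable, so please drop `sudo` or note that a user-level install works as well. The **NOTE** paragraph correctly warns that dependency-check does not run `bundle-audit update`, but since an out-of-date advisory database means vulnerabilities go unreported, the page should also say how a user can tell the database is stale and where dependency-check reports (or does not report) the database age. Minor wording: "ATM" is informal for project documentation and could read "Currently".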
@@ -12,6 +12,7 @@ to extract identification information from the files analyzed.
|
|||||||
| [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
|
| [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
|
||||||
| [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
|
| [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
|
||||||
| [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
|
| [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
|
||||||
|
| [Ruby bundler‑audit](./bundle-audit.html) | Ruby `Gemfile.lock` files | Executes bundle-audit and incorporates the results into the dependency-check report. |
|
||||||
|
|
||||||
Experimental Analyzers
|
Experimental Analyzers
|
||||||
----------------------
|
----------------------
|
||||||
|
|||||||
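Review bot: The added table row spells the analyzer name "bundler‑audit" with what appears to be a non-ASCII (non-breaking) hyphen, whereas the rest of the table, the link target `./bundle-audit.html` and the project name elsewhere use a plain ASCII hyphen; please replace it so in-page search and copy-paste behave consistently. The link target also departs from the `*-analyzer.html` naming used by the neighbouring `./nsp-analyzer.html` and `./nuspec-analyzer.html` rows, though `./openssl.html` shows the convention is already mixed.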
@@ -14,6 +14,8 @@ evidence to identify any Common Platform Enumeration (CPE) identifiers that
|
|||||||
apply.
|
apply.
|
||||||
|
|
||||||
*Note*: It is highly recommended that Ruby projects use
|
*Note*: It is highly recommended that Ruby projects use
|
||||||
[bundler-audit](https://github.com/rubysec/bundler-audit#readme).
|
[bundler-audit](https://github.com/rubysec/bundler-audit#readme). It is possible
|
||||||
|
to incorporate the results of bundle-audit into the dependency-check report(s) by
|
||||||
|
using the [bundle-audit analyzer](./bundle-audit.html).
|
||||||
|
|
||||||
Files Types Scanned: Rakefile, \*.gemspec
|
Files Types Scanned: Rakefile, \*.gemspec
|
||||||
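Review bot: The added sentence says it "is possible to incorporate the results of bundle-audit" via the bundle-audit analyzer, but the `analyzer.bundle.audit.enabled=true` default added in this same commit means the analyzer is on unless disabled; stating that directly (and that it requires `bundle-audit` to be installed and its database updated, as the new `bundle-audit.md` explains) would set clearer expectations for Ruby users reading this page.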