merge from upstream

dependency-check-ant/README.md

@@ -1,134 +1,25 @@
-Dependency-Check-Gradle
+Dependency-Check Ant Task
 =========
 
-**Working in progress**
+Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html).
 
-Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
+Mailing List
+------------
 
-=========
+Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
 
-## What's New
-Current latest version is `0.0.8`
+Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
 
-## Usage
+Copyright & License
+-------------------
 
-### Step 1, Apply dependency check gradle plugin
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 
-Install from Maven central repo
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 
-```groovy
-buildscript {
-    repositories {
-        mavenCentral()
-    }
-    dependencies {
-        classpath 'org.owasp:dependency-check-gradle:1.3.2'
-    }
-}
-
-apply plugin: 'dependency-check-gradle'
-```
-
-### Step 2, Run gradle task
-
-Once gradle plugin applied, run following gradle task to check dependencies:
-
-```
-gradle dependencyCheck --info
-```
-
-The reports will be generated automatically under `./reports` folder.
-
-If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
-
-## FAQ
-
-> **Questions List:**
-> - What if I'm behind a proxy?
-> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
-> - How to customize the report directory?
-
-### What if I'm behind a proxy?
-
-Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
-
-```groovy
-dependencyCheck {
-    proxy {
-        server = "127.0.0.1"      // required, the server name or IP address of the proxy
-        port = 3128               // required, the port number of the proxy
-
-        // optional, the proxy server might require username
-        // username = "username"
-
-        // optional, the proxy server might require password
-        // password = "password"
-    }
-}
-```
-
-In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
- the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
- and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
-
-```groovy
-dependencyCheck {
-    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
-}
-```
-
-### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
-
-Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
-
-(1) For all projects including root project:
-
-```groovy
-buildscript {
-  repositories {
-    mavenCentral()
-  }
-  dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
-  }
-}
-
-allprojects {
-    apply plugin: "dependency-check"
-}
-```
-
-(2) For all sub-projects:
-
-```groovy
-buildscript {
-  repositories {
-    mavenCentral()
-  }
-  dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
-  }
-}
-
-subprojects {
-    apply plugin: "dependency-check"
-}
-```
-
-In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
-
-### How to customize the report directory?
-
-By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
-
-```groovy
-subprojects {
-    apply plugin: "dependency-check"
-
-    dependencyCheck {
-        outputDirectory = "./customized-path/security-report"
-    }
-}
-```
+Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.

dependency-check-cli/README.md

@@ -5,7 +5,7 @@ performed are a "best effort" and as such, there could be false positives as wel
 vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
 Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html).
 
 Mailing List
 ------------

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -18,7 +18,9 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
+
 import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.filefilter.NameFileFilter;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -65,6 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
     //</editor-fold>
 
+    // Python init files
+    private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] {
+        "__init__.py",
+        "__init__.pyc",
+        "__init__.pyo"
+    });
+
     /**
      * Collects information about the file name.
      *
@@ -97,16 +106,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
         }
 
         //add as vendor and product evidence
-//        if (fileName.contains("-")) {
-//            dependency.getProductEvidence().addEvidence("file", "name",
-//                    fileName, Confidence.HIGHEST);
-//            dependency.getVendorEvidence().addEvidence("file", "name",
-//                    fileName, Confidence.HIGHEST);
-//        } else {
+        if (fileName.contains("-")) {
+            dependency.getProductEvidence().addEvidence("file", "name",
+                    fileName, Confidence.HIGHEST);
+            dependency.getVendorEvidence().addEvidence("file", "name",
+                    fileName, Confidence.HIGHEST);
+        } else if (!IGNORED_FILES.accept(f)) {
             dependency.getProductEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGH);
-//        }
+        }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -185,7 +185,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
         if (found) {
             dependency.setDisplayFileName(parentName + "/__init__.py");
             dependency.getProductEvidence().addEvidence(file.getName(),
-                    "PackageName", parentName, Confidence.MEDIUM);
+                    "PackageName", parentName, Confidence.HIGH);
         } else {
             // copy, alter and set in case some other thread is iterating over
             final List<Dependency> dependencies = new ArrayList<Dependency>(

dependency-check-core/src/main/resources/data/initialize_mysql.sql

@@ -25,7 +25,8 @@ CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, cpe VARCHAR(250), vend
 
 CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
     , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
-    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id)
+    , PRIMARY KEY (cveid, cpeEntryId));
 
 CREATE INDEX idxVulnerability ON vulnerability(cve);
 CREATE INDEX idxReference ON reference(cveid);
@@ -53,4 +54,4 @@ DELIMITER ;
 
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/schema/suppression.xsd

@@ -21,7 +21,7 @@
     </xs:simpleType>
     <xs:simpleType name="cveType">
         <xs:restriction base="xs:string">
-            <xs:pattern value="(\w+\-)?CVE\-\d\d\d\d\-\d+"/>
+            <xs:pattern value="((\w+\-)?CVE\-\d\d\d\d\-\d+|\d+)"/>
         </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="sha1Type">
@@ -56,4 +56,4 @@
             </xs:sequence>
         </xs:complexType>
     </xs:element>
-</xs:schema>
+</xs:schema>

dependency-check-maven/src/site/markdown/index.md.vm

@@ -156,8 +156,8 @@ Create the DependencyCheck-report.html and use internal mirroring of CVE content
                 <artifactId>dependency-check-maven</artifactId>
                 <version>${project.version}</version>
                 <configuration>
-                    <cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-modified.xml</cveUrl12Modified>
-                    <cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-modified.xml</cveUrl20Modified>
+                    <cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-Modified.xml.gz</cveUrl12Modified>
+                    <cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-Modified.xml.gz</cveUrl20Modified>
                     <cveUrl12Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-%d.xml</cveUrl12Base>
                     <cveUrl20Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-%d.xml</cveUrl20Base>
                 </configuration>

pom.xml

@@ -125,7 +125,7 @@ Copyright (c) 2012 - Jeremy Long
         <!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
         thus, we cannot upgrade beyond 4.7.2 -->
         <apache.lucene.version>4.7.2</apache.lucene.version>
-        <slf4j.version>1.7.18</slf4j.version>
+        <slf4j.version>1.7.19</slf4j.version>
         <logback.version>1.1.6</logback.version>
         <reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
         <reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>