From d77a70c3609e2bd6ccda7d2562dc01fa2a892a49 Mon Sep 17 00:00:00 2001 From: Will Stranathan Date: Sat, 12 Mar 2016 15:04:52 -0500 Subject: [PATCH 1/7] Patch for jeremylong/DependencyCheck/#466 This does two things: 1) Updates the PythonPackageAnalyzer to HIGH evidence for __init__.py 2) Removes evidence from the FileNameAnalyzer for __init__.py[co]? TODO: Need for the PythonPackageAnalyzer to still add evidence for __init__.py[co] even though it won't be able to analyze the contents of it. Also, need to work up the tree for __init__.py files to get the parent folders (not sure why subfolders are not being inspected). --- .../dependencycheck/analyzer/FileNameAnalyzer.java | 11 ++++++++++- .../analyzer/PythonPackageAnalyzer.java | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java index d21f7b503..b7d23a3e3 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java @@ -18,7 +18,9 @@ package org.owasp.dependencycheck.analyzer; import java.io.File; + import org.apache.commons.io.FilenameUtils; +import org.apache.commons.io.filefilter.NameFileFilter; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; @@ -65,6 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer { } // + // Python init files + private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] { + "__init__.py", + "__init__.pyc", + "__init__.pyo" + }); + /** * Collects information about the file name. * 
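Review bot: The new `IGNORED_FILES` constant carries no documentation, and sitting right after a closing brace and a stray `//` its intent is hard to recover; a Javadoc such as `/** Python package marker files whose name is never product/vendor evidence (#466); PythonPackageAnalyzer supplies evidence for these instead. */` would tie it to the issue it fixes. Note also that `NameFileFilter` built from a `String[]` compares names case-sensitively by default, so a differently cased `__INIT__.PY` on a case-insensitive filesystem would still receive file-name evidence; passing `IOCase.INSENSITIVE` as the second constructor argument makes the filter behave like the OS does. If exact-case matching is deliberate, the comment should say so.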
@@ -102,7 +111,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer { fileName, Confidence.HIGHEST); dependency.getVendorEvidence().addEvidence("file", "name", fileName, Confidence.HIGHEST); - } else { + } else if (!IGNORED_FILES.accept(f)) { dependency.getProductEvidence().addEvidence("file", "name", fileName, Confidence.HIGH); dependency.getVendorEvidence().addEvidence("file", "name", diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 2572e8ffd..7444bcc69 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -185,7 +185,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { if (found) { dependency.setDisplayFileName(parentName + "/__init__.py"); dependency.getProductEvidence().addEvidence(file.getName(), - "PackageName", parentName, Confidence.MEDIUM); + "PackageName", parentName, Confidence.HIGH); } else { // copy, alter and set in case some other thread is iterating over final List dependencies = new ArrayList( From db26b46be0d95ef461420c63cd1cc8875028ad34 Mon Sep 17 00:00:00 2001 From: Jonas Berg Date: Wed, 16 Mar 2016 13:58:19 +0200 Subject: [PATCH 2/7] Make it possible to suppress vulnerabilities from OSVDB --- .../src/main/resources/schema/suppression.xsd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/resources/schema/suppression.xsd b/dependency-check-core/src/main/resources/schema/suppression.xsd index da927ed99..bb1959e1e 100644 --- a/dependency-check-core/src/main/resources/schema/suppression.xsd +++ b/dependency-check-core/src/main/resources/schema/suppression.xsd @@ -21,7 +21,7 @@ - + 
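Review bot: The new `} else if (!IGNORED_FILES.accept(f)) {` drops both the product and the vendor file-name evidence for `__init__.py[co]`, and the commit message says PythonPackageAnalyzer does not yet add anything for the `.pyc`/`.pyo` variants, so such a dependency can end up with no evidence at all and silently never match a CPE — a false negative replacing the false positive from #466. Keeping a trace at reduced confidence for the ignored names, e.g. a further branch `} else { dependency.getProductEvidence().addEvidence("file", "name", fileName, Confidence.LOW); }` (and the same for vendor evidence), would leave a trail in the report until the analyzer TODO is done. The `if` branch above, which records `HIGHEST` evidence, is not filtered; if its condition can match these names the filter should be applied there too. The enclosing method and the declaration of `f` start outside the hunk.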
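Review bot: Raising the `PackageName` evidence to `Confidence.HIGH` makes the parent directory name a strong driver of CPE matching, yet `parentName` is simply whichever directory holds the `__init__.py`; for a nested package or a generic directory such as `src`, `lib` or `tests` that name is not a product, and the commit message itself notes the walk up to the real package root is still missing. Until that walk exists, HIGH seems justified only when the parent is the top-level package (its own parent holds no `__init__.py`), with MEDIUM kept for the nested case; at minimum a comment on the changed line, `// HIGH is only meaningful for the top-level package directory, see #466`, would record the limitation. What `found` tests is not visible in this hunk, so whether it already restricts this path is unclear. The enclosing method continues past the hunk.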
@@ -56,4 +56,4 @@ - \ No newline at end of file + From 4cdfcb9f9d16dab99f773360b80dc725369431ca Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Sun, 20 Mar 2016 20:47:07 -0400 Subject: [PATCH 3/7] SLF4J 1.7.19 released. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a4e973e5c..9466e8b43 100644 --- a/pom.xml +++ b/pom.xml @@ -125,7 +125,7 @@ Copyright (c) 2012 - Jeremy Long 4.7.2 - 1.7.18 + 1.7.19 1.1.6 2.17 2.7 From 84d1f08fda3451877a7b100312e92c791ff2bb06 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 21 Mar 2016 07:58:02 -0400 Subject: [PATCH 4/7] updated documentation for NVD urls to match what is hosted by NIST --- dependency-check-maven/src/site/markdown/index.md.vm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-maven/src/site/markdown/index.md.vm b/dependency-check-maven/src/site/markdown/index.md.vm index a30da2b41..49312f4ba 100644 --- a/dependency-check-maven/src/site/markdown/index.md.vm +++ b/dependency-check-maven/src/site/markdown/index.md.vm @@ -156,8 +156,8 @@ Create the DependencyCheck-report.html and use internal mirroring of CVE content dependency-check-maven ${project.version} - http://internal-mirror.mycorp.com/downloads/nist/nvdcve-modified.xml - http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-modified.xml + http://internal-mirror.mycorp.com/downloads/nist/nvdcve-Modified.xml.gz + http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-Modified.xml.gz http://internal-mirror.mycorp.com/downloads/nist/nvdcve-%d.xml http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-%d.xml From 12278cda58ac5c4743f72326fb8df80537e5aec9 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 21 Mar 2016 08:12:39 -0400 Subject: [PATCH 5/7] Update README.md Fixed broken link to documentation. --- dependency-check-cli/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/dependency-check-cli/README.md b/dependency-check-cli/README.md index 2c37d91dc..0392c435a 100644 --- a/dependency-check-cli/README.md +++ b/dependency-check-cli/README.md @@ -5,7 +5,7 @@ performed are a "best effort" and as such, there could be false positives as wel vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). -Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html). +Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html). Mailing List ------------ From 5633258fa7f78643c8043ab7284609d5f795e915 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 21 Mar 2016 08:16:06 -0400 Subject: [PATCH 6/7] Update README.md --- dependency-check-ant/README.md | 139 ++++----------------------------- 1 file changed, 15 insertions(+), 124 deletions(-) diff --git a/dependency-check-ant/README.md b/dependency-check-ant/README.md index d12265b6c..bb667416d 100644 --- a/dependency-check-ant/README.md +++ b/dependency-check-ant/README.md 
@@ -1,134 +1,25 @@ -Dependency-Check-Gradle +Dependency-Check Ant Task ========= -**Working in progress** +Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks +performed are a "best effort" and as such, there could be false positives as well as false negatives. However, +vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP +Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). -This is a DependencyCheck gradle plugin designed for project which use Gradle as build script. +Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html). -Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. +Mailing List +------------ -========= +Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com) -## What's New -Current latest version is `0.0.8` +Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com) -## Usage +Copyright & License +------------------- -### Step 1, Apply dependency check gradle plugin +Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved. -Install from Maven central repo +Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license. 
-```groovy -buildscript { - repositories { - mavenCentral() - } - dependencies { - classpath 'org.owasp:dependency-check-gradle:1.3.2' - } -} - -apply plugin: 'dependency-check-gradle' -``` - -### Step 2, Run gradle task - -Once gradle plugin applied, run following gradle task to check dependencies: - -``` -gradle dependencyCheck --info -``` - -The reports will be generated automatically under `./reports` folder. - -If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory. - -## FAQ - -> **Questions List:** -> - What if I'm behind a proxy? -> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project? -> - How to customize the report directory? - -### What if I'm behind a proxy? - -Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin: - -```groovy -dependencyCheck { - proxy { - server = "127.0.0.1" // required, the server name or IP address of the proxy - port = 3128 // required, the port number of the proxy - - // optional, the proxy server might require username - // username = "username" - - // optional, the proxy server might require password - // password = "password" - } -} -``` - -In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail, - the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action, - and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration: - -```groovy -dependencyCheck { - quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. 
(default value is true) -} -``` - -### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project? - -Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below: - -(1) For all projects including root project: - -```groovy -buildscript { - repositories { - mavenCentral() - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8" - } -} - -allprojects { - apply plugin: "dependency-check" -} -``` - -(2) For all sub-projects: - -```groovy -buildscript { - repositories { - mavenCentral() - } - dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8" - } -} - -subprojects { - apply plugin: "dependency-check" -} -``` - -In this way, the dependency check will be executed for all projects (including root project) or just sub projects. - -### How to customize the report directory? - -By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this: - -```groovy -subprojects { - apply plugin: "dependency-check" - - dependencyCheck { - outputDirectory = "./customized-path/security-report" - } -} -``` \ No newline at end of file +Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information. From ca54daf45648e40c878ab2ef180674d4479e9cce Mon Sep 17 00:00:00 2001 From: "Swapnil S. Mahajan" Date: Fri, 25 Mar 2016 16:55:53 +0530 Subject: [PATCH 7/7] Added primary key to "software" table "software" is a bridge table so there should always be only one record for a pair of cpeEntryId and cveid. --- .../src/main/resources/data/initialize_mysql.sql | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/dependency-check-core/src/main/resources/data/initialize_mysql.sql b/dependency-check-core/src/main/resources/data/initialize_mysql.sql index 49dc8cf27..25bc5bd66 100644 --- a/dependency-check-core/src/main/resources/data/initialize_mysql.sql +++ b/dependency-check-core/src/main/resources/data/initialize_mysql.sql @@ -25,7 +25,8 @@ CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, cpe VARCHAR(250), vend CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50) , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE - , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id)); + , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id) + , PRIMARY KEY (cveid, cpeEntryId)); CREATE INDEX idxVulnerability ON vulnerability(cve); CREATE INDEX idxReference ON reference(cveid); @@ -53,4 +54,4 @@ DELIMITER ; GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser'; -UPDATE Properties SET value='3.0' WHERE ID='version'; \ No newline at end of file +UPDATE Properties SET value='3.0' WHERE ID='version';
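Review bot: Adding `PRIMARY KEY (cveid, cpeEntryId)` changes the schema, but the marker at the bottom of the file stays `UPDATE Properties SET value='3.0' WHERE ID='version';` and this is the initialize script, so an already-provisioned MySQL database keeps its constraint-less `software` table and any duplicate rows it has accumulated; if that version property is what the updater uses to decide on a rebuild it should be bumped, otherwise a migration such as `ALTER TABLE software ADD PRIMARY KEY (cveid, cpeEntryId);` (after deduplicating) is needed. With the key in place, an NVD entry that lists the same CPE twice for one CVE — conceivably once with and once without a `previousVersion` — now makes the insert fail with a duplicate-key error, so the code that populates `software` (not in this diff) should use `INSERT IGNORE` / `ON DUPLICATE KEY UPDATE` or dedupe before writing; worth verifying against the update path. Assuming there is a sibling H2 initialize script, it should receive the same key so both backends behave alike.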