Merge branch 'upmaster' into ruby-bundler. Fixed omission of --disableBundleAudit option.

Conflicts:
	dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
Dale Visser
2015-09-09 18:09:41 -04:00
40 changed files with 361 additions and 887 deletions


@@ -1,3 +1,4 @@
[![Build Status](https://dependency-check.ci.cloudbees.com/buildStatus/icon?job=dependency-check)](https://dependency-check.ci.cloudbees.com/job/dependency-check/)
Dependency-Check
================


@@ -190,18 +190,10 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>2.3</version>
<version>2.4.1</version>
<configuration>
<transformers>
<transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
@@ -273,96 +265,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
@@ -395,11 +297,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins>
</reporting>
<dependencies>


@@ -124,10 +124,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
</systemProperties>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>appassembler-maven-plugin</artifactId>
@@ -178,96 +174,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright<EFBFBD> 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
@@ -300,11 +206,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins>
</reporting>
<dependencies>


@@ -423,7 +423,7 @@ public class App {
}
/**
* Takes a path and resolves it to be a canonical & absolute path. The caveats are that this method will take an Ant style
* Takes a path and resolves it to be a canonical &amp; absolute path. The caveats are that this method will take an Ant style
* file selector path (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at least to the left of the first *
* or ?).
*


@@ -23,13 +23,12 @@ import java.util.logging.Level;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.OptionGroup;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.apache.commons.cli.PosixParser;
import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
@@ -79,7 +78,7 @@ public final class CliParser {
* @throws ParseException if the arguments are invalid
*/
private CommandLine parseArgs(String[] args) throws ParseException {
final CommandLineParser parser = new PosixParser();
final CommandLineParser parser = new DefaultParser();
final Options options = createCommandLineOptions();
return parser.parse(options, args);
}
@@ -209,8 +208,8 @@ public final class CliParser {
final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
"Print this message.");
final Option advancedHelp = OptionBuilder.withLongOpt(ARGUMENT.ADVANCED_HELP)
.withDescription("Print the advanced help message.").create();
final Option advancedHelp = Option.builder().longOpt(ARGUMENT.ADVANCED_HELP)
.desc("Print the advanced help message.").build();
final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION,
false, "Print the version information.");
@@ -218,44 +217,44 @@ public final class CliParser {
final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
false, "Disables the automatic updating of the CPE data.");
final Option projectName = OptionBuilder.hasArg().withArgName("name").withLongOpt(ARGUMENT.PROJECT)
.withDescription("The name of the project being scanned. This is a required argument.")
.create();
final Option projectName = Option.builder().hasArg().argName("name").longOpt(ARGUMENT.PROJECT)
.desc("The name of the project being scanned. This is a required argument.")
.build();
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
.withDescription("The path to scan - this option can be specified multiple times. Ant style"
final Option path = Option.builder(ARGUMENT.SCAN_SHORT).argName("path").hasArg().longOpt(ARGUMENT.SCAN)
.desc("The path to scan - this option can be specified multiple times. Ant style"
+ " paths are supported (e.g. path/**/*.jar).")
.create(ARGUMENT.SCAN_SHORT);
.build();
final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE)
.withDescription("Specify and exclusion pattern. This option can be specified multiple times"
final Option excludes = Option.builder().argName("pattern").hasArg().longOpt(ARGUMENT.EXCLUDE)
.desc("Specify and exclusion pattern. This option can be specified multiple times"
+ " and it accepts Ant style excludsions.")
.create("p");
.build();
final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
.withDescription("A property file to load.")
.create(ARGUMENT.PROP_SHORT);
final Option props = Option.builder(ARGUMENT.PROP_SHORT).argName("file").hasArg().longOpt(ARGUMENT.PROP)
.desc("A property file to load.")
.build();
final Option out = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.OUT)
.withDescription("The folder to write reports to. This defaults to the current directory. "
final Option out = Option.builder(ARGUMENT.OUT_SHORT).argName("path").hasArg().longOpt(ARGUMENT.OUT)
.desc("The folder to write reports to. This defaults to the current directory. "
+ "It is possible to set this to a specific file name if the format argument is not set to ALL.")
.create(ARGUMENT.OUT_SHORT);
.build();
final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ARGUMENT.OUTPUT_FORMAT)
.withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
.create(ARGUMENT.OUTPUT_FORMAT_SHORT);
final Option outputFormat = Option.builder(ARGUMENT.OUTPUT_FORMAT_SHORT).argName("format").hasArg().longOpt(ARGUMENT.OUTPUT_FORMAT)
.desc("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
.build();
final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.VERBOSE_LOG)
.withDescription("The file path to write verbose logging information.")
.create(ARGUMENT.VERBOSE_LOG_SHORT);
final Option verboseLog = Option.builder(ARGUMENT.VERBOSE_LOG_SHORT).argName("file").hasArg().longOpt(ARGUMENT.VERBOSE_LOG)
.desc("The file path to write verbose logging information.")
.build();
final Option symLinkDepth = OptionBuilder.withArgName("depth").hasArg().withLongOpt(ARGUMENT.SYM_LINK_DEPTH)
.withDescription("Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.")
.create();
final Option symLinkDepth = Option.builder().argName("depth").hasArg().longOpt(ARGUMENT.SYM_LINK_DEPTH)
.desc("Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.")
.build();
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.SUPPRESSION_FILE)
.withDescription("The file path to the suppression XML file.")
.create();
final Option suppressionFile = Option.builder().argName("file").hasArg().longOpt(ARGUMENT.SUPPRESSION_FILE)
.desc("The file path to the suppression XML file.")
.build();
//This is an option group because it can be specified more then once.
final OptionGroup og = new OptionGroup();
@@ -289,119 +288,119 @@ public final class CliParser {
@SuppressWarnings("static-access")
private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
final Option cve12Base = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_BASE_12)
.withDescription("Base URL for each years CVE 1.2, the %d will be replaced with the year. ")
.create();
final Option cve12Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_12)
.desc("Base URL for each years CVE 1.2, the %d will be replaced with the year. ")
.build();
final Option cve20Base = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_BASE_20)
.withDescription("Base URL for each years CVE 2.0, the %d will be replaced with the year.")
.create();
final Option cve20Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_20)
.desc("Base URL for each years CVE 2.0, the %d will be replaced with the year.")
.build();
final Option cve12Modified = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_MOD_12)
.withDescription("URL for the modified CVE 1.2.")
.create();
final Option cve12Modified = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_MOD_12)
.desc("URL for the modified CVE 1.2.")
.build();
final Option cve20Modified = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_MOD_20)
.withDescription("URL for the modified CVE 2.0.")
.create();
final Option cve20Modified = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_MOD_20)
.desc("URL for the modified CVE 2.0.")
.build();
final Option updateOnly = OptionBuilder.withLongOpt(ARGUMENT.UPDATE_ONLY)
.withDescription("Only update the local NVD data cache; no scan will be executed.").create();
final Option updateOnly = Option.builder().longOpt(ARGUMENT.UPDATE_ONLY)
.desc("Only update the local NVD data cache; no scan will be executed.").build();
final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY)
.withDescription("The location of the H2 Database file. This option should generally not be set.")
.create(ARGUMENT.DATA_DIRECTORY_SHORT);
final Option data = Option.builder(ARGUMENT.DATA_DIRECTORY_SHORT).argName("path").hasArg().longOpt(ARGUMENT.DATA_DIRECTORY)
.desc("The location of the H2 Database file. This option should generally not be set.")
.build();
final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL)
.withDescription("The url to the Nexus Server's REST API Endpoint (http://domain/nexus/service/local). "
+ "If not set the Nexus Analyzer will be disabled.").create();
final Option nexusUrl = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.NEXUS_URL)
.desc("The url to the Nexus Server's REST API Endpoint (http://domain/nexus/service/local). "
+ "If not set the Nexus Analyzer will be disabled.").build();
final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY)
.withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
.create();
final Option nexusUsesProxy = Option.builder().argName("true/false").hasArg().longOpt(ARGUMENT.NEXUS_USES_PROXY)
.desc("Whether or not the configured proxy should be used when connecting to Nexus.")
.build();
final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
.withLongOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma separated list of additional extensions to be scanned as ZIP files "
+ "(ZIP, EAR, WAR are already treated as zip files)").create();
final Option additionalZipExtensions = Option.builder().argName("extensions").hasArg()
.longOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS)
.desc("A comma separated list of additional extensions to be scanned as ZIP files "
+ "(ZIP, EAR, WAR are already treated as zip files)").build();
final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.PATH_TO_MONO)
.withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
.create();
final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO)
.desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
.build();
final Option pathToBundleAudit = OptionBuilder.withArgName("path").hasArg()
.withLongOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
.withDescription("The path to bundle-audit for Gem bundle analysis.").create();
final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
.longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
.desc("The path to bundle-audit for Gem bundle analysis.").build();
final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT)
.withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
.create(ARGUMENT.CONNECTION_TIMEOUT_SHORT);
final Option connectionTimeout = Option.builder(ARGUMENT.CONNECTION_TIMEOUT_SHORT).argName("timeout").hasArg().longOpt(ARGUMENT.CONNECTION_TIMEOUT)
.desc("The connection timeout (in milliseconds) to use when downloading resources.")
.build();
final Option proxyServer = OptionBuilder.withArgName("server").hasArg().withLongOpt(ARGUMENT.PROXY_SERVER)
.withDescription("The proxy server to use when downloading resources.").create();
final Option proxyServer = Option.builder().argName("server").hasArg().longOpt(ARGUMENT.PROXY_SERVER)
.desc("The proxy server to use when downloading resources.").build();
final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ARGUMENT.PROXY_PORT)
.withDescription("The proxy port to use when downloading resources.").create();
final Option proxyPort = Option.builder().argName("port").hasArg().longOpt(ARGUMENT.PROXY_PORT)
.desc("The proxy port to use when downloading resources.").build();
final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.PROXY_USERNAME)
.withDescription("The proxy username to use when downloading resources.").create();
final Option proxyUsername = Option.builder().argName("user").hasArg().longOpt(ARGUMENT.PROXY_USERNAME)
.desc("The proxy username to use when downloading resources.").build();
final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ARGUMENT.PROXY_PASSWORD)
.withDescription("The proxy password to use when downloading resources.").create();
final Option proxyPassword = Option.builder().argName("pass").hasArg().longOpt(ARGUMENT.PROXY_PASSWORD)
.desc("The proxy password to use when downloading resources.").build();
final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ARGUMENT.CONNECTION_STRING)
.withDescription("The connection string to the database.").create();
final Option connectionString = Option.builder().argName("connStr").hasArg().longOpt(ARGUMENT.CONNECTION_STRING)
.desc("The connection string to the database.").build();
final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.DB_NAME)
.withDescription("The username used to connect to the database.").create();
final Option dbUser = Option.builder().argName("user").hasArg().longOpt(ARGUMENT.DB_NAME)
.desc("The username used to connect to the database.").build();
final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ARGUMENT.DB_PASSWORD)
.withDescription("The password for connecting to the database.").create();
final Option dbPassword = Option.builder().argName("password").hasArg().longOpt(ARGUMENT.DB_PASSWORD)
.desc("The password for connecting to the database.").build();
final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ARGUMENT.DB_DRIVER)
.withDescription("The database driver name.").create();
final Option dbDriver = Option.builder().argName("driver").hasArg().longOpt(ARGUMENT.DB_DRIVER)
.desc("The database driver name.").build();
final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DB_DRIVER_PATH)
.withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
.create();
final Option dbDriverPath = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.DB_DRIVER_PATH)
.desc("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
.build();
final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_JAR)
.withDescription("Disable the Jar Analyzer.").create();
final Option disableJarAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_JAR)
.desc("Disable the Jar Analyzer.").build();
final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ARCHIVE)
.withDescription("Disable the Archive Analyzer.").create();
final Option disableArchiveAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ARCHIVE)
.desc("Disable the Archive Analyzer.").build();
final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC)
.withDescription("Disable the Nuspec Analyzer.").create();
final Option disableNuspecAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUSPEC)
.desc("Disable the Nuspec Analyzer.").build();
final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY)
.withDescription("Disable the .NET Assembly Analyzer.").create();
final Option disableAssemblyAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ASSEMBLY)
.desc("Disable the .NET Assembly Analyzer.").build();
final Option disablePythonDistributionAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_DIST)
.withDescription("Disable the Python Distribution Analyzer.").create();
final Option disablePythonDistributionAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_DIST)
.desc("Disable the Python Distribution Analyzer.").build();
final Option disablePythonPackageAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_PKG)
.withDescription("Disable the Python Package Analyzer.").create();
final Option disablePythonPackageAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_PKG)
.desc("Disable the Python Package Analyzer.").build();
final Option disableAutoconfAnalyzer = OptionBuilder
.withLongOpt(ARGUMENT.DISABLE_AUTOCONF)
.withDescription("Disable the Autoconf Analyzer.").create();
final Option disableAutoconfAnalyzer = Option.builder()
.longOpt(ARGUMENT.DISABLE_AUTOCONF)
.desc("Disable the Autoconf Analyzer.").build();
final Option disableOpenSSLAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_OPENSSL)
.withDescription("Disable the OpenSSL Analyzer.").create();
final Option disableCmakeAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CMAKE).
withDescription("Disable the Cmake Analyzer.").create();
final Option disableOpenSSLAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_OPENSSL)
.desc("Disable the OpenSSL Analyzer.").build();
final Option disableCmakeAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CMAKE)
.desc("Disable the Cmake Analyzer.").build();
final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL)
.withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
+ "the Nexus Analyzer.").create();
final Option disableCentralAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CENTRAL)
.desc("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
+ "the Nexus Analyzer.").build();
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
.withDescription("Disable the Nexus Analyzer.").create();
final Option disableNexusAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NEXUS)
.desc("Disable the Nexus Analyzer.").build();
final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PURGE_NVD)
.withDescription("Purges the local NVD data cache")
.create();
final Option purge = Option.builder().longOpt(ARGUMENT.PURGE_NVD)
.desc("Purges the local NVD data cache")
.build();
options.addOption(updateOnly)
.addOption(cve12Base)
@@ -422,20 +421,21 @@ public final class CliParser {
.addOption(disableJarAnalyzer)
.addOption(disableArchiveAnalyzer)
.addOption(disableAssemblyAnalyzer)
.addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
.withDescription("Disable the Ruby Bundler Audit Analyzer.").create())
.addOption(pathToBundleAudit)
.addOption(disablePythonDistributionAnalyzer)
.addOption(disableCmakeAnalyzer)
.addOption(disablePythonPackageAnalyzer)
.addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_RUBYGEMS)
.withDescription("Disable the Ruby Gemspec Analyzer.").create())
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_RUBYGEMS)
.desc("Disable the Ruby Gemspec Analyzer.").build())
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
.desc("Disable the Ruby Bundler-Audit Analyzer.").build())
.addOption(disableAutoconfAnalyzer)
.addOption(disableOpenSSLAnalyzer)
.addOption(disableNuspecAnalyzer)
.addOption(disableCentralAnalyzer)
.addOption(disableNexusAnalyzer)
.addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NODE_JS)
.withDescription("Disable the Node.js Package Analyzer.").create())
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_JS)
.desc("Disable the Node.js Package Analyzer.").build())
.addOption(nexusUrl)
.addOption(nexusUsesProxy)
.addOption(additionalZipExtensions)
@@ -454,12 +454,12 @@ public final class CliParser {
@SuppressWarnings({"static-access", "deprecation"})
private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
.withDescription("The proxy url argument is deprecated, use proxyserver instead.")
.create();
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
.withDescription("The name of the project being scanned.")
.create(ARGUMENT.APP_NAME_SHORT);
final Option proxyServer = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.PROXY_URL)
.desc("The proxy url argument is deprecated, use proxyserver instead.")
.build();
final Option appName = Option.builder(ARGUMENT.APP_NAME_SHORT).argName("name").hasArg().longOpt(ARGUMENT.APP_NAME)
.desc("The name of the project being scanned.")
.build();
options.addOption(proxyServer);
options.addOption(appName);
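Review bot: The `@SuppressWarnings("static-access")` on addAdvancedOptions, and the `"static-access"` entry on addDeprecatedOptions, are left over from the OptionBuilder static chains this commit replaces with `Option.builder()` instances (the OptionBuilder import is dropped in the first hunk), so they no longer suppress anything and should be removed; `"deprecation"` on addDeprecatedOptions presumably still covers the deprecated ARGUMENT constants and can stay, and the same stale annotation likely sits on createCommandLineOptions, whose signature is outside the hunk. The rewritten help text for the exclude option also carries two typos onto the new side; it should read `.desc("Specify an exclusion pattern. This option can be specified multiple times"` and `+ " and it accepts Ant style exclusions.")`. addAdvancedOptions begins at the start of its hunk and its option-registration chain continues into the following hunk and beyond.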


@@ -110,13 +110,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<executions>
<execution>
<id>jar</id>
<phase>package</phase>
<goals>
<goal>jar</goal>
</goals>
</execution>
<execution>
<id>test-jar</id>
<phase>package</phase>
@@ -228,70 +221,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
<reportSet>
<id>integration-tests</id>
<reports>
@@ -301,30 +234,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
@@ -357,11 +266,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins>
</reporting>
<dependencies>
@@ -376,22 +280,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<artifactId>slf4j-api</artifactId>
</dependency>
<!-- Set this to test so that each project that uses this has to have its own implementation of SLF4J -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<scope>test</scope>
</dependency>
<!-- For the CAL10N support -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-ext</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
@@ -416,8 +309,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<artifactId>commons-io</artifactId>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
@@ -438,6 +331,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
@@ -446,7 +340,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<type>jar</type>
</dependency>
<dependency>
<groupId>com.sun.mail</groupId>
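Review bot: Swapping `commons-lang` for `commons-lang3` changes the Java package from org.apache.commons.lang to org.apache.commons.lang3, so every import in this module must be migrated in the same commit or compilation fails; that migration is not visible in this section and should be confirmed against the other changed files. Dropping the test-scoped logback-core and logback-classic dependencies also leaves SLF4J without a binding on the test classpath unless the parent POM now supplies one, in which case test logging is silently discarded behind SLF4J's "no binding" warning. The new `<scope>runtime</scope>` on h2 is only safe if no production source imports org.h2 classes directly, which cannot be verified from this section.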


@@ -352,6 +352,7 @@ public class Engine implements FileFilter {
LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------");
LOGGER.info("Analysis Starting");
final long analysisStart = System.currentTimeMillis();
// analysis phases
for (AnalysisPhase phase : AnalysisPhase.values()) {
@@ -365,8 +366,7 @@ public class Engine implements FileFilter {
* This is okay for adds/deletes because it happens per analyzer.
*/
LOGGER.debug("Begin Analyzer '{}'", a.getName());
final Set<Dependency> dependencySet = new HashSet<Dependency>();
dependencySet.addAll(dependencies);
final Set<Dependency> dependencySet = new HashSet<Dependency>(dependencies);
for (Dependency d : dependencySet) {
boolean shouldAnalyze = true;
if (a instanceof FileTypeAnalyzer) {
@@ -398,7 +398,7 @@ public class Engine implements FileFilter {
}
LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------");
LOGGER.info("Analysis Complete");
LOGGER.info("Analysis Complete ({} ms)", System.currentTimeMillis() - analysisStart);
}
/**
@@ -442,6 +442,7 @@ public class Engine implements FileFilter {
*/
public void doUpdates() {
LOGGER.info("Checking for updates");
final long updateStart = System.currentTimeMillis();
final UpdateService service = new UpdateService(serviceClassLoader);
final Iterator<CachedWebDataSource> iterator = service.getDataSources();
while (iterator.hasNext()) {
@@ -454,7 +455,7 @@ public class Engine implements FileFilter {
LOGGER.debug("Unable to update details for {}", source.getClass().getName(), ex);
}
}
LOGGER.info("Check for updates complete");
LOGGER.info("Check for updates complete ({} ms)", System.currentTimeMillis() - updateStart);
}
/**
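Review bot: The elapsed-time measurements introduced with `analysisStart` and `updateStart` use System.currentTimeMillis(), which tracks wall-clock time and can step backwards or forwards if the system clock is adjusted during a long analysis or update, so the logged durations can come out negative or inflated. For durations the monotonic clock is the idiomatic choice: `final long analysisStart = System.nanoTime();` paired with `LOGGER.info("Analysis Complete ({} ms)", (System.nanoTime() - analysisStart) / 1000000L);`, and likewise for the update timer. The same applies to the timers added in CPEAnalyzer.open(), DownloadTask and ProcessTask in this commit, whereas the Date-to-currentTimeMillis replacements in CpeUpdater, EngineVersionCheck and NvdCveUpdater compare against a persisted wall-clock timestamp and are correct as written. The method that owns analysisStart begins and ends outside the hunks shown here.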


@@ -89,16 +89,16 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
/**
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
* to be explicitly handled in {@link #extractFiles(File, File, Engine)}.
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need to be
* explicitly handled in {@link #extractFiles(File, File, Engine)}.
*/
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
/**
* Detects files with extensions to remove from the engine's collection of dependencies.
*/
private static final FileFilter REMOVE_FROM_ANALYSIS =
FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
private static final FileFilter REMOVE_FROM_ANALYSIS
= FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
static {
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
@@ -184,7 +184,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
if (tempFileLocation != null && tempFileLocation.exists()) {
LOGGER.debug("Attempting to delete temporary files");
final boolean success = FileUtils.delete(tempFileLocation);
if (!success && tempFileLocation != null && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
LOGGER.warn("Failed to delete some temporary files, see the log for more details");
}
}
@@ -195,7 +195,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* and added to the list of dependencies within the engine.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
* @param engine the engine scanning
* @throws AnalysisException thrown if there is an analysis exception
*/
@Override
@@ -239,7 +239,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
final File tdir = getNextTempDirectory();
final String fileName = dependency.getFileName();
LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName));
LOGGER.info("The zip file '{}' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName);
final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
try {
@@ -271,15 +271,14 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* @return any dependencies that weren't known to the engine before
*/
private static Set<Dependency> findMoreDependencies(Engine engine, File file) {
List<Dependency> before = new ArrayList<Dependency>(engine.getDependencies());
final List<Dependency> before = new ArrayList<Dependency>(engine.getDependencies());
engine.scan(file);
List<Dependency> after = engine.getDependencies();
final List<Dependency> after = engine.getDependencies();
final boolean sizeChanged = before.size() != after.size();
final Set<Dependency> newDependencies;
if (sizeChanged) {
//get the new dependencies
newDependencies = new HashSet<Dependency>();
newDependencies.addAll(after);
newDependencies = new HashSet<Dependency>(after);
newDependencies.removeAll(before);
} else {
newDependencies = EMPTY_DEPENDENCY_SET;
@@ -287,7 +286,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
return newDependencies;
}
/**
* Retrieves the next temporary directory to extract an archive too.
*
@@ -311,9 +309,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Extracts the contents of an archive into the specified directory.
*
* @param archive an archive file such as a WAR or EAR
* @param archive an archive file such as a WAR or EAR
* @param destination a directory to extract the contents to
* @param engine the scanning engine
* @param engine the scanning engine
* @throws AnalysisException thrown if the archive is not found
*/
private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
@@ -359,9 +357,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Extracts files from an archive.
*
* @param input the archive to extract files from
* @param input the archive to extract files from
* @param destination the location to write the files too
* @param engine the dependency-check engine
* @param engine the dependency-check engine
* @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
*/
private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
@@ -423,7 +421,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* Decompresses a file.
*
* @param inputStream the compressed file
* @param outputFile the location to write the decompressed file
* @param outputFile the location to write the decompressed file
* @throws ArchiveExtractionException thrown if there is an exception decompressing the file
*/
private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
@@ -452,7 +450,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*
* @param closeable to be closed
*/
private static void close(Closeable closeable){
private static void close(Closeable closeable) {
if (null != closeable) {
try {
closeable.close();
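Review bot: The simplified condition `if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0)` still dereferences the result of File.list() directly, and File.list() returns null when the path is not a directory or the listing fails with an I/O error, a plausible state right after a partially failed delete, which would turn the intended warning into a NullPointerException during cleanup. Capture the listing first: `final String[] remaining = tempFileLocation.list();` followed by `if (!success && remaining != null && remaining.length > 0) {`. Dropping the second `tempFileLocation != null` test was correct, since the enclosing if already guarantees it. The method containing this cleanup starts and ends outside the hunk.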


@@ -17,8 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import ch.qos.cal10n.IMessageConveyor;
import ch.qos.cal10n.MessageConveyor;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileFilter;
@@ -45,7 +43,6 @@ import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
/**
* Analyzer for getting company, product, and version information from a .NET assembly.
@@ -75,10 +72,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
* The DocumentBuilder for parsing the XML
*/
private DocumentBuilder builder;
/**
* Message Conveyer
*/
private static final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
/**
* Logger
*/


@@ -18,7 +18,7 @@
package org.owasp.dependencycheck.analyzer;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
@@ -167,7 +167,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getProductEvidence().addEvidence(name, "Project",
group, Confidence.HIGH);
}
LOGGER.debug(String.format("Found %d matches.", count));
LOGGER.debug("Found {} matches.", count);
analyzeSetVersionCommand(dependency, engine, contents);
}
}
@@ -178,9 +178,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
int count = 0;
while (m.find()) {
count++;
LOGGER.debug(String.format(
"Found project command match with %d groups: %s",
m.groupCount(), m.group(0)));
LOGGER.debug("Found project command match with {} groups: {}",
m.groupCount(), m.group(0));
String product = m.group(1);
final String version = m.group(2);
LOGGER.debug("Group 1: " + product);
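Review bot: `LOGGER.debug("Group 1: " + product);` still builds its message by string concatenation while the two calls converted in this hunk now use SLF4J placeholders, so the concatenation is paid even when debug logging is disabled and the style is mixed within a few lines. For consistency with the new form use `LOGGER.debug("Group 1: {}", product);`. The method containing the matcher loop starts and ends outside the hunk.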


@@ -134,13 +134,14 @@ public class CPEAnalyzer implements Analyzer {
* process.
*/
public void open() throws IOException, DatabaseException {
LOGGER.debug("Opening the CVE Database");
cve = new CveDB();
cve.open();
LOGGER.debug("Creating the Lucene CPE Index");
cpe = CpeMemoryIndex.getInstance();
try {
LOGGER.info("Creating the CPE Index");
final long creationStart = System.currentTimeMillis();
cpe.open(cve);
LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
} catch (IndexException ex) {
LOGGER.debug("IndexException", ex);
throw new DatabaseException(ex);
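Review bot: open() now logs index creation twice in a row, `LOGGER.debug("Creating the Lucene CPE Index");` immediately followed by `LOGGER.info("Creating the CPE Index");`, so at debug level one event produces two near-identical lines. Keep a single message, or reword the debug line to describe the getInstance() step it actually precedes. The method continues past the end of the hunk.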


@@ -154,8 +154,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/
@SuppressWarnings("null")
private void removeSpuriousCPE(Dependency dependency) {
final List<Identifier> ids = new ArrayList<Identifier>();
ids.addAll(dependency.getIdentifiers());
final List<Identifier> ids = new ArrayList<Identifier>(dependency.getIdentifiers());
Collections.sort(ids);
final ListIterator<Identifier> mainItr = ids.listIterator();
while (mainItr.hasNext()) {


@@ -247,7 +247,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
}
} catch (IllegalArgumentException iae) {
//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
LOGGER.info("invalid sha-1 hash on {}", dependency.getFileName());
} catch (FileNotFoundException fnfe) {
//dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
LOGGER.debug("Artifact not found in repository '{}'", dependency.getFileName());


@@ -28,14 +28,20 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.json.*;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.util.Map;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.JsonString;
import javax.json.JsonValue;
/**
* Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine
* the associated CPE.
* Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
* associated CPE.
*
* @author Dale Visser <dvisser@ida.org>
*/
@@ -60,8 +66,8 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Filter that detects files named "package.json".
*/
private static final FileFilter PACKAGE_JSON_FILTER =
FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build();
private static final FileFilter PACKAGE_JSON_FILTER
= FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build();
/**
* Returns the FileFilter
@@ -120,17 +126,17 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
"Problem occurred while reading dependency file.", e);
}
try {
JsonObject json = jsonReader.readObject();
final JsonObject json = jsonReader.readObject();
final EvidenceCollection productEvidence = dependency.getProductEvidence();
final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
if (json.containsKey("name")) {
Object value = json.get("name");
final Object value = json.get("name");
if (value instanceof JsonString) {
String valueString = ((JsonString) value).getString();
final String valueString = ((JsonString) value).getString();
productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW);
} else {
LOGGER.warn("JSON value not string as expected: %s", value);
LOGGER.warn("JSON value not string as expected: {}", value);
}
}
addToEvidence(json, productEvidence, "description");
@@ -146,24 +152,25 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) {
if (json.containsKey(key)) {
Object value = json.get(key);
final JsonValue value = json.get(key);
if (value instanceof JsonString) {
collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
} else if (value instanceof JsonObject) {
final JsonObject jsonObject = (JsonObject) value;
for (String property : jsonObject.keySet()) {
final Object subValue = jsonObject.get(property);
for (final Map.Entry<String, JsonValue> entry : jsonObject.entrySet()) {
final String property = entry.getKey();
final JsonValue subValue = entry.getValue();
if (subValue instanceof JsonString) {
collection.addEvidence(PACKAGE_JSON,
String.format("%s.%s", key, property),
((JsonString) subValue).getString(),
Confidence.HIGHEST);
} else {
LOGGER.warn("JSON sub-value not string as expected: %s");
LOGGER.warn("JSON sub-value not string as expected: {}", subValue);
}
}
} else {
LOGGER.warn("JSON value not string or JSON object as expected: %s", value);
LOGGER.warn("JSON value not string or JSON object as expected: {}", value);
}
}
}
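Review bot: The name lookup `final Object value = json.get("name");` keeps the raw Object type while addToEvidence in the same file was tightened to `final JsonValue value = json.get(key);`; JsonObject.get returns JsonValue, so the first site can declare the same type and the two instanceof checks then read identically. The vendor evidence built with `String.format("%s_project", valueString)` could also become plain concatenation, `valueString + "_project"`, matching the move away from String.format made elsewhere in this commit. The method containing the name lookup starts before the hunk.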


@@ -26,7 +26,7 @@ import java.io.FilenameFilter;
import org.apache.commons.io.filefilter.NameFileFilter;
import org.apache.commons.io.filefilter.SuffixFileFilter;
import org.apache.commons.io.input.AutoCloseInputStream;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;


@@ -93,17 +93,12 @@ public final class LuceneUtils {
* @return the escaped text.
*/
public static String escapeLuceneQuery(final CharSequence text) {
if (text == null) {
return null;
}
int size = text.length();
size = size >> 1;
final int size = text.length() << 1;
final StringBuilder buf = new StringBuilder(size);
appendEscapedLuceneQuery(buf, text);
return buf.toString();
}
}
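Review bot: The null guard `if (text == null) { return null; }` appears to be removed along with the old size computation (the hunk header shrinks from 17 to 12 lines and the guard sits beside the rewritten lines); if that reading is right, escapeLuceneQuery(null) now throws NullPointerException from `text.length()` instead of returning null, and any caller that escapes an optional value before building a query will fail. Either keep the guard or state the new precondition in the Javadoc, e.g. `@param text the text to escape; must not be null`. Doubling the length as the StringBuilder capacity is presumably the worst case of one escape character per input character, and is in any case a better hint than the halving the old code did.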


@@ -490,7 +490,7 @@ public class CveDB {
deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE"));
deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE"));
updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY"));
String ids[] = {"id"};
final String ids[] = {"id"};
insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"),
//Statement.RETURN_GENERATED_KEYS);
ids);
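Review bot: `final String ids[] = {"id"};` keeps the C-style array declarator; Java convention puts the brackets on the type, `final String[] ids = {"id"};`, and Checkstyle's ArrayTypeStyle check, if enabled in the project's checkstyle configuration referenced in the pom changes of this commit, would flag the former. The surrounding prepared-statement setup starts and ends outside the hunk.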


@@ -24,7 +24,6 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Date;
import java.util.List;
import java.util.zip.GZIPInputStream;
import javax.xml.parsers.ParserConfigurationException;
@@ -69,8 +68,8 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
for (Cpe cpe : cpes) {
getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
}
final Date now = new Date();
getProperties().save(LAST_CPE_UPDATE, Long.toString(now.getTime()));
final long now = System.currentTimeMillis();
getProperties().save(LAST_CPE_UPDATE, Long.toString(now));
LOGGER.info("CPE update complete");
}
} finally {
@@ -134,14 +133,14 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
* @return true if the CPE data should be refreshed
*/
private boolean updateNeeded() {
final Date now = new Date();
final long now = System.currentTimeMillis();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30);
long timestamp = 0;
final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
if (ts != null && ts.matches("^[0-9]+$")) {
timestamp = Long.parseLong(ts);
}
return !DateUtil.withinDateRange(timestamp, now.getTime(), days);
return !DateUtil.withinDateRange(timestamp, now, days);
}
/**


@@ -21,7 +21,6 @@ import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Date;
import org.apache.commons.io.IOUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -88,7 +87,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
LOGGER.debug("Begin Engine Version Check");
final DatabaseProperties properties = cveDB.getDatabaseProperties();
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
final long now = (new Date()).getTime();
final long now = System.currentTimeMillis();
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
LOGGER.debug("Last checked: {}", lastChecked);


@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.data.update;
import java.net.MalformedURLException;
import java.util.Calendar;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ExecutionException;
@@ -214,11 +213,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
if (!getProperties().isEmpty()) {
try {
final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0"));
final Date now = new Date();
final long now = System.currentTimeMillis();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
updates.clear(); //we don't need to update anything.
} else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) {
} else if (DateUtil.withinDateRange(lastUpdated, now, days)) {
for (NvdCveInfo entry : updates) {
if (MODIFIED.equals(entry.getId())) {
entry.setNeedsUpdate(true);


@@ -179,7 +179,7 @@ public class CPEHandler extends DefaultHandler {
/**
* A simple class to maintain information about the current element while parsing the CPE XML.
*/
protected class Element {
protected static final class Element {
/**
* A node type in the CPE Schema 2.2
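Review bot: Making Element `static final` is appropriate for a holder class that does not use the enclosing handler's state, but `protected` now exposes a class that nothing can extend and that subclasses would only need if they instantiate it; unless a subclass of CPEHandler does so, `private static final class Element {` states the intent more precisely. The class body continues past the end of the hunk.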


@@ -185,6 +185,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
final URL url1 = new URL(nvdCveInfo.getUrl());
final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl());
LOGGER.info("Download Started for NVD CVE - {}", nvdCveInfo.getId());
final long startDownload = System.currentTimeMillis();
try {
Downloader.fetchFile(url1, first);
Downloader.fetchFile(url2, second);
@@ -204,7 +205,8 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
extractGzip(second);
}
LOGGER.info("Download Complete for NVD CVE - {}", nvdCveInfo.getId());
LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(),
System.currentTimeMillis() - startDownload);
if (this.processorService == null) {
return null;
}


@@ -157,6 +157,7 @@ public class ProcessTask implements Callable<ProcessTask> {
*/
private void processFiles() throws UpdateException {
LOGGER.info("Processing Started for NVD CVE - {}", filePair.getNvdCveInfo().getId());
final long startProcessing = System.currentTimeMillis();
try {
importXML(filePair.getFirst(), filePair.getSecond());
cveDB.commit();
@@ -178,6 +179,7 @@ public class ProcessTask implements Callable<ProcessTask> {
} finally {
filePair.cleanup();
}
LOGGER.info("Processing Complete for NVD CVE - {}", filePair.getNvdCveInfo().getId());
LOGGER.info("Processing Complete for NVD CVE - {} ({} ms)", filePair.getNvdCveInfo().getId(),
System.currentTimeMillis() - startProcessing);
}
}


@@ -28,7 +28,7 @@ import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import org.apache.commons.lang.ObjectUtils;
import org.apache.commons.lang3.ObjectUtils;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.Checksum;
import org.slf4j.Logger;


@@ -17,8 +17,8 @@
*/
package org.owasp.dependencycheck.dependency;
import org.apache.commons.lang.ObjectUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import java.io.Serializable;


@@ -24,7 +24,7 @@ import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringUtils;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
import org.owasp.dependencycheck.utils.Filter;


@@ -19,7 +19,7 @@ package org.owasp.dependencycheck.reporting;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -65,7 +65,7 @@ public class EscapeTool {
if (text == null || text.isEmpty()) {
return text;
}
return StringEscapeUtils.escapeHtml(text);
return StringEscapeUtils.escapeHtml4(text);
}
/**
@@ -78,6 +78,6 @@ public class EscapeTool {
if (text == null || text.isEmpty()) {
return text;
}
return StringEscapeUtils.escapeXml(text);
return StringEscapeUtils.escapeXml11(text);
}
}
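Review bot: `return StringEscapeUtils.escapeXml11(text);` encodes control characters as numeric references that only XML 1.1 accepts, so if the generated XML report carries an XML 1.0 declaration, a vulnerability description or file name containing such a byte yields a report that XML 1.0 parsers reject; `escapeXml10`, which drops characters illegal in XML 1.0, is the matching replacement unless the report is declared as 1.1. Separately, `escapeHtml4` does not encode the single quote, so a value that the HTML template places inside a single-quoted attribute is not neutralised; keep attribute values double-quoted in the templates or escape `'` in addition. Both method signatures lie outside the hunks.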


@@ -22,7 +22,7 @@ import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringUtils;
/**
* <p>


@@ -38,6 +38,9 @@ apply plugin: 'maven'
apply plugin: 'signing'
apply plugin: "com.gradle.plugin-publish"
sourceCompatibility = 1.6
targetCompatibility = 1.6
repositories {
mavenCentral()
}


@@ -34,12 +34,6 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
<description>dependency-check-gradle is a Gradle Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
<inceptionYear>2015</inceptionYear>
<licenses>
<license>
<name>The Apache Software License, Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
</license>
</licenses>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement>
<site>
@@ -48,6 +42,12 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
<url>${basedir}/../target/site/${project.version}/dependency-check-gradle</url>
</site>
</distributionManagement>
<properties>
<!-- Skip the surefire report since there are no tests... -->
<skipSurefireReport>true</skipSurefireReport>
<!-- Skip the versions report since there are no dependencies... -->
<versions.skip>true</versions.skip>
</properties>
<!-- end copy -->
<build>
<plugins>
@@ -58,7 +58,7 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.4</version>
<version>1.6</version>
</dependency>
</dependencies>
<configuration>
@@ -67,22 +67,4 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins>
</reporting>
</project>
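Review bot: The new `<properties>` block is inserted between `</distributionManagement>` and the `<!-- end copy -->` marker, so the begin/end copy comments no longer bracket only the copied distributionManagement section; the jenkins pom in this same commit places its identical properties block after the marker, and this file should do the same. Removing the `<licenses>` element and the whole `<reporting>` section presumably relies on inheritance from the parent pom — confirm the parent declares them, otherwise the generated site loses the license information for this module.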


@@ -19,6 +19,13 @@
</distributionManagement>
<!-- end copy -->
<properties>
<!-- Skip the surefire report since there are no tests... -->
<skipSurefireReport>true</skipSurefireReport>
<!-- Skip the versions report since there are no dependencies... -->
<versions.skip>true</versions.skip>
</properties>
<packaging>pom</packaging>
<inceptionYear>2012</inceptionYear>
<organization>
@@ -47,12 +54,6 @@
<system>github</system>
<url>https://github.com/jenkinsci/dependency-check-jenkins/issues</url>
</issueManagement>
<licenses>
<license>
<name>The Apache Software License, Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
</license>
</licenses>
<build>
<plugins>
<plugin>
@@ -62,7 +63,7 @@
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.4</version>
<version>1.6</version>
</dependency>
</dependencies>
<configuration>
@@ -71,22 +72,4 @@
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins>
</reporting>
</project>


@@ -40,6 +40,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</site>
</distributionManagement>
<!-- end copy -->
<properties>
<version.maven-plugin-plugin>3.4</version.maven-plugin-plugin>
</properties>
<build>
<resources>
<resource>
@@ -63,6 +66,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>${version.maven-plugin-plugin}</version>
<configuration>
<skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
<goalPrefix>dependency-check</goalPrefix>
@@ -119,117 +123,24 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>${reporting.maven-plugin-plugin.version}</version>
<version>${version.maven-plugin-plugin}</version>
<configuration>
<goalPrefix>dependency-check</goalPrefix>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>${reporting.checkstyle-plugin.version}</version>
<configuration>
<excludes>**/HelpMojo.java</excludes>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
@@ -258,11 +169,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins>
</reporting>
<dependencies>
@@ -279,23 +185,22 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-plugin-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-settings</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-core</artifactId>
</dependency>
<dependency>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.plugin-tools</groupId>
<artifactId>maven-plugin-annotations</artifactId>
<scope>compile</scope>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.reporting</groupId>
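Review bot: `maven-core` is the only Maven artifact in this dependency list without `<scope>provided</scope>`; maven-plugin-api, maven-settings, maven-site-plugin and now maven-plugin-annotations are all provided, and for a plugin the core artifacts are supplied by the running Maven instance, so leaving maven-core on the compile/runtime classpath risks conflicts with the host Maven's own classes. Unless there is a reason it must be packaged with the plugin, add `<scope>provided</scope>` to it as well. The dependency list continues past the end of the hunk.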


@@ -46,7 +46,7 @@ import org.owasp.dependencycheck.utils.Settings;
@Mojo(
name = "aggregate",
defaultPhase = LifecyclePhase.COMPILE,
aggregator = true,
/*aggregator = true,*/
threadSafe = true,
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
requiresOnline = true
@@ -69,9 +69,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
for (MavenProject current : getReactorProjects()) {
final File dataFile = getDataFile(current);
if (dataFile == null) { //dc was never run on this project. write the ser to the target.
if (getLog().isDebugEnabled()) {
getLog().debug(String.format("Executing dependency-check on %s", current.getName()));
}
getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform the check but dependencies may be missed resulting in false negatives.", current.getName()));
generateDataFile(engine, current);
}
}
@@ -108,9 +106,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
}
} catch (AnalysisException ex) {
getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
if (getLog().isDebugEnabled()) {
getLog().debug("Bundling Exception", ex);
}
getLog().debug("Bundling Exception", ex);
}
File outputDir = getCorrectOutputDirectory(current);
@@ -119,8 +115,6 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
//we shouldn't write this because nothing is configured to generate this report.
outputDir = new File(current.getBuild().getDirectory());
}
getLog().warn("\n\n\nwritting: " + outputDir);
getLog().warn("for: " + current.getName());
writeReports(engine, current, outputDir);
}
}
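Review bot: The new `getLog().error(String.format("Module '%s' did not execute dependency-check; ..."))` reports a skipped reactor module at error severity and then continues with `generateDataFile(engine, current)`, so a module whose dependencies may be missed produces only a log line while the aggregate report still looks complete. Either downgrade it to `warn` if continuing is the intended behaviour, or surface the skipped module in the report or fail the build, so the false-negative risk the message itself describes is visible to whoever consumes the report rather than only to whoever reads the build log. Separately, if `/*aggregator = true,*/` is the new side of the first hunk, it leaves a commented-out annotation attribute in place of a decision; delete the line and state in the class javadoc why aggregator mode is disabled, or restore it. The methods enclosing the second and third hunks begin and end outside the hunks.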


@@ -30,15 +30,10 @@ import java.io.OutputStream;
import java.util.List;
import java.util.Locale;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.artifact.metadata.ArtifactMetadataRetrievalException;
import org.apache.maven.artifact.metadata.ArtifactMetadataSource;
import org.apache.maven.artifact.repository.ArtifactRepository;
import org.apache.maven.artifact.versioning.ArtifactVersion;
import org.apache.maven.doxia.sink.Sink;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.MavenProject;
import org.apache.maven.reporting.MavenReport;
@@ -53,7 +48,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.Settings;
/**
@@ -82,23 +76,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
/**
* The Maven Project Object.
*/
@Component
@Parameter(property = "project", required = true, readonly = true)
private MavenProject project;
/**
* The meta data source for retrieving artifact version information.
*/
@Component
private ArtifactMetadataSource metadataSource;
/**
* A reference to the local repository.
*/
@Parameter(property = "localRepository", readonly = true)
private ArtifactRepository localRepository;
/**
* References to the remote repositories.
*/
@Parameter(property = "project.remoteArtifactRepositories", readonly = true)
private List<ArtifactRepository> remoteRepositories;
/**
* List of Maven project of the current build
*/
@@ -441,8 +420,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
final Object obj = current.getContextValue(getDataFileContextKey());
if (obj != null) {
if (obj instanceof File) {
return (File) obj;
if (obj instanceof String) {
final File f = new File((String) obj);
return f;
}
} else {
if (getLog().isDebugEnabled()) {
@@ -475,31 +455,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
getLog().debug(String.format("Adding project reference %s on dependency %s", project.getName(),
d.getDisplayFileName()));
}
if (metadataSource != null) {
try {
final DependencyVersion currentVersion = new DependencyVersion(a.getVersion());
final List<ArtifactVersion> versions = metadataSource.retrieveAvailableVersions(a,
localRepository, remoteRepositories);
for (ArtifactVersion av : versions) {
final DependencyVersion newVersion = new DependencyVersion(av.toString());
if (currentVersion.compareTo(newVersion) < 0) {
d.addAvailableVersion(av.toString());
}
}
} catch (ArtifactMetadataRetrievalException ex) {
getLog().warn(
"Unable to check for new versions of dependencies; see the log for more details.");
if (getLog().isDebugEnabled()) {
getLog().debug("", ex);
}
} catch (Throwable t) {
getLog().warn(
"Unexpected error occured checking for new versions; see the log for more details.");
if (getLog().isDebugEnabled()) {
getLog().debug("", t);
}
}
}
}
} else {
if (getLog().isDebugEnabled()) {
@@ -955,11 +910,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
file = new File(writeTo, dataFileName);
}
final File parent = file.getParentFile();
if (!parent.isDirectory()) {
if (parent.mkdirs()) {
getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.",
parent.getAbsolutePath()));
}
if (!parent.isDirectory() && parent.mkdirs()) {
getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.",
parent.getAbsolutePath()));
}
OutputStream os = null;
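Review bot: The merged condition `if (!parent.isDirectory() && parent.mkdirs())` logs "Directory '%s' does not exist and cannot be created" exactly when `mkdirs()` succeeds and stays silent when it fails, so a data-file write into an uncreatable directory continues to the `OutputStream` with no diagnostic; the test should read `if (!parent.isDirectory() && !parent.mkdirs()) {`. The same shape is written correctly in `Settings.getTempDirectory` elsewhere in this commit (`!tmpDir.exists() && !tmpDir.mkdirs()`). In the earlier hunk of this file, `final File f = new File((String) obj); return f;` can simply be `return new File((String) obj);`, and because the context value type changed from `File` to `String`, a module that still stores a `File` now falls past the `instanceof` check without any message — a debug line naming the unexpected class would make that failure mode diagnosable. Both enclosing methods start and end outside the hunks.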


@@ -117,7 +117,7 @@ public class Engine extends org.owasp.dependencycheck.Engine {
*/
@Override
protected Analyzer initializeAnalyzer(Analyzer analyzer) {
if ((analyzer instanceof CPEAnalyzer)) {
if (analyzer instanceof CPEAnalyzer) {
CPEAnalyzer cpe = getPreviouslyLoadedCPEAnalyzer();
if (cpe != null && cpe.isOpen()) {
return cpe;
@@ -152,7 +152,7 @@ public class Engine extends org.owasp.dependencycheck.Engine {
*/
@Override
protected void closeAnalyzer(Analyzer analyzer) {
if ((analyzer instanceof CPEAnalyzer)) {
if (analyzer instanceof CPEAnalyzer) {
if (getPreviouslyLoadedCPEAnalyzer() == null) {
super.closeAnalyzer(analyzer);
}


@@ -25,7 +25,6 @@ import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Settings;
/**


@@ -38,7 +38,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<!-- end copy -->
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<findbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</findbugs.onlyAnalyze>
</properties>
<build>
<plugins>
@@ -97,90 +97,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
@@ -213,14 +133,6 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
<configuration>
<onlyAnalyze>org.owasp.dependencycheck.utils.*</onlyAnalyze>
</configuration>
</plugin>
</plugins>
</reporting>
<dependencies>


@@ -31,7 +31,6 @@ import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Enumeration;
import java.util.Properties;
import java.util.logging.Level;
/**
* A simple settings container that wraps the dependencycheck.properties file.
@@ -634,11 +633,9 @@ public final class Settings {
*/
public static File getTempDirectory() throws IOException {
final File tmpDir = new File(Settings.getString(Settings.KEYS.TEMP_DIRECTORY, System.getProperty("java.io.tmpdir")), "dctemp");
if (!tmpDir.exists()) {
if (!tmpDir.mkdirs()) {
final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath());
throw new IOException(msg);
}
if (!tmpDir.exists() && !tmpDir.mkdirs()) {
final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath());
throw new IOException(msg);
}
tempDirectory = tmpDir;
return tmpDir;
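Review bot: The new guard `if (!tmpDir.exists() && !tmpDir.mkdirs())` accepts any pre-existing path named `dctemp` as the temp directory, including a plain file or a directory pre-created by another local user when the parent is the shared `java.io.tmpdir` default; because the name is fixed and predictable, the check should at least be `if (!tmpDir.isDirectory() && !tmpDir.mkdirs()) {` so a file at that path is reported instead of returned as a directory. If the code base targets Java 7 or later, `Files.createTempDirectory` with the configured parent would remove both the predictable name and the check-then-create window, but that is a larger change than this hunk and I have not verified the language level. The method's closing brace is outside the hunk.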

156
pom.xml

@@ -129,19 +129,9 @@ Copyright (c) 2012 - Jeremy Long
<apache.lucene.version>4.7.2</apache.lucene.version>
<slf4j.version>1.7.12</slf4j.version>
<logback.version>1.1.3</logback.version>
<reporting.checkstyle-plugin.version>2.11</reporting.checkstyle-plugin.version>
<reporting.cobertura-plugin.version>2.6</reporting.cobertura-plugin.version>
<reporting.findbugs-plugin.version>2.5.3</reporting.findbugs-plugin.version>
<reporting.javadoc-plugin.version>2.9.1</reporting.javadoc-plugin.version>
<reporting.jxr-plugin.version>2.4</reporting.jxr-plugin.version>
<!-- todo(code review): only used in maven module? Not needed elsewhere -->
<reporting.maven-plugin-plugin.version>3.2</reporting.maven-plugin-plugin.version>
<reporting.pmd-plugin.version>3.0.1</reporting.pmd-plugin.version>
<!-- TODO(code review) project-info-reports-plugin was/is not used in utils. Expected/intended? -->
<reporting.project-info-reports-plugin.version>2.7</reporting.project-info-reports-plugin.version>
<reporting.surefire-report-plugin.version>2.16</reporting.surefire-report-plugin.version>
<reporting.taglist-plugin.version>2.4</reporting.taglist-plugin.version>
<reporting.versions-plugin.version>2.1</reporting.versions-plugin.version>
<reporting.checkstyle-plugin.version>2.16</reporting.checkstyle-plugin.version>
<reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
<reporting.pmd-plugin.version>3.5</reporting.pmd-plugin.version>
</properties>
<distributionManagement>
<site>
@@ -189,7 +179,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>1.3.1</version>
<version>1.4.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -216,11 +206,6 @@ Copyright (c) 2012 - Jeremy Long
<artifactId>maven-jar-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>${reporting.maven-plugin-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
@@ -234,11 +219,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<!-- Before upgrading this to a newer version, verify the pages produced by `mvn site` still works.
In particular, pay attention to all pages under "File type analyzers" as well as those under "General".
Previously when testing with maven-site-plugin 3.4, these links have stopped working for some reason.
-->
<version>3.3</version>
<version>3.4</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -334,7 +315,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.5</version>
<version>1.6</version>
</dependency>
</dependencies>
<configuration>
@@ -366,10 +347,36 @@ Copyright (c) 2012 - Jeremy Long
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.10.3</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.5</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<version>2.8</version>
<reportSets>
<reportSet>
<reports>
@@ -393,6 +400,72 @@ Copyright (c) 2012 - Jeremy Long
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.18.1</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>cobertura</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.2</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins>
</reporting>
<dependencyManagement>
@@ -410,10 +483,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>commons-cli</groupId>
<artifactId>commons-cli</artifactId>
<!-- Before upgrading to 1.3, note that this introduces several
deprecation warnings. Most notable OptionBuilder has been
marked as deprecated. Should probably be sorted out. -->
<version>1.2</version>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
@@ -421,14 +491,14 @@ Copyright (c) 2012 - Jeremy Long
<version>2.4</version>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.4</version>
</dependency>
<dependency>
<groupId>com.sun.mail</groupId>
<artifactId>mailapi</artifactId>
<version>1.5.2</version>
<version>1.5.4</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
@@ -449,17 +519,17 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.9</version>
<version>1.10</version>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>1.9.5</version>
<version>1.9.6</version>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant-testutil</artifactId>
<version>1.9.5</version>
<version>1.9.6</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
@@ -543,23 +613,13 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.7.2</version>
<version>1.8.3</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-ext</artifactId>
<version>${slf4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<version>${slf4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
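Review bot: The maven-site-plugin bump to `<version>3.4</version>` deletes the comment warning that this exact version broke the "File type analyzers" and "General" site pages; if `mvn site` has been re-verified at 3.4 that should be stated in the commit, otherwise the caveat should stay next to the version. Plugin versions in the new `<reporting>` block mix literals (`2.10.3`, `2.5`, `2.8`, `2.18.1`, `3.0.2`, `2.4`, `2.2`) with the surviving `${reporting.*-plugin.version}` properties; one convention should be chosen, since the properties exist so parent and modules stay in step. The `commons-lang:commons-lang:2.6` to `org.apache.commons:commons-lang3:3.4` change is a coordinate change rather than a version bump, so every module must move its imports from `org.apache.commons.lang` to `org.apache.commons.lang3` and the old artifact should be confirmed absent from the resolved dependency tree. Dropping `findbugs.onlyAnalyze` in the utils pom while the `findbugs-maven-plugin` here carries no `<configuration>` widens the analysis scope to the whole build — presumably intended, but worth a line in the commit message.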


@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<skin>
<groupId>org.apache.maven.skins</groupId>
<artifactId>maven-fluido-skin</artifactId>
<version>1.3.1</version>
<version>1.4</version>
</skin>
<custom>
<fluidoSkin>