Merge branch 'upmaster' into ruby-bundler. Fixed omission of --disableBundleAudit option.

Conflicts:
	dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
This commit is contained in:
Dale Visser
2015-09-09 18:09:41 -04:00
40 changed files with 361 additions and 887 deletions


@@ -1,3 +1,4 @@
[![Build Status](https://dependency-check.ci.cloudbees.com/buildStatus/icon?job=dependency-check)](https://dependency-check.ci.cloudbees.com/job/dependency-check/)
Dependency-Check Dependency-Check
================ ================


@@ -190,18 +190,10 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</execution> </execution>
</executions> </executions>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId> <artifactId>maven-shade-plugin</artifactId>
<version>2.3</version> <version>2.4.1</version>
<configuration> <configuration>
<transformers> <transformers>
<transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" /> <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
@@ -273,96 +265,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</build> </build>
<reporting> <reporting>
<plugins> <plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId> <artifactId>maven-checkstyle-plugin</artifactId>
@@ -395,11 +297,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</rulesets> </rulesets>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins> </plugins>
</reporting> </reporting>
<dependencies> <dependencies>


@@ -124,10 +124,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
</systemProperties> </systemProperties>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
<plugin> <plugin>
<groupId>org.codehaus.mojo</groupId> <groupId>org.codehaus.mojo</groupId>
<artifactId>appassembler-maven-plugin</artifactId> <artifactId>appassembler-maven-plugin</artifactId>
@@ -178,96 +174,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
</build> </build>
<reporting> <reporting>
<plugins> <plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright<EFBFBD> 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId> <artifactId>maven-checkstyle-plugin</artifactId>
@@ -300,11 +206,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
</rulesets> </rulesets>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins> </plugins>
</reporting> </reporting>
<dependencies> <dependencies>


@@ -423,7 +423,7 @@ public class App {
} }
/** /**
* Takes a path and resolves it to be a canonical & absolute path. The caveats are that this method will take an Ant style * Takes a path and resolves it to be a canonical &amp; absolute path. The caveats are that this method will take an Ant style
* file selector path (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at least to the left of the first * * file selector path (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at least to the left of the first *
* or ?). * or ?).
* *


@@ -23,13 +23,12 @@ import java.util.logging.Level;
import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser; import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter; import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option; import org.apache.commons.cli.Option;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.OptionGroup; import org.apache.commons.cli.OptionGroup;
import org.apache.commons.cli.Options; import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException; import org.apache.commons.cli.ParseException;
import org.apache.commons.cli.PosixParser;
import org.owasp.dependencycheck.reporting.ReportGenerator.Format; import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
import org.owasp.dependencycheck.utils.InvalidSettingException; import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
@@ -79,7 +78,7 @@ public final class CliParser {
* @throws ParseException if the arguments are invalid * @throws ParseException if the arguments are invalid
*/ */
private CommandLine parseArgs(String[] args) throws ParseException { private CommandLine parseArgs(String[] args) throws ParseException {
final CommandLineParser parser = new PosixParser(); final CommandLineParser parser = new DefaultParser();
final Options options = createCommandLineOptions(); final Options options = createCommandLineOptions();
return parser.parse(options, args); return parser.parse(options, args);
} }
@@ -209,8 +208,8 @@ public final class CliParser {
final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false, final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
"Print this message."); "Print this message.");
final Option advancedHelp = OptionBuilder.withLongOpt(ARGUMENT.ADVANCED_HELP) final Option advancedHelp = Option.builder().longOpt(ARGUMENT.ADVANCED_HELP)
.withDescription("Print the advanced help message.").create(); .desc("Print the advanced help message.").build();
final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION, final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION,
false, "Print the version information."); false, "Print the version information.");
@@ -218,44 +217,44 @@ public final class CliParser {
final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE, final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
false, "Disables the automatic updating of the CPE data."); false, "Disables the automatic updating of the CPE data.");
final Option projectName = OptionBuilder.hasArg().withArgName("name").withLongOpt(ARGUMENT.PROJECT) final Option projectName = Option.builder().hasArg().argName("name").longOpt(ARGUMENT.PROJECT)
.withDescription("The name of the project being scanned. This is a required argument.") .desc("The name of the project being scanned. This is a required argument.")
.create(); .build();
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN) final Option path = Option.builder(ARGUMENT.SCAN_SHORT).argName("path").hasArg().longOpt(ARGUMENT.SCAN)
.withDescription("The path to scan - this option can be specified multiple times. Ant style" .desc("The path to scan - this option can be specified multiple times. Ant style"
+ " paths are supported (e.g. path/**/*.jar).") + " paths are supported (e.g. path/**/*.jar).")
.create(ARGUMENT.SCAN_SHORT); .build();
final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE) final Option excludes = Option.builder().argName("pattern").hasArg().longOpt(ARGUMENT.EXCLUDE)
.withDescription("Specify and exclusion pattern. This option can be specified multiple times" .desc("Specify and exclusion pattern. This option can be specified multiple times"
+ " and it accepts Ant style excludsions.") + " and it accepts Ant style excludsions.")
.create("p"); .build();
final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP) final Option props = Option.builder(ARGUMENT.PROP_SHORT).argName("file").hasArg().longOpt(ARGUMENT.PROP)
.withDescription("A property file to load.") .desc("A property file to load.")
.create(ARGUMENT.PROP_SHORT); .build();
final Option out = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.OUT) final Option out = Option.builder(ARGUMENT.OUT_SHORT).argName("path").hasArg().longOpt(ARGUMENT.OUT)
.withDescription("The folder to write reports to. This defaults to the current directory. " .desc("The folder to write reports to. This defaults to the current directory. "
+ "It is possible to set this to a specific file name if the format argument is not set to ALL.") + "It is possible to set this to a specific file name if the format argument is not set to ALL.")
.create(ARGUMENT.OUT_SHORT); .build();
final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ARGUMENT.OUTPUT_FORMAT) final Option outputFormat = Option.builder(ARGUMENT.OUTPUT_FORMAT_SHORT).argName("format").hasArg().longOpt(ARGUMENT.OUTPUT_FORMAT)
.withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.") .desc("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
.create(ARGUMENT.OUTPUT_FORMAT_SHORT); .build();
final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.VERBOSE_LOG) final Option verboseLog = Option.builder(ARGUMENT.VERBOSE_LOG_SHORT).argName("file").hasArg().longOpt(ARGUMENT.VERBOSE_LOG)
.withDescription("The file path to write verbose logging information.") .desc("The file path to write verbose logging information.")
.create(ARGUMENT.VERBOSE_LOG_SHORT); .build();
final Option symLinkDepth = OptionBuilder.withArgName("depth").hasArg().withLongOpt(ARGUMENT.SYM_LINK_DEPTH) final Option symLinkDepth = Option.builder().argName("depth").hasArg().longOpt(ARGUMENT.SYM_LINK_DEPTH)
.withDescription("Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.") .desc("Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.")
.create(); .build();
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.SUPPRESSION_FILE) final Option suppressionFile = Option.builder().argName("file").hasArg().longOpt(ARGUMENT.SUPPRESSION_FILE)
.withDescription("The file path to the suppression XML file.") .desc("The file path to the suppression XML file.")
.create(); .build();
//This is an option group because it can be specified more then once. //This is an option group because it can be specified more then once.
final OptionGroup og = new OptionGroup(); final OptionGroup og = new OptionGroup();
@@ -289,119 +288,119 @@ public final class CliParser {
@SuppressWarnings("static-access") @SuppressWarnings("static-access")
private void addAdvancedOptions(final Options options) throws IllegalArgumentException { private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
final Option cve12Base = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_BASE_12) final Option cve12Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_12)
.withDescription("Base URL for each years CVE 1.2, the %d will be replaced with the year. ") .desc("Base URL for each years CVE 1.2, the %d will be replaced with the year. ")
.create(); .build();
final Option cve20Base = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_BASE_20) final Option cve20Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_20)
.withDescription("Base URL for each years CVE 2.0, the %d will be replaced with the year.") .desc("Base URL for each years CVE 2.0, the %d will be replaced with the year.")
.create(); .build();
final Option cve12Modified = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_MOD_12) final Option cve12Modified = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_MOD_12)
.withDescription("URL for the modified CVE 1.2.") .desc("URL for the modified CVE 1.2.")
.create(); .build();
final Option cve20Modified = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_MOD_20) final Option cve20Modified = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_MOD_20)
.withDescription("URL for the modified CVE 2.0.") .desc("URL for the modified CVE 2.0.")
.create(); .build();
final Option updateOnly = OptionBuilder.withLongOpt(ARGUMENT.UPDATE_ONLY) final Option updateOnly = Option.builder().longOpt(ARGUMENT.UPDATE_ONLY)
.withDescription("Only update the local NVD data cache; no scan will be executed.").create(); .desc("Only update the local NVD data cache; no scan will be executed.").build();
final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY) final Option data = Option.builder(ARGUMENT.DATA_DIRECTORY_SHORT).argName("path").hasArg().longOpt(ARGUMENT.DATA_DIRECTORY)
.withDescription("The location of the H2 Database file. This option should generally not be set.") .desc("The location of the H2 Database file. This option should generally not be set.")
.create(ARGUMENT.DATA_DIRECTORY_SHORT); .build();
final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL) final Option nexusUrl = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.NEXUS_URL)
.withDescription("The url to the Nexus Server's REST API Endpoint (http://domain/nexus/service/local). " .desc("The url to the Nexus Server's REST API Endpoint (http://domain/nexus/service/local). "
+ "If not set the Nexus Analyzer will be disabled.").create(); + "If not set the Nexus Analyzer will be disabled.").build();
final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY) final Option nexusUsesProxy = Option.builder().argName("true/false").hasArg().longOpt(ARGUMENT.NEXUS_USES_PROXY)
.withDescription("Whether or not the configured proxy should be used when connecting to Nexus.") .desc("Whether or not the configured proxy should be used when connecting to Nexus.")
.create(); .build();
final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg() final Option additionalZipExtensions = Option.builder().argName("extensions").hasArg()
.withLongOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS) .longOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma separated list of additional extensions to be scanned as ZIP files " .desc("A comma separated list of additional extensions to be scanned as ZIP files "
+ "(ZIP, EAR, WAR are already treated as zip files)").create(); + "(ZIP, EAR, WAR are already treated as zip files)").build();
final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.PATH_TO_MONO) final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO)
.withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.") .desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
.create(); .build();
final Option pathToBundleAudit = OptionBuilder.withArgName("path").hasArg() final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
.withLongOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT) .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
.withDescription("The path to bundle-audit for Gem bundle analysis.").create(); .desc("The path to bundle-audit for Gem bundle analysis.").build();
final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT) final Option connectionTimeout = Option.builder(ARGUMENT.CONNECTION_TIMEOUT_SHORT).argName("timeout").hasArg().longOpt(ARGUMENT.CONNECTION_TIMEOUT)
.withDescription("The connection timeout (in milliseconds) to use when downloading resources.") .desc("The connection timeout (in milliseconds) to use when downloading resources.")
.create(ARGUMENT.CONNECTION_TIMEOUT_SHORT); .build();
final Option proxyServer = OptionBuilder.withArgName("server").hasArg().withLongOpt(ARGUMENT.PROXY_SERVER) final Option proxyServer = Option.builder().argName("server").hasArg().longOpt(ARGUMENT.PROXY_SERVER)
.withDescription("The proxy server to use when downloading resources.").create(); .desc("The proxy server to use when downloading resources.").build();
final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ARGUMENT.PROXY_PORT) final Option proxyPort = Option.builder().argName("port").hasArg().longOpt(ARGUMENT.PROXY_PORT)
.withDescription("The proxy port to use when downloading resources.").create(); .desc("The proxy port to use when downloading resources.").build();
final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.PROXY_USERNAME) final Option proxyUsername = Option.builder().argName("user").hasArg().longOpt(ARGUMENT.PROXY_USERNAME)
.withDescription("The proxy username to use when downloading resources.").create(); .desc("The proxy username to use when downloading resources.").build();
final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ARGUMENT.PROXY_PASSWORD) final Option proxyPassword = Option.builder().argName("pass").hasArg().longOpt(ARGUMENT.PROXY_PASSWORD)
.withDescription("The proxy password to use when downloading resources.").create(); .desc("The proxy password to use when downloading resources.").build();
final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ARGUMENT.CONNECTION_STRING) final Option connectionString = Option.builder().argName("connStr").hasArg().longOpt(ARGUMENT.CONNECTION_STRING)
.withDescription("The connection string to the database.").create(); .desc("The connection string to the database.").build();
final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.DB_NAME) final Option dbUser = Option.builder().argName("user").hasArg().longOpt(ARGUMENT.DB_NAME)
.withDescription("The username used to connect to the database.").create(); .desc("The username used to connect to the database.").build();
final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ARGUMENT.DB_PASSWORD) final Option dbPassword = Option.builder().argName("password").hasArg().longOpt(ARGUMENT.DB_PASSWORD)
.withDescription("The password for connecting to the database.").create(); .desc("The password for connecting to the database.").build();
final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ARGUMENT.DB_DRIVER) final Option dbDriver = Option.builder().argName("driver").hasArg().longOpt(ARGUMENT.DB_DRIVER)
.withDescription("The database driver name.").create(); .desc("The database driver name.").build();
final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DB_DRIVER_PATH) final Option dbDriverPath = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.DB_DRIVER_PATH)
.withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.") .desc("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
.create(); .build();
final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_JAR) final Option disableJarAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_JAR)
.withDescription("Disable the Jar Analyzer.").create(); .desc("Disable the Jar Analyzer.").build();
final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ARCHIVE) final Option disableArchiveAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ARCHIVE)
.withDescription("Disable the Archive Analyzer.").create(); .desc("Disable the Archive Analyzer.").build();
final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC) final Option disableNuspecAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUSPEC)
.withDescription("Disable the Nuspec Analyzer.").create(); .desc("Disable the Nuspec Analyzer.").build();
final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY) final Option disableAssemblyAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ASSEMBLY)
.withDescription("Disable the .NET Assembly Analyzer.").create(); .desc("Disable the .NET Assembly Analyzer.").build();
final Option disablePythonDistributionAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_DIST) final Option disablePythonDistributionAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_DIST)
.withDescription("Disable the Python Distribution Analyzer.").create(); .desc("Disable the Python Distribution Analyzer.").build();
final Option disablePythonPackageAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_PKG) final Option disablePythonPackageAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_PKG)
.withDescription("Disable the Python Package Analyzer.").create(); .desc("Disable the Python Package Analyzer.").build();
final Option disableAutoconfAnalyzer = OptionBuilder final Option disableAutoconfAnalyzer = Option.builder()
.withLongOpt(ARGUMENT.DISABLE_AUTOCONF) .longOpt(ARGUMENT.DISABLE_AUTOCONF)
.withDescription("Disable the Autoconf Analyzer.").create(); .desc("Disable the Autoconf Analyzer.").build();
final Option disableOpenSSLAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_OPENSSL) final Option disableOpenSSLAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_OPENSSL)
.withDescription("Disable the OpenSSL Analyzer.").create(); .desc("Disable the OpenSSL Analyzer.").build();
final Option disableCmakeAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CMAKE). final Option disableCmakeAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CMAKE)
withDescription("Disable the Cmake Analyzer.").create(); .desc("Disable the Cmake Analyzer.").build();
final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL) final Option disableCentralAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CENTRAL)
.withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable " .desc("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
+ "the Nexus Analyzer.").create(); + "the Nexus Analyzer.").build();
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS) final Option disableNexusAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NEXUS)
.withDescription("Disable the Nexus Analyzer.").create(); .desc("Disable the Nexus Analyzer.").build();
final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PURGE_NVD) final Option purge = Option.builder().longOpt(ARGUMENT.PURGE_NVD)
.withDescription("Purges the local NVD data cache") .desc("Purges the local NVD data cache")
.create(); .build();
options.addOption(updateOnly) options.addOption(updateOnly)
.addOption(cve12Base) .addOption(cve12Base)
@@ -422,20 +421,21 @@ public final class CliParser {
.addOption(disableJarAnalyzer) .addOption(disableJarAnalyzer)
.addOption(disableArchiveAnalyzer) .addOption(disableArchiveAnalyzer)
.addOption(disableAssemblyAnalyzer) .addOption(disableAssemblyAnalyzer)
.addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT) .addOption(pathToBundleAudit)
.withDescription("Disable the Ruby Bundler Audit Analyzer.").create())
.addOption(disablePythonDistributionAnalyzer) .addOption(disablePythonDistributionAnalyzer)
.addOption(disableCmakeAnalyzer) .addOption(disableCmakeAnalyzer)
.addOption(disablePythonPackageAnalyzer) .addOption(disablePythonPackageAnalyzer)
.addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_RUBYGEMS) .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_RUBYGEMS)
.withDescription("Disable the Ruby Gemspec Analyzer.").create()) .desc("Disable the Ruby Gemspec Analyzer.").build())
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
.desc("Disable the Ruby Bundler-Audit Analyzer.").build())
.addOption(disableAutoconfAnalyzer) .addOption(disableAutoconfAnalyzer)
.addOption(disableOpenSSLAnalyzer) .addOption(disableOpenSSLAnalyzer)
.addOption(disableNuspecAnalyzer) .addOption(disableNuspecAnalyzer)
.addOption(disableCentralAnalyzer) .addOption(disableCentralAnalyzer)
.addOption(disableNexusAnalyzer) .addOption(disableNexusAnalyzer)
.addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NODE_JS) .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_JS)
.withDescription("Disable the Node.js Package Analyzer.").create()) .desc("Disable the Node.js Package Analyzer.").build())
.addOption(nexusUrl) .addOption(nexusUrl)
.addOption(nexusUsesProxy) .addOption(nexusUsesProxy)
.addOption(additionalZipExtensions) .addOption(additionalZipExtensions)
@@ -454,12 +454,12 @@ public final class CliParser {
@SuppressWarnings({"static-access", "deprecation"}) @SuppressWarnings({"static-access", "deprecation"})
private void addDeprecatedOptions(final Options options) throws IllegalArgumentException { private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL) final Option proxyServer = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.PROXY_URL)
.withDescription("The proxy url argument is deprecated, use proxyserver instead.") .desc("The proxy url argument is deprecated, use proxyserver instead.")
.create(); .build();
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME) final Option appName = Option.builder(ARGUMENT.APP_NAME_SHORT).argName("name").hasArg().longOpt(ARGUMENT.APP_NAME)
.withDescription("The name of the project being scanned.") .desc("The name of the project being scanned.")
.create(ARGUMENT.APP_NAME_SHORT); .build();
options.addOption(proxyServer); options.addOption(proxyServer);
options.addOption(appName); options.addOption(appName);
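Review bot: The `--exclude` option silently loses its short form in the OptionBuilder-to-Option.builder() conversion: the old side built it with `.create("p")`, while the new side starts from a bare `Option.builder()` with no short name, so any existing invocation of `-p <pattern>` will now be rejected by DefaultParser as an unrecognized option instead of excluding paths from the scan. If dropping the alias is intentional it should be called out in the commit message and CLI docs; otherwise restore it with `Option.builder("p").argName("pattern").hasArg().longOpt(ARGUMENT.EXCLUDE)` so the other short-named options (`ARGUMENT.SCAN_SHORT`, `ARGUMENT.PROP_SHORT`, etc.) are treated consistently. A smaller style point: with OptionBuilder gone, the `@SuppressWarnings("static-access")` on addAdvancedOptions and the matching entry on addDeprecatedOptions no longer suppress anything and can be removed. The method enclosing the `excludes` definition starts and ends outside the hunk.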


@@ -110,13 +110,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId> <artifactId>maven-jar-plugin</artifactId>
<executions> <executions>
<execution>
<id>jar</id>
<phase>package</phase>
<goals>
<goal>jar</goal>
</goals>
</execution>
<execution> <execution>
<id>test-jar</id> <id>test-jar</id>
<phase>package</phase> <phase>package</phase>
@@ -228,70 +221,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</build> </build>
<reporting> <reporting>
<plugins> <plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId> <artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets> <reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
<reportSet> <reportSet>
<id>integration-tests</id> <id>integration-tests</id>
<reports> <reports>
@@ -301,30 +234,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</reportSet> </reportSet>
</reportSets> </reportSets>
</plugin> </plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId> <artifactId>maven-checkstyle-plugin</artifactId>
@@ -357,11 +266,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</rulesets> </rulesets>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins> </plugins>
</reporting> </reporting>
<dependencies> <dependencies>
@@ -376,22 +280,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<artifactId>slf4j-api</artifactId> <artifactId>slf4j-api</artifactId>
</dependency> </dependency>
<!-- Set this to test so that each project that uses this has to have its own implementation of SLF4J --> <!-- Set this to test so that each project that uses this has to have its own implementation of SLF4J -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<scope>test</scope>
</dependency>
<dependency> <dependency>
<groupId>ch.qos.logback</groupId> <groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId> <artifactId>logback-classic</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<!-- For the CAL10N support -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-ext</artifactId>
<scope>compile</scope>
</dependency>
<dependency> <dependency>
<groupId>org.owasp</groupId> <groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId> <artifactId>dependency-check-utils</artifactId>
@@ -416,8 +309,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<artifactId>commons-io</artifactId> <artifactId>commons-io</artifactId>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-lang</groupId> <groupId>org.apache.commons</groupId>
<artifactId>commons-lang</artifactId> <artifactId>commons-lang3</artifactId>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.lucene</groupId> <groupId>org.apache.lucene</groupId>
@@ -438,6 +331,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency> <dependency>
<groupId>com.h2database</groupId> <groupId>com.h2database</groupId>
<artifactId>h2</artifactId> <artifactId>h2</artifactId>
<scope>runtime</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.glassfish</groupId> <groupId>org.glassfish</groupId>
@@ -446,7 +340,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency> <dependency>
<groupId>org.jsoup</groupId> <groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId> <artifactId>jsoup</artifactId>
<type>jar</type>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.sun.mail</groupId> <groupId>com.sun.mail</groupId>
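Review bot: The `commons-lang` → `commons-lang3` swap in the `@@ -416,8 +309,8 @@` hunk changes the Java package from `org.apache.commons.lang` to `org.apache.commons.lang3`, so every remaining `org.apache.commons.lang.` import in this module stops compiling; this commit updates two such imports (CMakeAnalyzer and the analyzer at the `@@ -26,7 +26,7 @@` hunk), and a grep for the old package before merging would confirm none are left. No `<version>` is given on the new dependency, so it presumably comes from the parent's `<dependencyManagement>`; confirm the parent declares `commons-lang3`. Restricting `h2` to `<scope>runtime</scope>` in the `@@ -438,6 +331,7 @@` hunk is only safe if no module source references `org.h2` classes directly (the CveDB change in this diff goes through JDBC `prepareStatement`, which is fine). Dropping `findbugs-maven-plugin` from `<reporting>` in the `@@ -357,11 +266,6 @@` hunk removes the static-analysis report from this module's site unless the parent, whose reporting block is also trimmed in this commit, now provides it.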


@@ -352,6 +352,7 @@ public class Engine implements FileFilter {
LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------"); LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------");
LOGGER.info("Analysis Starting"); LOGGER.info("Analysis Starting");
final long analysisStart = System.currentTimeMillis();
// analysis phases // analysis phases
for (AnalysisPhase phase : AnalysisPhase.values()) { for (AnalysisPhase phase : AnalysisPhase.values()) {
@@ -365,8 +366,7 @@ public class Engine implements FileFilter {
* This is okay for adds/deletes because it happens per analyzer. * This is okay for adds/deletes because it happens per analyzer.
*/ */
LOGGER.debug("Begin Analyzer '{}'", a.getName()); LOGGER.debug("Begin Analyzer '{}'", a.getName());
final Set<Dependency> dependencySet = new HashSet<Dependency>(); final Set<Dependency> dependencySet = new HashSet<Dependency>(dependencies);
dependencySet.addAll(dependencies);
for (Dependency d : dependencySet) { for (Dependency d : dependencySet) {
boolean shouldAnalyze = true; boolean shouldAnalyze = true;
if (a instanceof FileTypeAnalyzer) { if (a instanceof FileTypeAnalyzer) {
@@ -398,7 +398,7 @@ public class Engine implements FileFilter {
} }
LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------"); LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------");
LOGGER.info("Analysis Complete"); LOGGER.info("Analysis Complete ({} ms)", System.currentTimeMillis() - analysisStart);
} }
/** /**
@@ -442,6 +442,7 @@ public class Engine implements FileFilter {
*/ */
public void doUpdates() { public void doUpdates() {
LOGGER.info("Checking for updates"); LOGGER.info("Checking for updates");
final long updateStart = System.currentTimeMillis();
final UpdateService service = new UpdateService(serviceClassLoader); final UpdateService service = new UpdateService(serviceClassLoader);
final Iterator<CachedWebDataSource> iterator = service.getDataSources(); final Iterator<CachedWebDataSource> iterator = service.getDataSources();
while (iterator.hasNext()) { while (iterator.hasNext()) {
@@ -454,7 +455,7 @@ public class Engine implements FileFilter {
LOGGER.debug("Unable to update details for {}", source.getClass().getName(), ex); LOGGER.debug("Unable to update details for {}", source.getClass().getName(), ex);
} }
} }
LOGGER.info("Check for updates complete"); LOGGER.info("Check for updates complete ({} ms)", System.currentTimeMillis() - updateStart);
} }
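Review bot: The elapsed-time values introduced in the `@@ -352,6 +352,7 @@` / `@@ -398,7 +398,7 @@` pair and in `doUpdates` are differences of `System.currentTimeMillis()`, a wall clock that can step backwards or forwards under NTP adjustment, so the logged duration can be negative or inflated. `System.nanoTime()` is the monotonic clock meant for intervals: `final long analysisStart = System.nanoTime();` and `TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - analysisStart)` in the log call. The same pattern is added in this commit to CPEAnalyzer.open, DownloadTask and ProcessTask. The method containing the first hunk starts outside it.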
/** /**


@@ -89,16 +89,16 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*/ */
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg"); private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
/** /**
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need to be
* to be explicitly handled in {@link #extractFiles(File, File, Engine)}. * explicitly handled in {@link #extractFiles(File, File, Engine)}.
*/ */
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2"); private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
/** /**
* Detects files with extensions to remove from the engine's collection of dependencies. * Detects files with extensions to remove from the engine's collection of dependencies.
*/ */
private static final FileFilter REMOVE_FROM_ANALYSIS = private static final FileFilter REMOVE_FROM_ANALYSIS
FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build(); = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
static { static {
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS); final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
@@ -184,7 +184,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
if (tempFileLocation != null && tempFileLocation.exists()) { if (tempFileLocation != null && tempFileLocation.exists()) {
LOGGER.debug("Attempting to delete temporary files"); LOGGER.debug("Attempting to delete temporary files");
final boolean success = FileUtils.delete(tempFileLocation); final boolean success = FileUtils.delete(tempFileLocation);
if (!success && tempFileLocation != null && tempFileLocation.exists() && tempFileLocation.list().length > 0) { if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
LOGGER.warn("Failed to delete some temporary files, see the log for more details"); LOGGER.warn("Failed to delete some temporary files, see the log for more details");
} }
} }
@@ -239,7 +239,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
final File tdir = getNextTempDirectory(); final File tdir = getNextTempDirectory();
final String fileName = dependency.getFileName(); final String fileName = dependency.getFileName();
LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName)); LOGGER.info("The zip file '{}' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName);
final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar"); final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
try { try {
@@ -271,15 +271,14 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* @return any dependencies that weren't known to the engine before * @return any dependencies that weren't known to the engine before
*/ */
private static Set<Dependency> findMoreDependencies(Engine engine, File file) { private static Set<Dependency> findMoreDependencies(Engine engine, File file) {
List<Dependency> before = new ArrayList<Dependency>(engine.getDependencies()); final List<Dependency> before = new ArrayList<Dependency>(engine.getDependencies());
engine.scan(file); engine.scan(file);
List<Dependency> after = engine.getDependencies(); final List<Dependency> after = engine.getDependencies();
final boolean sizeChanged = before.size() != after.size(); final boolean sizeChanged = before.size() != after.size();
final Set<Dependency> newDependencies; final Set<Dependency> newDependencies;
if (sizeChanged) { if (sizeChanged) {
//get the new dependencies //get the new dependencies
newDependencies = new HashSet<Dependency>(); newDependencies = new HashSet<Dependency>(after);
newDependencies.addAll(after);
newDependencies.removeAll(before); newDependencies.removeAll(before);
} else { } else {
newDependencies = EMPTY_DEPENDENCY_SET; newDependencies = EMPTY_DEPENDENCY_SET;
@@ -287,7 +286,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
return newDependencies; return newDependencies;
} }
/** /**
* Retrieves the next temporary directory to extract an archive too. * Retrieves the next temporary directory to extract an archive too.
* *
@@ -452,7 +450,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* *
* @param closeable to be closed * @param closeable to be closed
*/ */
private static void close(Closeable closeable){ private static void close(Closeable closeable) {
if (null != closeable) { if (null != closeable) {
try { try {
closeable.close(); closeable.close();
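Review bot: In the simplified condition of the `@@ -184,7 +184,7 @@` hunk, `tempFileLocation.list()` can return `null` (`File.list` does so when the path is not a directory or an I/O error occurs), so `.length` can throw a NullPointerException inside the cleanup path; the commit removes the redundant null check on `tempFileLocation` but keeps the unguarded dereference. Capture the listing first: `final String[] remaining = tempFileLocation.list();` then `if (!success && remaining != null && remaining.length > 0) {`. The enclosing method starts and ends outside the hunk.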


@@ -17,8 +17,6 @@
*/ */
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import ch.qos.cal10n.IMessageConveyor;
import ch.qos.cal10n.MessageConveyor;
import java.io.BufferedReader; import java.io.BufferedReader;
import java.io.File; import java.io.File;
import java.io.FileFilter; import java.io.FileFilter;
@@ -45,7 +43,6 @@ import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory; import javax.xml.xpath.XPathFactory;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Locale;
/** /**
* Analyzer for getting company, product, and version information from a .NET assembly. * Analyzer for getting company, product, and version information from a .NET assembly.
@@ -75,10 +72,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
* The DocumentBuilder for parsing the XML * The DocumentBuilder for parsing the XML
*/ */
private DocumentBuilder builder; private DocumentBuilder builder;
/**
* Message Conveyer
*/
private static final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
/** /**
* Logger * Logger
*/ */


@@ -18,7 +18,7 @@
package org.owasp.dependencycheck.analyzer; package org.owasp.dependencycheck.analyzer;
import org.apache.commons.io.FileUtils; import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Confidence;
@@ -167,7 +167,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getProductEvidence().addEvidence(name, "Project", dependency.getProductEvidence().addEvidence(name, "Project",
group, Confidence.HIGH); group, Confidence.HIGH);
} }
LOGGER.debug(String.format("Found %d matches.", count)); LOGGER.debug("Found {} matches.", count);
analyzeSetVersionCommand(dependency, engine, contents); analyzeSetVersionCommand(dependency, engine, contents);
} }
} }
@@ -178,9 +178,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
int count = 0; int count = 0;
while (m.find()) { while (m.find()) {
count++; count++;
LOGGER.debug(String.format( LOGGER.debug("Found project command match with {} groups: {}",
"Found project command match with %d groups: %s", m.groupCount(), m.group(0));
m.groupCount(), m.group(0)));
String product = m.group(1); String product = m.group(1);
final String version = m.group(2); final String version = m.group(2);
LOGGER.debug("Group 1: " + product); LOGGER.debug("Group 1: " + product);
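Review bot: The `@@ -178,9 +178,8 @@` hunk converts the match log to SLF4J `{}` placeholders but leaves `LOGGER.debug("Group 1: " + product);` two lines below with string concatenation, which is evaluated even when debug logging is off; for consistency with the rewritten lines use `LOGGER.debug("Group 1: {}", product);`. The enclosing method starts and ends outside the hunk.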


@@ -134,13 +134,14 @@ public class CPEAnalyzer implements Analyzer {
* process. * process.
*/ */
public void open() throws IOException, DatabaseException { public void open() throws IOException, DatabaseException {
LOGGER.debug("Opening the CVE Database");
cve = new CveDB(); cve = new CveDB();
cve.open(); cve.open();
LOGGER.debug("Creating the Lucene CPE Index");
cpe = CpeMemoryIndex.getInstance(); cpe = CpeMemoryIndex.getInstance();
try { try {
LOGGER.info("Creating the CPE Index");
final long creationStart = System.currentTimeMillis();
cpe.open(cve); cpe.open(cve);
LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
} catch (IndexException ex) { } catch (IndexException ex) {
LOGGER.debug("IndexException", ex); LOGGER.debug("IndexException", ex);
throw new DatabaseException(ex); throw new DatabaseException(ex);
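Review bot: After this hunk `open()` logs "Creating the Lucene CPE Index" at debug and then "Creating the CPE Index" at info two lines later, both ahead of the same `cpe.open(cve)` call; the two messages are redundant, and the debug one (a context line) can be dropped or folded into the new info line. The body of `open()` continues past the hunk.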


@@ -154,8 +154,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/ */
@SuppressWarnings("null") @SuppressWarnings("null")
private void removeSpuriousCPE(Dependency dependency) { private void removeSpuriousCPE(Dependency dependency) {
final List<Identifier> ids = new ArrayList<Identifier>(); final List<Identifier> ids = new ArrayList<Identifier>(dependency.getIdentifiers());
ids.addAll(dependency.getIdentifiers());
Collections.sort(ids); Collections.sort(ids);
final ListIterator<Identifier> mainItr = ids.listIterator(); final ListIterator<Identifier> mainItr = ids.listIterator();
while (mainItr.hasNext()) { while (mainItr.hasNext()) {


@@ -247,7 +247,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
} }
} catch (IllegalArgumentException iae) { } catch (IllegalArgumentException iae) {
//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1")); //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName())); LOGGER.info("invalid sha-1 hash on {}", dependency.getFileName());
} catch (FileNotFoundException fnfe) { } catch (FileNotFoundException fnfe) {
//dependency.addAnalysisException(new AnalysisException("Artifact not found on repository")); //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
LOGGER.debug("Artifact not found in repository '{}'", dependency.getFileName()); LOGGER.debug("Artifact not found in repository '{}'", dependency.getFileName());


@@ -28,14 +28,20 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import javax.json.*;
import java.io.File; import java.io.File;
import java.io.FileFilter; import java.io.FileFilter;
import java.io.IOException; import java.io.IOException;
import java.util.Map;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.JsonString;
import javax.json.JsonValue;
/** /**
* Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
* the associated CPE. * associated CPE.
* *
* @author Dale Visser <dvisser@ida.org> * @author Dale Visser <dvisser@ida.org>
*/ */
@@ -60,8 +66,8 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
/** /**
* Filter that detects files named "package.json". * Filter that detects files named "package.json".
*/ */
private static final FileFilter PACKAGE_JSON_FILTER = private static final FileFilter PACKAGE_JSON_FILTER
FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build(); = FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build();
/** /**
* Returns the FileFilter * Returns the FileFilter
@@ -120,17 +126,17 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
"Problem occurred while reading dependency file.", e); "Problem occurred while reading dependency file.", e);
} }
try { try {
JsonObject json = jsonReader.readObject(); final JsonObject json = jsonReader.readObject();
final EvidenceCollection productEvidence = dependency.getProductEvidence(); final EvidenceCollection productEvidence = dependency.getProductEvidence();
final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
if (json.containsKey("name")) { if (json.containsKey("name")) {
Object value = json.get("name"); final Object value = json.get("name");
if (value instanceof JsonString) { if (value instanceof JsonString) {
String valueString = ((JsonString) value).getString(); final String valueString = ((JsonString) value).getString();
productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW);
} else { } else {
LOGGER.warn("JSON value not string as expected: %s", value); LOGGER.warn("JSON value not string as expected: {}", value);
} }
} }
addToEvidence(json, productEvidence, "description"); addToEvidence(json, productEvidence, "description");
@@ -146,24 +152,25 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) {
if (json.containsKey(key)) { if (json.containsKey(key)) {
Object value = json.get(key); final JsonValue value = json.get(key);
if (value instanceof JsonString) { if (value instanceof JsonString) {
collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
} else if (value instanceof JsonObject) { } else if (value instanceof JsonObject) {
final JsonObject jsonObject = (JsonObject) value; final JsonObject jsonObject = (JsonObject) value;
for (String property : jsonObject.keySet()) { for (final Map.Entry<String, JsonValue> entry : jsonObject.entrySet()) {
final Object subValue = jsonObject.get(property); final String property = entry.getKey();
final JsonValue subValue = entry.getValue();
if (subValue instanceof JsonString) { if (subValue instanceof JsonString) {
collection.addEvidence(PACKAGE_JSON, collection.addEvidence(PACKAGE_JSON,
String.format("%s.%s", key, property), String.format("%s.%s", key, property),
((JsonString) subValue).getString(), ((JsonString) subValue).getString(),
Confidence.HIGHEST); Confidence.HIGHEST);
} else { } else {
LOGGER.warn("JSON sub-value not string as expected: %s"); LOGGER.warn("JSON sub-value not string as expected: {}", subValue);
} }
} }
} else { } else {
LOGGER.warn("JSON value not string or JSON object as expected: %s", value); LOGGER.warn("JSON value not string or JSON object as expected: {}", value);
} }
} }
} }
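Review bot: The warning at the end of the `@@ -146,24 +152,25 @@` hunk fires for any key whose value is neither a string nor an object (an array-valued field, if a caller ever passes such a key) and does not say which key it was, so an operator reading the log sees only the value; include the key: `LOGGER.warn("JSON value for '{}' not string or JSON object as expected: {}", key, value);` and likewise `LOGGER.warn("JSON sub-value '{}.{}' not string as expected: {}", key, property, subValue);`. The placeholder fix on the sub-value line also restores the argument the old `%s` message never received, which is worth a line in the commit description.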


@@ -26,7 +26,7 @@ import java.io.FilenameFilter;
import org.apache.commons.io.filefilter.NameFileFilter; import org.apache.commons.io.filefilter.NameFileFilter;
import org.apache.commons.io.filefilter.SuffixFileFilter; import org.apache.commons.io.filefilter.SuffixFileFilter;
import org.apache.commons.io.input.AutoCloseInputStream; import org.apache.commons.io.input.AutoCloseInputStream;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Confidence;


@@ -93,17 +93,12 @@ public final class LuceneUtils {
* @return the escaped text. * @return the escaped text.
*/ */
public static String escapeLuceneQuery(final CharSequence text) { public static String escapeLuceneQuery(final CharSequence text) {
if (text == null) { if (text == null) {
return null; return null;
} }
final int size = text.length() << 1;
int size = text.length();
size = size >> 1;
final StringBuilder buf = new StringBuilder(size); final StringBuilder buf = new StringBuilder(size);
appendEscapedLuceneQuery(buf, text); appendEscapedLuceneQuery(buf, text);
return buf.toString(); return buf.toString();
} }
} }
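Review bot: The new `final int size = text.length() << 1;` replaces a capacity hint that was half the input length with one that is double it, which only makes sense if `appendEscapedLuceneQuery` presumably adds at most one escape character per input character; a why-comment would stop the next reader from "fixing" it back: `final int size = text.length() << 1; // capacity hint: escaping adds at most one backslash per character`. For inputs above 2^30 characters the shift wraps negative and `StringBuilder` throws NegativeArraySizeException — unrealistic for a query string, but the comment could say the value is a hint only.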


@@ -490,7 +490,7 @@ public class CveDB {
deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE")); deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE"));
deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE")); deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE"));
updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY")); updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY"));
String ids[] = {"id"}; final String ids[] = {"id"};
insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"), insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"),
//Statement.RETURN_GENERATED_KEYS); //Statement.RETURN_GENERATED_KEYS);
ids); ids);
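Review bot: `final String ids[] = {"id"};` keeps the C-style array declarator on the variable; the Java convention, and checkstyle's ArrayTypeStyle rule that this project's `maven-checkstyle-plugin` reporting entry would enforce, puts the brackets on the type: `final String[] ids = {"id"};`. The enclosing method starts and ends outside the hunk.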


@@ -24,7 +24,6 @@ import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.util.Date;
import java.util.List; import java.util.List;
import java.util.zip.GZIPInputStream; import java.util.zip.GZIPInputStream;
import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.ParserConfigurationException;
@@ -69,8 +68,8 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
for (Cpe cpe : cpes) { for (Cpe cpe : cpes) {
getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct()); getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
} }
final Date now = new Date(); final long now = System.currentTimeMillis();
getProperties().save(LAST_CPE_UPDATE, Long.toString(now.getTime())); getProperties().save(LAST_CPE_UPDATE, Long.toString(now));
LOGGER.info("CPE update complete"); LOGGER.info("CPE update complete");
} }
} finally { } finally {
@@ -134,14 +133,14 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
* @return true if the CPE data should be refreshed * @return true if the CPE data should be refreshed
*/ */
private boolean updateNeeded() { private boolean updateNeeded() {
final Date now = new Date(); final long now = System.currentTimeMillis();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30); final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30);
long timestamp = 0; long timestamp = 0;
final String ts = getProperties().getProperty(LAST_CPE_UPDATE); final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
if (ts != null && ts.matches("^[0-9]+$")) { if (ts != null && ts.matches("^[0-9]+$")) {
timestamp = Long.parseLong(ts); timestamp = Long.parseLong(ts);
} }
return !DateUtil.withinDateRange(timestamp, now.getTime(), days); return !DateUtil.withinDateRange(timestamp, now, days);
} }
/** /**


@@ -21,7 +21,6 @@ import java.io.IOException;
import java.net.HttpURLConnection; import java.net.HttpURLConnection;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.util.Date;
import org.apache.commons.io.IOUtils; import org.apache.commons.io.IOUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -88,7 +87,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
LOGGER.debug("Begin Engine Version Check"); LOGGER.debug("Begin Engine Version Check");
final DatabaseProperties properties = cveDB.getDatabaseProperties(); final DatabaseProperties properties = cveDB.getDatabaseProperties();
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0")); final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
final long now = (new Date()).getTime(); final long now = System.currentTimeMillis();
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, ""); updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0"); final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
LOGGER.debug("Last checked: {}", lastChecked); LOGGER.debug("Last checked: {}", lastChecked);


@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.data.update;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.util.Calendar; import java.util.Calendar;
import java.util.Date;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutionException;
@@ -214,11 +213,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
if (!getProperties().isEmpty()) { if (!getProperties().isEmpty()) {
try { try {
final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0")); final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0"));
final Date now = new Date(); final long now = System.currentTimeMillis();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7); final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
if (lastUpdated == updates.getTimeStamp(MODIFIED)) { if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
updates.clear(); //we don't need to update anything. updates.clear(); //we don't need to update anything.
} else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) { } else if (DateUtil.withinDateRange(lastUpdated, now, days)) {
for (NvdCveInfo entry : updates) { for (NvdCveInfo entry : updates) {
if (MODIFIED.equals(entry.getId())) { if (MODIFIED.equals(entry.getId())) {
entry.setNeedsUpdate(true); entry.setNeedsUpdate(true);


@@ -179,7 +179,7 @@ public class CPEHandler extends DefaultHandler {
/** /**
* A simple class to maintain information about the current element while parsing the CPE XML. * A simple class to maintain information about the current element while parsing the CPE XML.
*/ */
protected class Element { protected static final class Element {
/** /**
* A node type in the CPE Schema 2.2 * A node type in the CPE Schema 2.2


@@ -185,6 +185,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
final URL url1 = new URL(nvdCveInfo.getUrl()); final URL url1 = new URL(nvdCveInfo.getUrl());
final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl()); final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl());
LOGGER.info("Download Started for NVD CVE - {}", nvdCveInfo.getId()); LOGGER.info("Download Started for NVD CVE - {}", nvdCveInfo.getId());
final long startDownload = System.currentTimeMillis();
try { try {
Downloader.fetchFile(url1, first); Downloader.fetchFile(url1, first);
Downloader.fetchFile(url2, second); Downloader.fetchFile(url2, second);
@@ -204,7 +205,8 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
extractGzip(second); extractGzip(second);
} }
LOGGER.info("Download Complete for NVD CVE - {}", nvdCveInfo.getId()); LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(),
System.currentTimeMillis() - startDownload);
if (this.processorService == null) { if (this.processorService == null) {
return null; return null;
} }


@@ -157,6 +157,7 @@ public class ProcessTask implements Callable<ProcessTask> {
*/ */
private void processFiles() throws UpdateException { private void processFiles() throws UpdateException {
LOGGER.info("Processing Started for NVD CVE - {}", filePair.getNvdCveInfo().getId()); LOGGER.info("Processing Started for NVD CVE - {}", filePair.getNvdCveInfo().getId());
final long startProcessing = System.currentTimeMillis();
try { try {
importXML(filePair.getFirst(), filePair.getSecond()); importXML(filePair.getFirst(), filePair.getSecond());
cveDB.commit(); cveDB.commit();
@@ -178,6 +179,7 @@ public class ProcessTask implements Callable<ProcessTask> {
} finally { } finally {
filePair.cleanup(); filePair.cleanup();
} }
LOGGER.info("Processing Complete for NVD CVE - {}", filePair.getNvdCveInfo().getId()); LOGGER.info("Processing Complete for NVD CVE - {} ({} ms)", filePair.getNvdCveInfo().getId(),
System.currentTimeMillis() - startProcessing);
} }
} }


@@ -28,7 +28,7 @@ import java.util.Set;
import java.util.SortedSet; import java.util.SortedSet;
import java.util.TreeSet; import java.util.TreeSet;
import org.apache.commons.lang.ObjectUtils; import org.apache.commons.lang3.ObjectUtils;
import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.Checksum; import org.owasp.dependencycheck.utils.Checksum;
import org.slf4j.Logger; import org.slf4j.Logger;


@@ -17,8 +17,8 @@
*/ */
package org.owasp.dependencycheck.dependency; package org.owasp.dependencycheck.dependency;
import org.apache.commons.lang.ObjectUtils; import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringUtils;
import java.io.Serializable; import java.io.Serializable;


@@ -24,7 +24,7 @@ import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.TreeSet; import java.util.TreeSet;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil; import org.owasp.dependencycheck.utils.DependencyVersionUtil;
import org.owasp.dependencycheck.utils.Filter; import org.owasp.dependencycheck.utils.Filter;


@@ -19,7 +19,7 @@ package org.owasp.dependencycheck.reporting;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.URLEncoder; import java.net.URLEncoder;
import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang3.StringEscapeUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -65,7 +65,7 @@ public class EscapeTool {
if (text == null || text.isEmpty()) { if (text == null || text.isEmpty()) {
return text; return text;
} }
return StringEscapeUtils.escapeHtml(text); return StringEscapeUtils.escapeHtml4(text);
} }
/** /**
@@ -78,6 +78,6 @@ public class EscapeTool {
if (text == null || text.isEmpty()) { if (text == null || text.isEmpty()) {
return text; return text;
} }
return StringEscapeUtils.escapeXml(text); return StringEscapeUtils.escapeXml11(text);
} }
} }
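Review bot: `escapeXml11` on the return line of the last hunk is the XML 1.1 variant of the commons-lang3 escaper; lang3 also provides `escapeXml10`, and which one is correct depends on the version declared by the XML report template, which is not visible here — if the template emits `<?xml version="1.0"?>`, `return StringEscapeUtils.escapeXml10(text);` is the matching call. `escapeHtml4` in the earlier hunk, like the lang 2.x `escapeHtml` it replaces, does not escape the apostrophe, so the HTML template must keep attribute values in double quotes for this escaper to be sufficient; a comment such as `// escapeHtml4 leaves ' unescaped: only safe inside double-quoted attributes` would record that constraint next to the call. Both enclosing methods start outside the hunks.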


@@ -22,7 +22,7 @@ import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringUtils;
/** /**
* <p> * <p>


@@ -38,6 +38,9 @@ apply plugin: 'maven'
apply plugin: 'signing' apply plugin: 'signing'
apply plugin: "com.gradle.plugin-publish" apply plugin: "com.gradle.plugin-publish"
sourceCompatibility = 1.6
targetCompatibility = 1.6
repositories { repositories {
mavenCentral() mavenCentral()
} }


@@ -34,12 +34,6 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
<description>dependency-check-gradle is a Gradle Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description> <description>dependency-check-gradle is a Gradle Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
<inceptionYear>2015</inceptionYear> <inceptionYear>2015</inceptionYear>
<licenses>
<license>
<name>The Apache Software License, Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
</license>
</licenses>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ --> <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement> <distributionManagement>
<site> <site>
@@ -48,6 +42,12 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
<url>${basedir}/../target/site/${project.version}/dependency-check-gradle</url> <url>${basedir}/../target/site/${project.version}/dependency-check-gradle</url>
</site> </site>
</distributionManagement> </distributionManagement>
<properties>
<!-- Skip the surefire report since there are no tests... -->
<skipSurefireReport>true</skipSurefireReport>
<!-- Skip the versions report since there are no dependencies... -->
<versions.skip>true</versions.skip>
</properties>
<!-- end copy --> <!-- end copy -->
<build> <build>
<plugins> <plugins>
@@ -58,7 +58,7 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
<dependency> <dependency>
<groupId>org.apache.maven.doxia</groupId> <groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId> <artifactId>doxia-module-markdown</artifactId>
<version>1.4</version> <version>1.6</version>
</dependency> </dependency>
</dependencies> </dependencies>
<configuration> <configuration>
@@ -67,22 +67,4 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
</plugin> </plugin>
</plugins> </plugins>
</build> </build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins>
</reporting>
</project> </project>
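Review bot: The `<licenses>` block is dropped from this module POM in the first hunk, and the same removal is made in the Jenkins module POM in the next file section, which leaves the published artifacts' license metadata dependent on the parent POM declaring `<licenses>`; the root pom hunks on this page do not show that element, so please confirm it is inherited before merging. If it is, a one-line comment such as `<!-- licenses inherited from the parent POM -->` where the block was removed would save the next reader the check.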


@@ -19,6 +19,13 @@
</distributionManagement> </distributionManagement>
<!-- end copy --> <!-- end copy -->
<properties>
<!-- Skip the surefire report since there are no tests... -->
<skipSurefireReport>true</skipSurefireReport>
<!-- Skip the versions report since there are no dependencies... -->
<versions.skip>true</versions.skip>
</properties>
<packaging>pom</packaging> <packaging>pom</packaging>
<inceptionYear>2012</inceptionYear> <inceptionYear>2012</inceptionYear>
<organization> <organization>
@@ -47,12 +54,6 @@
<system>github</system> <system>github</system>
<url>https://github.com/jenkinsci/dependency-check-jenkins/issues</url> <url>https://github.com/jenkinsci/dependency-check-jenkins/issues</url>
</issueManagement> </issueManagement>
<licenses>
<license>
<name>The Apache Software License, Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
</license>
</licenses>
<build> <build>
<plugins> <plugins>
<plugin> <plugin>
@@ -62,7 +63,7 @@
<dependency> <dependency>
<groupId>org.apache.maven.doxia</groupId> <groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId> <artifactId>doxia-module-markdown</artifactId>
<version>1.4</version> <version>1.6</version>
</dependency> </dependency>
</dependencies> </dependencies>
<configuration> <configuration>
@@ -71,22 +72,4 @@
</plugin> </plugin>
</plugins> </plugins>
</build> </build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins>
</reporting>
</project> </project>


@@ -40,6 +40,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</site> </site>
</distributionManagement> </distributionManagement>
<!-- end copy --> <!-- end copy -->
<properties>
<version.maven-plugin-plugin>3.4</version.maven-plugin-plugin>
</properties>
<build> <build>
<resources> <resources>
<resource> <resource>
@@ -63,6 +66,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId> <artifactId>maven-plugin-plugin</artifactId>
<version>${version.maven-plugin-plugin}</version>
<configuration> <configuration>
<skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound> <skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
<goalPrefix>dependency-check</goalPrefix> <goalPrefix>dependency-check</goalPrefix>
@@ -119,117 +123,24 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</execution> </execution>
</executions> </executions>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
</plugins> </plugins>
</build> </build>
<reporting> <reporting>
<plugins> <plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId> <artifactId>maven-plugin-plugin</artifactId>
<version>${reporting.maven-plugin-plugin.version}</version> <version>${version.maven-plugin-plugin}</version>
<configuration> <configuration>
<goalPrefix>dependency-check</goalPrefix> <goalPrefix>dependency-check</goalPrefix>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId> <artifactId>maven-checkstyle-plugin</artifactId>
<version>${reporting.checkstyle-plugin.version}</version> <version>${reporting.checkstyle-plugin.version}</version>
<configuration> <configuration>
<excludes>**/HelpMojo.java</excludes>
<enableRulesSummary>false</enableRulesSummary> <enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary> <enableFilesSummary>false</enableFilesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation> <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
@@ -258,11 +169,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</rulesets> </rulesets>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins> </plugins>
</reporting> </reporting>
<dependencies> <dependencies>
@@ -279,23 +185,22 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<dependency> <dependency>
<groupId>org.apache.maven</groupId> <groupId>org.apache.maven</groupId>
<artifactId>maven-plugin-api</artifactId> <artifactId>maven-plugin-api</artifactId>
<scope>provided</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.maven</groupId> <groupId>org.apache.maven</groupId>
<artifactId>maven-settings</artifactId> <artifactId>maven-settings</artifactId>
<scope>provided</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.maven</groupId> <groupId>org.apache.maven</groupId>
<artifactId>maven-core</artifactId> <artifactId>maven-core</artifactId>
</dependency> <scope>provided</scope>
<dependency>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.maven.plugin-tools</groupId> <groupId>org.apache.maven.plugin-tools</groupId>
<artifactId>maven-plugin-annotations</artifactId> <artifactId>maven-plugin-annotations</artifactId>
<scope>compile</scope> <scope>provided</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.maven.reporting</groupId> <groupId>org.apache.maven.reporting</groupId>
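Review bot: The new property `version.maven-plugin-plugin` in the first hunk uses a `version.<plugin>` naming order, while every other plugin-version property in this build follows `reporting.<plugin>.version` (this same POM still reads `reporting.checkstyle-plugin.version` in its checkstyle block). One convention per build keeps the properties greppable; since the new property is referenced only in the `<build>` and `<reporting>` sections of this file, renaming it is a local change. The move of the Maven API dependencies to `<scope>provided</scope>` in the last hunk looks right for a plugin.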


@@ -46,7 +46,7 @@ import org.owasp.dependencycheck.utils.Settings;
@Mojo( @Mojo(
name = "aggregate", name = "aggregate",
defaultPhase = LifecyclePhase.COMPILE, defaultPhase = LifecyclePhase.COMPILE,
aggregator = true, /*aggregator = true,*/
threadSafe = true, threadSafe = true,
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME, requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
requiresOnline = true requiresOnline = true
@@ -69,9 +69,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
for (MavenProject current : getReactorProjects()) { for (MavenProject current : getReactorProjects()) {
final File dataFile = getDataFile(current); final File dataFile = getDataFile(current);
if (dataFile == null) { //dc was never run on this project. write the ser to the target. if (dataFile == null) { //dc was never run on this project. write the ser to the target.
if (getLog().isDebugEnabled()) { getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform the check but dependencies may be missed resulting in false negatives.", current.getName()));
getLog().debug(String.format("Executing dependency-check on %s", current.getName()));
}
generateDataFile(engine, current); generateDataFile(engine, current);
} }
} }
@@ -108,10 +106,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
} }
} catch (AnalysisException ex) { } catch (AnalysisException ex) {
getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex); getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
if (getLog().isDebugEnabled()) {
getLog().debug("Bundling Exception", ex); getLog().debug("Bundling Exception", ex);
} }
}
File outputDir = getCorrectOutputDirectory(current); File outputDir = getCorrectOutputDirectory(current);
if (outputDir == null) { if (outputDir == null) {
@@ -119,8 +115,6 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
//we shouldn't write this because nothing is configured to generate this report. //we shouldn't write this because nothing is configured to generate this report.
outputDir = new File(current.getBuild().getDirectory()); outputDir = new File(current.getBuild().getDirectory());
} }
getLog().warn("\n\n\nwritting: " + outputDir);
getLog().warn("for: " + current.getName());
writeReports(engine, current, outputDir); writeReports(engine, current, outputDir);
} }
} }
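Review bot: `/*aggregator = true,*/` in the first hunk leaves the old attribute commented out inside the `@Mojo` annotation instead of deleting it, and dropping `aggregator = true` changes when Maven runs this goal (once for the reactor versus once per module), a behavioural change the commit message does not mention. Either delete the line and state the intent in the class javadoc, or keep a `// TODO: aggregator disabled because <reason>` so the next reader knows whether this is temporary. The replacement of the debug message with `getLog().error(...)` for modules that did not run dependency-check is now the normal path for any module built without the goal bound, so `warn` may be the intended level — confirm. The enclosing methods begin and end outside the hunks.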


@@ -30,15 +30,10 @@ import java.io.OutputStream;
import java.util.List; import java.util.List;
import java.util.Locale; import java.util.Locale;
import org.apache.maven.artifact.Artifact; import org.apache.maven.artifact.Artifact;
import org.apache.maven.artifact.metadata.ArtifactMetadataRetrievalException;
import org.apache.maven.artifact.metadata.ArtifactMetadataSource;
import org.apache.maven.artifact.repository.ArtifactRepository;
import org.apache.maven.artifact.versioning.ArtifactVersion;
import org.apache.maven.doxia.sink.Sink; import org.apache.maven.doxia.sink.Sink;
import org.apache.maven.plugin.AbstractMojo; import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException; import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Parameter; import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.MavenProject; import org.apache.maven.project.MavenProject;
import org.apache.maven.reporting.MavenReport; import org.apache.maven.reporting.MavenReport;
@@ -53,7 +48,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator; import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
/** /**
@@ -82,23 +76,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
/** /**
* The Maven Project Object. * The Maven Project Object.
*/ */
@Component @Parameter(property = "project", required = true, readonly = true)
private MavenProject project; private MavenProject project;
/**
* The meta data source for retrieving artifact version information.
*/
@Component
private ArtifactMetadataSource metadataSource;
/**
* A reference to the local repository.
*/
@Parameter(property = "localRepository", readonly = true)
private ArtifactRepository localRepository;
/**
* References to the remote repositories.
*/
@Parameter(property = "project.remoteArtifactRepositories", readonly = true)
private List<ArtifactRepository> remoteRepositories;
/** /**
* List of Maven project of the current build * List of Maven project of the current build
*/ */
@@ -441,8 +420,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
} }
final Object obj = current.getContextValue(getDataFileContextKey()); final Object obj = current.getContextValue(getDataFileContextKey());
if (obj != null) { if (obj != null) {
if (obj instanceof File) { if (obj instanceof String) {
return (File) obj; final File f = new File((String) obj);
return f;
} }
} else { } else {
if (getLog().isDebugEnabled()) { if (getLog().isDebugEnabled()) {
@@ -475,31 +455,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
getLog().debug(String.format("Adding project reference %s on dependency %s", project.getName(), getLog().debug(String.format("Adding project reference %s on dependency %s", project.getName(),
d.getDisplayFileName())); d.getDisplayFileName()));
} }
if (metadataSource != null) {
try {
final DependencyVersion currentVersion = new DependencyVersion(a.getVersion());
final List<ArtifactVersion> versions = metadataSource.retrieveAvailableVersions(a,
localRepository, remoteRepositories);
for (ArtifactVersion av : versions) {
final DependencyVersion newVersion = new DependencyVersion(av.toString());
if (currentVersion.compareTo(newVersion) < 0) {
d.addAvailableVersion(av.toString());
}
}
} catch (ArtifactMetadataRetrievalException ex) {
getLog().warn(
"Unable to check for new versions of dependencies; see the log for more details.");
if (getLog().isDebugEnabled()) {
getLog().debug("", ex);
}
} catch (Throwable t) {
getLog().warn(
"Unexpected error occured checking for new versions; see the log for more details.");
if (getLog().isDebugEnabled()) {
getLog().debug("", t);
}
}
}
} }
} else { } else {
if (getLog().isDebugEnabled()) { if (getLog().isDebugEnabled()) {
@@ -955,12 +910,10 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
file = new File(writeTo, dataFileName); file = new File(writeTo, dataFileName);
} }
final File parent = file.getParentFile(); final File parent = file.getParentFile();
if (!parent.isDirectory()) { if (!parent.isDirectory() && parent.mkdirs()) {
if (parent.mkdirs()) {
getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.", getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.",
parent.getAbsolutePath())); parent.getAbsolutePath()));
} }
}
OutputStream os = null; OutputStream os = null;
OutputStream bos = null; OutputStream bos = null;
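Review bot: The merged condition in the last hunk, `if (!parent.isDirectory() && parent.mkdirs())`, logs the "cannot be created" error when `mkdirs()` succeeds and stays silent when it fails, so the inverted check of the old nested form is carried over rather than fixed; the intended line is `if (!parent.isDirectory() && !parent.mkdirs()) {` (compare the same pattern written correctly in `Settings.getTempDirectory` elsewhere in this commit). With the condition inverted, a missing parent directory goes unreported here and only surfaces when the output stream is opened a few lines later. In the `getDataFile` hunk, `final File f = new File((String) obj); return f;` can simply be `return new File((String) obj);`. The enclosing methods begin and end outside the hunks.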


@@ -117,7 +117,7 @@ public class Engine extends org.owasp.dependencycheck.Engine {
*/ */
@Override @Override
protected Analyzer initializeAnalyzer(Analyzer analyzer) { protected Analyzer initializeAnalyzer(Analyzer analyzer) {
if ((analyzer instanceof CPEAnalyzer)) { if (analyzer instanceof CPEAnalyzer) {
CPEAnalyzer cpe = getPreviouslyLoadedCPEAnalyzer(); CPEAnalyzer cpe = getPreviouslyLoadedCPEAnalyzer();
if (cpe != null && cpe.isOpen()) { if (cpe != null && cpe.isOpen()) {
return cpe; return cpe;
@@ -152,7 +152,7 @@ public class Engine extends org.owasp.dependencycheck.Engine {
*/ */
@Override @Override
protected void closeAnalyzer(Analyzer analyzer) { protected void closeAnalyzer(Analyzer analyzer) {
if ((analyzer instanceof CPEAnalyzer)) { if (analyzer instanceof CPEAnalyzer) {
if (getPreviouslyLoadedCPEAnalyzer() == null) { if (getPreviouslyLoadedCPEAnalyzer() == null) {
super.closeAnalyzer(analyzer); super.closeAnalyzer(analyzer);
} }


@@ -25,7 +25,6 @@ import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase; import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo; import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.ResolutionScope; import org.apache.maven.plugins.annotations.ResolutionScope;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
/** /**


@@ -38,7 +38,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<!-- end copy --> <!-- end copy -->
<properties> <properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <findbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</findbugs.onlyAnalyze>
</properties> </properties>
<build> <build>
<plugins> <plugins>
@@ -97,90 +97,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId> <artifactId>maven-failsafe-plugin</artifactId>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
</plugins> </plugins>
</build> </build>
<reporting> <reporting>
<plugins> <plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId> <artifactId>maven-checkstyle-plugin</artifactId>
@@ -213,14 +133,6 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
</rulesets> </rulesets>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>${reporting.findbugs-plugin.version}</version>
<configuration>
<onlyAnalyze>org.owasp.dependencycheck.utils.*</onlyAnalyze>
</configuration>
</plugin>
</plugins> </plugins>
</reporting> </reporting>
<dependencies> <dependencies>
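Review bot: The first hunk replaces `project.build.sourceEncoding` with `findbugs.onlyAnalyze` rather than adding the new property alongside it; unless the parent POM sets `project.build.sourceEncoding` (the root pom hunks on this page do not show it), Maven falls back to the platform encoding for this module and the build stops being reproducible across machines. If the parent does set it, a short `<!-- sourceEncoding inherited from the parent POM -->` would record that. The `findbugs.onlyAnalyze` property is presumably consumed by a findbugs configuration in the parent, since this module's own findbugs report block is removed in the last hunk; confirm the parent reads exactly that property name, otherwise the analysis filter is silently lost.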


@@ -31,7 +31,6 @@ import java.io.UnsupportedEncodingException;
import java.net.URLDecoder; import java.net.URLDecoder;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.Properties; import java.util.Properties;
import java.util.logging.Level;
/** /**
* A simple settings container that wraps the dependencycheck.properties file. * A simple settings container that wraps the dependencycheck.properties file.
@@ -634,12 +633,10 @@ public final class Settings {
*/ */
public static File getTempDirectory() throws IOException { public static File getTempDirectory() throws IOException {
final File tmpDir = new File(Settings.getString(Settings.KEYS.TEMP_DIRECTORY, System.getProperty("java.io.tmpdir")), "dctemp"); final File tmpDir = new File(Settings.getString(Settings.KEYS.TEMP_DIRECTORY, System.getProperty("java.io.tmpdir")), "dctemp");
if (!tmpDir.exists()) { if (!tmpDir.exists() && !tmpDir.mkdirs()) {
if (!tmpDir.mkdirs()) {
final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath()); final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath());
throw new IOException(msg); throw new IOException(msg);
} }
}
tempDirectory = tmpDir; tempDirectory = tmpDir;
return tmpDir; return tmpDir;
} }
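Review bot: `if (!tmpDir.exists() && !tmpDir.mkdirs())` in the last hunk still throws when `mkdirs()` returns false because another thread or process created `dctemp` between the `exists()` check and the call; since the directory name is fixed under the shared `java.io.tmpdir`, that race is realistic on a shared build host. A final re-check keeps the exception for genuine failures only: `if (!tmpDir.isDirectory() && !tmpDir.mkdirs() && !tmpDir.isDirectory()) {`. Using `isDirectory()` rather than `exists()` also rejects a same-named regular file, which currently passes the check and fails later.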

156
pom.xml

@@ -129,19 +129,9 @@ Copyright (c) 2012 - Jeremy Long
<apache.lucene.version>4.7.2</apache.lucene.version> <apache.lucene.version>4.7.2</apache.lucene.version>
<slf4j.version>1.7.12</slf4j.version> <slf4j.version>1.7.12</slf4j.version>
<logback.version>1.1.3</logback.version> <logback.version>1.1.3</logback.version>
<reporting.checkstyle-plugin.version>2.11</reporting.checkstyle-plugin.version> <reporting.checkstyle-plugin.version>2.16</reporting.checkstyle-plugin.version>
<reporting.cobertura-plugin.version>2.6</reporting.cobertura-plugin.version> <reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
<reporting.findbugs-plugin.version>2.5.3</reporting.findbugs-plugin.version> <reporting.pmd-plugin.version>3.5</reporting.pmd-plugin.version>
<reporting.javadoc-plugin.version>2.9.1</reporting.javadoc-plugin.version>
<reporting.jxr-plugin.version>2.4</reporting.jxr-plugin.version>
<!-- todo(code review): only used in maven module? Not needed elsewhere -->
<reporting.maven-plugin-plugin.version>3.2</reporting.maven-plugin-plugin.version>
<reporting.pmd-plugin.version>3.0.1</reporting.pmd-plugin.version>
<!-- TODO(code review) project-info-reports-plugin was/is not used in utils. Expected/intended? -->
<reporting.project-info-reports-plugin.version>2.7</reporting.project-info-reports-plugin.version>
<reporting.surefire-report-plugin.version>2.16</reporting.surefire-report-plugin.version>
<reporting.taglist-plugin.version>2.4</reporting.taglist-plugin.version>
<reporting.versions-plugin.version>2.1</reporting.versions-plugin.version>
</properties> </properties>
<distributionManagement> <distributionManagement>
<site> <site>
@@ -189,7 +179,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId> <artifactId>maven-enforcer-plugin</artifactId>
<version>1.3.1</version> <version>1.4.1</version>
</plugin> </plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
@@ -216,11 +206,6 @@ Copyright (c) 2012 - Jeremy Long
<artifactId>maven-jar-plugin</artifactId> <artifactId>maven-jar-plugin</artifactId>
<version>2.6</version> <version>2.6</version>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>${reporting.maven-plugin-plugin.version}</version>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId> <artifactId>maven-release-plugin</artifactId>
@@ -234,11 +219,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId> <artifactId>maven-site-plugin</artifactId>
<!-- Before upgrading this to a newer version, verify the pages produced by `mvn site` still works. <version>3.4</version>
In particular, pay attention to all pages under "File type analyzers" as well as those under "General".
Previously when testing with maven-site-plugin 3.4, these links have stopped working for some reason.
-->
<version>3.3</version>
</plugin> </plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
@@ -334,7 +315,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency> <dependency>
<groupId>org.apache.maven.doxia</groupId> <groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId> <artifactId>doxia-module-markdown</artifactId>
<version>1.5</version> <version>1.6</version>
</dependency> </dependency>
</dependencies> </dependencies>
<configuration> <configuration>
@@ -366,10 +347,36 @@ Copyright (c) 2012 - Jeremy Long
</build> </build>
<reporting> <reporting>
<plugins> <plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.10.3</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.5</version>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId> <artifactId>maven-project-info-reports-plugin</artifactId>
<version>${reporting.project-info-reports-plugin.version}</version> <version>2.8</version>
<reportSets> <reportSets>
<reportSet> <reportSet>
<reports> <reports>
@@ -393,6 +400,72 @@ Copyright (c) 2012 - Jeremy Long
</reportSet> </reportSet>
</reportSets> </reportSets>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.18.1</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>${reporting.cobertura-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
<report>cobertura</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.2</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins> </plugins>
</reporting> </reporting>
<dependencyManagement> <dependencyManagement>
@@ -410,10 +483,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency> <dependency>
<groupId>commons-cli</groupId> <groupId>commons-cli</groupId>
<artifactId>commons-cli</artifactId> <artifactId>commons-cli</artifactId>
<!-- Before upgrading to 1.3, note that this introduces several <version>1.3.1</version>
deprecation warnings. Most notable OptionBuilder has been
marked as deprecated. Should probably be sorted out. -->
<version>1.2</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-io</groupId> <groupId>commons-io</groupId>
@@ -421,14 +491,14 @@ Copyright (c) 2012 - Jeremy Long
<version>2.4</version> <version>2.4</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>commons-lang</groupId> <groupId>org.apache.commons</groupId>
<artifactId>commons-lang</artifactId> <artifactId>commons-lang3</artifactId>
<version>2.6</version> <version>3.4</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.sun.mail</groupId> <groupId>com.sun.mail</groupId>
<artifactId>mailapi</artifactId> <artifactId>mailapi</artifactId>
<version>1.5.2</version> <version>1.5.4</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ch.qos.logback</groupId> <groupId>ch.qos.logback</groupId>
@@ -449,17 +519,17 @@ Copyright (c) 2012 - Jeremy Long
<dependency> <dependency>
<groupId>org.apache.commons</groupId> <groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId> <artifactId>commons-compress</artifactId>
<version>1.9</version> <version>1.10</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.ant</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId> <artifactId>ant</artifactId>
<version>1.9.5</version> <version>1.9.6</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.ant</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant-testutil</artifactId> <artifactId>ant-testutil</artifactId>
<version>1.9.5</version> <version>1.9.6</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.lucene</groupId> <groupId>org.apache.lucene</groupId>
@@ -543,23 +613,13 @@ Copyright (c) 2012 - Jeremy Long
<dependency> <dependency>
<groupId>org.jsoup</groupId> <groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId> <artifactId>jsoup</artifactId>
<version>1.7.2</version> <version>1.8.3</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.slf4j</groupId> <groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId> <artifactId>slf4j-api</artifactId>
<version>${slf4j.version}</version> <version>${slf4j.version}</version>
</dependency> </dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-ext</artifactId>
<version>${slf4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<version>${slf4j.version}</version>
</dependency>
<dependency> <dependency>
<groupId>org.slf4j</groupId> <groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId> <artifactId>slf4j-simple</artifactId>
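Review bot: In the `<reporting>` hunk, the newly added `maven-dependency-plugin` entry is the only reporting plugin declared without a `<version>`, so the release used by `mvn site` is resolved from the repository at build time instead of being pinned, which makes the site build non-reproducible and silently picks up whatever newer plugin release has been published; add `<version>X.Y</version>` (X.Y being the release this build was verified against, not visible here) unless the plugin is already managed in a `pluginManagement` block outside this hunk. The same hunk is also inconsistent about how versions are pinned: `cobertura-maven-plugin` still uses `${reporting.cobertura-plugin.version}` while the javadoc, jxr, project-info-reports, surefire-report, findbugs, taglist and versions plugins are hard-coded inline, even though the first hunk removes the corresponding `reporting.*-plugin.version` properties for most of them. Either keep the properties (and restore the ones removed) or drop `reporting.cobertura-plugin.version` as well, so there is a single convention for pinning plugin versions in this POM.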


@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<skin> <skin>
<groupId>org.apache.maven.skins</groupId> <groupId>org.apache.maven.skins</groupId>
<artifactId>maven-fluido-skin</artifactId> <artifactId>maven-fluido-skin</artifactId>
<version>1.3.1</version> <version>1.4</version>
</skin> </skin>
<custom> <custom>
<fluidoSkin> <fluidoSkin>