diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index 4d4e1822e..01764c81a 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java @@ -753,6 +753,28 @@ public class DependencyCheckTask extends Task { public void setCveUrl20Base(String cveUrl20Base) { this.cveUrl20Base = cveUrl20Base; } + /** + * The path to Mono for .NET assembly analysis on non-windows systems. + */ + private String pathToMono; + + /** + * Get the value of pathToMono. + * + * @return the value of pathToMono + */ + public String getPathToMono() { + return pathToMono; + } + + /** + * Set the value of pathToMono. + * + * @param pathToMono new value of pathToMono + */ + public void setPathToMono(String pathToMono) { + this.pathToMono = pathToMono; + } @Override public void execute() throws BuildException { @@ -920,6 +942,9 @@ public class DependencyCheckTask extends Task { if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) { Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base); } + if (pathToMono != null && !pathToMono.isEmpty()) { + Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono); + } } /** diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index dc6b37583..d10b69d7a 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
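Review bot: The added branch in `execute()` stores `pathToMono` in `Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH` without checking that the value names an existing executable, and `isEmpty()` does not trim, so a mistyped or whitespace-only path only surfaces later, presumably when the assembly analyzer tries to launch Mono. Because this setting names a program the tool will run on behalf of the build configuration, it is worth validating at configuration time and failing the build with a clear message, e.g. using `java.io.File`: `final File mono = new File(pathToMono.trim());` / `if (!mono.isFile() || !mono.canExecute()) { throw new BuildException("pathToMono does not point to an executable file: " + pathToMono); }`. The same unvalidated copy of this block is added to App.java and DependencyCheckMojo.java in this commit; a shared helper on Settings would keep the three front ends from drifting. `execute()` continues outside the hunk.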
@@ -48,3 +48,4 @@ cveUrl12Modified | URL for the modified CVE 1.2 | Optional | http://nvd.nis cveUrl20Modified | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml +pathToMono | The path to Mono for .NET assembly analysis on non-windows systems | Optional |   diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 9f7d04576..8d86946bf 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -167,6 +167,7 @@ public class App { final String databaseUser = cli.getDatabaseUser(); final String databasePassword = cli.getDatabasePassword(); final String additionalZipExtensions = cli.getAdditionalZipExtensions(); + final String pathToMono = cli.getPathToMono(); if (propertiesFile != null) { try { @@ -235,5 +236,8 @@ public class App { if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) { Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions); } + if (pathToMono != null && !pathToMono.isEmpty()) { + Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono); + } } } diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java index b9fff985f..ead23f78d 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java 
@@ -196,24 +196,6 @@ public final class CliParser { .withDescription("The file path to the suppression XML file.") .create(); - final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS) - .withDescription("Disable the Nexus Analyzer.") - .create(); - - final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL) - .withDescription("The url to the Nexus Server.") - .create(); - - final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY) - .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.") - .create(); - - final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg() - .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS) - .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files " - + "(ZIP, EAR, WAR are already treated as zip files)") - .create(); - //This is an option group because it can be specified more then once. final OptionGroup og = new OptionGroup(); og.addOption(path); @@ -228,11 +210,7 @@ public final class CliParser { .addOption(noUpdate) .addOption(props) .addOption(verboseLog) - .addOption(suppressionFile) - .addOption(disableNexusAnalyzer) - .addOption(nexusUrl) - .addOption(nexusUsesProxy) - .addOption(additionalZipExtensions); + .addOption(suppressionFile); } /** 
@@ -272,19 +250,45 @@ public final class CliParser { final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING) .withDescription("The connection string to the database.") .create(); + final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME) .withDescription("The username used to connect to the database.") .create(); + final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD) .withDescription("The password for connecting to the database.") .create(); + final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER) .withDescription("The database driver name.") .create(); + final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH) .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.") .create(); + final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS) + .withDescription("Disable the Nexus Analyzer.") + .create(); + + final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL) + .withDescription("The url to the Nexus Server.") + .create(); + + final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY) + .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.") + .create(); + + final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg() + .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS) + .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files " + + "(ZIP, EAR, WAR are already treated as zip files)") + .create(); + + final Option pathToMono = 
OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO) + .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.") + .create(); + options.addOption(proxyPort) .addOption(proxyUrl) .addOption(proxyUsername) @@ -295,7 +299,12 @@ public final class CliParser { .addOption(data) .addOption(dbPassword) .addOption(dbDriver) - .addOption(dbDriverPath); + .addOption(dbDriverPath) + .addOption(disableNexusAnalyzer) + .addOption(nexusUrl) + .addOption(nexusUsesProxy) + .addOption(additionalZipExtensions) + .addOption(pathToMono); } /** @@ -403,6 +412,15 @@ public final class CliParser { return line.getOptionValue(ArgumentName.OUT, "."); } + /** + * Returns the path to Mono for .NET Assembly analysis on non-windows systems. + * + * @return the path to Mono + */ + public String getPathToMono() { + return line.getOptionValue(ArgumentName.PATH_TO_MONO); + } + /** * Returns the output format specified on the command line. Defaults to HTML if no format was specified. * @@ -740,6 +758,10 @@ public final class CliParser { * The CLI argument name for setting the path to the database driver; in case it is not on the class path. */ public static final String DB_DRIVER_PATH = "dbDriverPath"; + /** + * The CLI argument name for setting the path to mono for .NET Assembly analysis on non-windows systems. + */ + public static final String PATH_TO_MONO = "mono"; /** * The CLI argument name for setting extra extensions. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index bee424390..2e164ed2f 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md 
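Review bot: `PATH_TO_MONO = "mono"` in the ArgumentName hunk makes the long option `--mono`, but the arguments.md row added in this same commit documents `--pathToMono`, and the Ant and Maven parameters are both named `pathToMono`, so a user following the documentation will get an unrecognized-option error. Changing the constant to `public static final String PATH_TO_MONO = "pathToMono";` aligns the CLI with the other front ends; otherwise the documentation should say `--mono`. While the Nexus and zip options are being moved into this group, the moved `additionalZipExtensions` description still reads `comma seperated`; `comma separated` would fix the typo that now appears in the help output. The method that builds these options starts before the hunk at -272.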
@@ -29,4 +29,5 @@ Short | Argument Name | Parameter | Description | Requirement | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional | \-\-nexus | \ | The url to the Nexus Server. | Optional | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | Optional - | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file + | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional + | \-\-pathToMono | \ | The path to Mono for .NET Assembly analysis on non-windows systems. | Optional \ No newline at end of file diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index cec783ceb..cee0602e8 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java 
@@ -92,17 +92,17 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR @Parameter(property = "report-name", defaultValue = "dependency-check-report") private String reportName; /** - * The path to the verbose log + * The path to the verbose log. */ @Parameter(property = "logfile", defaultValue = "") private String logFile; /** - * The name of the report to be displayed in the Maven Generated Reports page + * The name of the report to be displayed in the Maven Generated Reports page. */ @Parameter(property = "name", defaultValue = "Dependency-Check") private String name; /** - * The description of the Dependency-Check report to be displayed in the Maven Generated Reports page + * The description of the Dependency-Check report to be displayed in the Maven Generated Reports page. */ @Parameter(property = "description", defaultValue = "A report providing details on any published " + "vulnerabilities within project dependencies. This report is a best effort but may contain " @@ -117,6 +117,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 * which means since the CVSS scores are 0-10, by default the build will never fail. */ + @SuppressWarnings("CanBeFinal") @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true) private float failBuildOnCVSS = 11; /** @@ -128,7 +129,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to * false. Default is true. */ - @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"}) + @SuppressWarnings("CanBeFinal") @Parameter(property = "autoupdate", defaultValue = "true", required = true) private boolean autoUpdate = true; /** 
@@ -240,18 +241,21 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR @Parameter(property = "zipExtensions", required = false) private String zipExtensions; /** - * Skip Analisys for Test Scope Dependencies + * Skip Analisys for Test Scope Dependencies. */ + @SuppressWarnings("CanBeFinal") @Parameter(property = "skipTestScope", defaultValue = "true", required = false) private boolean skipTestScope = true; /** - * Skip Analisys for Runtime Scope Dependencies + * Skip Analisys for Runtime Scope Dependencies. */ + @SuppressWarnings("CanBeFinal") @Parameter(property = "skipRuntimeScope", defaultValue = "false", required = false) private boolean skipRuntimeScope = false; /** - * Skip Analisys for Provided Scope Dependencies + * Skip Analisys for Provided Scope Dependencies. */ + @SuppressWarnings("CanBeFinal") @Parameter(property = "skipProvidedScope", defaultValue = "false", required = false) private boolean skipProvidedScope = false; /** 
@@ -260,26 +264,32 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR @Parameter(property = "dataDirectory", defaultValue = "", required = false) private String dataDirectory; /** - * Data Mirror URL for CVE 1.2 + * Data Mirror URL for CVE 1.2. */ @Parameter(property = "cveUrl12Modified", defaultValue = "", required = false) private String cveUrl12Modified; /** - * Data Mirror URL for CVE 2.0 + * Data Mirror URL for CVE 2.0. */ @Parameter(property = "cveUrl20Modified", defaultValue = "", required = false) private String cveUrl20Modified; /** - * Base Data Mirror URL for CVE 1.2 + * Base Data Mirror URL for CVE 1.2. */ @Parameter(property = "cveUrl12Base", defaultValue = "", required = false) private String cveUrl12Base; /** - * Data Mirror URL for CVE 2.0 + * Data Mirror URL for CVE 2.0. */ @Parameter(property = "cveUrl20Base", defaultValue = "", required = false) private String cveUrl20Base; + /** + * The path to mono for .NET Assembly analysis on non-windows systems. + */ + @Parameter(property = "pathToMono", defaultValue = "", required = false) + private String pathToMono; + // /** * Executes the Dependency-Check on the dependent libraries. @@ -800,6 +810,9 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) { Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base); } + if (pathToMono != null && !pathToMono.isEmpty()) { + Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono); + } } /** diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md index af3efb2f2..abadab36d 100644 --- a/dependency-check-maven/src/site/markdown/configuration.md +++ b/dependency-check-maven/src/site/markdown/configuration.md 
@@ -8,27 +8,28 @@ autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is ena externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11 format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML -logFile | The file path to write verbose logging information. | -suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | -connectionTimeout | The Connection Timeout. | -proxyUrl | The Proxy URL. | -proxyPort | The Proxy Port. | -proxyUsername | Defines the proxy user name. | -proxyPassword | Defines the proxy password. | -nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | -nexusUrl | Defines the Nexus URL. | +logFile | The file path to write verbose logging information. |   +suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |   +connectionTimeout | The Connection Timeout. |   +proxyUrl | The Proxy URL. |   +proxyPort | The Proxy Port. |   +proxyUsername | Defines the proxy user name. |   +proxyPassword | Defines the proxy password. |   +nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. |   +nexusUrl | Defines the Nexus URL. |   nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true -databaseDriverName | The name of the database driver. Example: org.h2.Driver. | -databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. 
| -connectionString | The connection string used to connect to the database. | -databaseUser | The username used when connecting to the database. | -databasePassword | The password used when connecting to the database. | -zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | -skipTestScope | Should be skip analysis for artifacts with Test Scope | true -skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false -skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false -dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. | -cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml -cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml -cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml -cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml +databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   +databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   +connectionString | The connection string used to connect to the database. |   +databaseUser | The username used when connecting to the database. |   +databasePassword | The password used when connecting to the database. |   +zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. 
|   +skipTestScope | Should be skip analysis for artifacts with Test Scope | true +skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false +skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false +dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |   +cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml +cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml +cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml +cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml +pathToMono | The path to Mono for .NET assembly analysis on non-windows systems |