From 9da95e592cfbc70a0578af3eeac9662f1c33ce58 Mon Sep 17 00:00:00 2001 From: stevespringett Date: Wed, 26 Apr 2017 00:40:15 -0500 Subject: [PATCH 01/35] Added NSP Analyzer Support --- .../dependencycheck/analyzer/NspAnalyzer.java | 329 +++++++++++++++++ .../dependencycheck/data/nsp/Advisory.java | 344 ++++++++++++++++++ .../dependencycheck/data/nsp/NspSearch.java | 144 ++++++++ .../data/nsp/SanitizePackage.java | 71 ++++ .../data/nsp/package-info.java | 7 + .../dependency/Dependency.java | 19 + .../dependency/Vulnerability.java | 26 ++ ...rg.owasp.dependencycheck.analyzer.Analyzer | 1 + .../main/resources/dependencycheck.properties | 4 + .../main/resources/templates/HtmlReport.vsl | 68 +++- .../templates/VulnerabilityReport.vsl | 19 +- .../main/resources/templates/XmlReport.vsl | 27 +- .../data/nsp/NspSearchTest.java | 73 ++++ .../data/nsp/SanitizePackageTest.java | 65 ++++ .../test/resources/dependencycheck.properties | 4 + .../src/test/resources/nsp/package.json | 59 +++ .../owasp/dependencycheck/utils/Settings.java | 8 + 17 files changed, 1233 insertions(+), 35 deletions(-) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/Advisory.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/package-info.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java create mode 100644 dependency-check-core/src/test/resources/nsp/package.json 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
new file mode 100644
index 000000000..dd1b01bd6
--- /dev/null
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
@@ -0,0 +1,329 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.apache.commons.io.FileUtils; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.data.nsp.Advisory; +import org.owasp.dependencycheck.data.nsp.NspSearch; +import org.owasp.dependencycheck.data.nsp.SanitizePackage; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceCollection; +import org.owasp.dependencycheck.dependency.Identifier; +import org.owasp.dependencycheck.dependency.Vulnerability; +import org.owasp.dependencycheck.dependency.VulnerableSoftware; +import org.owasp.dependencycheck.utils.FileFilterBuilder; +import org.owasp.dependencycheck.utils.Settings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import java.io.File; +import java.io.FileFilter; +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; +import java.util.Arrays; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import javax.json.Json; +import javax.json.JsonException; +import javax.json.JsonObject; +import javax.json.JsonObjectBuilder; +import javax.json.JsonReader; 
+import javax.json.JsonString; +import javax.json.JsonValue; +import org.owasp.dependencycheck.exception.InitializationException; + +/** + * Used to analyze Node Package Manager (npm) package.json files via + * Node Security Platform (nsp). + * + * @author Steve Springett + */ +public class NspAnalyzer extends AbstractFileTypeAnalyzer { + + /** + * The logger. + */ + private static final Logger LOGGER = LoggerFactory.getLogger(NspAnalyzer.class); + + /** + * The default URL to the NSP check API. + */ + public static final String DEFAULT_URL = "https://api.nodesecurity.io/check"; + + /** + * The file name to scan. + */ + private static final String PACKAGE_JSON = "package.json"; + + /** + * Filter that detects files named "package.json". + */ + private static final FileFilter PACKAGE_JSON_FILTER = FileFilterBuilder.newInstance() + .addFilenames(PACKAGE_JSON).build(); + + /** + * The NSP Searcher. + */ + private NspSearch searcher; + + /** + * Returns the FileFilter + * + * @return the FileFilter + */ + @Override + protected FileFilter getFileFilter() { + return PACKAGE_JSON_FILTER; + } + + /** + * Initializes the analyzer once before any analysis is performed. + * + * @throws InitializationException if there's an error during initialization + */ + @Override + public void initializeFileTypeAnalyzer() throws InitializationException { + LOGGER.debug("Initializing " + getName()); + final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NSP_URL, DEFAULT_URL); + try { + searcher = new NspSearch(new URL(searchUrl)); + } catch (MalformedURLException ex) { + setEnabled(false); + throw new InitializationException("The configured URL to Node Security Platform is malformed: " + searchUrl, ex); + } + } + + /** + * Returns the name of the analyzer. + * + * @return the name of the analyzer. + */ + @Override + public String getName() { + return "Node Security Platform Analyzer"; + } + + /** + * Returns the phase that the analyzer is intended to run in. 
+ * + * @return the phase that the analyzer is intended to run in. + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return AnalysisPhase.FINDING_ANALYSIS; + } + + /** + * Returns the key used in the properties file to reference the analyzer's + * enabled property.x + * + * @return the analyzer's enabled property setting key + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED; + } + + @Override + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + final File file = dependency.getActualFile(); + try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) { + + // Retrieves the contents of package.json from the Dependency + final JsonObject packageJson = jsonReader.readObject(); + + // Create a sanitized version of the package.json + final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson); + + // Create a new 'package' object that acts as a container for the sanitized package.json + final JsonObjectBuilder builder = Json.createObjectBuilder(); + final JsonObject nspPayload = builder.add("package", sanitizedJson).build(); + + // Submits the package payload to the nsp check service + final List advisories = searcher.submitPackage(nspPayload); + + for (Advisory advisory: advisories) { + /* + * Create a new vulnerability out of the advisory returned by nsp. + */ + final Vulnerability vuln = new Vulnerability(); + vuln.setCvssScore(advisory.getCvssScore()); + vuln.setDescription(advisory.getOverview()); + vuln.setName(String.valueOf(advisory.getId())); + vuln.setSource(Vulnerability.Source.NSP); + vuln.addReference( + "NSP", + "Advisory " + advisory.getId() + ": " + advisory.getTitle(), + advisory.getAdvisory() + ); + + /* + * Create a single vulnerable software object - these do not use CPEs unlike the NVD. 
+ */ + final VulnerableSoftware vs = new VulnerableSoftware(); + //vs.setVersion(advisory.getVulnerableVersions()); + vs.setUpdate(advisory.getPatchedVersions()); + vs.setName(advisory.getModule() + ":" + advisory.getVulnerableVersions()); + vuln.setVulnerableSoftware(new HashSet<>(Arrays.asList(vs))); + + // Add the vulnerability to package.json + dependency.getVulnerabilities().add(vuln); + } + + /* + * Adds evidence about the node package itself, not any of the modules. + */ + final EvidenceCollection productEvidence = dependency.getProductEvidence(); + final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); + if (packageJson.containsKey("name")) { + final Object value = packageJson.get("name"); + if (value instanceof JsonString) { + final String valueString = ((JsonString) value).getString(); + productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); + vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); + } else { + LOGGER.warn("JSON value not string as expected: {}", value); + } + } + + /* + * Processes the dependencies objects in package.json and adds all the modules as related dependencies + */ + if (packageJson.containsKey("dependencies")) { + final JsonObject dependencies = packageJson.getJsonObject("dependencies"); + processPackage(dependency, dependencies, "dependencies"); + } + if (packageJson.containsKey("devDependencies")) { + final JsonObject dependencies = packageJson.getJsonObject("devDependencies"); + processPackage(dependency, dependencies, "devDependencies"); + } + if (packageJson.containsKey("optionalDependencies")) { + final JsonObject dependencies = packageJson.getJsonObject("optionalDependencies"); + processPackage(dependency, dependencies, "optionalDependencies"); + } + if (packageJson.containsKey("peerDependencies")) { + final JsonObject dependencies = packageJson.getJsonObject("peerDependencies"); + processPackage(dependency, 
dependencies, "peerDependencies"); + } + if (packageJson.containsKey("bundleDependencies")) { + final JsonObject dependencies = packageJson.getJsonObject("bundleDependencies"); + processPackage(dependency, dependencies, "bundleDependencies"); + } + if (packageJson.containsKey("bundledDependencies")) { + final JsonObject dependencies = packageJson.getJsonObject("bundledDependencies"); + processPackage(dependency, dependencies, "bundledDependencies"); + } + + /* + * Adds the license if defined in package.json + */ + if (packageJson.containsKey("license")) { + dependency.setLicense(packageJson.getString("license")); + } + + /* + * Adds general evidence to about the package. + */ + addToEvidence(packageJson, productEvidence, "description"); + addToEvidence(packageJson, vendorEvidence, "author"); + addToEvidence(packageJson, dependency.getVersionEvidence(), "version"); + dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName())); + + } catch (IOException e) { + LOGGER.debug("Error reading dependency or connecting to Node Security Platform /check API", e); + } catch (JsonException e) { + LOGGER.warn("Failed to parse package.json file.", e); + } + } + + /** + * Processes a part of package.json (as defined by JsobObject) and + * update the specified dependency with relevant info. + * + * @param dependency the Dependency to update + * @param jsonObject the jsonObject to parse + */ + private void processPackage(Dependency dependency, JsonObject jsonObject, String depType) { + for (int i=0; i entry : jsonObject.entrySet()) { + /* + * Create identifies that include the npm module and version. Since these are defined, + * assign the highest confidence. 
+ */ + final Identifier moduleName = new Identifier("npm", "Module", null, entry.getKey()); + moduleName.setConfidence(Confidence.HIGHEST); + String version = ""; + if (entry.getValue() != null && entry.getValue().getValueType() == JsonValue.ValueType.STRING) { + version = ((JsonString)entry.getValue()).getString(); + } + final Identifier moduleVersion = new Identifier("npm", "Version", null, version); + moduleVersion.setConfidence(Confidence.HIGHEST); + + final Identifier moduleDepType = new Identifier("npm", "Scope", null, depType); + moduleVersion.setConfidence(Confidence.HIGHEST); + + /* + * Create related dependencies for each module defined in package.json. The path to the related + * dependency will not actually exist but needs to be unique (due to the use of Set in Dependency). + * The use of related dependencies is a way to specify the actual software BOM in package.json. + */ + Dependency nodeModule = new Dependency(new File(dependency.getActualFile() + "#" + entry.getKey()), true); + nodeModule.setDisplayFileName(entry.getKey()); + nodeModule.setIdentifiers(new HashSet<>(Arrays.asList(moduleName, moduleVersion, moduleDepType))); + dependency.addRelatedDependency(nodeModule); + } + } + } + + /** + * Adds information to an evidence collection from the node json + * configuration. 
+ * + * @param json information from node.js + * @param collection a set of evidence about a dependency + * @param key the key to obtain the data from the json information + */ + private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { + if (json.containsKey(key)) { + final JsonValue value = json.get(key); + if (value instanceof JsonString) { + collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); + } else if (value instanceof JsonObject) { + final JsonObject jsonObject = (JsonObject) value; + for (final Map.Entry entry : jsonObject.entrySet()) { + final String property = entry.getKey(); + final JsonValue subValue = entry.getValue(); + if (subValue instanceof JsonString) { + collection.addEvidence(PACKAGE_JSON, + String.format("%s.%s", key, property), + ((JsonString) subValue).getString(), + Confidence.HIGHEST); + } else { + LOGGER.warn("JSON sub-value not string as expected: {}", subValue); + } + } + } else { + LOGGER.warn("JSON value not string or JSON object as expected: {}", value); + } + } + } +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/Advisory.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/Advisory.java new file mode 100644 index 000000000..adce5e334 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/Advisory.java 
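Review bot: In processPackage the confidence of the `Scope` identifier is never set — the line following `final Identifier moduleDepType = new Identifier("npm", "Scope", null, depType);` repeats `moduleVersion.setConfidence(Confidence.HIGHEST);` and should read `moduleDepType.setConfidence(Confidence.HIGHEST);`. In analyzeDependency the `catch (IOException e)` branch logs at debug level only, so a scan that cannot reach the NSP check API silently yields zero NSP advisories for the package; logging at warn, or rethrowing as the AnalysisException the method already declares, would make that fail-open visible to the operator. `dependency.setLicense(packageJson.getString("license"))` throws ClassCastException when `license` is not a JSON string, unlike the `name` handling above which guards with `instanceof JsonString`, and neither catch block covers it. The Javadoc for processPackage lacks `@param depType`, and analyzeDependency has no Javadoc; a summary such as `Submits the sanitized package.json to the NSP check API and records each returned advisory as a vulnerability on the dependency.` would do.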
@@ -0,0 +1,344 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nsp; + +/** + * The response from NSP check API will respond with 0 or more advisories. + * This class defines the Advisory objects returned. + * + * @author Steve Springett + */ +public class Advisory { + + /** + * The unique ID of the advisory as issued by Node Security Platform. + */ + private int id; + + /** + * The timestamp of the last update to the advisory. + */ + private String updatedAt; + + /** + * The timestamp of which the advisory was created. + */ + private String createdAt; + + /** + * The timestamp of when the advisory was published. + */ + private String publishDate; + + /** + * A detailed description of the advisory. + */ + private String overview; + + /** + * Recommendations for mitigation. Typically involves updating to a newer release. + */ + private String recommendation; + + /** + * The CVSS vector used to calculate the score. + */ + private String cvssVector; + + /** + * The CVSS score. + */ + private float cvssScore; + + /** + * The name of the Node module the advisory is for. + */ + private String module; + + /** + * The version of the Node module the advisory is for. + */ + private String version; + + /** + * A string representation of the versions containing the vulnerability. 
+ */ + private String vulnerableVersions; + + /** + * A string representation of the versions that have been patched. + */ + private String patchedVersions; + + /** + * The title/name of the advisory. + */ + private String title; + + /** + * The linear dependency path that lead to this module. + * [0] is the root with each subsequent array member leading up to the + * final (this) module. + */ + private String[] path; + + /** + * The URL to the advisory. + */ + private String advisory; + + /** + * Returns the unique ID of the advisory as issued by Node Security Platform. + * @return a unique ID + */ + public int getId() { + return id; + } + + /** + * Sets the unique ID of the advisory as issued by Node Security Platform. + * @param id a unique ID + */ + public void setId(int id) { + this.id = id; + } + + /** + * Returns the timestamp of the last update to the advisory. + * @return a timestamp + */ + public String getUpdatedAt() { + return updatedAt; + } + + /** + * Sets the timestamp of the last update to the advisory. + * @param updatedAt a timestamp + */ + public void setUpdatedAt(String updatedAt) { + this.updatedAt = updatedAt; + } + + /** + * Returns the timestamp of which the advisory was created. + * @return a timestamp + */ + public String getCreatedAt() { + return createdAt; + } + + /** + * Sets the timestamp of which the advisory was created. + * @param createdAt a timestamp + */ + public void setCreatedAt(String createdAt) { + this.createdAt = createdAt; + } + + /** + * Returns the timestamp of when the advisory was published. + * @return a timestamp + */ + public String getPublishDate() { + return publishDate; + } + + /** + * Sets the timestamp of when the advisory was published. + * @param publishDate a timestamp + */ + public void setPublishDate(String publishDate) { + this.publishDate = publishDate; + } + + /** + * Returns a detailed description of the advisory. 
+ * @return the overview + */ + public String getOverview() { + return overview; + } + + /** + * Sets the detailed description of the advisory. + * @param overview the overview + */ + public void setOverview(String overview) { + this.overview = overview; + } + + /** + * Returns recommendations for mitigation. Typically involves updating to a newer release. + * @return recommendations + */ + public String getRecommendation() { + return recommendation; + } + + /** + * Sets recommendations for mitigation. Typically involves updating to a newer release. + * @param recommendation recommendations + */ + public void setRecommendation(String recommendation) { + this.recommendation = recommendation; + } + + /** + * Returns the CVSS vector used to calculate the score. + * @return the CVSS vector + */ + public String getCvssVector() { + return cvssVector; + } + + /** + * Sets the CVSS vector used to calculate the score. + * @param cvssVector the CVSS vector + */ + public void setCvssVector(String cvssVector) { + this.cvssVector = cvssVector; + } + + /** + * Returns the CVSS score. + * @return the CVSS score + */ + public float getCvssScore() { + return cvssScore; + } + + /** + * Sets the CVSS score. + * @param cvssScore the CVSS score + */ + public void setCvssScore(float cvssScore) { + this.cvssScore = cvssScore; + } + + /** + * Returns the name of the Node module the advisory is for. + * @return the name of the module + */ + public String getModule() { + return module; + } + + /** + * Sets the name of the Node module the advisory is for. + * @param module the name of the4 module + */ + public void setModule(String module) { + this.module = module; + } + + /** + * Returns the version of the Node module the advisory is for. + * @return the module version + */ + public String getVersion() { + return version; + } + + /** + * Sets the version of the Node module the advisory is for. 
+ * @param version the module version + */ + public void setVersion(String version) { + this.version = version; + } + + /** + * Returns a string representation of the versions containing the vulnerability. + * @return the affected versions + */ + public String getVulnerableVersions() { + return vulnerableVersions; + } + + /** + * Sets the string representation of the versions containing the vulnerability. + * @param vulnerableVersions the affected versions + */ + public void setVulnerableVersions(String vulnerableVersions) { + this.vulnerableVersions = vulnerableVersions; + } + + /** + * Returns a string representation of the versions that have been patched. + * @return the patched versions + */ + public String getPatchedVersions() { + return patchedVersions; + } + + /** + * Sets the string representation of the versions that have been patched. + * @param patchedVersions the patched versions + */ + public void setPatchedVersions(String patchedVersions) { + this.patchedVersions = patchedVersions; + } + + /** + * Returns the title/name of the advisory. + * @return the title/name of the advisory + */ + public String getTitle() { + return title; + } + + /** + * Sets the title/name of the advisory. + * @param title the title/name of the advisory + */ + public void setTitle(String title) { + this.title = title; + } + + /** + * Returns the linear dependency path that lead to this module. + * @return the dependency path + */ + public String[] getPath() { + return path; + } + + /** + * Sets the linear dependency path that lead to this module. + * @param path the dependency path + */ + public void setPath(String[] path) { + this.path = path; + } + + /** + * Returns the URL to the advisory. + * @return the advisory URL + */ + public String getAdvisory() { + return advisory; + } + + /** + * Sets the URL to the advisory. + * @param advisory the advisory URL + */ + public void setAdvisory(String advisory) { + this.advisory = advisory; + } +} 
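Review bot: `getPath()` hands out the internal `String[]` and `setPath()` stores the caller's array as-is, so the dependency path of an advisory parsed from an external response can be altered after construction; cloning in both accessors (`return path == null ? null : path.clone();` and `this.path = path == null ? null : path.clone();`) keeps the value object self-contained. Two Javadoc typos: `the name of the4 module` on setModule, and `lead to this module` (should be `led`) on the `path` field and its accessors.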
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java
new file mode 100644
index 000000000..b285dab79
--- /dev/null
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java
@@ -0,0 +1,144 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nsp; + +import java.io.BufferedInputStream; +import java.io.BufferedOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.net.HttpURLConnection; +import java.net.URL; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.List; +import org.owasp.dependencycheck.utils.Settings; +import org.owasp.dependencycheck.utils.URLConnectionFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import javax.json.Json; +import javax.json.JsonArray; +import javax.json.JsonObject; +import javax.json.JsonReader; + +/** + * Class of methods to search via Node Security Platform. + * + * @author Steve Springett + */ +public class NspSearch { + + /** + * The URL for the public NSP check API. + */ + private final URL nspCheckUrl; + + /** + * Whether to use the Proxy when making requests. + */ + private final boolean useProxy; + + /** + * Used for logging. + */ + private static final Logger LOGGER = LoggerFactory.getLogger(NspSearch.class); + + /** + * Creates a NspSearch for the given repository URL. 
+ * + * @param nspCheckUrl the URL to the public NSP check API + */ + public NspSearch(URL nspCheckUrl) { + this.nspCheckUrl = nspCheckUrl; + if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)) { + useProxy = true; + LOGGER.debug("Using proxy"); + } else { + useProxy = false; + LOGGER.debug("Not using proxy"); + } + } + + /** + * Submits the package.json file to the NSP public /check API and returns + * a list of zero or more Advisories. + * + * @param packageJson the package.json file retrieved from the Dependency + * @return a List of zero or more Advisory object + * @throws IOException if it's unable to connect to Node Security Platform + */ + public List submitPackage(JsonObject packageJson) throws IOException { + List result = new ArrayList<>(); + byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8); + + final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(nspCheckUrl, useProxy); + conn.setDoOutput(true); + conn.setDoInput(true); + conn.setRequestMethod("POST"); + conn.setRequestProperty("X-NSP-VERSION", "2.6.2"); + conn.setRequestProperty("Content-Type", "application/json"); + conn.setRequestProperty("Content-Length", Integer.toString(packageDatabytes.length)); + conn.connect(); + + try (OutputStream os = new BufferedOutputStream(conn.getOutputStream())) { + os.write(packageDatabytes); + os.flush(); + } + + if (conn.getResponseCode() == 200) { + try (InputStream in = new BufferedInputStream(conn.getInputStream())) { + JsonReader jsonReader = Json.createReader(in); + JsonArray array = jsonReader.readArray(); + if (array != null) { + for (int i=0; i stringPath = new ArrayList<>(); + for (int j=0; j WHITELIST = new ArrayList<>(Arrays.asList( + "name", + "version", + "engine", + "dependencies", + "devDependencies", + "optionalDependencies", + "peerDependencies", + "bundleDependencies", + "bundledDependencies" + )); + + /** + * The NSP API only accepts a subset of objects typically found in package.json. 
+ * This method accepts a JsonObject of a raw package.json file and returns a + * new 'sanitized' version based on a pre-defined whitelist of allowable object + * NSP accepts. + * + * @param rawPackage a raw package.json file + * @return a sanitized version of the package.json file + */ + public static JsonObject sanitize(JsonObject rawPackage) { + JsonObjectBuilder builder = Json.createObjectBuilder(); + for (Map.Entry entry: rawPackage.entrySet()) { + if (WHITELIST.contains(entry.getKey())) { + builder.add(entry.getKey(), entry.getValue()); + } + } + return builder.build(); + } + +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/package-info.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/package-info.java new file mode 100644 index 000000000..fc0193536 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/package-info.java @@ -0,0 +1,7 @@ +/** + * + * Contains classes related to searching Node Security Platform (nsp).

+ * + * These are used to abstract NSP searching away from OWASP Dependency Check so they can be reused elsewhere. + */ +package org.owasp.dependencycheck.data.nsp; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index 9d7662ebb..08705b62d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -138,6 +138,11 @@ public class Dependency implements Serializable, Comparable { */ private List availableVersions = new ArrayList<>(); + /** + * Defines an actual or virtual dependency. + */ + private boolean isVirtual = false; + /** * Returns the package path. * @@ -175,7 +180,18 @@ public class Dependency implements Serializable, Comparable { * @param file the File to create the dependency object from. */ public Dependency(File file) { + this(file, false); + } + + /** + * Constructs a new Dependency object. + * + * @param file the File to create the dependency object from. + * @param isVirtual specifies if the dependency is virtual indicating the file doesn't actually exist. + */ + public Dependency(File file, boolean isVirtual) { this(); + this.isVirtual = isVirtual; this.actualFilePath = file.getAbsolutePath(); this.filePath = this.actualFilePath; this.fileName = file.getName(); @@ -591,6 +607,9 @@ public class Dependency implements Serializable, Comparable { private void determineHashes(File file) { String md5 = null; String sha1 = null; + if (isVirtual) { + return; + } try { md5 = Checksum.getMD5Checksum(file); sha1 = Checksum.getSHA1Checksum(file); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index 8d14cd9b8..98ea466b2 100644 
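Review bot: The early return in determineHashes leaves `md5` and `sha1` null for virtual dependencies, and the rest of the method (outside the hunk) presumably stores them on the instance, so every later consumer of the hash fields must tolerate null; the field Javadoc `Defines an actual or virtual dependency.` should say so and say what virtual means, e.g. `True when the backing file does not exist on disk (e.g. a module declared in package.json); no hashes are computed for such dependencies, so the hash fields stay null.` Java convention names the boolean field `virtual` with an `isVirtual()` accessor; no accessor is added in these hunks, so report templates and other callers cannot tell virtual entries apart unless one exists elsewhere in the class. Dependency implements Serializable, so the new field changes the serialized form; if instances are persisted anywhere, the serialVersionUID (not visible here) may need attention.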
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -32,6 +32,11 @@ import org.apache.commons.lang3.builder.CompareToBuilder; */ public class Vulnerability implements Serializable, Comparable { + public enum Source { + NVD, // National Vulnerability Database + NSP // Node Security Platform + } + /** * The serial version uid. */ @@ -100,6 +105,11 @@ public class Vulnerability implements Serializable, Comparable { */ private String notes; + /** + * The source that identified the vulnerability. + */ + private Source source = Source.NVD; + /** * Get the value of name. * @@ -516,4 +526,20 @@ public class Vulnerability implements Serializable, Comparable { public boolean hasMatchedAllPreviousCPE() { return matchedAllPreviousCPE != null; } + + /** + * Retruns the source that identified the vulnerability. + * @return the source + */ + public Source getSource() { + return source; + } + + /** + * Sets the source that identified the vulnerability. + * @param source the source + */ + public void setSource(Source source) { + this.source = source; + } } diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index f9bb4b811..7c657572c 100644 --- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer 
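Review bot: The initializer `private Source source = Source.NVD;` is not applied when an instance serialized before this change is deserialized — Vulnerability implements Serializable and Java serialization leaves a field absent from the stream at null — so `getSource()` can return null and the template expression `$vuln.getSource().name()` added in HtmlReport.vsl would fail; if persisted instances exist, make the getter defensive with `return source == null ? Source.NVD : source;`. The nested `Source` enum has no Javadoc; `/** Identifies the data source that reported the vulnerability. */` matches the file's style. Typo in the getter Javadoc: `Retruns` should be `Returns`.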
@@ -19,6 +19,7 @@ org.owasp.dependencycheck.analyzer.AutoconfAnalyzer org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer org.owasp.dependencycheck.analyzer.CMakeAnalyzer org.owasp.dependencycheck.analyzer.NodePackageAnalyzer +org.owasp.dependencycheck.analyzer.NspAnalyzer org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer org.owasp.dependencycheck.analyzer.RubyBundlerAnalyzer org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties index bf2797f85..a1da6e2ee 100644 --- a/dependency-check-core/src/main/resources/dependencycheck.properties +++ b/dependency-check-core/src/main/resources/dependencycheck.properties @@ -76,6 +76,9 @@ analyzer.nexus.proxy=true analyzer.central.enabled=true analyzer.central.url=https://search.maven.org/solrsearch/select +# the URL for searching api.nodesecurity.io +analyzer.nsp.url=https://api.nodesecurity.io/check + # the number of nested archives that will be searched. archive.scan.depth=3 @@ -87,6 +90,7 @@ analyzer.experimental.enabled=false analyzer.jar.enabled=true analyzer.archive.enabled=true analyzer.node.package.enabled=true +analyzer.nsp.package.enabled=true analyzer.composer.lock.enabled=true analyzer.python.distribution.enabled=true analyzer.python.package.enabled=true diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index 8283a443a..182698ef6 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl @@ -759,8 +759,8 @@ Getting Help: $enc.html($related.DisplayFileName) @@ -833,7 +836,11 @@ Getting Help: #foreach($vuln in $dependency.getVulnerabilities()) #set($vsctr=$vsctr+1) -

$enc.html($vuln.name)  

+ #if($vuln.getSource().name().equals("NVD")) +

$enc.html($vuln.name)  

+ #elseif($vuln.getSource().name().equals("NSP")) +

NSP-$enc.html($vuln.name)

+ #end

Severity: #if ($vuln.cvssScore<4.0) Low @@ -842,7 +849,11 @@ Getting Help: CVSS Score: $vuln.cvssScore (AV:$enc.html($vuln.cvssAccessVector.substring(0,1))/AC:$enc.html($vuln.cvssAccessComplexity.substring(0,1))/Au:$enc.html($vuln.cvssAuthentication.substring(0,1))/C:$enc.html($vuln.cvssConfidentialityImpact.substring(0,1))/I:$enc.html($vuln.cvssIntegrityImpact.substring(0,1))/A:$enc.html($vuln.cvssAvailabilityImpact.substring(0,1))) +
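Review bot: The `#if($vuln.getSource().name().equals("NVD")) … #elseif(… equals("NSP")) … #end` block has no fallback, so a vulnerability whose source is anything other than those two constants renders with no name or link at all; the same pattern recurs in the suppressed-vulnerability hunk (`@@ -978,7 +999,11`) and in VulnerabilityReport.vsl (`@@ -210,7 +210,13`). XmlReport.vsl's form in this patch — always emit the encoded name and only prefix `NSP-` when the source is NSP — degrades safely, and adopting it here would keep the three templates consistent; at minimum add an `#else` branch that prints `$enc.html($vuln.name)`. Comparing on `name().equals("NVD")` also couples the templates to the enum constant spelling, which is worth a comment near the `Source` enum so a rename does not silently blank the reports.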
CVSS Score: $vuln.cvssScore + #if ($vuln.getSource().name().equals("NVD")) + + (AV:$enc.html($vuln.cvssAccessVector.substring(0,1))/AC:$enc.html($vuln.cvssAccessComplexity.substring(0,1))/Au:$enc.html($vuln.cvssAuthentication.substring(0,1))/C:$enc.html($vuln.cvssConfidentialityImpact.substring(0,1))/I:$enc.html($vuln.cvssIntegrityImpact.substring(0,1))/A:$enc.html($vuln.cvssAvailabilityImpact.substring(0,1))) + #end #if ($vuln.cwe)
CWE: $vuln.cwe #end @@ -859,18 +870,28 @@ Getting Help:
- #if ($vuln.getVulnerableSoftware().size()<2) -

Vulnerable Software & Versions:

- #else -

Vulnerable Software & Versions: (show all)

    -
  • $enc.html($vuln.matchedCPE) #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end
  • -
  • ...
  • - #foreach($vs in $vuln.getVulnerableSoftware(true)) - + #if ($vuln.getSource().name().equals("NVD")) + #if ($vuln.getVulnerableSoftware().size()<2) +

    Vulnerable Software & Versions:

    + #else +

    Vulnerable Software & Versions: (show all)

      +
    • $enc.html($vuln.matchedCPE) #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end
    • +
    • ...
    • + #foreach($vs in $vuln.getVulnerableSoftware(true)) + + #end +

    #end -

+ #elseif ($vuln.getSource().name().equals("NSP")) +

Vulnerable Software & Versions: +

    + #foreach($vs in $vuln.getVulnerableSoftware()) +
  • $enc.html($vs.name)
  • + #end +
+

#end #end @@ -925,8 +946,8 @@ Getting Help: $enc.html($related.DisplayFileName)
  • File Path: $enc.html($related.FilePath)
  • -
  • SHA1: $enc.html($related.Sha1sum)
  • -
  • MD5: $enc.html($related.Md5sum)
  • +
  • SHA1: #if($related.Sha1sum)$enc.html($related.Sha1sum)#end
  • +
  • MD5: #if($related.Md5sum)$enc.html($related.Md5sum)#end
#end @@ -978,7 +999,11 @@ Getting Help:
#foreach($vuln in $dependency.getSuppressedVulnerabilities()) #set($vsctr=$vsctr+1) -

$enc.html($vuln.name)  suppressed

+ #if($vuln.getSource().name().equals("NVD")) +

$enc.html($vuln.name)  suppressed

+ #elseif($vuln.getSource().name().equals("NSP")) +

NSP-$enc.html($vuln.name)  suppressed

+ #end

Severity: #if ($vuln.cvssScore<4.0) Low @@ -1027,6 +1052,11 @@ Getting Help: -

+
+

+ This report contains data retrieved from the National Vulnerability Database. +
+ This report may contain data retrieved from the Node Security Platform. +
diff --git a/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl b/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl index f0ee4806f..f3b23e41c 100644 --- a/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl +++ b/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl @@ -131,7 +131,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. table.lined tr:nth-child(even) { background-color: #fbfbfb; } - th.cve { + th.name { width: 60px; text-align: left; cursor: pointer; @@ -200,7 +200,7 @@ have been reported. Additionally, the HTML report provides many features not fou #set($cnt=0) - + @@ -210,7 +210,13 @@ have been reported. Additionally, the HTML report provides many features not fou #if($dependency.getVulnerabilities().size()>0) #foreach($vuln in $dependency.getVulnerabilities()) - +
CVENAME CWE Severity (CVSS) Dependency
$enc.html($vuln.name) + #if($vuln.getSource().name().equals("NVD")) + $enc.html($vuln.name) + #elseif($vuln.getSource().name().equals("NSP")) + NSP-$enc.html($vuln.name) + #end + #if ($vuln.cwe) $vuln.cwe @@ -241,6 +247,11 @@ have been reported. Additionally, the HTML report provides many features not fou
-



This report contains data retrieved from the National Vulnerability Database.

+

+

+ This report contains data retrieved from the National Vulnerability Database. +
+ This report may contain data retrieved from the Node Security Platform. +

diff --git a/dependency-check-core/src/main/resources/templates/XmlReport.vsl b/dependency-check-core/src/main/resources/templates/XmlReport.vsl index 143826c57..9b34f59c2 100644 --- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl @@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. $enc.xml($applicationName) $scanDateXML - This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov + This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov and from the Node Security Platform: https://nodesecurity.io #foreach($dependency in $dependencies) @@ -52,15 +52,18 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #foreach($related in $dependency.getRelatedDependencies()) $enc.xml($related.FilePath) - $enc.xml($related.Sha1sum) - $enc.xml($related.Md5sum) + #if($related.Sha1sum)$enc.xml($related.Sha1sum)#end + #if($related.Md5sum)$enc.xml($related.Md5sum)#end #foreach($id in $related.getIdentifiers()) -#if ($id.type=="maven") +#if ($id.type=="maven" || $id.type=="npm") - ($id.value) + $enc.xml($id.value) #if( $id.url ) $enc.xml($id.url) #end +#if( $id.description ) + $enc.xml($id.description) +#end #if ($id.notes) $enc.xml($id.notes) #end 
@@ -130,14 +133,14 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. #foreach($vuln in $dependency.getVulnerabilities()) - $enc.xml($vuln.name) + #if($vuln.getSource().name().equals("NSP"))NSP-#end$enc.xml($vuln.name) $vuln.cvssScore - $enc.xml($vuln.cvssAccessVector) - $enc.xml($vuln.cvssAccessComplexity) - $enc.xml($vuln.cvssAuthentication) - $enc.xml($vuln.cvssConfidentialityImpact) - $enc.xml($vuln.cvssIntegrityImpact) - $enc.xml($vuln.cvssAvailabilityImpact) + #if($vuln.cvssAccessVector)$enc.xml($vuln.cvssAccessVector)#end + #if($vuln.cvssAccessComplexity)$enc.xml($vuln.cvssAccessComplexity)#end + #if($vuln.cvssAuthentication)$enc.xml($vuln.cvssAuthentication)#end + #if($vuln.cvssConfidentialityImpact)$enc.xml($vuln.cvssConfidentialityImpact)#end + #if($vuln.cvssIntegrityImpact)$enc.xml($vuln.cvssIntegrityImpact)#end + #if($vuln.cvssAvailabilityImpact)$enc.xml($vuln.cvssAvailabilityImpact)#end #if ($vuln.cvssScore<4.0) Low #elseif ($vuln.cvssScore>=7.0) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java new file mode 100644 index 000000000..935caeb64 --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java 
@@ -0,0 +1,73 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nsp; + +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.utils.Settings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import javax.json.Json; +import javax.json.JsonObject; +import javax.json.JsonObjectBuilder; +import javax.json.JsonReader; +import java.io.IOException; +import java.io.InputStream; +import java.net.URL; +import java.util.List; + +public class NspSearchTest extends BaseTest { + + private static final Logger LOGGER = LoggerFactory.getLogger(NspSearchTest.class); + private NspSearch searcher; + + @Before + public void setUp() throws Exception { + String url = Settings.getString(Settings.KEYS.ANALYZER_NSP_URL); + LOGGER.debug(url); + searcher = new NspSearch(new URL(url)); + } + + //@Test + //todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET + public void testNspSearchPositive() throws Exception { + InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json"); + try (JsonReader jsonReader = Json.createReader(in)) { + final JsonObject packageJson = jsonReader.readObject(); + final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson); + 
final JsonObjectBuilder builder = Json.createObjectBuilder(); + final JsonObject nspPayload = builder.add("package", sanitizedJson).build(); + final List advisories = searcher.submitPackage(nspPayload); + Assert.assertTrue(advisories.size() > 0); + } + } + + //@Test(expected = IOException.class) + //todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET + public void testNspSearchNegative() throws Exception { + InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json"); + try (JsonReader jsonReader = Json.createReader(in)) { + final JsonObject packageJson = jsonReader.readObject(); + final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson); + searcher.submitPackage(sanitizedJson); + } + } + +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java new file mode 100644 index 000000000..0c17f3318 --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java 
@@ -0,0 +1,65 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nsp; + +import org.junit.Assert; +import org.junit.Test; +import javax.json.Json; +import javax.json.JsonObject; +import javax.json.JsonObjectBuilder; + +public class SanitizePackageTest { + + @Test + public void testSanitizer() throws Exception { + JsonObjectBuilder builder = Json.createObjectBuilder(); + builder + .add("name", "my app") + .add("version", "1.0.0") + .add("description", "my app does amazing things") + .add("keywords", "best, app, ever") + .add("homepage", "http://example.com") + .add("bugs", "http://example.com/bugs") + .add("license", "Apache-2.0") + .add("main", "myscript") + .add("dependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}") + .add("devDependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}") + .add("peerDependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}") + .add("bundledDependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}") + .add("optionalDependencies", "{ \"foo\" : \"1.0.0 - 2.9999.9999\"}"); + + JsonObject packageJson = builder.build(); + JsonObject sanitized = SanitizePackage.sanitize(packageJson); + + Assert.assertTrue(sanitized.containsKey("name")); + Assert.assertTrue(sanitized.containsKey("version")); + Assert.assertTrue(sanitized.containsKey("dependencies")); + 
Assert.assertTrue(sanitized.containsKey("devDependencies")); + Assert.assertTrue(sanitized.containsKey("peerDependencies")); + Assert.assertTrue(sanitized.containsKey("bundledDependencies")); + Assert.assertTrue(sanitized.containsKey("optionalDependencies")); + + Assert.assertFalse(sanitized.containsKey("description")); + Assert.assertFalse(sanitized.containsKey("keywords")); + Assert.assertFalse(sanitized.containsKey("homepage")); + Assert.assertFalse(sanitized.containsKey("bugs")); + Assert.assertFalse(sanitized.containsKey("license")); + Assert.assertFalse(sanitized.containsKey("main")); + } + +} diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties index 449e1bc5f..6caad0b4d 100644 --- a/dependency-check-core/src/test/resources/dependencycheck.properties +++ b/dependency-check-core/src/test/resources/dependencycheck.properties @@ -72,6 +72,9 @@ analyzer.nexus.proxy=true analyzer.central.enabled=true analyzer.central.url=https://search.maven.org/solrsearch/select +# the URL for searching api.nodesecurity.io +analyzer.nsp.url=https://api.nodesecurity.io/check + # the number of nested archives that will be searched. archive.scan.depth=3 @@ -83,6 +86,7 @@ analyzer.experimental.enabled=true analyzer.jar.enabled=true analyzer.archive.enabled=true analyzer.node.package.enabled=true +analyzer.nsp.package.enabled=true analyzer.composer.lock.enabled=true analyzer.python.distribution.enabled=true analyzer.python.package.enabled=true diff --git a/dependency-check-core/src/test/resources/nsp/package.json b/dependency-check-core/src/test/resources/nsp/package.json new file mode 100644 index 000000000..391ec9061 --- /dev/null +++ b/dependency-check-core/src/test/resources/nsp/package.json 
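Review bot: The fixture adds `dependencies`, `devDependencies` and the other map-valued keys as JSON strings (`"{ \"foo\" : \"1.0.0 - 2.9999.9999\"}"`) rather than nested objects, so the test never exercises `sanitize` on the shape a real package.json has, and a regression that only copied string-typed values would still pass. Build those entries with `Json.createObjectBuilder().add("foo", "1.0.0 - 2.9999.9999")` and assert the nested value survives, e.g. `Assert.assertEquals("1.0.0 - 2.9999.9999", sanitized.getJsonObject("dependencies").getString("foo"));`. An `Assert.assertEquals(7, sanitized.size());` would also pin that no unexpected keys leak through, which the individual `assertFalse` checks cannot guarantee.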
@@ -0,0 +1,59 @@ +{ + "name": "owasp-nodejs-goat", + "private": true, + "version": "1.3.0", + "description": "A tool to learn OWASP Top 10 for node.js developers", + "main": "server.js", + "dependencies": { + "bcrypt-nodejs": "0.0.3", + "body-parser": "^1.15.1", + "consolidate": "^0.14.1", + "csurf": "^1.8.3", + "dont-sniff-mimetype": "^1.0.0", + "express": "^4.13.4", + "express-session": "^1.13.0", + "forever": "^0.15.1", + "helmet": "^2.0.0", + "marked": "0.3.5", + "mongodb": "^2.1.18", + "serve-favicon": "^2.3.0", + "swig": "^1.4.2", + "underscore": "^1.8.3" + }, + "comments": { + "//": "do not upgrade the marked package version it is set by purpose", + "//": "to be a vulnerable package to demonstrate an xss introduced through", + "//": "a9 insecure components" + }, + "engines": { + "node": "4.4.x", + "npm": "2.15.x" + }, + "scripts": { + "start": "node server.js", + "test": "node node_modules/grunt-cli/bin/grunt test", + "db:seed": "grunt db-reset", + "precommit": "grunt precommit" + }, + "devDependencies": { + "async": "^2.0.0-rc.4", + "grunt": "^1.0.1", + "grunt-cli": "^1.2.0", + "grunt-concurrent": "^2.3.0", + "grunt-contrib-jshint": "^1.0.0", + "grunt-contrib-watch": "^1.0.0", + "grunt-env": "latest", + "grunt-jsbeautifier": "^0.2.12", + "grunt-mocha-test": "^0.12.7", + "grunt-nodemon": "^0.4.2", + "grunt-if": "https://github.com/binarymist/grunt-if/tarball/master", + "grunt-npm-install": "^0.3.0", + "grunt-retire": "^0.3.12", + "mocha": "^2.4.5", + "selenium-webdriver": "^2.53.2", + "should": "^8.3.1", + "zaproxy": "^0.2.0" + }, + "repository": "https://github.com/OWASP/NodejsGoat", + "license": "Apache 2.0" +} diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index aac1d40ed..5484f7253 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java 
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -252,6 +252,14 @@ public final class Settings { * enabled. */ public static final String ANALYZER_NODE_PACKAGE_ENABLED = "analyzer.node.package.enabled"; + /** + * The properties key for whether the Node Security Platform (nsp) analyzer is enabled. + */ + public static final String ANALYZER_NSP_PACKAGE_ENABLED = "analyzer.nsp.package.enabled"; + /** + * The properties key for whether the Nexus analyzer is enabled. + */ + public static final String ANALYZER_NSP_URL = "analyzer.nsp.url"; /** * The properties key for whether the composer lock file analyzer is * enabled. From d457fd14526661a5d5e89d2c8c93ca54d8f09234 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 21 May 2017 07:45:27 -0400 Subject: [PATCH 02/35] fixed copyright --- .../java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java | 2 +- .../main/java/org/owasp/dependencycheck/data/nsp/Advisory.java | 2 +- .../main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java | 2 +- .../org/owasp/dependencycheck/data/nsp/SanitizePackage.java | 2 +- .../java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java | 2 +- .../org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java index dd1b01bd6..2bdac7f7a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java 
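Review bot: The Javadoc on `ANALYZER_NSP_URL` is a copy-paste from the Nexus constant — it reads "whether the Nexus analyzer is enabled" for a key that holds the NSP check URL. Replace it with `/** The properties key for the URL of the Node Security Platform (nsp) check API. */` so the constant is not misread when the settings are documented elsewhere.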
@@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + * Copyright (c) 2017 Steve Springett. All Rights Reserved. */ package org.owasp.dependencycheck.analyzer; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/Advisory.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/Advisory.java index adce5e334..d31fcb2bc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/Advisory.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/Advisory.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + * Copyright (c) 2017 Steve Springett. All Rights Reserved. */ package org.owasp.dependencycheck.data.nsp; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java index b285dab79..c59830a4c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + * Copyright (c) 2017 Steve Springett. All Rights Reserved. */ package org.owasp.dependencycheck.data.nsp; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java index 392df2851..4103ea118 100644 
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + * Copyright (c) 2017 Steve Springett. All Rights Reserved. */ package org.owasp.dependencycheck.data.nsp; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java index 935caeb64..a39f37899 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + * Copyright (c) 2017 Steve Springett. All Rights Reserved. */ package org.owasp.dependencycheck.data.nsp; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java index 0c17f3318..8f0c74d7b 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/SanitizePackageTest.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * Copyright (c) 2017 Jeremy Long. All Rights Reserved. + * Copyright (c) 2017 Steve Springett. All Rights Reserved. */ package org.owasp.dependencycheck.data.nsp; From 122c78648adb7fe8b71cda0839d5e3ea0e311128 Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sun, 21 May 2017 18:04:26 -0400 Subject: [PATCH 03/35] updated code to better handle TLS errors --- .../dependencycheck/analyzer/NspAnalyzer.java | 25 ++-- .../dependencycheck/data/nsp/NspSearch.java | 111 ++++++++++-------- .../org/owasp/dependencycheck/EngineIT.java | 31 +++-- .../data/nsp/NspSearchTest.java | 17 ++- 4 files changed, 108 insertions(+), 76 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java index 2bdac7f7a..0cdf6fca6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java @@ -50,10 +50,11 @@ import javax.json.JsonReader; import javax.json.JsonString; import javax.json.JsonValue; import org.owasp.dependencycheck.exception.InitializationException; +import org.owasp.dependencycheck.utils.URLConnectionFailureException; /** - * Used to analyze Node Package Manager (npm) package.json files via - * Node Security Platform (nsp). + * Used to analyze Node Package Manager (npm) package.json files via Node + * Security Platform (nsp). * * @author Steve Springett */ @@ -161,7 +162,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer { // Submits the package payload to the nsp check service final List advisories = searcher.submitPackage(nspPayload); - for (Advisory advisory: advisories) { + for (Advisory advisory : advisories) { /* * Create a new vulnerability out of the advisory returned by nsp. */ 
@@ -247,23 +248,27 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer { addToEvidence(packageJson, vendorEvidence, "author"); addToEvidence(packageJson, dependency.getVersionEvidence(), "version"); dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName())); - + } catch (URLConnectionFailureException e) { + this.setEnabled(false); + throw new AnalysisException(e.getMessage(), e); } catch (IOException e) { - LOGGER.debug("Error reading dependency or connecting to Node Security Platform /check API", e); + LOGGER.debug("Error reading dependency or connecting to Node Security Platform - check API", e); + this.setEnabled(false); + throw new AnalysisException(e.getMessage(), e); } catch (JsonException e) { - LOGGER.warn("Failed to parse package.json file.", e); + throw new AnalysisException(String.format("Failed to parse %s file.", file.getPath()), e); } } /** - * Processes a part of package.json (as defined by JsobObject) and - * update the specified dependency with relevant info. + * Processes a part of package.json (as defined by JsobObject) and update + * the specified dependency with relevant info. * * @param dependency the Dependency to update * @param jsonObject the jsonObject to parse */ private void processPackage(Dependency dependency, JsonObject jsonObject, String depType) { - for (int i=0; i entry : jsonObject.entrySet()) { /* * Create identifies that include the npm module and version. Since these are defined, @@ -273,7 +278,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer { moduleName.setConfidence(Confidence.HIGHEST); String version = ""; if (entry.getValue() != null && entry.getValue().getValueType() == JsonValue.ValueType.STRING) { - version = ((JsonString)entry.getValue()).getString(); + version = ((JsonString) entry.getValue()).getString(); } final Identifier moduleVersion = new Identifier("npm", "Version", null, version); moduleVersion.setConfidence(Confidence.HIGHEST); 
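Review bot: The new `catch (IOException e)` branch calls `this.setEnabled(false)` for every `IOException`, yet its own log message says "Error reading dependency or connecting", so the same `try` appears to cover reading the local package.json as well as the network call; an unreadable file in one module would then disable NSP analysis for every remaining dependency in the scan. Only the connection-failure cases justify disabling the analyzer — read the file in its own `try`, or rethrow the read failure as `AnalysisException` without touching the enabled flag. The `catch (URLConnectionFailureException e)` branch also gives no hint why the analyzer is switched off; a comment such as `// TLS/connection failure: further submissions would fail the same way, so stop trying` would help the next reader. The enclosing method body starts outside the hunk.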
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java index c59830a4c..d78ecfb34 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java @@ -35,6 +35,7 @@ import javax.json.Json; import javax.json.JsonArray; import javax.json.JsonObject; import javax.json.JsonReader; +import org.owasp.dependencycheck.utils.URLConnectionFailureException; /** * Class of methods to search via Node Security Platform. 
@@ -75,70 +76,80 @@ public class NspSearch { } /** - * Submits the package.json file to the NSP public /check API and returns - * a list of zero or more Advisories. + * Submits the package.json file to the NSP public /check API and returns a + * list of zero or more Advisories. * * @param packageJson the package.json file retrieved from the Dependency * @return a List of zero or more Advisory object * @throws IOException if it's unable to connect to Node Security Platform */ public List submitPackage(JsonObject packageJson) throws IOException { - List result = new ArrayList<>(); - byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8); + try { + List result = new ArrayList<>(); + byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8); - final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(nspCheckUrl, useProxy); - conn.setDoOutput(true); - conn.setDoInput(true); - conn.setRequestMethod("POST"); - conn.setRequestProperty("X-NSP-VERSION", "2.6.2"); - conn.setRequestProperty("Content-Type", "application/json"); - conn.setRequestProperty("Content-Length", Integer.toString(packageDatabytes.length)); - conn.connect(); + final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(nspCheckUrl, useProxy); + conn.setDoOutput(true); + conn.setDoInput(true); + conn.setRequestMethod("POST"); + conn.setRequestProperty("X-NSP-VERSION", "2.6.2"); + conn.setRequestProperty("Content-Type", "application/json"); + conn.setRequestProperty("Content-Length", Integer.toString(packageDatabytes.length)); + conn.connect(); - try (OutputStream os = new BufferedOutputStream(conn.getOutputStream())) { - os.write(packageDatabytes); - os.flush(); - } + try (OutputStream os = new BufferedOutputStream(conn.getOutputStream())) { + os.write(packageDatabytes); + os.flush(); + } - if (conn.getResponseCode() == 200) { - try (InputStream in = new BufferedInputStream(conn.getInputStream())) { - JsonReader 
jsonReader = Json.createReader(in); - JsonArray array = jsonReader.readArray(); - if (array != null) { - for (int i=0; i stringPath = new ArrayList<>(); - for (int j=0; j stringPath = new ArrayList<>(); + for (int j = 0; j < jsonPath.size(); j++) { + stringPath.add(jsonPath.getString(j)); + } + advisory.setPath(stringPath.toArray(new String[stringPath.size()])); + + result.add(advisory); } - advisory.setPath(stringPath.toArray(new String[stringPath.size()])); - - result.add(advisory); } } + } else { + LOGGER.debug("Could not connect to Node Security Platform. Received response code: {} {}", + conn.getResponseCode(), conn.getResponseMessage()); + throw new IOException("Could not connect to Node Security Platform"); } - } else { - LOGGER.debug("Could not connect to Node Security Platform. Received response code: {} {}", - conn.getResponseCode(), conn.getResponseMessage()); - throw new IOException("Could not connect to Node Security Platform"); + return result; + } catch (IOException ex) { + if (ex instanceof javax.net.ssl.SSLHandshakeException + && ex.getMessage().contains("unable to find valid certification path to requested target")) { + final String msg = String.format("Unable to connect to '%s' - the Java trust store does not contain a trusted root for the cert. " + + " Please see https://github.com/jeremylong/InstallCert for one method of updating the trusted certificates.", nspCheckUrl); + throw new URLConnectionFailureException(msg, ex); + } + throw ex; } - return result; } } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java index dd81bf828..1df3dc7cf 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java 
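Review bot: `ex.getMessage().contains(...)` in the new `catch (IOException ex)` dereferences the message without a null check, and `Throwable.getMessage()` may legitimately return null, which would replace the handshake failure with a `NullPointerException` that hides the original cause. Guard it: `if (ex instanceof SSLHandshakeException && ex.getMessage() != null && ex.getMessage().contains("unable to find valid certification path to requested target"))`. Stylistically, a dedicated `catch (SSLHandshakeException ex)` clause ahead of the generic rethrow would remove the `instanceof` and the inline `javax.net.ssl` qualification, and wrapping the whole method body in a `try` just to translate one exception type causes the indentation churn that makes up most of this hunk. Matching on exception text is brittle across JDK versions; a comment saying so next to the string would at least flag it for maintainers.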
@@ -18,6 +18,8 @@ package org.owasp.dependencycheck; import java.io.IOException; +import java.util.HashSet; +import java.util.Set; import static org.junit.Assert.assertTrue; import org.junit.Test; @@ -58,18 +60,23 @@ public class EngineIT extends BaseDBTestCase { try { instance.analyzeDependencies(); } catch (ExceptionCollection ex) { - if (ex.getExceptions().size() == 1 - && (ex.getExceptions().get(0).getMessage().contains("bundle-audit") - || ex.getExceptions().get(0).getMessage().contains("AssemblyAnalyzer"))) { - //this is fine to ignore - } else if (ex.getExceptions().size() == 2 - && ((ex.getExceptions().get(0).getMessage().contains("bundle-audit") - && ex.getExceptions().get(1).getMessage().contains("AssemblyAnalyzer")) - || (ex.getExceptions().get(1).getMessage().contains("bundle-audit") - && ex.getExceptions().get(0).getMessage().contains("AssemblyAnalyzer")))) { - //this is fine to ignore - } else { - throw ex; + Set allowedMessages = new HashSet<>(); + allowedMessages.add("bundle-audit"); + allowedMessages.add("AssemblyAnalyzer"); + //allowedMessages.add("Unable to connect to"); + for (Throwable t : ex.getExceptions()) { + boolean isOk = false; + if (t.getMessage()!=null) { + for (String msg : allowedMessages) { + if (t.getMessage().contains(msg)) { + isOk=true; + break; + } + } + } + if (!isOk) { + throw ex; + } } } DatabaseProperties prop = null; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java index a39f37899..f93c6afbc 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java 
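Review bot: The commented-out `//allowedMessages.add("Unable to connect to");` should be removed or replaced by a comment stating why NSP connection failures are deliberately not tolerated here, given that `NspSearchTest` in the same patch is made to skip on exactly that message. The spacing in `t.getMessage()!=null` and `isOk=true` departs from the operator spacing used elsewhere in the file. `Set allowedMessages` appears without a type argument in this rendering; if the source really reads that way it should be `Set<String> allowedMessages`.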
@@ -32,6 +32,9 @@ import java.io.IOException; import java.io.InputStream; import java.net.URL; import java.util.List; +import static org.junit.Assume.assumeFalse; +import static org.junit.Assume.assumeTrue; +import org.owasp.dependencycheck.utils.URLConnectionFailureException; public class NspSearchTest extends BaseTest { @@ -45,8 +48,7 @@ public class NspSearchTest extends BaseTest { searcher = new NspSearch(new URL(url)); } - //@Test - //todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET + @Test public void testNspSearchPositive() throws Exception { InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json"); try (JsonReader jsonReader = Json.createReader(in)) { @@ -56,17 +58,24 @@ public class NspSearchTest extends BaseTest { final JsonObject nspPayload = builder.add("package", sanitizedJson).build(); final List advisories = searcher.submitPackage(nspPayload); Assert.assertTrue(advisories.size() > 0); + } catch (Exception ex) { + assumeFalse(ex instanceof URLConnectionFailureException + && ex.getMessage().contains("Unable to connect to ")); + throw ex; } } - //@Test(expected = IOException.class) - //todo: this test does not work in Java 7 - UNABLE TO FIND VALID CERTIFICATION PATH TO REQUESTED TARGET + @Test public void testNspSearchNegative() throws Exception { InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json"); try (JsonReader jsonReader = Json.createReader(in)) { final JsonObject packageJson = jsonReader.readObject(); final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson); searcher.submitPackage(sanitizedJson); + } catch (Exception ex) { + assumeFalse(ex instanceof URLConnectionFailureException + && ex.getMessage().contains("Unable to connect to ")); + throw ex; } } From b0f9935fcbfba23c164f7d41006cb9da83da2e8e Mon Sep 17 00:00:00 2001 
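Review bot: `testNspSearchNegative` no longer asserts anything negative: the old `@Test(expected = IOException.class)` was replaced by a bare `@Test`, so submitting the unwrapped `sanitizedJson` passes whether NSP rejects it or not. Keep the expectation on the annotation (the exception type `submitPackage` throws for a rejected payload — `IOException` according to the comment this line replaces) so the test fails if the service ever starts accepting the malformed body, and keep the `assumeFalse` guard so an offline build is skipped rather than failed. Note that `assumeFalse` only skips when the message contains `Unable to connect to `; any other `URLConnectionFailureException` (proxy authentication, timeout) will surface as a hard failure, which may or may not be intended.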
From: Jeremy Long Date: Sat, 20 May 2017 07:37:46 -0400 Subject: [PATCH 04/35] updated to resolve issue #696 --- .../java/org/owasp/dependencycheck/App.java | 13 +-- .../org/owasp/dependencycheck/CliParser.java | 72 +++++++++----- .../org/owasp/dependencycheck/AppTest.java | 96 +++++++++++++++++-- .../src/test/resources/sample.properties | 33 +++++++ .../src/test/resources/sample2.properties | 33 +++++++ pom.xml | 1 + 6 files changed, 209 insertions(+), 39 deletions(-) create mode 100644 dependency-check-cli/src/test/resources/sample.properties create mode 100644 dependency-check-cli/src/test/resources/sample2.properties diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 52c6fce77..399dd15b3 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -353,8 +353,7 @@ public class App { * @throws InvalidSettingException thrown when a user defined properties * file is unable to be loaded. */ - private void populateSettings(CliParser cli) throws InvalidSettingException { - final boolean autoUpdate = cli.isAutoUpdate(); + protected void populateSettings(CliParser cli) throws InvalidSettingException { final String connectionTimeout = cli.getConnectionTimeout(); final String proxyServer = cli.getProxyServer(); final String proxyPort = cli.getProxyPort(); @@ -377,7 +376,8 @@ public class App { final String cveBase12 = cli.getBaseCve12Url(); final String cveBase20 = cli.getBaseCve20Url(); final Integer cveValidForHours = cli.getCveValidForHours(); - final boolean experimentalEnabled = cli.isExperimentalEnabled(); + final Boolean autoUpdate = cli.isAutoUpdate(); + final Boolean experimentalEnabled = cli.isExperimentalEnabled(); if (propertiesFile != null) { try { 
@@ -390,7 +390,7 @@ public class App { } // We have to wait until we've merged the properties before attempting to set whether we use // the proxy for Nexus since it could be disabled in the properties, but not explicitly stated - // on the command line + // on the command line. This is true of other boolean values set below not using the setBooleanIfNotNull. final boolean nexusUsesProxy = cli.isNexusUsesProxy(); if (dataDirectory != null) { Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory); @@ -404,7 +404,7 @@ public class App { final File dataDir = new File(base, sub); Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath()); } - Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate); + Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate); Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer); Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort); Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser); @@ -415,7 +415,8 @@ public class App { Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours); //File Type Analyzer Settings - Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled); + Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled); + Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled()); diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index c259e50d0..2ac6152c6 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java 
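Review bot: `populateSettings` is widened from `private` to `protected` only so `AppTest` can call it; package-private (no modifier) gives a same-package test access without exposing the method to subclasses as API. The amended comment on the `nexusUsesProxy` line says the ordering constraint applies to "other boolean values set below not using the setBooleanIfNotNull", but it does not say why: `Settings.setBoolean(ANALYZER_JAR_ENABLED, !cli.isJarDisabled())` and its siblings only honour a properties-file value because `isJarDisabled()` re-reads `Settings`. Making that explicit, `// the cli.is*Disabled() calls fall back to the merged Settings, so they must run after the -P properties file is loaded`, protects the ordering from a well-meaning refactor.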
@@ -567,6 +567,32 @@ public final class CliParser { return value; } + /** + * Utility method to determine if one of the disable options has been set. + * If not set, this method will check the currently configured settings for + * the current value to return. + * + * Example given `--disableArchive` on the command line would cause this + * method to return true for the disable archive setting. + * + * @param argument the command line argument + * @param setting the corresponding settings key + * @return true if the disable option was set, if not set the currently + * configured value will be returned + */ + private boolean hasDisableOption(String argument, String setting) { + if (line == null || !line.hasOption(argument)) { + try { + return !Settings.getBoolean(setting); + } catch (InvalidSettingException ise) { + LOGGER.warn("Invalid property setting '{}' defaulting to false", setting); + return false; + } + } else { + return true; + } + } + /** * Returns true if the disableJar command line argument was specified. * @@ -574,7 +600,7 @@ public final class CliParser { * otherwise false */ public boolean isJarDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_JAR); + return hasDisableOption(ARGUMENT.DISABLE_JAR, Settings.KEYS.ANALYZER_JAR_ENABLED); } /** @@ -584,7 +610,7 @@ public final class CliParser { * otherwise false */ public boolean isArchiveDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_ARCHIVE); + return hasDisableOption(ARGUMENT.DISABLE_ARCHIVE, Settings.KEYS.ANALYZER_ARCHIVE_ENABLED); } /** @@ -594,7 +620,7 @@ public final class CliParser { * otherwise false */ public boolean isNuspecDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_NUSPEC); + return hasDisableOption(ARGUMENT.DISABLE_NUSPEC, Settings.KEYS.ANALYZER_NUSPEC_ENABLED); } /** 
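Review bot: In `hasDisableOption`, the `InvalidSettingException` branch returns `false` — "not disabled", so the analyzer runs — but the warning text `defaulting to false` reads as if the setting were being forced off. Failing toward "analyzer enabled" is the safer default for a scanner, so keep the behaviour and make the message say so: `LOGGER.warn("Invalid property setting '{}'; treating the analyzer as enabled", setting);`. The javadoc should also state the precondition the method now carries: because it falls back to `Settings.getBoolean(setting)`, it must be called only after any `-P` properties file has been merged into `Settings`, otherwise the built-in default is returned silently.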
@@ -604,7 +630,7 @@ public final class CliParser { * otherwise false */ public boolean isAssemblyDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY); + return hasDisableOption(ARGUMENT.DISABLE_ASSEMBLY, Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED); } /** @@ -615,7 +641,7 @@ public final class CliParser { * specified; otherwise false */ public boolean isBundleAuditDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT); + return hasDisableOption(ARGUMENT.DISABLE_BUNDLE_AUDIT, Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED); } /** @@ -625,7 +651,7 @@ public final class CliParser { * otherwise false */ public boolean isPythonDistributionDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_DIST); + return hasDisableOption(ARGUMENT.DISABLE_PY_DIST, Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED); } /** @@ -635,7 +661,7 @@ public final class CliParser { * otherwise false */ public boolean isPythonPackageDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_PKG); + return hasDisableOption(ARGUMENT.DISABLE_PY_PKG, Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED); } /** @@ -645,7 +671,7 @@ public final class CliParser { * argument was specified; otherwise false */ public boolean isRubyGemspecDisabled() { - return (null != line) && line.hasOption(ARGUMENT.DISABLE_RUBYGEMS); + return hasDisableOption(ARGUMENT.DISABLE_RUBYGEMS, Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED); } /** @@ -655,7 +681,7 @@ public final class CliParser { * otherwise false */ public boolean isCmakeDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_CMAKE); + return hasDisableOption(ARGUMENT.DISABLE_CMAKE, Settings.KEYS.ANALYZER_CMAKE_ENABLED); } /** 
@@ -665,7 +691,7 @@ public final class CliParser { * otherwise false */ public boolean isAutoconfDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_AUTOCONF); + return hasDisableOption(ARGUMENT.DISABLE_AUTOCONF, Settings.KEYS.ANALYZER_AUTOCONF_ENABLED); } /** @@ -675,7 +701,7 @@ public final class CliParser { * otherwise false */ public boolean isComposerDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_COMPOSER); + return hasDisableOption(ARGUMENT.DISABLE_COMPOSER, Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED); } /** @@ -685,7 +711,7 @@ public final class CliParser { * otherwise false */ public boolean isNexusDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS); + return hasDisableOption(ARGUMENT.DISABLE_NEXUS, Settings.KEYS.ANALYZER_NEXUS_ENABLED); } /** @@ -695,7 +721,7 @@ public final class CliParser { * otherwise false */ public boolean isOpenSSLDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_OPENSSL); + return hasDisableOption(ARGUMENT.DISABLE_OPENSSL, Settings.KEYS.ANALYZER_OPENSSL_ENABLED); } /** @@ -705,7 +731,7 @@ public final class CliParser { * otherwise false */ public boolean isNodeJsDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_NODE_JS); + return hasDisableOption(ARGUMENT.DISABLE_NODE_JS, Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED); } /** @@ -716,7 +742,7 @@ public final class CliParser { * specified; otherwise false */ public boolean isCocoapodsAnalyzerDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_COCOAPODS); + return hasDisableOption(ARGUMENT.DISABLE_COCOAPODS, Settings.KEYS.ANALYZER_COCOAPODS_ENABLED); } /** 
@@ -727,7 +753,7 @@ public final class CliParser { * argument was specified; otherwise false */ public boolean isSwiftPackageAnalyzerDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_SWIFT); + return hasDisableOption(ARGUMENT.DISABLE_SWIFT, Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED); } /** @@ -737,7 +763,7 @@ public final class CliParser { * otherwise false */ public boolean isCentralDisabled() { - return (line != null) && line.hasOption(ARGUMENT.DISABLE_CENTRAL); + return hasDisableOption(ARGUMENT.DISABLE_CENTRAL, Settings.KEYS.ANALYZER_CENTRAL_ENABLED); } /** @@ -1029,10 +1055,10 @@ public final class CliParser { * disabled via the command line this will return false. * * @return true if auto-update is allowed; otherwise - * false + * null */ - public boolean isAutoUpdate() { - return line != null && !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE); + public Boolean isAutoUpdate() { + return (line != null && line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE)) ? false : null; } /** @@ -1134,10 +1160,10 @@ public final class CliParser { /** * Returns true if the experimental analyzers are enabled. * - * @return true if the experimental analyzers are enabled; otherwise false + * @return true if the experimental analyzers are enabled; otherwise null */ - public boolean isExperimentalEnabled() { - return line.hasOption(ARGUMENT.EXPERIMENTAL); + public Boolean isExperimentalEnabled() { + return (line != null && line.hasOption(ARGUMENT.EXPERIMENTAL)) ? true : null; } /** diff --git a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java index fdadb0e39..e6569e761 100644 --- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java +++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java 
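Review bot: The new javadoc on `isAutoUpdate` is inverted: the body returns `false` when `ARGUMENT.DISABLE_AUTO_UPDATE` is present and `null` otherwise, and never returns `true`, yet the `@return` says "true if auto-update is allowed; otherwise null". Suggest `@return false if auto-update was disabled on the command line; otherwise null, meaning use the configured value`. Changing both return types from `boolean` to `Boolean` also means any caller outside this patch that still writes `if (cli.isAutoUpdate())` will throw a NullPointerException on the `null` case — worth a grep across the other modules before merging.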
@@ -13,18 +13,28 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved. + * Copyright (c) 2017 The OWASP Foundatio. All Rights Reserved. */ package org.owasp.dependencycheck; +import java.io.File; +import java.io.FileNotFoundException; +import java.net.URISyntaxException; +import java.util.HashMap; +import java.util.Map; +import org.apache.commons.cli.ParseException; +import org.apache.commons.cli.UnrecognizedOptionException; import org.junit.Test; import static org.junit.Assert.*; +import org.owasp.dependencycheck.utils.InvalidSettingException; +import org.owasp.dependencycheck.utils.Settings; /** * * @author jeremy */ public class AppTest { + /** * Test of ensureCanonicalPath method, of class App. */ 
@@ -35,17 +45,83 @@ public class AppTest { String result = instance.ensureCanonicalPath(file); assertFalse(result.contains("..")); assertTrue(result.endsWith("*.jar")); - } - /** - * Test of ensureCanonicalPath method, of class App. - */ - @Test - public void testEnsureCanonicalPath2() { - String file = "../some/skip/../path/file.txt"; - App instance = new App(); + file = "../some/skip/../path/file.txt"; String expResult = "/some/path/file.txt"; - String result = instance.ensureCanonicalPath(file); + result = instance.ensureCanonicalPath(file); assertTrue("result=" + result, result.endsWith(expResult)); } + + @Test(expected = UnrecognizedOptionException.class) + public void testPopulateSettingsException() throws FileNotFoundException, ParseException, InvalidSettingException, URISyntaxException { + String[] args = {"-invalidPROPERTY"}; + assertTrue(testBooleanProperties(args, null)); + } + + @Test + public void testPopulateSettings() throws FileNotFoundException, ParseException, InvalidSettingException, URISyntaxException { + File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath()); + String[] args = {"-P", prop.getAbsolutePath()}; + Map expected = new HashMap<>(); + expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.TRUE); + + assertTrue(testBooleanProperties(args, expected)); + + String[] args2 = {"-n"}; + expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.TRUE); + assertTrue(testBooleanProperties(args2, expected)); + + String[] args3 = {"-h"}; + expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.TRUE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.TRUE); + assertTrue(testBooleanProperties(args3, expected)); + + String[] args4 = {"--disableArchive"}; + expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.TRUE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, 
Boolean.FALSE); + assertTrue(testBooleanProperties(args4, expected)); + + String[] args5 = {"-P", prop.getAbsolutePath(), "--disableArchive"}; + expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE); + assertTrue(testBooleanProperties(args5, expected)); + + prop = new File(this.getClass().getClassLoader().getResource("sample2.properties").toURI().getPath()); + String[] args6 = {"-P", prop.getAbsolutePath(), "--disableArchive"}; + expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.TRUE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE); + assertTrue(testBooleanProperties(args6, expected)); + + String[] args7 = {"-P", prop.getAbsolutePath(), "--noupdate"}; + expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.TRUE); + assertTrue(testBooleanProperties(args7, expected)); + + String[] args8 = {"-P", prop.getAbsolutePath(), "--noupdate", "--disableArchive"}; + expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE); + assertTrue(testBooleanProperties(args8, expected)); + + + } + + private boolean testBooleanProperties(String[] args, Map expected) throws URISyntaxException, FileNotFoundException, ParseException, InvalidSettingException { + Settings.initialize(); + try { + final CliParser cli = new CliParser(); + cli.parse(args); + App instance = new App(); + instance.populateSettings(cli); + boolean results = true; + for (Map.Entry entry : expected.entrySet()) { + results &= Settings.getBoolean(entry.getKey()) == entry.getValue(); + } + + return results; + } finally { + Settings.cleanup(); + } + } } diff --git a/dependency-check-cli/src/test/resources/sample.properties b/dependency-check-cli/src/test/resources/sample.properties new file mode 100644 index 000000000..0b45d5d04 --- /dev/null 
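Review bot: `testBooleanProperties` folds every comparison into a single `results &=` and returns a boolean, so when `assertTrue(testBooleanProperties(args5, expected))` fails the report says only "false" and gives no hint which key diverged or for which `args` array. Asserting per entry inside the loop, `assertEquals("key=" + entry.getKey(), entry.getValue(), Settings.getBoolean(entry.getKey()));`, keeps `Settings.cleanup()` in the `finally` and makes failures self-describing. `testPopulateSettingsException` passes `null` as `expected`, which would NPE in the loop rather than fail cleanly if the parser ever stops rejecting `-invalidPROPERTY`; an empty map avoids that.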
+++ b/dependency-check-cli/src/test/resources/sample.properties @@ -0,0 +1,33 @@ +autoupdate=false + +analyzer.experimental.enabled=false +analyzer.jar.enabled=true +analyzer.archive.enabled=true +analyzer.node.package.enabled=true +analyzer.composer.lock.enabled=true +analyzer.python.distribution.enabled=true +analyzer.python.package.enabled=true +analyzer.ruby.gemspec.enabled=true +analyzer.autoconf.enabled=true +analyzer.cmake.enabled=true +analyzer.assembly.enabled=true +analyzer.nuspec.enabled=true +analyzer.openssl.enabled=true +analyzer.central.enabled=true +analyzer.nexus.enabled=false +analyzer.cocoapods.enabled=true +analyzer.swift.package.manager.enabled=true +#whether the nexus analyzer uses the proxy +analyzer.nexus.proxy=true +analyzer.cpe.enabled=true +analyzer.cpesuppression.enabled=true +analyzer.dependencybundling.enabled=true +analyzer.dependencymerging.enabled=true +analyzer.falsepositive.enabled=true +analyzer.filename.enabled=true +analyzer.hint.enabled=true +analyzer.nvdcve.enabled=true +analyzer.vulnerabilitysuppression.enabled=true +updater.nvdcve.enabled=true +updater.versioncheck.enabled=true +analyzer.versionfilter.enabled=true \ No newline at end of file diff --git a/dependency-check-cli/src/test/resources/sample2.properties b/dependency-check-cli/src/test/resources/sample2.properties new file mode 100644 index 000000000..34a2efe65 --- /dev/null +++ b/dependency-check-cli/src/test/resources/sample2.properties 
@@ -0,0 +1,33 @@ +autoupdate=true + +analyzer.experimental.enabled=false +analyzer.jar.enabled=true +analyzer.archive.enabled=true +analyzer.node.package.enabled=true +analyzer.composer.lock.enabled=true +analyzer.python.distribution.enabled=true +analyzer.python.package.enabled=true +analyzer.ruby.gemspec.enabled=true +analyzer.autoconf.enabled=true +analyzer.cmake.enabled=true +analyzer.assembly.enabled=true +analyzer.nuspec.enabled=true +analyzer.openssl.enabled=true +analyzer.central.enabled=true +analyzer.nexus.enabled=false +analyzer.cocoapods.enabled=true +analyzer.swift.package.manager.enabled=true +#whether the nexus analyzer uses the proxy +analyzer.nexus.proxy=true +analyzer.cpe.enabled=true +analyzer.cpesuppression.enabled=true +analyzer.dependencybundling.enabled=true +analyzer.dependencymerging.enabled=true +analyzer.falsepositive.enabled=true +analyzer.filename.enabled=true +analyzer.hint.enabled=true +analyzer.nvdcve.enabled=true +analyzer.vulnerabilitysuppression.enabled=true +updater.nvdcve.enabled=true +updater.versioncheck.enabled=true +analyzer.versionfilter.enabled=true \ No newline at end of file diff --git a/pom.xml b/pom.xml index 370e4c9fd..f49db6716 100644 --- a/pom.xml +++ b/pom.xml @@ -134,6 +134,7 @@ Copyright (c) 2012 - Jeremy Long 3.0 2.17 3.6 + From dd4a1f2d5680a869802b850bbbf835601626c10c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 21 May 2017 07:25:42 -0400 Subject: [PATCH 05/35] updated for code coverage --- .../org/owasp/dependencycheck/AppTest.java | 2 +- .../src/test/resources/sample2.properties | 60 +++++++++---------- pom.xml | 28 ++++++++- 3 files changed, 56 insertions(+), 34 deletions(-) diff --git a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java index e6569e761..9659c5241 100644 --- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java 
+++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java @@ -96,7 +96,7 @@ public class AppTest { String[] args7 = {"-P", prop.getAbsolutePath(), "--noupdate"}; expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE); - expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.TRUE); + expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE); assertTrue(testBooleanProperties(args7, expected)); String[] args8 = {"-P", prop.getAbsolutePath(), "--noupdate", "--disableArchive"}; diff --git a/dependency-check-cli/src/test/resources/sample2.properties b/dependency-check-cli/src/test/resources/sample2.properties index 34a2efe65..00d0e5a27 100644 --- a/dependency-check-cli/src/test/resources/sample2.properties +++ b/dependency-check-cli/src/test/resources/sample2.properties 
@@ -1,33 +1,33 @@ autoupdate=true -analyzer.experimental.enabled=false -analyzer.jar.enabled=true -analyzer.archive.enabled=true -analyzer.node.package.enabled=true -analyzer.composer.lock.enabled=true -analyzer.python.distribution.enabled=true -analyzer.python.package.enabled=true -analyzer.ruby.gemspec.enabled=true -analyzer.autoconf.enabled=true -analyzer.cmake.enabled=true -analyzer.assembly.enabled=true -analyzer.nuspec.enabled=true -analyzer.openssl.enabled=true -analyzer.central.enabled=true -analyzer.nexus.enabled=false -analyzer.cocoapods.enabled=true -analyzer.swift.package.manager.enabled=true +analyzer.experimental.enabled=true +analyzer.jar.enabled=false +analyzer.archive.enabled=false +analyzer.node.package.enabled=false +analyzer.composer.lock.enabled=false +analyzer.python.distribution.enabled=false +analyzer.python.package.enabled=false +analyzer.ruby.gemspec.enabled=false +analyzer.autoconf.enabled=false +analyzer.cmake.enabled=false +analyzer.assembly.enabled=false +analyzer.nuspec.enabled=false +analyzer.openssl.enabled=false +analyzer.central.enabled=false +analyzer.nexus.enabled=true +analyzer.cocoapods.enabled=false +analyzer.swift.package.manager.enabled=false #whether the nexus analyzer uses the proxy -analyzer.nexus.proxy=true -analyzer.cpe.enabled=true -analyzer.cpesuppression.enabled=true -analyzer.dependencybundling.enabled=true -analyzer.dependencymerging.enabled=true -analyzer.falsepositive.enabled=true -analyzer.filename.enabled=true -analyzer.hint.enabled=true -analyzer.nvdcve.enabled=true -analyzer.vulnerabilitysuppression.enabled=true -updater.nvdcve.enabled=true -updater.versioncheck.enabled=true -analyzer.versionfilter.enabled=true \ No newline at end of file +analyzer.nexus.proxy=false +analyzer.cpe.enabled=false +analyzer.cpesuppression.enabled=false +analyzer.dependencybundling.enabled=false +analyzer.dependencymerging.enabled=false +analyzer.falsepositive.enabled=false +analyzer.filename.enabled=false 
+analyzer.hint.enabled=false +analyzer.nvdcve.enabled=false +analyzer.vulnerabilitysuppression.enabled=false +updater.nvdcve.enabled=false +updater.versioncheck.enabled=false +analyzer.versionfilter.enabled=false \ No newline at end of file diff --git a/pom.xml b/pom.xml index f49db6716..9b371cead 100644 --- a/pom.xml +++ b/pom.xml @@ -134,7 +134,6 @@ Copyright (c) 2012 - Jeremy Long 3.0 2.17 3.6 - @@ -289,7 +288,7 @@ Copyright (c) 2012 - Jeremy Long prepare-agent - + ${project.build.directory}/coverage-reports/jacoco-ut.exec surefireArgLine @@ -300,12 +299,31 @@ Copyright (c) 2012 - Jeremy Long prepare-agent - + ${project.build.directory}/coverage-reports/jacoco-it.exec failsafeArgLine + + org.codehaus.gmaven + gmaven-plugin + 1.5 + + + add-dynamic-properties + pre-integration-test + + execute + + + + project.properties['invoker.mavenOpts']=project.properties.failsafeArgLine + + + + + org.apache.maven.plugins maven-surefire-plugin @@ -579,6 +597,10 @@ Copyright (c) 2012 - Jeremy Long jacoco-maven-plugin 0.7.9 + + target/coverage-reports/jacoco-ut.exec + target/coverage-reports/jacoco-it.exec + From 8206aa9bfdb58b05558ee1b66a8562428ab58e1c Mon Sep 17 00:00:00 2001 From: stevespringett Date: Tue, 23 May 2017 11:08:54 -0500 Subject: [PATCH 06/35] Added additional check when submitting an invalid payload to nsp. Corrected unit test. --- .../owasp/dependencycheck/data/nsp/NspSearch.java | 8 +++++++- .../dependencycheck/data/nsp/NspSearchTest.java | 13 ++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java index d78ecfb34..9fa4fbbd0 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java 
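Review bot: The new `gmaven-plugin` execution assigns `project.properties.failsafeArgLine` into `invoker.mavenOpts` unconditionally; `project.properties` is a `java.util.Properties`, whose `put` rejects null, so a build that reaches `pre-integration-test` without jacoco's `prepare-agent` having set `failsafeArgLine` (for example with coverage skipped) would presumably fail with a NullPointerException from the script instead of simply running without coverage. A one-line guard avoids that: `if (project.properties.failsafeArgLine) project.properties['invoker.mavenOpts'] = project.properties.failsafeArgLine`. Pinning the plugin to `1.5` is good; the inline script is a new piece of build-time code that runs on every contributor's machine, so a comment in the POM saying why it exists (propagating the agent to invoker runs) would help the next reader.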
@@ -27,6 +27,7 @@ import java.net.URL; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.List; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.URLConnectionFactory; import org.slf4j.Logger; @@ -81,9 +82,10 @@ public class NspSearch { * * @param packageJson the package.json file retrieved from the Dependency * @return a List of zero or more Advisory object + * @throws AnalysisException if Node Security Platform is unable to analyze the package * @throws IOException if it's unable to connect to Node Security Platform */ - public List submitPackage(JsonObject packageJson) throws IOException { + public List submitPackage(JsonObject packageJson) throws AnalysisException, IOException { try { List result = new ArrayList<>(); byte[] packageDatabytes = packageJson.toString().getBytes(StandardCharsets.UTF_8); @@ -136,6 +138,10 @@ public class NspSearch { } } } + } else if (conn.getResponseCode() == 400) { + LOGGER.debug("Invalid payload submitted to Node Security Platform. Received response code: {} {}", + conn.getResponseCode(), conn.getResponseMessage()); + throw new AnalysisException("Could not perform NSP analysis. Invalid payload submitted to Node Security Platform."); } else { LOGGER.debug("Could not connect to Node Security Platform. Received response code: {} {}", conn.getResponseCode(), conn.getResponseMessage()); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java index f93c6afbc..57569224a 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nsp/NspSearchTest.java 
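Review bot: The new `else if (conn.getResponseCode() == 400)` branch discards the server's explanation: NSP's 400 body normally says which field was rejected, yet the code neither reads `conn.getErrorStream()` nor attaches anything to the `AnalysisException`, so the only diagnostic is a debug-level status line. Read the error stream (bounded, it is untrusted input) at debug level before throwing, and prefer the named constant `HttpURLConnection.HTTP_BAD_REQUEST` over the literal `400`. Any other status (401, 429, 5xx) still falls into the `else` branch's "Could not connect" `IOException`, which is misleading for rate-limiting or outages; including the code, `"Node Security Platform returned HTTP " + conn.getResponseCode()`, lets the report distinguish the two. `submitPackage` begins outside this hunk.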
@@ -21,6 +21,7 @@ import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -28,12 +29,10 @@ import javax.json.Json; import javax.json.JsonObject; import javax.json.JsonObjectBuilder; import javax.json.JsonReader; -import java.io.IOException; import java.io.InputStream; import java.net.URL; import java.util.List; import static org.junit.Assume.assumeFalse; -import static org.junit.Assume.assumeTrue; import org.owasp.dependencycheck.utils.URLConnectionFailureException; public class NspSearchTest extends BaseTest { @@ -59,13 +58,13 @@ public class NspSearchTest extends BaseTest { final List advisories = searcher.submitPackage(nspPayload); Assert.assertTrue(advisories.size() > 0); } catch (Exception ex) { - assumeFalse(ex instanceof URLConnectionFailureException + assumeFalse(ex instanceof URLConnectionFailureException && ex.getMessage().contains("Unable to connect to ")); - throw ex; + throw ex; } } - @Test + @Test(expected = AnalysisException.class) public void testNspSearchNegative() throws Exception { InputStream in = BaseTest.getResourceAsStream(this, "nsp/package.json"); try (JsonReader jsonReader = Json.createReader(in)) { @@ -73,9 +72,9 @@ public class NspSearchTest extends BaseTest { final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson); searcher.submitPackage(sanitizedJson); } catch (Exception ex) { - assumeFalse(ex instanceof URLConnectionFailureException + assumeFalse(ex instanceof URLConnectionFailureException && ex.getMessage().contains("Unable to connect to ")); - throw ex; + throw ex; } } From 66dbcb98d20163bd197f5233f8fe8a786fe79f4b Mon Sep 17 00:00:00 2001 
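Review bot: Both tests now reach the live nodesecurity.io endpoint and are skipped (via `assumeFalse`) only when the connection itself fails, so a reachable but changed service — NSP accepting the unwrapped payload, or returning no advisories for the `nsp/package.json` fixture — breaks the unit build, and any proxy or TLS failure whose message lacks `Unable to connect to ` fails hard. Following the module's existing convention (`EngineIT`), renaming this class `NspSearchIT` or otherwise moving it under the integration-test phase keeps offline unit runs hermetic. The positive test's `Assert.assertTrue(advisories.size() > 0)` also depends on the fixture's pinned versions staying vulnerable in NSP's database; a comment above the fixture load, `// fixture deliberately pins versions with known NSP advisories`, would save the next maintainer a puzzled hour.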
From: Jeremy Long Date: Sun, 4 Jun 2017 20:51:27 -0400 Subject: [PATCH 07/35] updated report to support changes in PR #714 --- .../main/resources/templates/jsonReport.vsl | 31 ++++++++++++------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/dependency-check-core/src/main/resources/templates/jsonReport.vsl b/dependency-check-core/src/main/resources/templates/jsonReport.vsl index f5851146d..92939dc4c 100644 --- a/dependency-check-core/src/main/resources/templates/jsonReport.vsl +++ b/dependency-check-core/src/main/resources/templates/jsonReport.vsl @@ -17,7 +17,10 @@ #if($artifactID)"artifactID":"$enc.json($artifactID)",#end #if($version)"version":"$enc.json($version)",#end "reportDate": "$scanDateXML", - "credits": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov" + "credits": { + "NVD": "This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov", + "NSP": "This report may contain data retrieved from the Node Security Platform: https://nodesecurity.io" + } }, "dependencies": [ #foreach($dependency in $dependencies)#if($foreach.count > 1),#end{ 
@@ -31,20 +34,24 @@ ,"relatedDependencies": [ #foreach($related in $dependency.getRelatedDependencies()) #if($foreach.count > 1),#end { "filePath": "$enc.json($related.FilePath)", - "sha1": "$enc.json($related.Sha1sum)", - "md5": "$enc.json($related.Md5sum)"#if($related.getIdentifiers()),#end + "sha1": "#if($related.Sha1sum)$enc.json($related.Sha1sum)#end", + "md5": "#if($related.Md5sum)$enc.json($related.Md5sum)#end"#if($related.getIdentifiers()), "identifiers": [ #foreach($id in $related.getIdentifiers()) #if ($id.type=="maven") { "type": "$enc.json($id.type)", "name": "$id.value" - #if( $id.url ),"url": "$enc.json($id.url)"#end + #if ($id.url),"url": "$enc.json($id.url)"#end #if ($id.notes),"notes": "$enc.json($id.notes)"#end } #end + #if ($id.type=="npm") + ,"id":"$enc.json($id.value)" + ,"description":"$enc.json($id.description)" + #end #end - ] + ]#end } #end ] 
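Review bot: The new `#if ($id.type=="npm")` block emits `,"id":"…" ,"description":"…"` directly inside the `identifiers` JSON array — a bare key/value pair with a leading comma is not a valid array element — so any related dependency carrying an npm identifier produces an unparseable report. Wrap it as an object and handle the separator inside the branch; the `maven` branch has the same missing-separator problem for multiple identifiers and its `"name": "$id.value"` is the one identifier field not passed through `$enc.json`, which a crafted artifact coordinate could use to break the JSON. Rewritten npm branch:
```velocity
#if ($id.type=="npm")
#if($foreach.count > 1),#end
{
  "type": "$enc.json($id.type)",
  "id": "$enc.json($id.value)",
  "description": "$enc.json($id.description)"
}
#end
## … unchanged: maven branch above …
```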
@@ -112,12 +119,14 @@ #foreach($vuln in $dependency.getVulnerabilities())#if($foreach.count > 1),#end { "name": "$enc.json($vuln.name)", "cvssScore": "$vuln.cvssScore", - "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", - "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", - "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", - "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", - "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", - "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", + #if ($vuln.getSource().name().equals("NVD")) + "cvssAccessVector": "$enc.json($vuln.cvssAccessVector)", + "cvssAccessComplexity": "$enc.json($vuln.cvssAccessComplexity)", + "cvssAuthenticationr": "$enc.json($vuln.cvssAuthentication)", + "cvssConfidentialImpact": "$enc.json($vuln.cvssConfidentialityImpact)", + "cvssIntegrityImpact": "$enc.json($vuln.cvssIntegrityImpact)", + "cvssAvailabilityImpact": "$enc.json($vuln.cvssAvailabilityImpact)", + #end #if ($vuln.cvssScore<4.0)"severity": "Low", #elseif ($vuln.cvssScore>=7.0)"severity": "High", #else "severity": "Medium",#end From 5607e1f17972e4dcd683d009450532d14b56a4bf Mon Sep 17 00:00:00 2001 
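Review bot: The key `"cvssAuthenticationr"` on the re-indented line is misspelled (its value comes from `$vuln.cvssAuthentication`), and since this hunk rewrites the line anyway it is the cheapest moment to correct it to `"cvssAuthentication"`; renaming a key changes the report schema for anyone parsing it, so the change should be called out in the release notes. The guard `$vuln.getSource().name().equals("NVD")` compares a name against a string literal; if `getSource()` returns an enum, comparing the enum constant itself would make a renamed constant fail loudly instead of silently dropping the CVSS fields. With the guard in place a non-NVD vulnerability still emits the context line `"cvssScore": "$vuln.cvssScore"`; what that field holds for NSP advisories is not visible in this hunk and is worth confirming so consumers do not read an empty or default score as a real one.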
From: Jeremy Long
Date: Wed, 7 Jun 2017 07:00:14 -0400
Subject: [PATCH 08/35] add the ability to enable/disable the NSP analyzer and updated the site documentation
---
 .../owasp/dependencycheck/taskdefs/Check.java | 22 +++++
 .../src/site/markdown/configuration.md | 21 ++---
 .../java/org/owasp/dependencycheck/App.java | 1 +
 .../org/owasp/dependencycheck/CliParser.java | 15 ++++
 .../src/site/markdown/arguments.md | 81 ++++++++++---------
 .../maven/BaseDependencyCheckMojo.java | 6 ++
 .../src/site/markdown/configuration.md | 1 +
 src/site/markdown/analyzers/index.md | 1 +
 src/site/markdown/analyzers/nsp-analyzer | 16 ++++
 .../dependency-check-gradle/configuration.md | 1 +
 10 files changed, 115 insertions(+), 50 deletions(-)
 create mode 100644 src/site/markdown/analyzers/nsp-analyzer
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
index 9841a0830..a796e0ebd 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -58,6 +58,11 @@ public class Check extends Update {
 * Whether or not the Node.js Analyzer is enabled.
 */
 private Boolean nodeAnalyzerEnabled;
+ /**
+ * Whether or not the NSP Analyzer is enabled.
+ */
+ private Boolean nspAnalyzerEnabled;
+
 /**
 * Whether or not the Ruby Bundle Audit Analyzer is enabled.
 */
@@ -737,6 +742,22 @@ public class Check extends Update {
 public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
 this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
 }
+ /**
+ * Get the value of nspAnalyzerEnabled.
+ *
+ * @return the value of nspAnalyzerEnabled
+ */
+ public Boolean isNspAnalyzerEnabled() {
+ return nspAnalyzerEnabled;
+ }
+ /**
+ * Set the value of nspAnalyzerEnabled.
+ *
+ * @param nspAnalyzerEnabled new value of nspAnalyzerEnabled
+ */
+ public void setNspAnalyzerEnabled(Boolean nspAnalyzerEnabled) {
+ this.nspAnalyzerEnabled = nspAnalyzerEnabled;
+ }
 /**
 * Get the value of rubygemsAnalyzerEnabled.
@@ -1008,6 +1029,7 @@ public class Check extends Update {
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+ Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md
index 8b0b84634..9155b8124 100644
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
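Review bot: The Javadoc on the added `isNspAnalyzerEnabled()` and `setNspAnalyzerEnabled(Boolean)` only restates the field name; since the value is consumed through `Settings.setBooleanIfNotNull` in the `@@ -1008` hunk, the useful contract is that `null` leaves the configured default untouched, e.g. `@return whether the NSP Analyzer is enabled, or {@code null} when the attribute was not set and the configured default applies`. The getter carries an `is` prefix yet returns a boxed `Boolean`, which matches the neighbouring accessors, so the three-valued meaning is better documented on the field than changed here. The blank line that separates the other accessors appears to be missing between the added setter and the `rubygemsAnalyzerEnabled` Javadoc, though the flattened diff makes that hard to be sure of.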
@@ -55,23 +55,24 @@ Note, that specific analyzers will automatically disable themselves if no file types that they support are detected - so specifically disabling them may not be needed. -Property | Description | Default Value -------------------------------|-----------------------------------------------------------------------------------|------------------ -archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true +Property | Description | Default Value +------------------------------|------------------------------------------------------------------------------------------------------------|------------------ +archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   -jarAnalyzer | Sets whether the Jar Analyzer will be used. | true +jarAnalyzer | Sets whether the Jar Analyzer will be used. | true centralAnalyzerEnabled | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true nexusUrl | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   -nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true +nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. 
| true pyDistributionAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. | true pyPackageAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. | true rubygemsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | true -opensslAnalyzerEnabled | Sets whether the openssl Analyzer should be used. | true +opensslAnalyzerEnabled | Sets whether the openssl Analyzer should be used. | true cmakeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true autoconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true nodeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used. | true +nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true bundleAuditAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. | true 
@@ -92,8 +93,8 @@ cveUrl20Modified | URL for the modified CVE 2.0. cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data -databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   +databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   -connectionString | The connection string used to connect to the database. |   -databaseUser | The username used when connecting to the database. |   -databasePassword | The password used when connecting to the database. |   +connectionString | The connection string used to connect to the database. |   +databaseUser | The username used when connecting to the database. |   +databasePassword | The password used when connecting to the database. |   diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 0612c0781..57c5cbf74 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java 
@@ -455,6 +455,7 @@ public class App {
 Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
 Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
 Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, !cli.isNspDisabled());
 Settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, !cli.isSwiftPackageAnalyzerDisabled());
 Settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, !cli.isCocoapodsAnalyzerDisabled());
 Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index 2ac6152c6..aa0a89560 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -490,6 +490,8 @@ public final class CliParser {
 .addOption(swiftPackageManagerAnalyzerEnabled)
 .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_JS)
 .desc("Disable the Node.js Package Analyzer.").build())
+ .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NSP)
+ .desc("Disable the NSP Package Analyzer.").build())
 .addOption(nexusUrl)
 .addOption(nexusUsesProxy)
 .addOption(additionalZipExtensions)
@@ -733,6 +735,15 @@ public final class CliParser {
 public boolean isNodeJsDisabled() {
 return hasDisableOption(ARGUMENT.DISABLE_NODE_JS, Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED);
 }
+/**
+ * Returns true if the disableNSP command line argument was specified.
+ *
+ * @return true if the disableNSP command line argument was specified;
+ * otherwise false
+ */
+ public boolean isNspDisabled() {
+ return hasDisableOption(ARGUMENT.DISABLE_NSP, Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED);
+ }
 /**
 * Returns true if the disableCocoapodsAnalyzer command line argument was
@@ -1443,6 +1454,10 @@ public final class CliParser {
 * Disables the Node.js Package Analyzer.
 */
 public static final String DISABLE_NODE_JS = "disableNodeJS";
+ /**
+ * Disables the NSP Analyzer.
+ */
+ public static final String DISABLE_NSP = "disableNSP";
 /**
 * The URL of the nexus server.
 */
diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md
index 048c1f193..6a09f4694 100644
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
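Review bot: The Javadoc opener for the new `isNspDisabled()` shows up in the diff as `+/**` with no indentation while every other added line in this hunk carries the method indentation, which suggests the comment block starts at column 0 and will trip the project's formatting checks; the flattened diff makes this an inference, but it is worth a look before merge. The option is registered with `.desc("Disable the NSP Package Analyzer.")` in the `@@ -490` hunk while the `DISABLE_NSP` Javadoc and the site tables call it the `NSP Analyzer`; using one name in the `--disableNSP` help text keeps `--help` consistent with the documentation. The method Javadoc could also say what `hasDisableOption` consults when the flag is absent, since `Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED` is passed as its second argument, presumably as the configured default.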
@@ -24,44 +24,45 @@ Short | Argument Name   | Parameter | Description | Requir Advanced Options ================ Short | Argument Name        | Parameter | Description | Default Value --------|-----------------------|-----------------|----------------------------------------------------------------------------------|------------------- - | \-\-cveUrl12Modified | \ | URL for the modified CVE 1.2 | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz - | \-\-cveUrl20Modified | \ | URL for the modified CVE 2.0 | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz - | \-\-cveUrl12Base | \ | Base URL for each year's CVE 1.2, the %d will be replaced with the year | https://nvd.nist.gov/download/nvdcve-%d.xml.gz - | \-\-cveUrl20Base | \ | Base URL for each year's CVE 2.0, the %d will be replaced with the year | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz - \-P | \-\-propertyfile | \ | Specifies a file that contains properties to use instead of applicaion defaults. |   - | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. |   - | \-\-disablePyDist | | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. | false - | \-\-disablePyPkg | | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. | false - | \-\-disableNodeJS | | Sets whether the [experimental](../analyzers/index.html) Node.js Package Analyzer will be used. | false - | \-\-disableRubygems | | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | false - | \-\-disableBundleAudit | | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used. | false - | \-\-disableCocoapodsAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used. 
| false +-------|------------------------|-----------------|----------------------------------------------------------------------------------|------------------- + | \-\-cveUrl12Modified | \ | URL for the modified CVE 1.2 | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz + | \-\-cveUrl20Modified | \ | URL for the modified CVE 2.0 | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz + | \-\-cveUrl12Base | \ | Base URL for each year's CVE 1.2, the %d will be replaced with the year | https://nvd.nist.gov/download/nvdcve-%d.xml.gz + | \-\-cveUrl20Base | \ | Base URL for each year's CVE 2.0, the %d will be replaced with the year | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz + \-P | \-\-propertyfile | \ | Specifies a file that contains properties to use instead of applicaion defaults. |   + | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. |   + | \-\-disablePyDist | | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. | false + | \-\-disablePyPkg | | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. | false + | \-\-disableNodeJS | | Sets whether the [experimental](../analyzers/index.html) Node.js Package Analyzer will be used. | false + | \-\-disableNSP | | Sets whether the NSP Analyzer will be used. | false + | \-\-disableRubygems | | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | false + | \-\-disableBundleAudit | | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used. | false + | \-\-disableCocoapodsAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used. | false | \-\-disableSwiftPackageManagerAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used. 
| false - | \-\-disableAutoconf | | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used. | false - | \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false - | \-\-disableCmake | | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled. | false - | \-\-disableArchive | | Sets whether the Archive Analyzer will be disabled. | false - | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   - | \-\-disableJar | | Sets whether the Jar Analyzer will be disabled. | false - | \-\-disableComposer | | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer will be disabled. | false - | \-\-disableCentral | | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false - | \-\-disableNexus | | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false - | \-\-nexus | \ | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   - | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | true - | \-\-disableNuspec | | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | false - | \-\-disableAssembly | | Sets whether or not the .NET Assembly Analyzer should be used. | false - | \-\-mono | \ | The path to Mono for .NET Assembly analysis on non-windows systems. 
|   - | \-\-bundleAudit | | The path to the bundle-audit executable. |   - | \-\-proxyserver | \ | The proxy server to use when downloading resources; see the [proxy configuration](../data/proxy.html) page for more information. |   - | \-\-proxyport | \ | The proxy port to use when downloading resources. |   - | \-\-connectiontimeout | \ | The connection timeout (in milliseconds) to use when downloading resources. |   - | \-\-proxypass | \ | The proxy password to use when downloading resources. |   - | \-\-proxyuser | \ | The proxy username to use when downloading resources. |   - | \-\-connectionString | \ | The connection string to the database. |   - | \-\-dbDriverName | \ | The database driver name. |   - | \-\-dbDriverPath | \ | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. |   - | \-\-dbPassword | \ | The password for connecting to the database. |   - | \-\-dbUser | \ | The username used to connect to the database. |   - \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. |   - | \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. |   \ No newline at end of file + | \-\-disableAutoconf | | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used. | false + | \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false + | \-\-disableCmake | | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled. | false + | \-\-disableArchive | | Sets whether the Archive Analyzer will be disabled. | false + | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   + | \-\-disableJar | | Sets whether the Jar Analyzer will be disabled. 
| false + | \-\-disableComposer | | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer will be disabled. | false + | \-\-disableCentral | | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false + | \-\-disableNexus | | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false + | \-\-nexus | \ | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   + | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | true + | \-\-disableNuspec | | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | false + | \-\-disableAssembly | | Sets whether or not the .NET Assembly Analyzer should be used. | false + | \-\-mono | \ | The path to Mono for .NET Assembly analysis on non-windows systems. |   + | \-\-bundleAudit | | The path to the bundle-audit executable. |   + | \-\-proxyserver | \ | The proxy server to use when downloading resources; see the [proxy configuration](../data/proxy.html) page for more information. |   + | \-\-proxyport | \ | The proxy port to use when downloading resources. |   + | \-\-connectiontimeout | \ | The connection timeout (in milliseconds) to use when downloading resources. |   + | \-\-proxypass | \ | The proxy password to use when downloading resources. |   + | \-\-proxyuser | \ | The proxy username to use when downloading resources. |   + | \-\-connectionString | \ | The connection string to the database. 
|   + | \-\-dbDriverName | \ | The database driver name. |   + | \-\-dbDriverPath | \ | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. |   + | \-\-dbPassword | \ | The password for connecting to the database. |   + | \-\-dbUser | \ | The username used to connect to the database. |   + \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. |   + | \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. |   diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index 692bf2eec..76da6f9fd 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -269,6 +269,11 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma */ @Parameter(property = "nodeAnalyzerEnabled", required = false) private Boolean nodeAnalyzerEnabled; + /** + * Sets whether or not the Node Security Project Analyzer should be used. + */ + @Parameter(property = "nspAnalyzerEnabled", required = false) + private Boolean nspAnalyzerEnabled; /** * Whether or not the .NET Assembly Analyzer is enabled. 
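Review bot: The Javadoc on the new `nspAnalyzerEnabled` parameter expands NSP as "Node Security Project", while the credits added to `jsonReport.vsl` in PATCH 07 call the same service the "Node Security Platform"; the site pages in this patch use "Project". Picking one expansion and using it in the Ant, CLI and Maven documentation avoids readers wondering whether these are two different services. The parameter Javadoc could also state that leaving it unset keeps the configured default, which is what `Settings.setBooleanIfNotNull` in the `@@ -929` hunk implies.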
@@ -929,6 +934,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+ Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
 Settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
 Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md
index 72168e591..565367dd9 100644
--- a/dependency-check-maven/src/site/markdown/configuration.md
+++ b/dependency-check-maven/src/site/markdown/configuration.md
@@ -56,6 +56,7 @@ cmakeAnalyzerEnabled | Sets whether the [experimental](../analyzers/ind
 autoconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true
 composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true
 nodeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used. | true
+nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true
 nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true
 cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true
 bundleAuditAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. | true
diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md
index 3cc0cc450..6d4237edb 100644
--- a/src/site/markdown/analyzers/index.md
+++ b/src/site/markdown/analyzers/index.md
@@ -9,6 +9,7 @@ to extract identification information from the files analyzed.
 | [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
 | [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
 | [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
+| [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
 | [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
 | [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
diff --git a/src/site/markdown/analyzers/nsp-analyzer b/src/site/markdown/analyzers/nsp-analyzer
new file mode 100644
index 000000000..d6c201397
--- /dev/null
+++ b/src/site/markdown/analyzers/nsp-analyzer
@@ -0,0 +1,16 @@
+Node.js Analyzer
+================
+
+OWASP dependency-check includes a [Node Security Project (NSP)](https://nodesecurity.io)
+analyzer that will scan `package.json` files. The analyzer will filter the given
+package.json down to a specific white-list of allowed entries and submit the data
+to the NSP for analysis.
+
+This analyzer is enabled by default and requires that the machine performing the
+analysis can reach out to the Internet.
+
+White-list of entries sent to NSP include: name, version, engine, dependencies,
+devDependencies, optionalDependencies, peerDependencies, bundleDependencies, and
+bundledDependencies
+
+Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json)
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
index 9268b9487..5549c6215 100644
--- a/src/site/markdown/dependency-check-gradle/configuration.md
+++ b/src/site/markdown/dependency-check-gradle/configuration.md
@@ -110,6 +110,7 @@ cmakeEnabled | Sets whether or not the [experimental](../analyzers/inde
 autoconfEnabled | Sets whether or not the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true
 composerEnabled | Sets whether or not the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true
 nodeEnabled | Sets whether or not the [experimental](../analyzers/index.html) Node.js Analyzer should be used. | true
+nspEnabled | Sets whether the NSP Analyzer should be used. | true
 cocoapodsEnabled | Sets whether or not the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true
 swiftEnabled | Sets whether or not the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. | true
 bundleAuditEnabled | Sets whether or not the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. | true
From 091108a369b45fddca200059c75dbdd0dec50dd8 Mon Sep 17 00:00:00 2001
From: Ander Ruiz
Date: Tue, 13 Jun 2017 09:10:13 +0200
Subject: [PATCH 09/35] Minor trace patch
---
 .../owasp/dependencycheck/data/update/nvd/DownloadTask.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
index f291afcd6..03a4309d2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
@@ -203,8 +203,8 @@ public class DownloadTask implements Callable> {
 * Attempts to delete the files that were downloaded.
 */
 public void cleanup() {
- if (first != null && first.exists() && first.delete()) {
- LOGGER.debug("Failed to delete first temporary file {}", second.toString());
+ if (first != null && first.exists() && !first.delete()) {
+ LOGGER.debug("Failed to delete first temporary file {}", first.toString());
 first.deleteOnExit();
 }
 if (second != null && second.exists() && !second.delete()) {
From 0075a7e1ce2eab3bf2e543f362e9303ea101f6e5 Mon Sep 17 00:00:00 2001
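Review bot: The corrected condition now logs only when `first.delete()` actually fails, but `File.delete()` returns a bare `false` with no reason, so the debug line can never say why the temporary file survived. If the project already targets Java 7 or later, `java.nio.file.Files.delete(first.toPath())` wrapped in a `try`/`catch (IOException ex)` that logs `ex` would carry the cause into the message while keeping the `deleteOnExit()` fallback; the `second` branch, of which only the condition is visible here, would want the same treatment. The `cleanup()` Javadoc could also mention that files which cannot be removed now are scheduled with `deleteOnExit()`. The rest of `cleanup()` is outside the hunk.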
From: Ander Ruiz
Date: Tue, 13 Jun 2017 09:10:39 +0200
Subject: [PATCH 10/35] Patch for bootclasspath loading
---
 .../analyzer/AbstractSuppressionAnalyzer.java | 4 ++--
 .../dependencycheck/analyzer/AssemblyAnalyzer.java | 8 ++++----
 .../owasp/dependencycheck/analyzer/HintAnalyzer.java | 4 ++--
 .../java/org/owasp/dependencycheck/data/cwe/CweDB.java | 3 ++-
 .../dependencycheck/data/nvdcve/ConnectionFactory.java | 5 +++--
 .../dependencycheck/reporting/ReportGenerator.java | 5 +++--
 .../owasp/dependencycheck/xml/hints/HintParser.java | 4 +++-
 .../xml/suppression/SuppressionParser.java | 4 +++-
 .../org/owasp/dependencycheck/utils/FileUtils.java | 10 ++++++++++
 .../java/org/owasp/dependencycheck/utils/Settings.java | 9 +++++++--
 10 files changed, 39 insertions(+), 17 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index b5a74171a..bc48e6412 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -107,7 +107,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 final SuppressionParser parser = new SuppressionParser();
 File file = null;
 try {
- final InputStream in = this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml");
+ final InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml");
 rules = parser.parseSuppressionRules(in);
 } catch (SAXException ex) {
 throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
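Review bot: The stream assigned on the new `final InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml");` line is never closed: it is handed to `parser.parseSuppressionRules(in)` and then dropped, unlike the `@@ -132` hunk of the same file where the same helper is used inside try-with-resources. The base file is a bundled resource so the leak is small, but `try (InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml")) { rules = parser.parseSuppressionRules(in); }` matches the sibling hunk and costs nothing. The same pattern appears in the HintAnalyzer hunk at `@@ -219`, where `parser.parseHints(FileUtils.getResourceAsStream(HINT_RULE_FILE_NAME))` is also never closed. What the helper returns for a missing resource is not shown here; the `@@ -132` hunk checks for `null`, so a `null` guard with a message naming the resource would be consistent before the parser dereferences it.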
@@ -132,7 +132,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 file = new File(suppressionFilePath);
 if (!file.exists()) {
- try (InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath)) {
+ try (InputStream suppressionsFromClasspath = FileUtils.getResourceAsStream(suppressionFilePath)) {
 if (suppressionsFromClasspath != null) {
 deleteTempFile = true;
 file = FileUtils.getTempFile("suppression", "xml");
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index f87cb425f..e161d7c22 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -30,6 +30,7 @@ import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -208,10 +209,9 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { throw new InitializationException("Unable to create temporary file for the assembly analyzer", ex); } try (FileOutputStream fos = new FileOutputStream(tempFile); - InputStream is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe"); - FileOutputStream fosCfg = new FileOutputStream(cfg); - InputStream isCfg = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe.config")) { - IOUtils.copy(is, fos); + InputStream is = FileUtils.getResourceAsStream("GrokAssembly.exe"); + FileOutputStream fosCfg = new FileOutputStream(cfg); + InputStream isCfg = FileUtils.getResourceAsStream("GrokAssembly.exe.config")) { grokAssemblyExe = tempFile; LOGGER.debug("Extracted GrokAssembly.exe to {}", grokAssemblyExe.getPath()); IOUtils.copy(isCfg, fosCfg); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java index 01a7dc699..29bf2a875 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java @@ -219,7 +219,7 @@ public class HintAnalyzer extends AbstractAnalyzer { final HintParser parser = new HintParser(); File file = null; try { - hints = parser.parseHints(this.getClass().getClassLoader().getResourceAsStream(HINT_RULE_FILE_NAME)); + hints = parser.parseHints(FileUtils.getResourceAsStream(HINT_RULE_FILE_NAME)); } catch (HintParseException | SAXException ex) { LOGGER.error("Unable to parse the base hint data file"); LOGGER.debug("Unable to parse the base hint data file", ex); 
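Review bot: The AssemblyAnalyzer hunk at @@ -208,10 +209,9 removes `IOUtils.copy(is, fos);` without re-adding it (four lines removed, three added, as the header counts confirm), so GrokAssembly.exe is opened but never written to `tempFile`; `grokAssemblyExe` then points at an empty file while the debug message still reports it as extracted. Re-add `IOUtils.copy(is, fos);` as the first statement of the try body, before `grokAssemblyExe = tempFile;`. Since `FileUtils.getResourceAsStream` returns null when a resource is missing, a null check on `is` and `isCfg` before the copies would turn the resulting NullPointerException into a descriptive InitializationException; the rest of the method lies outside the hunk.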
@@ -243,7 +243,7 @@ public class HintAnalyzer extends AbstractAnalyzer { } else { file = new File(filePath); if (!file.exists()) { - try (InputStream fromClasspath = this.getClass().getClassLoader().getResourceAsStream(filePath)) { + try (InputStream fromClasspath = FileUtils.getResourceAsStream(filePath)) { if (fromClasspath != null) { deleteTempFile = true; file = FileUtils.getTempFile("hint", "xml"); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java index 38aefd09e..69065e070 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java @@ -17,6 +17,7 @@ */ package org.owasp.dependencycheck.data.cwe; +import org.owasp.dependencycheck.utils.FileUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -55,7 +56,7 @@ public final class CweDB { */ private static Map loadData() { final String filePath = "data/cwe.hashmap.serialized"; - try (InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath); + try (InputStream input = FileUtils.getResourceAsStream(filePath); ObjectInputStream oin = new ObjectInputStream(input)) { final Map ret = (HashMap) oin.readObject(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java index 4402fd341..67d858d3e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java 
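Review bot: In the CweDB hunk at @@ -55 the stream from `FileUtils.getResourceAsStream(filePath)` goes straight into `new ObjectInputStream(input)` and `oin.readObject()`, and neither the old nor the new line records that this native deserialization is acceptable only because `data/cwe.hashmap.serialized` is the copy shipped with this jar. A comment above the try such as `// native deserialization: must only ever read the serialized CWE map bundled in this jar` would make that assumption visible to whoever next changes the lookup. When the resource is absent the helper returns null and `new ObjectInputStream(null)` fails with a NullPointerException rather than a message naming the missing resource; an `if (input == null)` check throwing a descriptive exception fits better, though the catch clauses lie outside the hunk.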
@@ -31,6 +31,7 @@ import org.apache.commons.io.IOUtils; import org.owasp.dependencycheck.utils.DBUtils; import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.DependencyVersionUtil; +import org.owasp.dependencycheck.utils.FileUtils; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -277,7 +278,7 @@ public final class ConnectionFactory { LOGGER.debug("Creating database structure"); InputStream is = null; try { - is = ConnectionFactory.class.getClassLoader().getResourceAsStream(DB_STRUCTURE_RESOURCE); + is = FileUtils.getResourceAsStream(DB_STRUCTURE_RESOURCE); final String dbStructure = IOUtils.toString(is, "UTF-8"); Statement statement = null; @@ -325,7 +326,7 @@ public final class ConnectionFactory { String updateFile = null; try { updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, currentDbVersion.toString()); - is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile); + is = FileUtils.getResourceAsStream(updateFile); if (is == null) { throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile)); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index c92d8c9f7..2d82f963e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java 
@@ -46,6 +46,7 @@ import org.owasp.dependencycheck.analyzer.Analyzer; import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.exception.ReportException; +import org.owasp.dependencycheck.utils.FileUtils; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -339,11 +340,11 @@ public class ReportGenerator { } } else { logTag = "templates/" + templateName + ".vsl"; - input = this.getClass().getClassLoader().getResourceAsStream(logTag); + input = FileUtils.getResourceAsStream(logTag); } if (input == null) { logTag = templateName; - input = this.getClass().getClassLoader().getResourceAsStream(templateName); + input = FileUtils.getResourceAsStream(templateName); } if (input == null) { throw new ReportException("Template file doesn't exist: " + logTag); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java index 58966d0f8..7f440049a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java @@ -26,6 +26,8 @@ import java.io.InputStreamReader; import java.io.Reader; import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParser; + +import org.owasp.dependencycheck.utils.FileUtils; import org.owasp.dependencycheck.utils.XmlUtils; import org.slf4j.Logger; 
@@ -120,7 +122,7 @@ public class HintParser { * @throws SAXException thrown if the XML cannot be parsed */ private Hints parseHints(InputStream inputStream, String schema) throws HintParseException, SAXException { - try (InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema)) { + try (InputStream schemaStream = FileUtils.getResourceAsStream(schema)) { final HintHandler handler = new HintHandler(); final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream); final XMLReader xmlReader = saxParser.getXMLReader(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java index 4ee98c82a..a2f039a07 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java @@ -27,6 +27,8 @@ import java.io.Reader; import java.util.List; import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParser; + +import org.owasp.dependencycheck.utils.FileUtils; import org.owasp.dependencycheck.utils.XmlUtils; import org.slf4j.Logger; @@ -104,7 +106,7 @@ public class SuppressionParser { * @throws SAXException thrown if the XML cannot be parsed */ private List parseSuppressionRules(InputStream inputStream, String schema) throws SuppressionParseException, SAXException { - try (InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema)) { + try (InputStream schemaStream = FileUtils.getResourceAsStream(schema)) { final SuppressionHandler handler = new SuppressionHandler(); final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream); final XMLReader xmlReader = saxParser.getXMLReader(); 
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java index 1ba099aca..b139e5b59 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java @@ -24,6 +24,7 @@ import org.slf4j.LoggerFactory; import java.io.File; import java.io.IOException; +import java.io.InputStream; import java.util.UUID; import org.apache.commons.lang3.SystemUtils; @@ -148,4 +149,13 @@ public final class FileUtils { } } } + + /** + * Gets the {@link InputStream} for this resource + * @param resource path + * @return + */ + public static InputStream getResourceAsStream(String resource) { + return FileUtils.class.getClassLoader()!=null?FileUtils.class.getClassLoader().getResourceAsStream(resource):ClassLoader.getSystemResourceAsStream(resource); + } } diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index da96ad1c6..cabc8a76b 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -29,6 +29,7 @@ import java.io.PrintWriter; import java.io.StringWriter; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; +import java.security.ProtectionDomain; import java.util.Enumeration; import java.util.Properties; 
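Review bot: The Javadoc added for `getResourceAsStream` in the FileUtils hunk at @@ -148 has an empty `@return` and a `@param resource path` that does not say what kind of path, and it leaves unstated the one contract every caller in this patch relies on: the method returns null when neither loader can find the resource. I would write `@param resource the class-path name of the resource, e.g. {@code "dependencycheck-base-suppression.xml"}`, `@return an input stream for the resource, or {@code null} if it cannot be found`, plus a sentence noting that the system class loader is used only when FileUtils itself was loaded by the bootstrap loader (i.e. {@code getClassLoader()} returns {@code null}). The body also calls `FileUtils.class.getClassLoader()` twice and has no spacing around operators; `final ClassLoader loader = FileUtils.class.getClassLoader();` followed by `return loader != null ? loader.getResourceAsStream(resource) : ClassLoader.getSystemResourceAsStream(resource);` is the same logic in the file's style.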
@@ -440,7 +441,7 @@ public final class Settings { */ private Settings(String propertiesFilePath) { props = new Properties(); - try (InputStream in = this.getClass().getClassLoader().getResourceAsStream(propertiesFilePath)) { + try (InputStream in = FileUtils.getResourceAsStream(propertiesFilePath)) { props.load(in); } catch (NullPointerException ex) { LOGGER.error("Did not find settings file '{}'.", propertiesFilePath); @@ -733,8 +734,12 @@ public final class Settings { * @return a File object */ private static File getJarPath() { - final String jarPath = Settings.class.getProtectionDomain().getCodeSource().getLocation().getPath(); String decodedPath = "."; + String jarPath = ""; + ProtectionDomain domain = Settings.class.getProtectionDomain(); + if(domain!=null&& domain.getCodeSource()!=null && domain.getCodeSource().getLocation()!=null) { + jarPath = Settings.class.getProtectionDomain().getCodeSource().getLocation().getPath(); + } try { decodedPath = URLDecoder.decode(jarPath, "UTF-8"); } catch (UnsupportedEncodingException ex) { From d1ac0de74045e38720750e7ffbfd9d944e9f722f Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 17 Jun 2017 21:19:23 -0400 Subject: [PATCH 11/35] updates and add deploy --- .travis.settings.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++ .travis.yml | 21 +++++++++++++++++ pom.xml | 10 ++++---- 3 files changed, 82 insertions(+), 5 deletions(-) create mode 100644 .travis.settings.xml diff --git a/.travis.settings.xml b/.travis.settings.xml new file mode 100644 index 000000000..a49554469 --- /dev/null +++ b/.travis.settings.xml 
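Review bot: In the Settings hunk at @@ -733 the new default `String jarPath = "";` defeats the `decodedPath = "."` fallback on the line above: when the protection domain, code source or location is null, `URLDecoder.decode("", "UTF-8")` returns an empty string and overwrites `"."`, so the caller presumably ends up with `new File("")` instead of the current directory (the rest of the method is outside the hunk). Initialising with `String jarPath = ".";` keeps the intended fallback. The guard also fetches `domain` and then ignores it, re-evaluating `Settings.class.getProtectionDomain().getCodeSource().getLocation()`; `jarPath = domain.getCodeSource().getLocation().getPath();` is what the null checks were written for, and the local can be `final`. A spacing pass (`if (domain != null && ...`) would match the surrounding code.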
@@ -0,0 +1,56 @@ + + + + + ${env.JFROG_USER} + ${env.JFROG_PASSWORD} + release + + + ${env.JFROG_USER} + ${env.JFROG_PASSWORD} + snapshot + + + + + + + + false + + release + libs-release + https://dependencycheck.jfrog.io/dependencycheck/libs-release + + + + snapshot + libs-snapshot + https://dependencycheck.jfrog.io/dependencycheck/libs-snapshot + + + + + + false + + release + plugins-release + https://dependencycheck.jfrog.io/dependencycheck/plugins-release + + + + snapshot + plugins-snapshot + https://dependencycheck.jfrog.io/dependencycheck/plugins-snapshot + + + artifactory + + + + artifactory + + diff --git a/.travis.yml b/.travis.yml index ea4ed6220..6e85a39c2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,6 +6,9 @@ env: global: - secure: ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs= - secure: pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A= + - secure: GgpxZNu8kY4fmn/5+NismK0bLgcBhowBuQmpjcOUti/MCCa0yurKdTnELQxYWaufokq1+XgyHwnPfpLaQbSlW/eOcu6D1sfyqZvtK6DMkyO7DWX1s5PXizdHIugh51HmlwQAhnlT5ka8aJam0qtPlUdFhe9tuXjZw6VEbUnxq2Q= + - secure: P1iVppoVvH+tdhgdyaON7BNAUvI7ocUECKJ2q6IYn9kLXOXhcym4vz2z3gA+aEQAeB5QUn1mPrl6/i0BWV7O6NgyZijE01Hu42QU5UuBbuUSoyedF9vWEC21n9LiEZtK2H9SMNUUknX2IZwZAZzYcnPfZtURS85KDdE50VxEVA8= + - secure: Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc= before_install: - wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar 
@@ -13,3 +16,21 @@ before_install: after_success: - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml - ./coverity_scan.sh + +deploy: + provider: script + script: "mvn --settings .travis.settings.xml mvn deploy" + skip_cleanup: true + on: + branch: master +# tags: true + +deploy: + provider: pages + skip_cleanup: true + local_dir: target + github_token: $GITHUB_TOKEN + on: + tags: true + branch: master + \ No newline at end of file diff --git a/pom.xml b/pom.xml index 6601a294b..f988652b4 100644 --- a/pom.xml +++ b/pom.xml @@ -135,12 +135,12 @@ Copyright (c) 2012 - Jeremy Long - ossrh - https://oss.sonatype.org/content/repositories/snapshots + snapshot + https://dependencycheck.jfrog.io/dependencycheck/libs-snapshot - ossrh - https://oss.sonatype.org/service/local/staging/deploy/maven2/ + release + https://dependencycheck.jfrog.io/dependencycheck/libs-release gh-pages @@ -535,7 +535,7 @@ Copyright (c) 2012 - Jeremy Long 2.10.4 false - Copyright© 2012-15 Jeremy Long. All Rights Reserved. + Copyright© 2012-17 Jeremy Long. All Rights Reserved. From c748d591465f4680500208242c564b71c8c83f78 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 06:25:04 -0400 Subject: [PATCH 12/35] minor fix to javadoc --- .../owasp/dependencycheck/agent/DependencyCheckScanAgent.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java index e63c51214..22f5e0f62 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java 
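Review bot: The .travis.yml hunk at @@ -13,3 +16,21 adds two top-level `deploy:` keys to the same mapping; YAML keys must be unique and parsers typically keep the last one, so the `provider: script` entry that pushes artifacts would silently never run. Travis's form for several deployments is a single `deploy:` key holding a list of `- provider: …` entries. The script value itself, `mvn --settings .travis.settings.xml mvn deploy`, repeats `mvn`, which Maven would try to resolve as a phase or goal named `mvn`. Later patches in this series change both lines, so only this commit's history is affected.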
@@ -837,7 +837,7 @@ public class DependencyCheckScanAgent { * * @param engine a dependency-check engine * @param outDirectory the directory to write the reports to - * @throw ScanAgentException thrown if there is an error generating the + * @throws ScanAgentException thrown if there is an error generating the * report */ private void generateExternalReports(Engine engine, File outDirectory) throws ScanAgentException { From a13c6fcb253ba00843c7527496ef10b64c57269c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 06:36:38 -0400 Subject: [PATCH 13/35] updated deployment for staging and gh-pages --- .travis.yml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/.travis.yml b/.travis.yml index 6e85a39c2..ae13ce84a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,8 @@ +sudo: false language: java jdk: oraclejdk7 -script: mvn install -DreleaseTesting +script: + - if [ ! -z "$TRAVIS_TAG" ]; then mvn install site site:stage -DreleaseTesting; else mvn install -DreleaseTesting; fi env: global: @@ -18,19 +20,16 @@ after_success: - ./coverity_scan.sh deploy: - provider: script - script: "mvn --settings .travis.settings.xml mvn deploy" - skip_cleanup: true - on: - branch: master -# tags: true - -deploy: - provider: pages - skip_cleanup: true - local_dir: target - github_token: $GITHUB_TOKEN - on: - tags: true - branch: master + - provider: script + script: "mvn --settings .travis.settings.xml mvn deploy" + skip_cleanup: true + on: + branch: master + - provider: pages + skip_cleanup: true + local_dir: target/staging + github_token: $GITHUB_TOKEN + on: + tags: true + branch: master \ No newline at end of file From 2e35c5bcabf00ba8091abdbc5d3bf4e2905f3aff Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 07:01:13 -0400 Subject: [PATCH 14/35] minor build cleanup --- .travis.yml | 3 +-- pom.xml | 15 +++++---------- 2 files changed, 6 insertions(+), 12 deletions(-) 
diff --git a/.travis.yml b/.travis.yml index ae13ce84a..1405fefe6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,8 +1,7 @@ -sudo: false language: java jdk: oraclejdk7 script: - - if [ ! -z "$TRAVIS_TAG" ]; then mvn install site site:stage -DreleaseTesting; else mvn install -DreleaseTesting; fi + - if [ ! -z "$TRAVIS_TAG" ]; then mvn install source:jar javadoc:jar site site:stage -DreleaseTesting; else mvn install -DreleaseTesting; fi env: global: diff --git a/pom.xml b/pom.xml index f988652b4..008cf527e 100644 --- a/pom.xml +++ b/pom.xml @@ -363,13 +363,6 @@ Copyright (c) 2012 - Jeremy Long - - org.apache.maven.plugins - maven-release-plugin - - release - - org.apache.maven.plugins maven-resources-plugin @@ -422,9 +415,11 @@ Copyright (c) 2012 - Jeremy Long - - - + + + + + From 936830084e81da1177dc59e0f8b6c111358701bf Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 07:36:00 -0400 Subject: [PATCH 15/35] removed release profile --- pom.xml | 134 +++++++++++++++++++------------------------------------- 1 file changed, 44 insertions(+), 90 deletions(-) diff --git a/pom.xml b/pom.xml index 008cf527e..226d1bed2 100644 --- a/pom.xml +++ b/pom.xml @@ -189,6 +189,11 @@ Copyright (c) 2012 - Jeremy Long maven-enforcer-plugin 1.4.1 + + org.codehaus.mojo + animal-sniffer-maven-plugin + 1.15 + org.apache.maven.plugins maven-deploy-plugin @@ -276,6 +281,45 @@ Copyright (c) 2012 - Jeremy Long + + org.apache.maven.plugins + maven-enforcer-plugin + + + enforce-java + + enforce + + + + + 1.7.0 + + + + + + + + org.codehaus.mojo + animal-sniffer-maven-plugin + + + signature-check + verify + + check + + + + + + org.codehaus.mojo.signature + java17 + 1.0 + + + org.jacoco jacoco-maven-plugin 
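Review bot: The pom.xml hunk at @@ -276 pins the `org.codehaus.mojo.signature:java17` signature at `1.0`, while the release profile deleted in the next hunk (@@ -427) had it at `1.1`; this reads as an unintended downgrade while moving the plugin into the main build, and the XML element names are not visible on this page, so confirm against the file. The deleted profile also bound maven-source-plugin, maven-javadoc-plugin and maven-gpg-plugin `sign-artifacts`, and only enforcer and animal-sniffer are re-added here, so artifacts pushed by the new Travis deploy step would, as far as this page shows, be published unsigned. If dropping signing is intended, a comment in the pom or the commit message should say so; if not, the gpg execution needs to come back in the build or in the deploy invocation.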
@@ -427,96 +471,6 @@ Copyright (c) 2012 - Jeremy Long - - - release - - false - - - - - org.apache.maven.plugins - maven-enforcer-plugin - 1.4.1 - - - enforce-java - - enforce - - - - - 1.7.0 - - - - - - - - org.codehaus.mojo - animal-sniffer-maven-plugin - 1.15 - - - signature-check - verify - - check - - - - - - org.codehaus.mojo.signature - java17 - 1.1 - - - - - org.apache.maven.plugins - maven-source-plugin - - - attach-sources - - jar-no-fork - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - - - attach-javadocs - - jar - - - - - - org.apache.maven.plugins - maven-gpg-plugin - - - sign-artifacts - verify - - sign - - - - - - - - From f219cb69d43e359e43243b17cf96969eb8101804 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 10:19:25 -0400 Subject: [PATCH 16/35] increase build time --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 1405fefe6..1edd773a1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ language: java jdk: oraclejdk7 script: - - if [ ! -z "$TRAVIS_TAG" ]; then mvn install source:jar javadoc:jar site site:stage -DreleaseTesting; else mvn install -DreleaseTesting; fi + - travis_wait 30 if [ ! -z "$TRAVIS_TAG" ]; then mvn install source:jar javadoc:jar site site:stage -DreleaseTesting; else mvn install -DreleaseTesting; fi env: global: From aed980f79d1a5d819cccacbfa5fd59a03f06507b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 10:32:47 -0400 Subject: [PATCH 17/35] fix build script for travis wait --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 1edd773a1..134313c1c 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,7 +1,7 @@ language: java jdk: oraclejdk7 script: - - travis_wait 30 if [ ! -z "$TRAVIS_TAG" ]; then mvn install source:jar javadoc:jar site site:stage -DreleaseTesting; else mvn install -DreleaseTesting; fi + - if [ ! -z "$TRAVIS_TAG" ]; then travis_wait 30 mvn install source:jar javadoc:jar site site:stage -DreleaseTesting; else travis_wait 30 mvn install -DreleaseTesting; fi env: global: From 9f52bf5dc95f07f93ea287b8c629b5b0c819fdbb Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 11:45:14 -0400 Subject: [PATCH 18/35] fixed deploy script --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 134313c1c..bf40bec6d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -20,7 +20,7 @@ after_success: deploy: - provider: script - script: "mvn --settings .travis.settings.xml mvn deploy" + script: "mvn --settings .travis.settings.xml deploy" skip_cleanup: true on: branch: master From d56f452f3165624a09bc8713b0b860c722db21ef Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 13:30:11 -0400 Subject: [PATCH 19/35] continued debugging --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index bf40bec6d..ecdef3462 100644 --- a/.travis.yml +++ b/.travis.yml @@ -20,7 +20,7 @@ after_success: deploy: - provider: script - script: "mvn --settings .travis.settings.xml deploy" + script: mvn --settings .travis.settings.xml -X deploy skip_cleanup: true on: branch: master From 99828b5cb3b9fdef9712a6324154b6d52e280a03 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 14:26:33 -0400 Subject: [PATCH 20/35] updated jfrog credentials --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index ecdef3462..34539ceeb 100644 --- a/.travis.yml +++ b/.travis.yml 
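Review bot: The PATCH 19 hunk at @@ -20 puts `-X` into the deploy command, `mvn --settings .travis.settings.xml -X deploy`, which runs on every push to master with `.travis.settings.xml` injecting `${env.JFROG_USER}` and `${env.JFROG_PASSWORD}`. Maven debug output is verbose and may dump resolved plugin configuration and repository details, and a public CI log is a poor place for it; Travis redacts only values that appear verbatim. The commit message says this is for debugging, so a trailing comment such as `# -X is temporary: remove once the jfrog deploy is diagnosed` would at least mark it; PATCH 23 later in this series drops the flag.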
@@ -7,8 +7,8 @@ env: global: - secure: ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs= - secure: pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A= - - secure: GgpxZNu8kY4fmn/5+NismK0bLgcBhowBuQmpjcOUti/MCCa0yurKdTnELQxYWaufokq1+XgyHwnPfpLaQbSlW/eOcu6D1sfyqZvtK6DMkyO7DWX1s5PXizdHIugh51HmlwQAhnlT5ka8aJam0qtPlUdFhe9tuXjZw6VEbUnxq2Q= - - secure: P1iVppoVvH+tdhgdyaON7BNAUvI7ocUECKJ2q6IYn9kLXOXhcym4vz2z3gA+aEQAeB5QUn1mPrl6/i0BWV7O6NgyZijE01Hu42QU5UuBbuUSoyedF9vWEC21n9LiEZtK2H9SMNUUknX2IZwZAZzYcnPfZtURS85KDdE50VxEVA8= + - secure: Xkeo8OXzlLE5lmcRlkmlO8fbZqyxdzxF/yOZJVa7wfENU60LNkqGj3H8RcxVEwFRLYVe0PHu1MbDQdPrLe61Kt1z2Xr2oG1qNAUF5vySzvNbAycYbrW6L2lfHD21WWMVSBgQb8RXW8PhWTjucO6sVTyk6IpcIvrP8AEzjeHWIZI= + - secure: eHvhfklQU9n95JiJLfwAOsVj7QOYgLljhUyR7cJO0uT6U/CT86bFxpxwKVlUGPQof+l+a99vWHXBq/4MD5IeoaM5ioDvwm++x8W1IhD7LHHEVLD4dYHsRieNYFzXv9E4femSmZCl+xOA0/DyXDOHpEZD56U+N7GjVB5Sbzo3fNM= - secure: Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc= before_install: From f257388108e8da2ecf0005fe7b27b5e9f074adb4 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 14:34:16 -0400 Subject: [PATCH 21/35] corrected distribution management section to point to the correct repository --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 226d1bed2..1dfb4f0ea 100644 --- a/pom.xml +++ b/pom.xml 
@@ -136,11 +136,11 @@ Copyright (c) 2012 - Jeremy Long snapshot - https://dependencycheck.jfrog.io/dependencycheck/libs-snapshot + https://dependencycheck.jfrog.io/dependencycheck/libs-snapshot-local release - https://dependencycheck.jfrog.io/dependencycheck/libs-release + https://dependencycheck.jfrog.io/dependencycheck/libs-release-local gh-pages From fec08780912b05fde9575f1297a94681e37f4bc3 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 14:57:35 -0400 Subject: [PATCH 22/35] updated credentials --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 34539ceeb..ecdef3462 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -7,8 +7,8 @@ env: global: - secure: ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs= - secure: pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A= - - secure: Xkeo8OXzlLE5lmcRlkmlO8fbZqyxdzxF/yOZJVa7wfENU60LNkqGj3H8RcxVEwFRLYVe0PHu1MbDQdPrLe61Kt1z2Xr2oG1qNAUF5vySzvNbAycYbrW6L2lfHD21WWMVSBgQb8RXW8PhWTjucO6sVTyk6IpcIvrP8AEzjeHWIZI= - - secure: eHvhfklQU9n95JiJLfwAOsVj7QOYgLljhUyR7cJO0uT6U/CT86bFxpxwKVlUGPQof+l+a99vWHXBq/4MD5IeoaM5ioDvwm++x8W1IhD7LHHEVLD4dYHsRieNYFzXv9E4femSmZCl+xOA0/DyXDOHpEZD56U+N7GjVB5Sbzo3fNM= + - secure: GgpxZNu8kY4fmn/5+NismK0bLgcBhowBuQmpjcOUti/MCCa0yurKdTnELQxYWaufokq1+XgyHwnPfpLaQbSlW/eOcu6D1sfyqZvtK6DMkyO7DWX1s5PXizdHIugh51HmlwQAhnlT5ka8aJam0qtPlUdFhe9tuXjZw6VEbUnxq2Q= + - secure: P1iVppoVvH+tdhgdyaON7BNAUvI7ocUECKJ2q6IYn9kLXOXhcym4vz2z3gA+aEQAeB5QUn1mPrl6/i0BWV7O6NgyZijE01Hu42QU5UuBbuUSoyedF9vWEC21n9LiEZtK2H9SMNUUknX2IZwZAZzYcnPfZtURS85KDdE50VxEVA8= - secure: Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc= before_install: From 74fbaeefbf5e5e6a1c086b9a69cdbd89b6ec1293 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 15:32:52 -0400 Subject: [PATCH 23/35] updated credentials --- .travis.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index ecdef3462..2070ffa67 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,14 +1,14 @@ language: java jdk: oraclejdk7 script: - - if [ ! -z "$TRAVIS_TAG" ]; then travis_wait 30 mvn install source:jar javadoc:jar site site:stage -DreleaseTesting; else travis_wait 30 mvn install -DreleaseTesting; fi + - if [ ! -z "$TRAVIS_TAG" ]; then travis_wait 20 mvn install site site:stage -DreleaseTesting; else travis_wait 15 mvn install -DreleaseTesting; fi env: global: - secure: ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs= - secure: pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A= - - secure: GgpxZNu8kY4fmn/5+NismK0bLgcBhowBuQmpjcOUti/MCCa0yurKdTnELQxYWaufokq1+XgyHwnPfpLaQbSlW/eOcu6D1sfyqZvtK6DMkyO7DWX1s5PXizdHIugh51HmlwQAhnlT5ka8aJam0qtPlUdFhe9tuXjZw6VEbUnxq2Q= - - secure: P1iVppoVvH+tdhgdyaON7BNAUvI7ocUECKJ2q6IYn9kLXOXhcym4vz2z3gA+aEQAeB5QUn1mPrl6/i0BWV7O6NgyZijE01Hu42QU5UuBbuUSoyedF9vWEC21n9LiEZtK2H9SMNUUknX2IZwZAZzYcnPfZtURS85KDdE50VxEVA8= + - secure: POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0= + - secure: PenNjCgxC86fIqhPQvY2O0yNfknXpsLWVH0EX0gtnR6iHJVCtrTO/RNkizcEYQtTNzfUfdw4C6cyL3Et0hF6pN64Q+4yhYsZF7W04A80sGvPkQD375cUAkMcIaf6pQImm1nhdtwtFBhW1kCGOLPpvTr0/f/HtrgGyX38T0nYXlI= - secure: Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc= before_install: @@ -20,7 +20,7 @@ after_success: deploy: - provider: script - script: mvn --settings .travis.settings.xml -X deploy + script: mvn --settings .travis.settings.xml source:jar javadoc:jar deploy -DskipTests=true skip_cleanup: true on: branch: master 
From 74dd1e63599b6b1b2ec7c2d400d0562c4513af24 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 15:48:08 -0400 Subject: [PATCH 24/35] updated credentials --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 2070ffa67..48e61e6eb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,7 +8,7 @@ env: - secure: ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs= - secure: pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A= - secure: POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0= - - secure: PenNjCgxC86fIqhPQvY2O0yNfknXpsLWVH0EX0gtnR6iHJVCtrTO/RNkizcEYQtTNzfUfdw4C6cyL3Et0hF6pN64Q+4yhYsZF7W04A80sGvPkQD375cUAkMcIaf6pQImm1nhdtwtFBhW1kCGOLPpvTr0/f/HtrgGyX38T0nYXlI= + - secure: gdlR5D/aDP9fgMubqu2KWBcF5hp7dzkrbo8zYzXr4IVK4acx6kcD5XbeNvVVYYyRT13HXfPgP8I1Z/u/fG6nDs4Js7mPASecxUtY3A7WmMCSq1RCYGa3QJH6OoJQq119zIMr5W6cijMWmaDgz8Ofmy3OG3SKdGwnQcpDzOOxZKc= - secure: Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc= before_install: From 9c52ffc48f578c8d0d874734e99f2d9871c1e000 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 18 Jun 2017 16:03:08 -0400 Subject: [PATCH 25/35] fix encrypted setting --- .travis.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.travis.yml b/.travis.yml index 48e61e6eb..3984de9d5 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -5,11 +5,11 @@ script:
 env:
 global:
- - secure: ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs=
- - secure: pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A=
- - secure: POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0=
- - secure: gdlR5D/aDP9fgMubqu2KWBcF5hp7dzkrbo8zYzXr4IVK4acx6kcD5XbeNvVVYYyRT13HXfPgP8I1Z/u/fG6nDs4Js7mPASecxUtY3A7WmMCSq1RCYGa3QJH6OoJQq119zIMr5W6cijMWmaDgz8Ofmy3OG3SKdGwnQcpDzOOxZKc=
- - secure: Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc=
+ - secure: "ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs="
+ - secure: "pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A="
+ - secure: "POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0="
+ - secure: "a1XE1i2T9MFfxF3wieKboOSEyT2XGzwTBigEkTT4inwjOUJiH6CICBymPBf0uMHp+RsMFGe88Jf+2UfKElsg1IgYiu2dmE+s1bKxpL/xrs8mvpLu4oe+/5J952A+A61xFbTfjftFiamkVW/yTK0mVKiQUnC/j8IIGak3MqasM+o="
+ - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
 before_install:
 - wget -O ~/codacy-coverage-reporter-assembly.jar
https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar
From 8b2c6d69183e929cd2795f06ce8e01c414485c9a Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 18 Jun 2017 16:05:52 -0400
Subject: [PATCH 26/35] fix encrypted setting
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 3984de9d5..efee1dda5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,7 +8,7 @@ env:
 - secure: "ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs="
 - secure: "pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A="
 - secure: "POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0="
- - secure: "a1XE1i2T9MFfxF3wieKboOSEyT2XGzwTBigEkTT4inwjOUJiH6CICBymPBf0uMHp+RsMFGe88Jf+2UfKElsg1IgYiu2dmE+s1bKxpL/xrs8mvpLu4oe+/5J952A+A61xFbTfjftFiamkVW/yTK0mVKiQUnC/j8IIGak3MqasM+o="
+ - secure: "CuxNw1fSw7gT8Wb4woAA0PrePs6Sn08SaATu0iSOt/HS8T9HfDAeIVHE+8RqT2/LM9b3XBEA2oPd1vXN7D9Tn6R3LUNOmiLjG6ZhDKAMV6d7RSELHnF3876BshEDESn4BNoWpYaEgRtn+uUdwRmceWE6d8fHOJy/c59rNe5OZAU="
 - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
 before_install:
From 31463597ef0bbf6923f771216f0bde49dcfdb2ea Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 18 Jun 2017 16:10:56 -0400
Subject: [PATCH 27/35] fix encrypted setting
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index efee1dda5..f6b3d6c84 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,7 +8,7 @@ env:
 - secure: "ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs="
 - secure: "pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A="
 - secure: "POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0="
- - secure: "CuxNw1fSw7gT8Wb4woAA0PrePs6Sn08SaATu0iSOt/HS8T9HfDAeIVHE+8RqT2/LM9b3XBEA2oPd1vXN7D9Tn6R3LUNOmiLjG6ZhDKAMV6d7RSELHnF3876BshEDESn4BNoWpYaEgRtn+uUdwRmceWE6d8fHOJy/c59rNe5OZAU="
+ - secure: "fx/AOre3VzFxWAKTSoV6OQmcSAno1c5kCECBE7PxaqR/a1FdqCQzrgk+BinGV2wNDRHbVtmmxpcB7ic2CQQaQyyxatj4zozXO/7RQc8aS3BwNd1gbagMi1tlyvcc9zWftyMqdOvamIJnacFYSdw1l7cxfkzNMRFG692SZCNIs44="
 - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
 before_install:
From 37ea0bf05b12ed247e8e35c223e7e5de2e532ca1 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 18 Jun 2017 16:13:34 -0400
Subject: [PATCH 28/35] fix encrypted setting
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index f6b3d6c84..2354e7f8b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,7 +8,7 @@ env:
 - secure: "ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs="
 - secure: "pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A="
 - secure: "POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0="
- - secure: "fx/AOre3VzFxWAKTSoV6OQmcSAno1c5kCECBE7PxaqR/a1FdqCQzrgk+BinGV2wNDRHbVtmmxpcB7ic2CQQaQyyxatj4zozXO/7RQc8aS3BwNd1gbagMi1tlyvcc9zWftyMqdOvamIJnacFYSdw1l7cxfkzNMRFG692SZCNIs44="
+ - secure: "Ss7ERZfcgaH8m/11pWqmFfRCQpvEjnVHrz6dRIhsFo0AEp+ZDY9iWyfTn8mkjS97xk6V5NhZvqfqJ06MJMEHIbBcziaZu8n9AkBqtNUMkMAwcFtOK8wExJlHaNZ/HijZnWbz22ATNwDtpIfmf7KTsqk0rYCaL1aRogyv6C12MTc="
 - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
 before_install:
From 4f4e734eeec9ff01a972ff4bb9c653a691e4d5a6 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 18 Jun 2017 16:15:50 -0400
Subject: [PATCH 29/35] fix encrypted setting
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 2354e7f8b..c348421a3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,7 +8,7 @@ env:
 - secure: "ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs="
 - secure: "pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A="
 - secure: "POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0="
- - secure: "Ss7ERZfcgaH8m/11pWqmFfRCQpvEjnVHrz6dRIhsFo0AEp+ZDY9iWyfTn8mkjS97xk6V5NhZvqfqJ06MJMEHIbBcziaZu8n9AkBqtNUMkMAwcFtOK8wExJlHaNZ/HijZnWbz22ATNwDtpIfmf7KTsqk0rYCaL1aRogyv6C12MTc="
+ - secure: "dgWpUwVKsW6e5sjVKnNfyHjri4cpgSEO2SqS6Udo12F0fuwnTXWciCjOz+L9UVnd4cV0DKHRbU592syZDeexCfPJIOIFS8n5VUOC3Cs86NzJ4Aw1sy2yBoEyOJrzc+5GbSrWC/+7wGUhv5PPMEgFgEIbkJ4UalbLpKjQVloK6PA="
 - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
 before_install:
From d0bfe114f6523b566d8d34be5dce02e43ac29d21 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 18 Jun 2017 20:26:35 -0400
Subject: [PATCH 30/35] fix encrypted setting
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index c348421a3..c14a22a1f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,7 +7,7 @@ env:
 global:
 - secure: "ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs="
 - secure: "pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A="
- - secure: "POs1Icgp59RdhkzzCdDwVeAk+rUC2Vz0PeFw0lDZgSZ5oTHVQfS7GO3BjLSUUJOoD+ZZy/rQo8AeqgcVAtAzrx1SlDsf45EFY2VuZ4bXNe0Hw8sfA3TNyhiI2DrUXkNL0L3uReytqwbH32tza6RFgK4n920BI6hruu1Yjwz1TS0="
+ - secure: "omj5HP2wKdegLYp8/a24Wsoryb92+XYWheEkxp7CzHGDJB1Y4SSr315n/na/mdgd7lr1Ac+m4stYfCrclG7be71xWs6ApF+6I5QSzplJ1fyIF5piHrmhgw6ymIf/HBdeevggJM8igD8agCOwEETYFKfPEj5wFWhNQfxYwANbpl0="
 - secure: "dgWpUwVKsW6e5sjVKnNfyHjri4cpgSEO2SqS6Udo12F0fuwnTXWciCjOz+L9UVnd4cV0DKHRbU592syZDeexCfPJIOIFS8n5VUOC3Cs86NzJ4Aw1sy2yBoEyOJrzc+5GbSrWC/+7wGUhv5PPMEgFgEIbkJ4UalbLpKjQVloK6PA="
 - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
From b0cf555b6e6f34a4e9b70f1e4654da28925d6195 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sun, 18 Jun 2017 20:56:33 -0400
Subject: [PATCH 31/35] fix encrypted setting
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index c14a22a1f..058666f35 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,7 +8,7 @@ env:
 - secure: "ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs="
 - secure: "pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A="
 - secure: "omj5HP2wKdegLYp8/a24Wsoryb92+XYWheEkxp7CzHGDJB1Y4SSr315n/na/mdgd7lr1Ac+m4stYfCrclG7be71xWs6ApF+6I5QSzplJ1fyIF5piHrmhgw6ymIf/HBdeevggJM8igD8agCOwEETYFKfPEj5wFWhNQfxYwANbpl0="
- - secure: "dgWpUwVKsW6e5sjVKnNfyHjri4cpgSEO2SqS6Udo12F0fuwnTXWciCjOz+L9UVnd4cV0DKHRbU592syZDeexCfPJIOIFS8n5VUOC3Cs86NzJ4Aw1sy2yBoEyOJrzc+5GbSrWC/+7wGUhv5PPMEgFgEIbkJ4UalbLpKjQVloK6PA="
+ - secure: "FqPcda7a6rEvGVYEyWeaFP+mIhZeJ6FGSdHvVRlBL0H9I3bz6eZg50g6DH3yo1bkmTPQ94eXdDpoKihk9+CDLl0TS+Sg9W8HplG3B2U1/6Yi3vd0T8yjKZC7xf0VZO6t8AT9vpFvzQBRZe24n+6kDtp2OiBzawJhgU5t09zH6is="
 - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
 before_install:
From 65ad53f59e8b144e7cd22fe76590ce2b54b608fe Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 19 Jun 2017 05:51:12 -0400
Subject: [PATCH 32/35] trimmed build time tasks temporarily while debugging artifactory integration
---
 .travis.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 058666f35..22bd39d29 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,8 @@
 language: java
 jdk: oraclejdk7
 script:
- - if [ ! -z "$TRAVIS_TAG" ]; then travis_wait 20 mvn install site site:stage -DreleaseTesting; else travis_wait 15 mvn install -DreleaseTesting; fi
+ - mvn package -DskipTests=true
+# if [ ! -z "$TRAVIS_TAG" ]; then travis_wait 20 mvn install site site:stage -DreleaseTesting; else travis_wait 15 mvn install -DreleaseTesting; fi
 env:
 global:
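Review bot: With `script:` reduced to `- mvn package -DskipTests=true`, the `deploy:` step that this commit leaves untouched (`mvn --settings .travis.settings.xml source:jar javadoc:jar deploy -DskipTests=true` on `branch: master`, as shown in the deploy hunk of the earlier .travis.yml commit) publishes artifacts that no test has run against; the deploy's own `-DskipTests=true` only made sense while `mvn install` in the script had already tested them. For a debugging build the safe form is to comment out the `deploy:` block alongside the Codacy and Coverity steps disabled in the next hunk, or to keep `mvn install` (tests included) as the script. The subject calls this temporary and PATCH 33 restores the original script, so the untested-publish window is limited to master pushes in between, but a comment saying so, e.g. `# TEMP: tests disabled while debugging artifactory; do not merge with deploy enabled`, would stop it from being copied later.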
@@ -12,11 +13,11 @@ env:
 - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
 before_install:
- - wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar
+# - wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar
 after_success:
- - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml
- - ./coverity_scan.sh
+# - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml
+# - ./coverity_scan.sh
 deploy:
 - provider: script
From dacf493a949838fa7a0b12a82b5ae4272561e492 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 19 Jun 2017 06:13:33 -0400
Subject: [PATCH 33/35] fixed ci build/deploy
---
 .travis.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 22bd39d29..058666f35 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,8 +1,7 @@
 language: java
 jdk: oraclejdk7
 script:
- - mvn package -DskipTests=true
-# if [ ! -z "$TRAVIS_TAG" ]; then travis_wait 20 mvn install site site:stage -DreleaseTesting; else travis_wait 15 mvn install -DreleaseTesting; fi
+ - if [ ! -z "$TRAVIS_TAG" ]; then travis_wait 20 mvn install site site:stage -DreleaseTesting; else travis_wait 15 mvn install -DreleaseTesting; fi
 env:
 global:
@@ -13,11 +12,11 @@ env:
 - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
 before_install:
-# - wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar
+ - wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar
 after_success:
-# - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml
-# - ./coverity_scan.sh
+ - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml
+ - ./coverity_scan.sh
 deploy:
 - provider: script
From 7ccfee73bc17a8960d65c21d498ce54488cbe13f Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 19 Jun 2017 06:41:34 -0400
Subject: [PATCH 34/35] minor formating updatae
---
 .../java/org/owasp/dependencycheck/utils/FileUtils.java | 7 +++++--
 .../java/org/owasp/dependencycheck/utils/Settings.java | 7 ++++---
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
index b139e5b59..b4a898192 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
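Review bot: The restored `before_install` line fetches `codacy-coverage-reporter-1.0.13-assembly.jar` with `wget` and `after_success` then executes it via `java -cp`, with no integrity check in between; pinning the version fixes which file is requested, not which bytes arrive. Adding `- echo "<EXPECTED_SHA256>  $HOME/codacy-coverage-reporter-assembly.jar" | sha256sum -c -` directly after the `wget` (placeholder for the published digest of that release) makes the job fail closed on a tampered or truncated download instead of running it. The same consideration applies to `./coverity_scan.sh`, whose contents are not in this diff.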
@@ -149,13 +149,16 @@ public final class FileUtils {
 }
 }
 }
-
+
 /**
 * Gets the {@link InputStream} for this resource
+ *
 * @param resource path
 * @return
 */
 public static InputStream getResourceAsStream(String resource) {
- return FileUtils.class.getClassLoader()!=null?FileUtils.class.getClassLoader().getResourceAsStream(resource):ClassLoader.getSystemResourceAsStream(resource);
+ return FileUtils.class.getClassLoader() != null
+ ? FileUtils.class.getClassLoader().getResourceAsStream(resource)
+ : ClassLoader.getSystemResourceAsStream(resource);
 }
 }
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 49dd34b43..a2f142479 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -260,7 +260,8 @@ public final class Settings {
 */
 public static final String ANALYZER_NODE_PACKAGE_ENABLED = "analyzer.node.package.enabled";
 /**
- * The properties key for whether the Node Security Platform (nsp) analyzer is enabled.
+ * The properties key for whether the Node Security Platform (nsp)
+ * analyzer is enabled.
 */
 public static final String ANALYZER_NSP_PACKAGE_ENABLED = "analyzer.nsp.package.enabled";
 /**
@@ -745,8 +746,8 @@ public final class Settings {
 String decodedPath = ".";
 String jarPath = "";
 ProtectionDomain domain = Settings.class.getProtectionDomain();
- if(domain!=null&& domain.getCodeSource()!=null && domain.getCodeSource().getLocation()!=null) {
- jarPath = Settings.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+ if (domain != null && domain.getCodeSource() != null && domain.getCodeSource().getLocation() != null) {
+ jarPath = Settings.class.getProtectionDomain().getCodeSource().getLocation().getPath();
 }
 try {
 decodedPath = URLDecoder.decode(jarPath, "UTF-8");
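Review bot: The reformatted Javadoc on `getResourceAsStream` still leaves `@return` empty and `@param resource path` unspecific, so the fact that matters most to callers — that the method can return `null` — is undocumented; both `ClassLoader.getResourceAsStream` and `ClassLoader.getSystemResourceAsStream` return `null` when the resource is not found. Suggested tags: `@param resource the class-path resource name` and `@return an open stream for the resource, or {@code null} if it cannot be found; the caller is responsible for closing it`. As a point of style, `FileUtils.class.getClassLoader()` is evaluated twice in the ternary; a local `final ClassLoader loader = FileUtils.class.getClassLoader();` reads more cleanly and avoids the repeated call.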
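Review bot: Inside the null guard the new code still re-walks `Settings.class.getProtectionDomain().getCodeSource().getLocation().getPath()` instead of using the `domain` local that the condition just validated; `jarPath = domain.getCodeSource().getLocation().getPath();` is shorter and cannot disagree with the guard. Separately, the context line `URLDecoder.decode(jarPath, "UTF-8")` applies form decoding to a URL path, which turns a literal `+` in a directory name into a space, so a jar installed under such a path would resolve incorrectly — worth a follow-up, as it is not part of this formatting change. The enclosing method starts and ends outside the hunk.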
From 7545329db2fc6c8f4899b97784cb0d7aed34013f Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 19 Jun 2017 07:05:19 -0400
Subject: [PATCH 35/35] updated copyright...
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c924b00c2..51f1488bc 100644
--- a/README.md
+++ b/README.md
@@ -148,7 +148,7 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
 Copyright & License
 -
-Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2017 Jeremy Long. All Rights Reserved.
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.