updated documentation

Former-commit-id: cb2c5c0fd7e0dfc33ce5a1b3cf75799c015c78df
This commit is contained in:
Jeremy Long
2014-03-23 23:03:51 -04:00
parent 315a616293
commit 9b2cacc3a0
5 changed files with 140 additions and 85 deletions


@@ -18,34 +18,60 @@ the project's dependencies.
</dependency-check> </dependency-check>
</target> </target>
``` ```
The following table lists the configurable properties:
Property | Description | Requirement | Default Value Configuration
----------------------|-------------|-------------|------------ ====================
applicationName | The name of the application to use in the generated report. | Required | &nbsp; The following properties can be set on the dependency-check-maven plugin.
reportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML
reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | &nbsp; Property | Description | Default Value
failBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11 ---------------------|------------------------------------|------------------
autoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
dataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | &nbsp; externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
logFile | The file path to write verbose logging information. | Optional | &nbsp; outputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
suppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | &nbsp; failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
proxyUrl | Defines the proxy used to connect to the Internet. | Optional | &nbsp; format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
proxyPort | Defines the port for the proxy. | Optional | &nbsp; logFile | The file path to write verbose logging information. | &nbsp;
proxyUsername | Defines the proxy user name. | Optional | &nbsp; suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
proxyPassword | Defines the proxy password. | Optional | &nbsp; proxyUrl | The Proxy URL. | &nbsp;
connectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp; proxyPort | The Proxy Port. | &nbsp;
nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp; proxyUsername | Defines the proxy user name. | &nbsp;
nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp; proxyPassword | Defines the proxy password. | &nbsp;
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true connectionTimeout | The URL Connection Timeout. | &nbsp;
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | &nbsp; Analyzer Configuration
connectionString | The connection string used to connect to the database. | Optional | &nbsp; ====================
databaseUser | The username used when connecting to the database. | Optional | dcuser The following properties are used to configure the various file type analyzers.
databasePassword | The password used when connecting to the database. | Optional | &nbsp; These properties can be used to turn off specific analyzers if it is not needed.
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional | &nbsp; Note, that specific analyzers will automatically disable themselves if no file
cveUrl12Modified | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml types that they support are detected - so specifically disabling them may not
cveUrl20Modified | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml be needed.
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml Property | Description | Default Value
pathToMono | The path to Mono for .NET assembly analysis on non-windows systems | Optional | &nbsp; ------------------------|------------------------------------|------------------
archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
jarAnalyzer | Sets whether Jar Analyzer will be used. | true
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | true
nexusUrl | Defines the Nexus URL. | http://repository.sonatype.org/service/local/
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
nuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true
assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true
pathToMono | The path to Mono for .NET assembly analysis on non-windows systems | &nbsp;
Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value
---------------------|-------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;
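Review bot: the right-hand side of this hunk documents Maven-only behaviour on what the context lines (`</dependency-check>` / `</target>`, the old "dependency-check-ant jar" wording) show is the Ant task page: "The following properties can be set on the dependency-check-maven plugin", the `externalReport` row ("When using as a Site plugin") and the `outputDirectory` note about a `mvn site` build. It also drops `applicationName`, which the old table marked Required; suggest restoring that row with its Required marker and removing the Site-plugin rows, or confirming the Ant task really gained them. Smaller points in the new text: `jarAnalyzer` breaks the `*AnalyzerEnabled` naming used by the other analyzer rows; "has no affect" should be "has no effect"; "the cvedUrl properties" should be "the cveUrl properties"; "turn off specific analyzers if it is not needed" should be "if they are not needed".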


@@ -1,33 +1,43 @@
Command Line Arguments Command Line Arguments
==================== ======================
The following table lists the command line arguments: The following table lists the command line arguments:
Short | Argument Name | Parameter | Description | Requirement Short | Argument Name | Parameter | Description | Requirement
-------|-----------------------|-----------------|-------------|------------ -------|-----------------------|-----------------|-------------|------------
\-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. | Required \-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. | Required
\-c | \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | Optional \-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. | Required
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | Optional \-o | \-\-out | \<folder\> | The folder to write reports to. This defaults to the current directory. | Optional
\-f | \-\-format | \<format\> | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required \-f | \-\-format | \<format\> | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
\-h | \-\-help | | Print the help message. | Optional
\-l | \-\-log | \<file\> | The file path to write verbose logging information. | Optional \-l | \-\-log | \<file\> | The file path to write verbose logging information. | Optional
\-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional
\-o | \-\-out | \<folder\> | The folder to write reports to. This defaults to the current directory. | Optional
\-p | \-\-proxyport | \<port\> | The proxy port to use when downloading resources. | Optional
| \-\-proxypass | \<pass\> | The proxy password to use when downloading resources. | Optional
| \-\-proxyuser | \<user\> | The proxy username to use when downloading resources. | Optional
\-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. | Required
| \-\-suppression | \<file\> | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional | \-\-suppression | \<file\> | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
\-u | \-\-proxyurl | \<url\> | The proxy url to use when downloading resources. | Optional \-h | \-\-help | | Print the help message. | Optional
\-v | \-\-version | | Print the version information. | Optional
| \-\-advancedHelp | | Print the advanced help message. | Optional | \-\-advancedHelp | | Print the advanced help message. | Optional
| \-\-connectionString | \<connStr\> | The connection string to the database. | Optional \-v | \-\-version | | Print the version information. | Optional
| \-\-dbDriverName | \<driver\> | The database driver name. | Optional
| \-\-dbDriverPath | \<path\> | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional Advanced Options
| \-\-dbPassword | \<password\> | The password for connecting to the database. | Optional ================
| \-\-dbUser | \<user\> | The username used to connect to the database. | Optional Short | Argument Name | Parameter | Description | Default Value
| \-\-disableNexus | | Disable the Nexus Analyzer. | Optional -------|-----------------------|-----------------|-------------|---------------
| \-\-nexus | \<url\> | The url to the Nexus Server. | Optional | \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false
| \-\-nexusUsesProxy | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional | \-\-disableJar | | Sets whether Jar Analyzer will be used. | false
| \-\-pathToMono | \<path\> | The path to Mono for .NET Assembly analysis on non-windows systems. | Optional | \-\-disableNexus | | Sets whether Nexus Analyzer will be used. | false
| \-\-disableNexus | | Disable the Nexus Analyzer. | &nbsp;
| \-\-nexus | \<url\> | The url to the Nexus Server. | http://repository.sonatype.org/service/local/
| \-\-nexusUsesProxy | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | true
| \-\-disableNuspec | | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | false
| \-\-disableAssembly | | Sets whether or not the .NET Assembly Analyzer should be used. | false
| \-\-pathToMono | \<path\> | The path to Mono for .NET Assembly analysis on non-windows systems. | &nbsp;
| \-\-proxyurl | \<url\> | The proxy url to use when downloading resources. | &nbsp;
| \-\-proxyport | \<port\> | The proxy port to use when downloading resources. | &nbsp;
| \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
| \-\-proxypass | \<pass\> | The proxy password to use when downloading resources. | &nbsp;
| \-\-proxyuser | \<user\> | The proxy username to use when downloading resources. | &nbsp;
| \-\-connectionString | \<connStr\> | The connection string to the database. | &nbsp;
| \-\-dbDriverName | \<driver\> | The database driver name. | &nbsp;
| \-\-dbDriverPath | \<path\> | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
| \-\-dbPassword | \<password\> | The password for connecting to the database. | &nbsp;
| \-\-dbUser | \<user\> | The username used to connect to the database. | &nbsp;
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
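Review bot: `--disableNexus` appears twice in the new Advanced Options table, once as "Sets whether Nexus Analyzer will be used. | false" and again as "Disable the Nexus Analyzer. | &nbsp;"; keep one row. The `--disable*` descriptions ("Sets whether the Archive Analyzer will be used") read backwards for a switch that takes no parameter: say "Disables the Archive Analyzer" and either leave Default Value empty for these switches or state the analyzer's default state. The short aliases `-c`, `-p` and `-u` (for `--connectiontimeout`, `--proxyport`, `--proxyurl`) disappear from the Short column while `-d` for `--data` is kept; if the CLI still accepts them they should stay documented, and if they were removed that is a breaking change worth a line in the commit message.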


@@ -8,20 +8,18 @@ script executable:
$ chmod +777 dependency-check.sh $ chmod +777 dependency-check.sh
To scan a folder on the system you can run: To scan a folder on the system you can run:
#set( $H = '#' )
Windows $H$H$H Windows
-------
dependency-check.bat --app "My App Name" --scan "c:\java\application\lib" dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
\*nix $H$H$H *nix
-------
dependency-check.sh --app "My App Name" --scan "/java/application/lib" dependency-check.sh --app "My App Name" --scan "/java/application/lib"
To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run: To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
Windows
------- $H$H$H Windows
dependency-check.bat --help dependency-check.bat --help
\*nix $H$H$H *nix
-------
dependency-check.sh --help dependency-check.sh --help
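Review bot: the unchanged context line `chmod +777 dependency-check.sh` deserves a fix while this page is being edited: the surrounding text only needs the script to be executable, and `chmod +x dependency-check.sh` (or `chmod 755`) is the conventional way to do that; if `+777` is intended as mode `777` it also makes the launcher world-writable, so any local user could edit a script the build then runs. On the new headings, `$H$H$H *nix` drops the backslash the old `\*nix` had; it should still render as a heading, but check that the leading `*` is not taken as the start of emphasis by the Markdown renderer.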


@@ -11,28 +11,51 @@ failBuildOnCVSS | Specifies if the build should be failed if a CVSS score a
format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
logFile | The file path to write verbose logging information. | &nbsp; logFile | The file path to write verbose logging information. | &nbsp;
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp; suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
connectionTimeout | The Connection Timeout. | &nbsp;
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | &nbsp;
nexusUrl | Defines the Nexus URL. | &nbsp;
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
skipTestScope | Should be skip analysis for artifacts with Test Scope | true skipTestScope | Should be skip analysis for artifacts with Test Scope | true
skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false
skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false
dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;
cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml Analyzer Configuration
cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml ====================
The following properties are used to configure the various file type analyzers.
These properties can be used to turn off specific analyzers if it is not needed.
Note, that specific analyzers will automatically disable themselves if no file
types that they support are detected - so specifically disabling them may not
be needed.
Property | Description | Default Value
------------------------|------------------------------------|------------------
archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
jarAnalyzer | Sets whether Jar Analyzer will be used. | true
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | true
nexusUrl | Defines the Nexus URL. | http://repository.sonatype.org/service/local/
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
nuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true
assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true
pathToMono | The path to Mono for .NET assembly analysis on non-windows systems | &nbsp;
Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value
---------------------|-------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
pathToMono | The path to Mono for .NET assembly analysis on non-windows systems | &nbsp; connectionTimeout | The URL Connection Timeout. | &nbsp;
dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;
Deprecated Properties Deprecated Configuration
==================== ====================
The following properties have been deprecated. These can stell be set in The following properties have been deprecated. These can stell be set in
the dependency-check-maven plugin's configuration. However, future versions the dependency-check-maven plugin's configuration. However, future versions
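Review bot: `jarAnalyzer` in the new Analyzer Configuration table does not follow the `<name>AnalyzerEnabled` pattern of `archiveAnalyzerEnabled`, `nexusAnalyzerEnabled`, `nuspecAnalyzerEnabled` and `assemblyAnalyzerEnabled` on the adjacent rows; confirm it against the mojo parameter name, because a user who copies `jarAnalyzer` into a `<configuration>` block will silently get the default if the real name differs. Wording in the new text: "the cvedUrl properties" should read "the cveUrl properties" and "turn off specific analyzers if it is not needed" should read "if they are not needed"; the context line "These can stell be set" has "stell" for "still" and could be fixed in the same hunk. Also, `connectionTimeout` moves to Advanced Configuration with the description "The URL Connection Timeout.", which gives no unit; the arguments page states milliseconds, so say so here too.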


@@ -10,8 +10,9 @@ Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
After the first batch download, as long as the plugin is executed at least once every After the first batch download, as long as the plugin is executed at least once every
seven days the update will only take a few seconds. seven days the update will only take a few seconds.
Example 1: #set( $H = '#' )
---------------------
$H$H$H Example 1:
Create the DependencyCheck-report.html in the target directory Create the DependencyCheck-report.html in the target directory
```xml ```xml
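Review bot: `#set( $H = '#' )` is a Velocity directive, so the `$H$H$H Example 1:` heading only becomes `### Example 1:` if Maven Site processes this page as a template (a `.md.vm` file); rendered as plain Markdown the directive appears verbatim and `$H$H$H` stays literal. The diff does not show a file rename, so confirm the extension; the same check covers the other `$H$H$H` headings introduced further down in this file.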
@@ -39,8 +40,7 @@ Create the DependencyCheck-report.html in the target directory
</project> </project>
``` ```
Example 2: $H$H$H Example 2:
---------------------
Create the DependencyCheck-report.html and fail the build for CVSS greater then 8 Create the DependencyCheck-report.html and fail the build for CVSS greater then 8
```xml ```xml
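Review bot: the unchanged context line "fail the build for CVSS greater then 8" has "then" for "than"; since this hunk already rewrites the heading directly above it, fixing the sentence here is cheap.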
@@ -71,8 +71,7 @@ Create the DependencyCheck-report.html and fail the build for CVSS greater then
</project> </project>
``` ```
Example 3: $H$H$H Example 3:
---------------------
Create the dependency-check report within the site Create the dependency-check report within the site
```xml ```xml
@@ -103,8 +102,8 @@ Create the dependency-check report within the site
... ...
</project> </project>
``` ```
Example 4:
--------------------- $H$H$H Example 4:
Create the DependencyCheck-report.html and skip artifacts no bundled in distribution (Provided and Runtime scope) Create the DependencyCheck-report.html and skip artifacts no bundled in distribution (Provided and Runtime scope)
```xml ```xml
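Review bot: the context line "skip artifacts no bundled in distribution" should read "not bundled"; worth folding into this hunk, which already touches the heading above it.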
@@ -135,8 +134,8 @@ Create the DependencyCheck-report.html and skip artifacts no bundled in distribu
... ...
</project> </project>
``` ```
Example 5:
--------------------- $H$H$H Example 5:
Create the DependencyCheck-report.html and use internal mirroring of CVE contents Create the DependencyCheck-report.html and use internal mirroring of CVE contents
```xml ```xml
@@ -169,4 +168,3 @@ Create the DependencyCheck-report.html and use internal mirroring of CVE content
... ...
</project> </project>
``` ```