github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-15 16:23:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source 
Former-commit-id: c980e2c3cbcfbebd38bd99b62ffcca60f0153eb0
This commit is contained in:
Will Stranathan
2014-03-04 13:13:01 -05:00
parent 4340368e49 e0410783be
commit 9d1ea4b551
22 changed files with 265 additions and 128 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
dependency-check-ant/pom.xml
View File

@@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.2-SNAPSHOT</version>
<version>1.1.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-ant</artifactId>

32
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
View File

@@ -502,6 +502,28 @@ public class DependencyCheckTask extends Task {
public void setNexusUrl(String nexusUrl) {
this.nexusUrl = nexusUrl;
}
/**
* Whether or not the defined proxy should be used when connecting to Nexus.
*/
private boolean nexusUsesProxy = true;
/**
* Get the value of nexusUsesProxy.
*
* @return the value of nexusUsesProxy
*/
public boolean isNexusUsesProxy() {
return nexusUsesProxy;
}
/**
* Set the value of nexusUsesProxy.
*
* @param nexusUsesProxy new value of nexusUsesProxy
*/
public void setNexusUsesProxy(boolean nexusUsesProxy) {
this.nexusUsesProxy = nexusUsesProxy;
}
/**
* The database driver name; such as org.h2.Driver.
@@ -779,14 +801,17 @@ public class DependencyCheckTask extends Task {
showSummary(engine.getDependencies());
}
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex);
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
"Unable to generate dependency-check report", ex);
throw new BuildException("Unable to generate dependency-check report", ex);
} catch (Exception ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex);
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
"An exception occurred; unable to continue task", ex);
throw new BuildException("An exception occurred; unable to continue task", ex);
}
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex);
} finally {
if (engine != null) {
@@ -864,6 +889,7 @@ public class DependencyCheckTask extends Task {
if (nexusUrl != null && !nexusUrl.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
}
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
}

41
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -22,27 +22,28 @@ The following table lists the configurable properties:
Property | Description | Requirement | Default Value
----------------------|-------------|-------------|------------
ApplicationName | The name of the application to use in the generated report. | Required |
ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional |
ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional |
FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional |
AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional |
DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional |
LogFile | The file path to write verbose logging information. | Optional |
SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional |
ProxyUrl | Defines the proxy used to connect to the Internet. | Optional |
ProxyPort | Defines the port for the proxy. | Optional |
ProxyUsername | Defines the proxy user name. | Optional |
ProxyPassword | Defines the proxy password. | Optional |
ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional |
nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional |
nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional |
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional |
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional |
connectionString | The connection string used to connect to the database. | Optional |
applicationName | The name of the application to use in the generated report. | Required | &nbsp;
reportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML
reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | &nbsp;
failBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11
autoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true
dataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | &nbsp;
logFile | The file path to write verbose logging information. | Optional | &nbsp;
suppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | &nbsp;
proxyUrl | Defines the proxy used to connect to the Internet. | Optional | &nbsp;
proxyPort | Defines the port for the proxy. | Optional | &nbsp;
proxyUsername | Defines the proxy user name. | Optional | &nbsp;
proxyPassword | Defines the proxy password. | Optional | &nbsp;
connectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | &nbsp;
connectionString | The connection string used to connect to the database. | Optional | &nbsp;
databaseUser | The username used when connecting to the database. | Optional | dcuser
databasePassword | The password used when connecting to the database. | Optional |
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
databasePassword | The password used when connecting to the database. | Optional | &nbsp;
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional | &nbsp;
cveUrl12Modified | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml

2
dependency-check-cli/pom.xml
View File

@@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.2-SNAPSHOT</version>
<version>1.1.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-cli</artifactId>

7
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -83,7 +83,7 @@ public class App {
cli.printVersionInfo();
} else if (cli.isRunScan()) {
updateSettings(cli);
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getAdditionalZipExtensions());
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
} else {
cli.printHelp();
}
@@ -97,7 +97,7 @@ public class App {
* @param applicationName the application name for the report
* @param files the files/directories to scan
*/
private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, String extraExtensions) {
private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
Engine scanner = null;
try {
scanner = new Engine();
@@ -160,6 +160,7 @@ public class App {
final String suppressionFile = cli.getSuppressionFile();
final boolean nexusDisabled = cli.isNexusDisabled();
final String nexusUrl = cli.getNexusUrl();
final boolean nexusUsesProxy = cli.isNexusUsesProxy();
final String databaseDriverName = cli.getDatabaseDriverName();
final String databaseDriverPath = cli.getDatabaseDriverPath();
final String connectionString = cli.getConnectionString();
@@ -215,7 +216,7 @@ public class App {
if (nexusUrl != null && !nexusUrl.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
}
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
}

23
dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
View File

@@ -204,6 +204,10 @@ public final class CliParser {
.withDescription("The url to the Nexus Server.")
.create();
final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
.withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
.create();
final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
.withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
@@ -227,6 +231,7 @@ public final class CliParser {
.addOption(suppressionFile)
.addOption(disableNexusAnalyzer)
.addOption(nexusUrl)
.addOption(nexusUsesProxy)
.addOption(additionalZipExtensions);
}
@@ -342,6 +347,20 @@ public final class CliParser {
}
}
/**
* Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
* returned.
*
* @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
*/
public boolean isNexusUsesProxy() {
if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
return true;
} else {
return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
}
}
/**
* Displays the command line help message to the standard output.
*/
@@ -697,6 +716,10 @@ public final class CliParser {
* The URL of the nexus server.
*/
public static final String NEXUS_URL = "nexus";
/**
* Whether or not the defined proxy should be used when connecting to Nexus.
*/
public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
/**
* The CLI argument name for setting the connection string.
*/

53
dependency-check-cli/src/site/markdown/arguments.md
View File

@@ -3,29 +3,30 @@ Command Line Arguments
The following table lists the command line arguments:
Short | Argument Name | Parameter | Description | Requirement
-------|-----------------------|-------------|-------------|------------
\-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. |
\-c | \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | Optional
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
\-f | \-\-format | \<format\> | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. |
\-h | \-\-help | | Print the help message. | Optional
\-l | \-\-log | \<file\> | The file path to write verbose logging information. | Optional
\-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional
\-o | \-\-out | \<folder\> | The folder to write reports to. This defaults to the current directory. | Optional
\-p | \-\-proxyport | \<port\> | The proxy port to use when downloading resources. | Optional
| \-\-proxypass | \<pass\> | The proxy password to use when downloading resources. | Optional
| \-\-proxyuser | \<user\> | The proxy username to use when downloading resources. | Optional
\-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. |
| \-\-suppression | \<file\> | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
\-u | \-\-proxyurl | \<url\> | The proxy url to use when downloading resources. | Optional
\-v | \-\-version | | Print the version information. | Optional
| \-\-advancedHelp | | Print the advanced help message. | Optional
| \-\-connectionString | \<connStr\> | The connection string to the database. | Optional
| \-\-dbDriverName | \<driver\> | The database driver name. | Optional
| \-\-dbDriverPath | \<path\> | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional
| \-\-dbPassword | \<password\>| The password for connecting to the database. | Optional
| \-\-dbUser | \<user\> | The username used to connect to the database. | Optional
| \-\-disableNexus | | Disable the Nexus Analyzer. | Optional
| \-\-nexus | \<url\> | The url to the Nexus Server. | Optional
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
Short | Argument Name | Parameter | Description | Requirement
-------|-----------------------|-----------------|-------------|------------
\-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. | Required
\-c | \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | Optional
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
\-f | \-\-format | \<format\> | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
\-h | \-\-help | | Print the help message. | Optional
\-l | \-\-log | \<file\> | The file path to write verbose logging information. | Optional
\-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional
\-o | \-\-out | \<folder\> | The folder to write reports to. This defaults to the current directory. | Optional
\-p | \-\-proxyport | \<port\> | The proxy port to use when downloading resources. | Optional
| \-\-proxypass | \<pass\> | The proxy password to use when downloading resources. | Optional
| \-\-proxyuser | \<user\> | The proxy username to use when downloading resources. | Optional
\-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. | Required
| \-\-suppression | \<file\> | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
\-u | \-\-proxyurl | \<url\> | The proxy url to use when downloading resources. | Optional
\-v | \-\-version | | Print the version information. | Optional
| \-\-advancedHelp | | Print the advanced help message. | Optional
| \-\-connectionString | \<connStr\> | The connection string to the database. | Optional
| \-\-dbDriverName | \<driver\> | The database driver name. | Optional
| \-\-dbDriverPath | \<path\> | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional
| \-\-dbPassword | \<password\> | The password for connecting to the database. | Optional
| \-\-dbUser | \<user\> | The username used to connect to the database. | Optional
| \-\-disableNexus | | Disable the Nexus Analyzer. | Optional
| \-\-nexus | \<url\> | The url to the Nexus Server. | Optional
| \-\-nexusUsesProxy | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | Optional
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional

2
dependency-check-core/pom.xml
View File

@@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.2-SNAPSHOT</version>
<version>1.1.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-core</artifactId>

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -271,7 +271,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
throw new AnalysisException("Archive file was not found.", ex);
}
final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase();
final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
try {
if (ZIPPABLES.contains(archiveExt)) {
extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
@@ -279,7 +279,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
} else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
final String uncompressedExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(uncompressedName).toLowerCase();
final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase();
if (engine.supportsExtension(uncompressedExt)) {
decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName));
}
@@ -323,7 +323,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
}
} else {
final File file = new File(destination, entry.getName());
final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName());
final String ext = FileUtils.getFileExtension(file.getName());
if (engine.supportsExtension(ext)) {
BufferedOutputStream bos = null;
FileOutputStream fos;

43
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -604,38 +604,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence());
}
}
//license
if (pom.getLicenses() != null) {
String license = null;
for (License lic : pom.getLicenses().getLicense()) {
String tmp = null;
if (lic.getName() != null) {
tmp = interpolateString(lic.getName(), pomProperties);
}
if (lic.getUrl() != null) {
if (tmp == null) {
tmp = interpolateString(lic.getUrl(), pomProperties);
} else {
tmp += ": " + interpolateString(lic.getUrl(), pomProperties);
}
}
if (tmp == null) {
continue;
}
if (HTML_DETECTION_PATTERN.matcher(tmp).find()) {
tmp = Jsoup.parse(tmp).text();
}
if (license == null) {
license = tmp;
} else {
license += "\n" + tmp;
}
}
if (license != null) {
dependency.setLicense(license);
}
}
extractLicense(pom, pomProperties, dependency);
return foundSomething;
}
@@ -1250,7 +1219,17 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
addDescription(dependency, description, "pom", "description");
}
}
extractLicense(pom, pomProperties, dependency);
}
/**
* Extracts the license information from the pom and adds it to the dependency.
*
* @param pom the pom object
* @param pomProperties the properties, used for string interpolation
* @param dependency the dependency to add license information too
*/
private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
//license
if (pom.getLicenses() != null) {
String license = null;

9
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
View File

@@ -22,6 +22,7 @@ import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -151,17 +152,17 @@ public class NexusSearch {
*/
public boolean preflightRequest() {
try {
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"));
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"), useProxy);
conn.addRequestProperty("Accept", "application/xml");
conn.connect();
if (conn.getResponseCode() != 200) {
LOGGER.warning("Expected 200 result from Nexus, got " + conn.getResponseCode());
LOGGER.log(Level.WARNING, "Expected 200 result from Nexus, got {0}", conn.getResponseCode());
return false;
}
final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
if (doc.getDocumentElement().getNodeName() != "status") {
LOGGER.warning("Expected root node name of status, got " + doc.getDocumentElement().getNodeName());
if (!"status".equals(doc.getDocumentElement().getNodeName())) {
LOGGER.log(Level.WARNING, "Expected root node name of status, got {0}", doc.getDocumentElement().getNodeName());
return false;
}
} catch (Throwable e) {

19
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java
View File

@@ -23,6 +23,7 @@ package org.owasp.dependencycheck.data.nuget;
* @author colezlaw
*/
public class NuspecParseException extends Exception {
/**
* The serialVersionUID
*/
@@ -31,20 +32,19 @@ public class NuspecParseException extends Exception {
/**
* Constructs a new exception with <code>null</code> as its detail message.
*
* The cause is not initialized, and may subsequently be initialized by a call
* to {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
* The cause is not initialized, and may subsequently be initialized by a call to
* {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
*/
public NuspecParseException() {
super();
}
/**
* Constructs a new exception with the specified detail message. The cause is
* not initialized, and may subsequently be initialized by a call to
* {@link java.lang.Throwable#initCause(java.lang.Throwable).
* Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently
* be initialized by a call to {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
*
* @param message the detail message. The detail message is saved for later retrieval
* by the {@link java.lang.Throwable#getMessage()} method.
* @param message the detail message. The detail message is saved for later retrieval by the
* {@link java.lang.Throwable#getMessage()} method.
*/
public NuspecParseException(String message) {
super(message);
@@ -58,9 +58,8 @@ public class NuspecParseException extends Exception {
*
* @param message the detail message (whcih is saved for later retrieval by the
* {@link java.lang.Throwable#getMessage()} method.
* @param cause the cause (which is saved for later retrieval by the
* {@link java.lang.Throwable#getCause()} method). (A <code>null</code> value is permitted,
* and indicates that the cause is nonexistent or unknown).
* @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method).
* (A <code>null</code> value is permitted, and indicates that the cause is nonexistent or unknown).
*/
public NuspecParseException(String message, Throwable cause) {
super(message, cause);

21
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
View File

@@ -134,20 +134,20 @@ public class StandardUpdate {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download", ex);
throw new UpdateException("The download was interupted", ex);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex);
throw new UpdateException("The download was interrupted", ex);
} catch (ExecutionException ex) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download execution", ex);
throw new UpdateException("The execution of the download was interupted", ex);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex);
throw new UpdateException("The execution of the download was interrupted", ex);
}
if (task == null) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download");
throw new UpdateException("The download was interupted; unable to complete the update");
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download");
throw new UpdateException("The download was interrupted; unable to complete the update");
} else {
processFutures.add(task);
}
@@ -161,7 +161,7 @@ public class StandardUpdate {
}
} catch (InterruptedException ex) {
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during processing", ex);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex);
throw new UpdateException(ex);
} catch (ExecutionException ex) {
processExecutor.shutdownNow();
@@ -245,11 +245,8 @@ public class StandardUpdate {
}
} catch (NumberFormatException ex) {
final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
Logger
.getLogger(StandardUpdate.class
.getName()).log(Level.WARNING, msg);
Logger.getLogger(StandardUpdate.class
.getName()).log(Level.FINE, null, ex);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex);
}
}
return updates;

52
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -22,8 +22,11 @@ import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Enumeration;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -35,6 +38,11 @@ import java.util.logging.Logger;
*/
public final class Settings {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Settings.class.getName());
/**
* The collection of keys used within the properties file.
*/
@@ -204,6 +212,43 @@ public final class Settings {
}
}
}
logProperties("Properties loaded", props);
}
/**
* Logs the properties. This will not log any properties that contain 'password' in the key.
*
* @param header the header to print with the log message
* @param properties the properties to log
*/
private static void logProperties(String header, Properties properties) {
if (LOGGER.isLoggable(Level.FINE)) {
final StringWriter sw = new StringWriter();
PrintWriter pw = null;
try {
pw = new PrintWriter(sw);
pw.format("%s:%n%n", header);
final Enumeration e = properties.propertyNames();
while (e.hasMoreElements()) {
final String key = (String) e.nextElement();
if (key.contains("password")) {
pw.format("%s='*****'%n", key);
} else {
final String value = properties.getProperty(key);
if (value != null) {
pw.format("%s='%s'%n", key, value);
}
}
}
pw.flush();
LOGGER.fine(sw.toString());
} finally {
if (pw != null) {
pw.close();
}
}
}
}
/**
@@ -214,6 +259,9 @@ public final class Settings {
*/
public static void setString(String key, String value) {
INSTANCE.props.setProperty(key, value);
if (LOGGER.isLoggable(Level.FINE)) {
LOGGER.fine(String.format("Setting: %s='%s'", key, value));
}
}
/**
@@ -228,6 +276,9 @@ public final class Settings {
} else {
INSTANCE.props.setProperty(key, Boolean.FALSE.toString());
}
if (LOGGER.isLoggable(Level.FINE)) {
LOGGER.fine(String.format("Setting: %s='%b'", key, value));
}
}
/**
@@ -268,6 +319,7 @@ public final class Settings {
*/
public static void mergeProperties(InputStream stream) throws IOException {
INSTANCE.props.load(stream);
logProperties("Properties updated via merge", INSTANCE.props);
}
/**

9
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
View File

@@ -17,15 +17,12 @@
*/
package org.owasp.dependencycheck.analyzer;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeFalse;
import java.io.File;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.junit.After;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Assume;
import static org.junit.Assume.assumeFalse;
import org.junit.Before;
@@ -43,7 +40,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
*/
public class AssemblyAnalyzerTest {
private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzerTest.class.getName());
AssemblyAnalyzer analyzer;

2
dependency-check-jenkins/pom.xml
View File

@@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.2-SNAPSHOT</version>
<version>1.1.3-SNAPSHOT</version>
</parent>
<groupId>org.owasp</groupId>

2
dependency-check-maven/pom.xml
View File

@@ -23,7 +23,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.2-SNAPSHOT</version>
<version>1.1.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-maven</artifactId>

14
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
View File

@@ -198,6 +198,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "nexusUrl", defaultValue = "", required = false)
private String nexusUrl;
/**
* Whether or not the configured proxy is used to connect to Nexus.
*/
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "nexusUsesProxy", defaultValue = "true", required = false)
private boolean nexusUsesProxy = true;
/**
* The database connection string.
*/
@@ -279,6 +285,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
* Executes the Dependency-Check on the dependent libraries.
*
* @return the Engine used to scan the dependencies.
* @throws DatabaseException thrown if there is an exception connecting to the database
*/
private Engine executeDependencyCheck() throws DatabaseException {
@@ -750,6 +757,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
if (nexusUrl != null && !nexusUrl.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
}
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
}
@@ -812,7 +820,8 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
checkForFailure(engine.getDependencies());
}
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex);
} finally {
if (engine != null) {
@@ -847,7 +856,8 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
engine = executeDependencyCheck();
generateMavenSiteReport(engine, sink);
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex);
} finally {
if (engine != null) {

1
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -17,6 +17,7 @@ proxyUsername | Defines the proxy user name. |
proxyPassword | Defines the proxy password. |
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. |
nexusUrl | Defines the Nexus URL. |
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
connectionString | The connection string used to connect to the database. |

2
pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.2-SNAPSHOT</version>
<version>1.1.3-SNAPSHOT</version>
<packaging>pom</packaging>
<modules>

49
src/site/markdown/suppression.md
View File

@@ -18,6 +18,55 @@ A sample suppression file would look like:
```
The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash.
The following shows some other ways to suppress individual findings. Note the ways to select files using either
the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that
can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common
would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the
HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression'
xsi:schemaLocation='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression suppression.xsd'>
<suppress>
<notes><![CDATA[
This suppresses cpe:/a:csv:csv:1.0 for some.jar in the "c:\path\to" directory.
]]></notes>
<filePath>c:\path\to\some.jar</filePath>
<cpe>cpe:/a:csv:csv:1.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]></notes>
<filePath regex="true">.*\btest\.jar</filePath>
<cpe>cpe:/a:jboss:jboss</cpe>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any test.jar in any directory.
]]></notes>
<filePath regex="true">.*\btest\.jar</filePath>
<cve>CVE-2013-1337</cve>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any dependency in any directory that has the specified sha1 checksum.
]]></notes>
<sha1>384FAA82E193D4E4B0546059CA09572654BC3970</sha1>
<cve>CVE-2013-1337</cve>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses all CVE entries that have a score below CVSS 7.
]]></notes>
<cvssBelow>7</cvssBelow>
</suppress>
</suppressions>
```
The full schema for suppression files can be found here: [suppression.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd "Suppression Schema")
Please see the appropriate configuration option in each interfaces configuration guide:

2
src/site/site.xml
View File

@@ -50,7 +50,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
title="built with maven"
alt="built with maven"
img="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png"/>
<logo name="IntelliJ" href="http://maven.apache.org/"
<logo name="IntelliJ" href="http://www.jetbrains.com/idea/"
title="developed using" width="170px"
alt="developed using"
img="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png"/>