From 7f2c51f337c546fd76ec7c5f2a69f50cdb7d33f2 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 1 Mar 2014 16:08:58 -0500 Subject: [PATCH 01/21] cleaned up code duplication Former-commit-id: 561f5f16b22f07199450d090ebb8c56df3703739 --- .../dependencycheck/analyzer/JarAnalyzer.java | 43 +++++-------------- 1 file changed, 11 insertions(+), 32 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index fd5316a56..1e974f6a7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -604,38 +604,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer { addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence()); } } - - //license - if (pom.getLicenses() != null) { - String license = null; - for (License lic : pom.getLicenses().getLicense()) { - String tmp = null; - if (lic.getName() != null) { - tmp = interpolateString(lic.getName(), pomProperties); - } - if (lic.getUrl() != null) { - if (tmp == null) { - tmp = interpolateString(lic.getUrl(), pomProperties); - } else { - tmp += ": " + interpolateString(lic.getUrl(), pomProperties); - } - } - if (tmp == null) { - continue; - } - if (HTML_DETECTION_PATTERN.matcher(tmp).find()) { - tmp = Jsoup.parse(tmp).text(); - } - if (license == null) { - license = tmp; - } else { - license += "\n" + tmp; - } - } - if (license != null) { - dependency.setLicense(license); - } - } + extractLicense(pom, pomProperties, dependency); return foundSomething; } 
@@ -1250,7 +1219,17 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer { addDescription(dependency, description, "pom", "description"); } } + extractLicense(pom, pomProperties, dependency); + } + /** + * Extracts the license information from the pom and adds it to the dependency. + * + * @param pom the pom object + * @param pomProperties the properties, used for string interpolation + * @param dependency the dependency to add license information too + */ + private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) { //license if (pom.getLicenses() != null) { String license = null; From 0a24fb57aa29daf59c58a9707213c57ff16e037d Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 1 Mar 2014 16:09:14 -0500 Subject: [PATCH 02/21] minor code formating change Former-commit-id: 184bb0405efa2352116c7412efa07bd354df3e96 --- .../dependencycheck/taskdefs/DependencyCheckTask.java | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index 2e65813ef..e71af47ce 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java 
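Review bot: The Javadoc on the new `extractLicense` method has a typo in its last tag: `information too` should read `information to`, i.e. ` * @param dependency the dependency to add license information to`. Since the removed block in the earlier hunk shows the license text being run through Jsoup when HTML is detected and joined with newlines, the summary line would also benefit from saying so, presumably ` * Extracts the license name/URL pairs from the pom, strips any HTML, and sets the newline-joined result on the dependency.` — assuming the moved body is unchanged, which cannot be confirmed here because the method body continues past the end of the hunk.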
@@ -779,14 +779,17 @@ public class DependencyCheckTask extends Task { showSummary(engine.getDependencies()); } } catch (IOException ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, + "Unable to generate dependency-check report", ex); throw new BuildException("Unable to generate dependency-check report", ex); } catch (Exception ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, + "An exception occurred; unable to continue task", ex); throw new BuildException("An exception occurred; unable to continue task", ex); } } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { From 73e089d3308c07575d60e86e663180c42f520743 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 12:25:50 -0500 Subject: [PATCH 03/21] removed unused argument from runScan Former-commit-id: 777688a5a541a9d3758294cee13f95c7b0d854e5 --- .../src/main/java/org/owasp/dependencycheck/App.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 19de6fecf..f5447d524 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java 
@@ -83,7 +83,7 @@ public class App { cli.printVersionInfo(); } else if (cli.isRunScan()) { updateSettings(cli); - runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getAdditionalZipExtensions()); + runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles()); } else { cli.printHelp(); } @@ -97,7 +97,7 @@ public class App { * @param applicationName the application name for the report * @param files the files/directories to scan */ - private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, String extraExtensions) { + private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) { Engine scanner = null; try { scanner = new Engine(); From be441d2aa54ef2daea1d6321068a04f1b9184ea9 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 12:26:17 -0500 Subject: [PATCH 04/21] checkstyle fix Former-commit-id: 108f7d5e6b1ef4f59b2d009eddbcb00671576dd8 --- .../org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index 17d67ea57..79935ac73 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java 
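Review bot: Dropping `cli.getAdditionalZipExtensions()` from the `runScan` call is only safe if `updateSettings(cli)`, invoked on the line above and not shown in this hunk, still pushes that value into `Settings`; otherwise `--zipExtensions`, which the CLI argument table later in this series still advertises, becomes a silent no-op and archives with custom extensions are never expanded or analysed. Worth confirming that `updateSettings` sets the corresponding Settings key before merging. The method containing this `else if` chain starts outside the hunk.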
@@ -271,7 +271,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex); throw new AnalysisException("Archive file was not found.", ex); } - final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase(); + final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase(); try { if (ZIPPABLES.contains(archiveExt)) { extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine); @@ -279,7 +279,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine); } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) { final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName()); - final String uncompressedExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(uncompressedName).toLowerCase(); + final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase(); if (engine.supportsExtension(uncompressedExt)) { decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName)); } @@ -323,7 +323,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { } } else { final File file = new File(destination, entry.getName()); - final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName()); + final String ext = FileUtils.getFileExtension(file.getName()); if (engine.supportsExtension(ext)) { BufferedOutputStream bos = null; FileOutputStream fos; From bb8aa0fe6fddeaa26cad2c72b45d30eced8ae91f Mon Sep 17 00:00:00 2001 
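Review bot: The rewritten line still lowercases the extension with the default locale, `FileUtils.getFileExtension(archive.getName()).toLowerCase()`, so on a Turkish-locale JVM `ZIP` becomes `zıp` (dotless i) and `ZIPPABLES.contains(archiveExt)` on the next line fails, meaning an upper-case `.ZIP` dependency is silently not expanded or scanned. Use a fixed locale here and in the matching line of the second hunk: `final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase(Locale.ROOT);` (needs `java.util.Locale` imported if it is not already). The third hunk's `ext` is not lowercased at all, so whether `engine.supportsExtension` is case-sensitive is worth checking too. The enclosing method starts and ends outside this hunk.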
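Review bot: The context line `final File file = new File(destination, entry.getName());` right above the rewritten line joins the archive-supplied entry name onto `destination` with no check that the result stays inside the extraction directory, so an entry named like `../../evil.jar` is written outside `destination` unless a guard exists above the hunk; this is the archive path-traversal ("Zip Slip") pattern, and an analyzer whose job is to unpack arbitrary supplied archives is exactly where it matters. After that line compare canonical paths and refuse the entry, e.g. `if (!file.getCanonicalPath().startsWith(destination.getCanonicalPath() + File.separator)) { /* log and skip this entry, or throw */ }`. `getCanonicalPath()` throws `IOException`; whether the enclosing method already declares or catches it is outside the hunk, as are the start and end of the method itself.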
From: Jeremy Long Date: Sun, 2 Mar 2014 12:26:56 -0500 Subject: [PATCH 05/21] fixed JavaDoc @link missing close curly bracket Former-commit-id: 2ae5d38ac5e469c65e986ff0dd0292dcb8267285 --- .../data/nuget/NuspecParseException.java | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java index 027bf4d00..ee8c94871 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java @@ -23,6 +23,7 @@ package org.owasp.dependencycheck.data.nuget; * @author colezlaw */ public class NuspecParseException extends Exception { + /** * The serialVersionUID */ 
@@ -31,20 +32,19 @@ public class NuspecParseException extends Exception { /** * Constructs a new exception with null as its detail message. * - * The cause is not initialized, and may subsequently be initialized by a call - * to {@link java.lang.Throwable#initCause(java.lang.Throwable)}. + * The cause is not initialized, and may subsequently be initialized by a call to + * {@link java.lang.Throwable#initCause(java.lang.Throwable)}. */ public NuspecParseException() { super(); } /** - * Constructs a new exception with the specified detail message. The cause is - * not initialized, and may subsequently be initialized by a call to - * {@link java.lang.Throwable#initCause(java.lang.Throwable). + * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently + * be initialized by a call to {@link java.lang.Throwable#initCause(java.lang.Throwable)}. * - * @param message the detail message. The detail message is saved for later retrieval - * by the {@link java.lang.Throwable#getMessage()} method. + * @param message the detail message. The detail message is saved for later retrieval by the + * {@link java.lang.Throwable#getMessage()} method. */ public NuspecParseException(String message) { super(message); @@ -58,9 +58,8 @@ public class NuspecParseException extends Exception { * * @param message the detail message (whcih is saved for later retrieval by the * {@link java.lang.Throwable#getMessage()} method. - * @param cause the cause (which is saved for later retrieval by the - * {@link java.lang.Throwable#getCause()} method). (A null value is permitted, - * and indicates that the cause is nonexistent or unknown). + * @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method). + * (A null value is permitted, and indicates that the cause is nonexistent or unknown). */ public NuspecParseException(String message, Throwable cause) { super(message, cause); 
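Review bot: The `@param message` line left as context in the last hunk still reads `(whcih is saved for later retrieval by the {@link java.lang.Throwable#getMessage()} method.` — `whcih` is a typo and the opening parenthesis is never closed, while the `@param cause` line directly below it was rewritten. Since this patch is specifically tidying this class's Javadoc, fix it in the same pass: ` * @param message the detail message (which is saved for later retrieval by the {@link java.lang.Throwable#getMessage()} method).`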
From ef97f9c088daac4389d5e79720d4bb685bca0ce6 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 12:27:26 -0500 Subject: [PATCH 06/21] checkstyle fix Former-commit-id: 1968682a460b5b294553f375ea191bcf6a45072b --- .../owasp/dependencycheck/maven/DependencyCheckMojo.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index 96d046af8..3068c39aa 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java @@ -279,6 +279,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR * Executes the Dependency-Check on the dependent libraries. * * @return the Engine used to scan the dependencies. + * @throws DatabaseException thrown if there is an exception connecting to the database */ private Engine executeDependencyCheck() throws DatabaseException { @@ -812,7 +813,8 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR checkForFailure(engine.getDependencies()); } } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { 
@@ -847,7 +849,8 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR engine = executeDependencyCheck(); generateMavenSiteReport(engine, sink); } catch (DatabaseException ex) { - Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); + Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, + "Unable to connect to the dependency-check database; analysis has stopped"); Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex); } finally { if (engine != null) { From 9d609b6085f6d7e3c88b9e7ef141adfb6921847a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 18:16:12 -0500 Subject: [PATCH 07/21] added configuration for whether or not the nexus analyzer should use the configured proxy Former-commit-id: 99f3110346941ebc00c14ae1c00220eef76c1e9f --- .../taskdefs/DependencyCheckTask.java | 23 +++++++++++++++++++ .../src/site/markdown/configuration.md | 1 + .../java/org/owasp/dependencycheck/App.java | 3 ++- .../owasp/dependencycheck/cli/CliParser.java | 23 +++++++++++++++++++ .../src/site/markdown/arguments.md | 1 + .../maven/DependencyCheckMojo.java | 7 ++++++ .../src/site/markdown/configuration.md | 1 + 7 files changed, 58 insertions(+), 1 deletion(-) diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index e71af47ce..8c982fbfd 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java 
@@ -502,6 +502,28 @@ public class DependencyCheckTask extends Task { public void setNexusUrl(String nexusUrl) { this.nexusUrl = nexusUrl; } + /** + * Whether or not the defined proxy should be used when connecting to Nexus. + */ + private boolean nexusUsesProxy = true; + + /** + * Get the value of nexusUsesProxy + * + * @return the value of nexusUsesProxy + */ + public boolean isNexusUsesProxy() { + return nexusUsesProxy; + } + + /** + * Set the value of nexusUsesProxy + * + * @param nexusUsesProxy new value of nexusUsesProxy + */ + public void setNexusUsesProxy(boolean nexusUsesProxy) { + this.nexusUsesProxy = nexusUsesProxy; + } /** * The database driver name; such as org.h2.Driver. @@ -867,6 +889,7 @@ public class DependencyCheckTask extends Task { if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 3545b885b..48465e4b0 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -37,6 +37,7 @@ ProxyPassword | Defines the proxy password. | Optional | ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional | nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | +nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | connectionString | The connection string used to connect to the database. | Optional | diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index f5447d524..9f7d04576 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -160,6 +160,7 @@ public class App { final String suppressionFile = cli.getSuppressionFile(); final boolean nexusDisabled = cli.isNexusDisabled(); final String nexusUrl = cli.getNexusUrl(); + final boolean nexusUsesProxy = cli.isNexusUsesProxy(); final String databaseDriverName = cli.getDatabaseDriverName(); final String databaseDriverPath = cli.getDatabaseDriverPath(); final String connectionString = cli.getConnectionString(); @@ -215,7 +216,7 @@ public class App { if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } - + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } 
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java index fa01d0c97..b5e06673c 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java @@ -204,6 +204,10 @@ public final class CliParser { .withDescription("The url to the Nexus Server.") .create(); + final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_URL) + .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.") + .create(); + final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg() .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS) .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files " @@ -227,6 +231,7 @@ public final class CliParser { .addOption(suppressionFile) .addOption(disableNexusAnalyzer) .addOption(nexusUrl) + .addOption(nexusUsesProxy) .addOption(additionalZipExtensions); } @@ -342,6 +347,20 @@ public final class CliParser { } } + /** + * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is + * returned. + * + * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false + */ + public boolean isNexusUsesProxy() { + if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) { + return true; + } else { + return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY)); + } + } + /** * Displays the command line help message to the standard output. */ 
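Review bot: The new `nexusUsesProxy` option is registered under the wrong long name: `.withLongOpt(ArgumentName.NEXUS_URL)` reuses `nexus`, so `--nexusUsesProxy` is never a recognised argument and `--nexus` now carries this option's `true/false` argName and description instead of its own. `isNexusUsesProxy()` in the last hunk checks `line.hasOption(ArgumentName.NEXUS_USES_PROXY)`, which therefore can never be true, so the proxy cannot be disabled from the CLI at all. Change the builder line to `.withLongOpt(ArgumentName.NEXUS_USES_PROXY)`; the `NEXUS_USES_PROXY` constant is added in a later hunk of this same patch.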
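Review bot: `isNexusUsesProxy()` maps every value other than a case-insensitive `true` to `false`, so a mistyped `--nexusUsesProxy ture` silently turns the proxy off instead of reporting a bad argument; for an option whose argName advertises `true/false`, rejecting anything else is friendlier. For example, before the parse: `final String value = line.getOptionValue(ArgumentName.NEXUS_USES_PROXY); if (!"true".equalsIgnoreCase(value) && !"false".equalsIgnoreCase(value)) { throw new IllegalArgumentException("nexusUsesProxy must be true or false"); }`. Whether the parser has an existing convention for reporting invalid values is outside this hunk.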
@@ -697,6 +716,10 @@ public final class CliParser { * The URL of the nexus server. */ public static final String NEXUS_URL = "nexus"; + /** + * Whether or not the defined proxy should be used when connecting to Nexus. + */ + public static final String NEXUS_USES_PROXY = "nexusUsesProxy"; /** * The CLI argument name for setting the connection string. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index 756999048..e16bab883 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md @@ -28,4 +28,5 @@ Short | Argument Name | Parameter | Description | Requirement | \-\-dbUser | \ | The username used to connect to the database. | Optional | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional | \-\-nexus | \ | The url to the Nexus Server. | Optional + | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index 3068c39aa..cec783ceb 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java 
@@ -198,6 +198,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"}) @Parameter(property = "nexusUrl", defaultValue = "", required = false) private String nexusUrl; + /** + * Whether or not the configured proxy is used to connect to Nexus. + */ + @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"}) + @Parameter(property = "nexusUsesProxy", defaultValue = "true", required = false) + private boolean nexusUsesProxy = true; /** * The database connection string. */ @@ -751,6 +757,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy); if (databaseDriverName != null && !databaseDriverName.isEmpty()) { Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName); } diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md index da8a4f3c1..af3efb2f2 100644 --- a/dependency-check-maven/src/site/markdown/configuration.md +++ b/dependency-check-maven/src/site/markdown/configuration.md @@ -17,6 +17,7 @@ proxyUsername | Defines the proxy user name. | proxyPassword | Defines the proxy password. | nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | nexusUrl | Defines the Nexus URL. | +nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true databaseDriverName | The name of the database driver. Example: org.h2.Driver. | databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | connectionString | The connection string used to connect to the database. | From d9eed4a460f30bf9b081f223b738af220377bdc0 Mon Sep 17 00:00:00 2001 
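Review bot: The new `nexusUsesProxy` field states its default twice, once in `@Parameter(defaultValue = "true")` and again in the `= true` initializer, and `required = false` only restates the annotation's default; the neighbouring `nexusUrl` field relies on the annotation alone. Keeping one source of truth avoids the two drifting apart when the default changes, e.g. `@Parameter(property = "nexusUsesProxy", defaultValue = "true")` with `private boolean nexusUsesProxy;` — unless the initializer is deliberately there for code paths that construct the mojo without Maven injection, in which case a one-line comment saying so would help.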
From: Jeremy Long Date: Sun, 2 Mar 2014 18:26:58 -0500 Subject: [PATCH 08/21] updated to address issue #74 Former-commit-id: 9ebe411a6f1dae5c0ffb39399fe5b5c63b927836 --- src/site/markdown/suppression.md | 49 ++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/src/site/markdown/suppression.md b/src/site/markdown/suppression.md index c50e11196..5d10a6dc5 100644 --- a/src/site/markdown/suppression.md +++ b/src/site/markdown/suppression.md @@ -18,6 +18,55 @@ A sample suppression file would look like: ``` The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash. +The following shows some other ways to suppress individual findings. Note the ways to select files using either +the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that +can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common +would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the +HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold. + +```xml + + + + + c:\path\to\some.jar + cpe:/a:csv:csv:1.0 + + + + .*\btest\.jar + cpe:/a:jboss:jboss + + + + .*\btest\.jar + CVE-2013-1337 + + + + 384FAA82E193D4E4B0546059CA09572654BC3970 + CVE-2013-1337 + + + + 7 + + +``` + The full schema for suppression files can be found here: [suppression.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd "Suppression Schema") Please see the appropriate configuration option in each interfaces configuration guide: From 8093927579945d811f33aa1123343e106bf3b248 Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sun, 2 Mar 2014 19:17:08 -0500 Subject: [PATCH 09/21] minor checkstyle patch Former-commit-id: e72e6856d19861fcfcc18e723852ca5fec2ff58a --- .../owasp/dependencycheck/taskdefs/DependencyCheckTask.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java index 8c982fbfd..4d4e1822e 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java @@ -508,7 +508,7 @@ public class DependencyCheckTask extends Task { private boolean nexusUsesProxy = true; /** - * Get the value of nexusUsesProxy + * Get the value of nexusUsesProxy. * * @return the value of nexusUsesProxy */ @@ -517,7 +517,7 @@ public class DependencyCheckTask extends Task { } /** - * Set the value of nexusUsesProxy + * Set the value of nexusUsesProxy. * * @param nexusUsesProxy new value of nexusUsesProxy */ From 06fc5e71c38a16e5f28fffea3b38567053053e0e Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 2 Mar 2014 19:23:04 -0500 Subject: [PATCH 10/21] updated documentation Former-commit-id: 0380144c003adf7a2e50d32d43f3605a30b6b089 --- .../src/site/markdown/configuration.md | 40 +++++++------- .../src/site/markdown/arguments.md | 54 +++++++++---------- 2 files changed, 47 insertions(+), 47 deletions(-) diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index 48465e4b0..ef16d1f18 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -22,28 +22,28 @@ The following table lists the configurable properties: Property | Description | Requirement | Default Value ----------------------|-------------|-------------|------------ -ApplicationName | The name of the application to use in the generated report. | Required | -ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | -ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | -FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | -AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional | -DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | -LogFile | The file path to write verbose logging information. | Optional | -SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | -ProxyUrl | Defines the proxy used to connect to the Internet. | Optional | -ProxyPort | Defines the port for the proxy. | Optional | -ProxyUsername | Defines the proxy user name. | Optional | -ProxyPassword | Defines the proxy password. | Optional | -ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | -nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. 
| Optional | -nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | +ApplicationName | The name of the application to use in the generated report. | Required |   +ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML +ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional |   +FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11 +AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true +DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional |   +LogFile | The file path to write verbose logging information. | Optional |   +SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional |   +ProxyUrl | Defines the proxy used to connect to the Internet. | Optional |   +ProxyPort | Defines the port for the proxy. | Optional |   +ProxyUsername | Defines the proxy user name. | Optional |   +ProxyPassword | Defines the proxy password. | Optional |   +ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional |   +nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. 
| Optional |   +nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional |   nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true -databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | -databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | -connectionString | The connection string used to connect to the database. | Optional | +databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional |   +databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional |   +connectionString | The connection string used to connect to the database. | Optional |   databaseUser | The username used when connecting to the database. | Optional | dcuser -databasePassword | The password used when connecting to the database. | Optional | -zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional +databasePassword | The password used when connecting to the database. | Optional |   +zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional |   cveUrl12Modified | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml cveUrl20Modified | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index e16bab883..bee424390 100644 
--- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md 
@@ -3,30 +3,30 @@ Command Line Arguments The following table lists the command line arguments: -Short | Argument Name | Parameter | Description | Requirement --------|-----------------------|-------------|-------------|------------ - \-a | \-\-app | \ | The name of the application being scanned. This is a required argument. | - \-c | \-\-connectiontimeout | \ | The connection timeout (in milliseconds) to use when downloading resources. | Optional - \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. | Optional - \-f | \-\-format | \ | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | - \-h | \-\-help | | Print the help message. | Optional - \-l | \-\-log | \ | The file path to write verbose logging information. | Optional - \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional - \-o | \-\-out | \ | The folder to write reports to. This defaults to the current directory. | Optional - \-p | \-\-proxyport | \ | The proxy port to use when downloading resources. | Optional - | \-\-proxypass | \ | The proxy password to use when downloading resources. | Optional - | \-\-proxyuser | \ | The proxy username to use when downloading resources. | Optional - \-s | \-\-scan | \ | The path to scan \- this option can be specified multiple times. | - | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional - \-u | \-\-proxyurl | \ | The proxy url to use when downloading resources. | Optional - \-v | \-\-version | | Print the version information. | Optional - | \-\-advancedHelp | | Print the advanced help message. | Optional - | \-\-connectionString | \ | The connection string to the database. | Optional - | \-\-dbDriverName | \ | The database driver name. 
| Optional - | \-\-dbDriverPath | \ | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional - | \-\-dbPassword | \| The password for connecting to the database. | Optional - | \-\-dbUser | \ | The username used to connect to the database. | Optional - | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional - | \-\-nexus | \ | The url to the Nexus Server. | Optional - | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | Optional - | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file +Short | Argument Name | Parameter | Description | Requirement +-------|-----------------------|-----------------|-------------|------------ + \-a | \-\-app | \ | The name of the application being scanned. This is a required argument. | Required + \-c | \-\-connectiontimeout | \ | The connection timeout (in milliseconds) to use when downloading resources. | Optional + \-d | \-\-data | \ | The location of the data directory used to store persistent data. This option should generally not be set. | Optional + \-f | \-\-format | \ | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required + \-h | \-\-help | | Print the help message. | Optional + \-l | \-\-log | \ | The file path to write verbose logging information. | Optional + \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional + \-o | \-\-out | \ | The folder to write reports to. This defaults to the current directory. | Optional + \-p | \-\-proxyport | \ | The proxy port to use when downloading resources. | Optional + | \-\-proxypass | \ | The proxy password to use when downloading resources. | Optional + | \-\-proxyuser | \ | The proxy username to use when downloading resources. 
| Optional + \-s | \-\-scan | \ | The path to scan \- this option can be specified multiple times. | Required + | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional + \-u | \-\-proxyurl | \ | The proxy url to use when downloading resources. | Optional + \-v | \-\-version | | Print the version information. | Optional + | \-\-advancedHelp | | Print the advanced help message. | Optional + | \-\-connectionString | \ | The connection string to the database. | Optional + | \-\-dbDriverName | \ | The database driver name. | Optional + | \-\-dbDriverPath | \ | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional + | \-\-dbPassword | \ | The password for connecting to the database. | Optional + | \-\-dbUser | \ | The username used to connect to the database. | Optional + | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional + | \-\-nexus | \ | The url to the Nexus Server. | Optional + | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | Optional + | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional \ No newline at end of file From c189b258b4563f8d58be860117f6ffe9eb01a8f2 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 05:41:55 -0500 Subject: [PATCH 11/21] corrected long option name for nexus uses proxy argument Former-commit-id: 4dfcd0fc4324828ff99138ca5d5903aa8e368a39 --- .../src/main/java/org/owasp/dependencycheck/cli/CliParser.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java index b5e06673c..b9fff985f 100644 
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java @@ -204,7 +204,7 @@ public final class CliParser { .withDescription("The url to the Nexus Server.") .create(); - final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_URL) + final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY) .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.") .create(); From b48f83ff4951a50c50a87c1405ff6f95c3846474 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 06:36:25 -0500 Subject: [PATCH 12/21] updated imports Former-commit-id: f7c013937243063b60f2b5cb7012e476b1fdcc98 --- .../dependencycheck/analyzer/AssemblyAnalyzerTest.java | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java index eccdab7c9..1a8e915d9 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java @@ -17,15 +17,12 @@ */ package org.owasp.dependencycheck.analyzer; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assume.assumeFalse; - import java.io.File; import java.util.logging.Level; import java.util.logging.Logger; - import org.junit.After; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; import org.junit.Assume; import static org.junit.Assume.assumeFalse; import org.junit.Before; 
@@ -43,7 +40,7 @@ import org.owasp.dependencycheck.utils.Settings; * */ public class AssemblyAnalyzerTest { - + private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzerTest.class.getName()); AssemblyAnalyzer analyzer; From d95fa8a8933e42d149f297209a0c2a25bb3426f2 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 07:01:19 -0500 Subject: [PATCH 13/21] updated logging of properties Former-commit-id: f9e224a9c5ad0972e2f8ae0fc5850947b1e59c2f --- .../owasp/dependencycheck/utils/Settings.java | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 2ef8d4f88..e973efdff 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -22,8 +22,11 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; +import java.io.PrintWriter; +import java.io.StringWriter; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; +import java.util.Enumeration; import java.util.Properties; import java.util.logging.Level; import java.util.logging.Logger; @@ -35,6 +38,8 @@ import java.util.logging.Logger; */ public final class Settings { + private static final Logger LOGGER = Logger.getLogger(Settings.class.getName()); + /** * The collection of keys used within the properties file. */ 
@@ -204,6 +209,43 @@ public final class Settings { } } } + logProperties("Properties loaded", props); + } + + /** + * Logs the properties. This will not log any properties that contain 'password' in the key. + * + * @param header the header to print with the log message + * @param properties the properties to log + */ + private static void logProperties(String header, Properties properties) { + if (LOGGER.isLoggable(Level.FINE)) { + final StringWriter sw = new StringWriter(); + PrintWriter pw = null; + try { + pw = new PrintWriter(sw); + pw.format("%s:%n%n", header); + final Enumeration e = properties.propertyNames(); + while (e.hasMoreElements()) { + final String key = (String) e.nextElement(); + if (key.contains("password")) { + pw.format("%s='*****'%n", key); + } else { + final String value = properties.getProperty(key); + if (value != null) { + pw.format("%s='%s'%n", key, value); + } + } + } + pw.flush(); + LOGGER.fine(sw.toString()); + } finally { + if (pw != null) { + pw.close(); + } + } + + } } /** @@ -214,6 +256,9 @@ public final class Settings { */ public static void setString(String key, String value) { INSTANCE.props.setProperty(key, value); + if (LOGGER.isLoggable(Level.FINE)) { + LOGGER.fine(String.format("Setting: %s='%s'", key, value)); + } } /** @@ -228,6 +273,9 @@ public final class Settings { } else { INSTANCE.props.setProperty(key, Boolean.FALSE.toString()); } + if (LOGGER.isLoggable(Level.FINE)) { + LOGGER.fine(String.format("Setting: %s='%b'", key, value)); + } } /** @@ -268,6 +316,7 @@ public final class Settings { */ public static void mergeProperties(InputStream stream) throws IOException { INSTANCE.props.load(stream); + logProperties("Properties updated via merge", INSTANCE.props); } /** From fc34b40c0a03b9c51e01d5f60a9ea006d5b69fac Mon Sep 17 00:00:00 2001 
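Review bot: The masking test `key.contains("password")` in logProperties is case-sensitive, so a key spelled with a capitalised `Password` would be written out in clear at FINE; unless every key this class defines is known to be lowercase, compare case-insensitively, `if (key.toLowerCase(Locale.ROOT).contains("password")) {` (needs a `java.util.Locale` import). The masking is also purely key-based, so a value that embeds a secret under another key, such as a connection string carrying credentials, is still logged in full — presumably acceptable at FINE, but worth one sentence in the Javadoc, e.g. `Values of keys that do not contain 'password' are logged verbatim, including any credentials embedded in them.` `final Enumeration e = properties.propertyNames();` is a raw type; `propertyNames()` returns `Enumeration<?>`, so declare it as `final Enumeration<?> e = properties.propertyNames();`. A PrintWriter over a StringWriter holds no OS resource, so the try/finally with the null check can be dropped in favour of a plain `final PrintWriter pw = new PrintWriter(sw);`.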
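Review bot: setString logs the raw value for every key, so a password stored through this setter reaches the log at FINE even though logProperties masks the same key a few lines above. Apply the same rule before formatting: `final String shown = key.contains("password") ? "*****" : value;` followed by `LOGGER.fine(String.format("Setting: %s='%s'", key, shown));`. setBoolean in the next hunk formats only a boolean, so it needs no change; mergeProperties goes through logProperties and is already masked.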
From: Jeremy Long Date: Mon, 3 Mar 2014 07:02:59 -0500 Subject: [PATCH 14/21] corrected spelling Former-commit-id: 9acb6efd615f2327a8235f13bd2054797d8b52f7 --- .../data/update/StandardUpdate.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java index bca85e461..a9e34249b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java 
@@ -134,20 +134,20 @@ public class StandardUpdate { downloadExecutors.shutdownNow(); processExecutor.shutdownNow(); - Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download", ex); - throw new UpdateException("The download was interupted", ex); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex); + throw new UpdateException("The download was interrupted", ex); } catch (ExecutionException ex) { downloadExecutors.shutdownNow(); processExecutor.shutdownNow(); - Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download execution", ex); - throw new UpdateException("The execution of the download was interupted", ex); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex); + throw new UpdateException("The execution of the download was interrupted", ex); } if (task == null) { downloadExecutors.shutdownNow(); processExecutor.shutdownNow(); - Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download"); - throw new UpdateException("The download was interupted; unable to complete the update"); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download"); + throw new UpdateException("The download was interrupted; unable to complete the update"); } else { processFutures.add(task); } @@ -161,7 +161,7 @@ public class StandardUpdate { } } catch (InterruptedException ex) { processExecutor.shutdownNow(); - Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during processing", ex); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex); throw new UpdateException(ex); } catch (ExecutionException ex) { processExecutor.shutdownNow(); 
From 6d47e32cac11a567188999a1074f69c554e66dfc Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 07:05:24 -0500 Subject: [PATCH 15/21] minor update to logging statement Former-commit-id: 0f197a42a7bdf4eebefed860d5d03b5dd2634a1d --- .../owasp/dependencycheck/data/update/StandardUpdate.java | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java index a9e34249b..2f090fa8c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java @@ -245,11 +245,8 @@ public class StandardUpdate { } } catch (NumberFormatException ex) { final String msg = "An invalid schema version or timestamp exists in the data.properties file."; - Logger - .getLogger(StandardUpdate.class - .getName()).log(Level.WARNING, msg); - Logger.getLogger(StandardUpdate.class - .getName()).log(Level.FINE, null, ex); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg); + Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex); } } return updates; From 88c04714f88c865b419e35daac6a64a41264c095 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 07:12:58 -0500 Subject: [PATCH 16/21] updated pre-flight to correctly skip the proxy if configured to do so Former-commit-id: eca1f3b7bf24d88b4e80cda9e296e31ad8c1215b --- .../owasp/dependencycheck/data/nexus/NexusSearch.java | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java index b5f58856f..88baf7a31 100644 
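Review bot: The FINE entry in the NumberFormatException handler now carries an empty message, `log(Level.FINE, "", ex)`, so the stack trace is written without any text saying what failed. Reusing the message already built for the warning, `Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, msg, ex);`, keeps the two entries linkable when someone searches the log. The enclosing method starts and ends outside the hunk.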
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java @@ -22,6 +22,7 @@ import java.io.IOException; import java.net.HttpURLConnection; import java.net.URL; import java.net.URLConnection; +import java.util.logging.Level; import java.util.logging.Logger; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -151,17 +152,17 @@ public class NexusSearch { */ public boolean preflightRequest() { try { - final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status")); + final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"), useProxy); conn.addRequestProperty("Accept", "application/xml"); conn.connect(); if (conn.getResponseCode() != 200) { - LOGGER.warning("Expected 200 result from Nexus, got " + conn.getResponseCode()); + LOGGER.log(Level.WARNING, "Expected 200 result from Nexus, got {0}", conn.getResponseCode()); return false; } final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); final Document doc = builder.parse(conn.getInputStream()); - if (doc.getDocumentElement().getNodeName() != "status") { - LOGGER.warning("Expected root node name of status, got " + doc.getDocumentElement().getNodeName()); + if (!"status".equals(doc.getDocumentElement().getNodeName())) { + LOGGER.log(Level.WARNING, "Expected root node name of status, got {0}", doc.getDocumentElement().getNodeName()); return false; } } catch (Throwable e) { From 95cd215e9ebc258d589897f347d7807f7f24af8b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 07:32:43 -0500 Subject: [PATCH 17/21] added more javadoc Former-commit-id: 5b42bdc4fdf6670ea5316d21c02a3223a44505d4 --- .../main/java/org/owasp/dependencycheck/utils/Settings.java | 3 +++ 1 file changed, 3 insertions(+) 
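Review bot: The Nexus status response is parsed by `DocumentBuilderFactory.newInstance().newDocumentBuilder()` (the unchanged line between the two rewritten warnings) with no features set on the factory, so a DOCTYPE in the reply is honoured by default and a misbehaving server or intermediary can make the preflight resolve external entities. Harden the factory before building: `final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();` then `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `final DocumentBuilder builder = factory.newDocumentBuilder();`. `setFeature` can throw `ParserConfigurationException`, which the `catch (Throwable e)` at the end of the hunk already covers. preflightRequest continues past the hunk, so the remainder of that handler is not visible here.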
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java index e973efdff..753c5d2ca 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -38,6 +38,9 @@ import java.util.logging.Logger; */ public final class Settings { + /** + * The logger. + */ private static final Logger LOGGER = Logger.getLogger(Settings.class.getName()); /** From 220539e51a3c3f816ba206adc05d0a39c7b0add3 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 07:37:33 -0500 Subject: [PATCH 18/21] minor update to formating Former-commit-id: b3c3f53e6d227c8b08ff908380bf2af94cb64b04 --- .../src/site/markdown/configuration.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index ef16d1f18..dc6b37583 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -22,19 +22,19 @@ The following table lists the configurable properties: Property | Description | Requirement | Default Value ----------------------|-------------|-------------|------------ -ApplicationName | The name of the application to use in the generated report. | Required |   -ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML -ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional |   -FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11 -AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true -DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional |   -LogFile | The file path to write verbose logging information. | Optional |   -SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional |   -ProxyUrl | Defines the proxy used to connect to the Internet. | Optional |   -ProxyPort | Defines the port for the proxy. | Optional |   -ProxyUsername | Defines the proxy user name. | Optional |   -ProxyPassword | Defines the proxy password. | Optional |   -ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional |   +applicationName | The name of the application to use in the generated report. 
| Required |   +reportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML +reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional |   +failBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11 +autoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true +dataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional |   +logFile | The file path to write verbose logging information. | Optional |   +suppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional |   +proxyUrl | Defines the proxy used to connect to the Internet. | Optional |   +proxyPort | Defines the port for the proxy. | Optional |   +proxyUsername | Defines the proxy user name. | Optional |   +proxyPassword | Defines the proxy password. | Optional |   +connectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional |   nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional |   nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional |   nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true 
From 6379bfb8b807cfaf44043ede915f4894a92f1b18 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 08:51:17 -0500 Subject: [PATCH 19/21] version 1.1.2 Former-commit-id: 876e8a1a02fdb24968779f6988652e0c11afc866 --- dependency-check-ant/pom.xml | 2 +- dependency-check-cli/pom.xml | 2 +- dependency-check-core/pom.xml | 2 +- dependency-check-jenkins/pom.xml | 2 +- dependency-check-maven/pom.xml | 2 +- pom.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index 902c909fc..a0fe78293 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 3d4f1e0f9..109481ce1 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 dependency-check-cli diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 43a572ced..043cf842a 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 dependency-check-core diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index 426e0aaa3..e535f56ad 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -6,7 +6,7 @@ org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 org.owasp diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 3a7b11ae5..7c90bff90 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml 
@@ -23,7 +23,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 dependency-check-maven diff --git a/pom.xml b/pom.xml index 02bc9c735..0ced51246 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.1.2-SNAPSHOT + 1.1.2 pom From d064337c15368fded16ce24ad58930b34b73b52c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 3 Mar 2014 19:54:46 -0500 Subject: [PATCH 20/21] corrected intellij idea link Former-commit-id: da919f5e5b81328e35e7a91f0f16f0c07f42a1e4 --- src/site/site.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/site/site.xml b/src/site/site.xml index 0c29f2b5c..3b6db2c00 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -50,7 +50,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. title="built with maven" alt="built with maven" img="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png"/> - From e0410783be1426f87bfb28ff27c182b1d98ced35 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 4 Mar 2014 07:33:27 -0500 Subject: [PATCH 21/21] updated version to 1.1.3-SNAPSHOT Former-commit-id: b0d241a5d856244c5dac22f24d2ea135d2e4f545 --- dependency-check-ant/pom.xml | 2 +- dependency-check-cli/pom.xml | 2 +- dependency-check-core/pom.xml | 2 +- dependency-check-jenkins/pom.xml | 2 +- dependency-check-maven/pom.xml | 2 +- pom.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index a0fe78293..c20c39567 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 109481ce1..89653be11 100644 --- a/dependency-check-cli/pom.xml 
+++ b/dependency-check-cli/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT dependency-check-cli diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 043cf842a..6ab67e6b7 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT dependency-check-core diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index e535f56ad..a87c5596a 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -6,7 +6,7 @@ org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT org.owasp diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 7c90bff90..038fd549d 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -23,7 +23,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT dependency-check-maven diff --git a/pom.xml b/pom.xml index 0ced51246..0e8c4458d 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.1.2 + 1.1.3-SNAPSHOT pom